show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.
When to Use This Command
- Verify that port security is enabled and configured correctly on an access port connected to a known device.
- Troubleshoot a port that has been err-disabled due to a security violation by checking the violation count and last source MAC.
- Audit which MAC addresses are currently learned on a secure port and whether they are static or dynamic.
- Confirm that the maximum number of secure MAC addresses has not been exceeded on a trunk port with port security enabled.
Command Examples
Basic usage on a secure access port
show port-security interface gigabitethernet 0/1

Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6800:10
Security Violation Count   : 0

Port Security: Enabled means port security is active. Port Status: Secure-up indicates the port is up and no violation has occurred. Violation Mode: Shutdown means the port will be err-disabled on a violation. Maximum MAC Addresses: 1 means only one secure MAC address is allowed. Total MAC Addresses: 1 shows one MAC has been learned. Last Source Address:Vlan shows the last source MAC and its VLAN. Security Violation Count: 0 means no violations have been recorded.
Port in err-disabled state due to violation
show port-security interface fastethernet 0/2

Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:20
Security Violation Count   : 3
Port Status: Secure-shutdown indicates the port is err-disabled due to a violation. Security Violation Count: 3 shows three violations occurred. Last Source Address:Vlan shows the MAC that caused the last violation. Total MAC Addresses: 2 equals the maximum, meaning the port learned the maximum allowed addresses before the violation.
Understanding the Output
The output shows the port security status and configuration for the specified interface. 'Port Security' indicates whether the feature is enabled. 'Port Status' shows the current state: 'Secure-up' means normal operation, 'Secure-shutdown' means the port has been disabled due to a violation, and 'Secure-down' means the line protocol is down. 'Violation Mode' displays the configured action (shutdown, restrict, or protect). 'Aging Time' and 'Aging Type' relate to MAC address aging.

'Maximum MAC Addresses' is the configured limit. 'Total MAC Addresses' shows how many MACs are currently learned. 'Configured MAC Addresses' are statically defined, and 'Sticky MAC Addresses' are dynamically learned and saved to the running config. 'Last Source Address:Vlan' shows the most recent source MAC and VLAN that triggered a violation or was learned. 'Security Violation Count' increments each time a violation occurs; a high count indicates repeated issues.

In a real network, a violation count greater than 0 with 'Secure-shutdown' status requires manual intervention (shut/no shut) to recover the port. A 'Secure-up' status with zero violations is the desired state.
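As an added example (not part of this page and not Cisco tooling), the following Python script parses the two outputs shown above and applies the rules from this section to produce findings an analyst would act on: err-disabled ports, violations on ports that stay up under restrict mode, and a secure address table that is already full. It assumes the output format shown above (one 'Key : Value' line per field); the sample texts are copied from the page, and the restrict-mode variant is constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the two outputs shown on this page, reproduced
# inline so the example runs offline without a switch.
SECURE_UP_SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0050.7966.6800:10
Security Violation Count   : 0
"""

SECURE_SHUTDOWN_SAMPLE = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 2
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:20
Security Violation Count   : 3
"""

# Constructed variant (not from the page): 'restrict' mode keeps the port up
# while the violation counter still climbs.
RESTRICT_SAMPLE = re.sub(r"Count(\s+): 0", r"Count\1: 5",
                         SECURE_UP_SAMPLE.replace(": Shutdown", ": Restrict"))

# Key and value are separated by a colon padded with spaces. The key
# 'Last Source Address:Vlan' and MAC:VLAN values contain unpadded colons,
# so the non-greedy key stops only at the first padded colon.
FIELD_RE = re.compile(r"^(?P<key>\S.*?)\s+:\s+(?P<value>.*)$")

def parse_port_security(text: str) -> Dict[str, str]:
    """Turn 'show port-security interface' output into a key -> value dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields

def _int(fields: Dict[str, str], key: str) -> int:
    # Leading integer of a field such as '2' or '0 mins'; a missing field counts as 0.
    m = re.match(r"\d+", fields.get(key, ""))
    return int(m.group()) if m else 0

def is_healthy(fields: Dict[str, str]) -> bool:
    """The desired state: feature enabled, port Secure-up, no violations recorded."""
    return (fields.get("Port Security") == "Enabled"
            and fields.get("Port Status") == "Secure-up"
            and _int(fields, "Security Violation Count") == 0)

def assess(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (severity, message) findings derived from the parsed fields."""
    if fields.get("Port Security") != "Enabled":
        return [("critical", "port security is not enabled on this interface")]
    findings: List[Tuple[str, str]] = []
    status = fields.get("Port Status", "")
    mode = fields.get("Violation Mode", "").lower()
    violations = _int(fields, "Security Violation Count")
    maximum, total = _int(fields, "Maximum MAC Addresses"), _int(fields, "Total MAC Addresses")
    last = fields.get("Last Source Address:Vlan", "unknown")
    if status == "Secure-shutdown":
        findings.append(("critical", f"port is err-disabled after {violations} violation(s); "
                         f"last offending MAC:VLAN {last}; investigate the device, then "
                         "recover with 'shutdown' followed by 'no shutdown'"))
    elif status == "Secure-down":
        findings.append(("info", "line protocol is down; no device is connected"))
    elif violations > 0:
        # restrict mode keeps the port up, so the counter is the only symptom here
        findings.append(("warning", f"{violations} violation(s) recorded while the port "
                         f"stays up (mode {mode}); last offending MAC:VLAN {last}"))
    if mode == "protect":
        findings.append(("warning", "mode 'protect' drops offending frames without "
                         "logging, so violations leave no syslog trail"))
    if maximum and total >= maximum:
        findings.append(("info", f"secure address table full ({total}/{maximum}); "
                         "the next new source MAC will be treated as a violation"))
    return findings

if __name__ == "__main__":
    for text in (SECURE_UP_SAMPLE, SECURE_SHUTDOWN_SAMPLE, RESTRICT_SAMPLE):
        f = parse_port_security(text)
        print(f["Port Status"], "healthy" if is_healthy(f) else "needs attention", assess(f))
```

In practice the text would come from the device (for example, captured by a Netmiko or NAPALM session) rather than from inline strings; the parsing and assessment logic is unchanged. The 'table full' finding is informational on a port with maximum 1 and one learned address, which is the normal state for a single-host access port, but it is the first thing to check when legitimate devices on a multi-host port start tripping violations.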
CCNA Exam Tips
Remember that the default violation mode is 'shutdown', which err-disables the port; the exam may ask how to recover (shut/no shut).
Know that 'sticky' MAC addresses are saved to running config and become like static entries; they survive reloads only if config is saved.
The 'maximum MAC addresses' default is 1; the exam may test that you can increase it to allow multiple devices.
Be able to distinguish between 'shutdown', 'restrict', and 'protect' violation modes: shutdown disables the port, restrict drops frames and logs, protect drops frames without logging.
Common Mistakes
Forgetting to actually enable port security on the interface with 'switchport port-security' after configuring the other interface-level settings (maximum, violation mode, MAC addresses); without it those settings have no effect.
Assuming that 'sticky' MAC addresses are automatically saved to startup-config; they exist only in running-config until you copy the running config to startup-config.
Setting the maximum MAC addresses too low for a trunk port, causing legitimate traffic to be dropped as violations.
Not realizing that a port in err-disabled state due to security violation must be manually re-enabled with 'shutdown' followed by 'no shutdown'.
Related Commands
show port-security
Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.
show port-security address
Displays the secure MAC addresses configured on all switch ports or a specific interface, used to verify port security address learning and aging.