Port Security Violation Modes – Detailed Explanation

1. What Are Port Security Violation Modes?

Port security is a Cisco switch feature that restricts which MAC addresses may communicate through a specific access port. A violation mode defines exactly what the switch does when a frame arrives from an unauthorised MAC address — one that exceeds the configured maximum or is not in the allowed list.

There are three violation modes available on Cisco IOS switches, each offering a different balance between security enforcement and operational continuity:

  Unauthorised MAC frame arrives on port Fa0/1
        |
        v
  Port Security checks MAC against allowed list
        |
  NOT ALLOWED -- which mode is configured?
        |
   +----+----+----------+
   |         |          |
  PROTECT  RESTRICT  SHUTDOWN
   |         |          |
  Drop      Drop     err-disable
  Silent  + Log/Trap   port
           Port UP    Port DOWN
    


2. When Does a Violation Occur?

A port security violation is triggered when either of these conditions is met:

  • The number of unique source MAC addresses seen on the port exceeds the configured maximum (default: 1)
  • A frame arrives from a MAC address that is not in the port's allowed MAC list (static or sticky)

This protects against: rogue devices being plugged in, users connecting unauthorised hubs or switches, MAC flooding attacks, and BYOD policy violations.

3. Protect Mode

In Protect mode, the switch silently drops frames from unauthorised MAC addresses. The port stays up and continues to forward traffic from allowed MAC addresses normally. No alert is generated.

Attribute             Behaviour
Unauthorised frames   Silently dropped; no ICMP unreachable is sent to the source
Logging / syslog      None
SNMP trap             None
Port state            Remains up; allowed traffic continues unaffected
Violation counter     Incremented (visible in show port-security)

Best use case: Environments where service continuity is critical and silent enforcement is acceptable — e.g., a public-facing kiosk port where you want to block unauthorised devices but cannot afford help-desk calls about ports going down.

Limitation: No visibility into violations; without logging you may never learn that rogue devices are being connected to the port. If monitoring is needed, use Restrict instead.

4. Restrict Mode

In Restrict mode, the switch drops frames from unauthorised MAC addresses (same as Protect) but also generates a syslog message and SNMP trap, and increments the violation counter. The port remains up.

Attribute             Behaviour
Unauthorised frames   Dropped
Logging / syslog      Yes; a %PORT_SECURITY-2-PSECURE_VIOLATION message is logged
SNMP trap             Yes; sent to the configured NMS
Port state            Remains up; allowed traffic continues
Violation counter     Incremented

Best use case: General user access ports where you need visibility into violations but cannot afford port disruption — e.g., open-plan offices or labs where temporary device connections are common but should be monitored.

5. Shutdown Mode (Default)

In Shutdown mode (the Cisco IOS default), a single violation immediately places the port into an error-disabled (err-disabled) state. The port is completely shut down — no traffic passes until an administrator manually recovers it or automatic recovery is configured.

Attribute             Behaviour
Unauthorised frames   One violation immediately shuts the port down
Logging / syslog      Yes; the violation is logged with the offending MAC address
SNMP trap             Yes; sent to the configured NMS
Port state            err-disabled; the interface is down and all traffic stops
Recovery              Manual (shutdown / no shutdown) or automatic (errdisable recovery)

Best use case: High-security environments where any unauthorised access attempt should halt connectivity immediately and trigger an investigation — server rooms, finance terminals, executive workstations, DMZ ports.

6. Comparison of All Three Modes

Feature                        Protect   Restrict   Shutdown
Unauthorised frames dropped    Yes       Yes        Yes
Syslog message generated       No        Yes        Yes
SNMP trap sent                 No        Yes        Yes
Port remains up                Yes       Yes        No (err-disabled)
Violation counter increments   Yes       Yes        Yes (then port shuts)
Is the default mode?           No        No         Yes
Requires recovery action       No        No         Yes
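The decision logic that sections 2 to 6 describe, as an added Python model written for this page. It is not Cisco code and does not talk to a switch: it keeps one allowed set per port (static plus learned MACs), applies the IOS defaults of shutdown mode and maximum 1, and runs the same three frames through each mode so the comparison table above can be checked directly. The MAC addresses and the wording after the %PORT_SECURITY-2-PSECURE_VIOLATION message ID are constructed samples, and recover() stands in for both recovery methods of section 8.

```python
"""Simulation of Cisco port-security violation modes (added example, not Cisco code)."""
from dataclasses import dataclass, field

VALID_MODES = ("protect", "restrict", "shutdown")


@dataclass
class SecurePort:
    name: str
    mode: str = "shutdown"      # Cisco IOS default violation mode
    maximum: int = 1            # default maximum secure MAC addresses
    sticky: bool = False        # sticky only changes whether learned MACs persist to config
    allowed: set = field(default_factory=set)   # static + learned secure MACs
    violations: int = 0         # "Security Violation Count"
    err_disabled: bool = False
    log: list = field(default_factory=list)     # syslog / SNMP-trap events we would emit

    def __post_init__(self):
        if self.mode not in VALID_MODES:
            raise ValueError(f"violation mode must be one of {VALID_MODES}")

    def receive(self, src_mac: str) -> str:
        """Process one frame's source MAC and return the action the switch takes."""
        mac = src_mac.lower()
        if self.err_disabled:
            # An err-disabled port drops everything, allowed MACs included
            return "dropped (port err-disabled)"
        if mac in self.allowed:
            return "forwarded"
        # Unknown MAC: learn it only while the port is below its maximum
        if len(self.allowed) < self.maximum:
            self.allowed.add(mac)
            if self.sticky:
                self.log.append(f"sticky-learned {mac} on {self.name}")  # saved to running-config
            return "forwarded (learned)"
        # Maximum reached and MAC not allowed: this is a violation in every mode
        self.violations += 1
        if self.mode == "protect":
            return "dropped (silent)"      # no syslog, no trap, port stays up
        # Constructed wording; only the message ID comes from the page
        self.log.append(f"%PORT_SECURITY-2-PSECURE_VIOLATION: violation by {mac} on {self.name}")
        if self.mode == "restrict":
            return "dropped (logged)"      # notify, but keep the port up
        self.err_disabled = True           # shutdown mode: err-disable the port
        return "dropped (port err-disabled)"

    def recover(self) -> None:
        """shutdown / no shutdown by hand, or the errdisable recovery timer firing."""
        self.err_disabled = False


def run_scenario(mode: str, sticky: bool = False) -> dict:
    """Feed the same frames to a fresh port in the given mode and summarise the result."""
    port = SecurePort("FastEthernet0/1", mode=mode, sticky=sticky)
    frames = ("001a.2b3c.4d5e", "001a.2b3c.4d5e", "aaaa.bbbb.cccc")  # constructed MACs
    actions = [port.receive(mac) for mac in frames]
    return {"actions": actions, "violations": port.violations,
            "port_up": not port.err_disabled, "events": len(port.log)}


if __name__ == "__main__":
    for mode in VALID_MODES:
        print(mode, run_scenario(mode))
```

The scenario is the one the page keeps returning to: a legitimate device is learned, a second device appears on a maximum-1 port, and each mode reacts differently. After recover() on a shutdown-mode port, another frame from the rogue MAC err-disables it again, which is the "port keeps shutting down after recovery" row of the troubleshooting table.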

7. Full Configuration Example

! Step 1: Configure the port as an access port
Switch(config)# interface FastEthernet0/1
Switch(config-if)# switchport mode access

! Step 2: Enable port security
Switch(config-if)# switchport port-security

! Step 3: Set maximum allowed MAC addresses (default is 1)
Switch(config-if)# switchport port-security maximum 2

! Step 4: Set the violation mode (protect / restrict / shutdown)
Switch(config-if)# switchport port-security violation restrict

! Step 5: Enable sticky MAC (learns current MACs and saves to config)
Switch(config-if)# switchport port-security mac-address sticky

! Step 6: Verify
Switch# show port-security interface FastEthernet0/1
Switch# show port-security address

Sticky MAC: The sticky keyword makes the switch dynamically learn the first MAC address(es) seen on the port and automatically add them to the running configuration as secure MACs. This eliminates the need to manually specify every allowed MAC address.

8. Recovering a Port from Shutdown (err-disabled)

Method 1 — Manual Recovery

Switch(config)# interface FastEthernet0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown

The brief shutdown clears the err-disabled state. The port returns to up after no shutdown. If the violating device is still connected and port security is still active, it will shut down again immediately.

Method 2 — Automatic Recovery (errdisable recovery)

! Enable automatic recovery for port security violations
Switch(config)# errdisable recovery cause psecure-violation

! Set the recovery interval (seconds — default 300)
Switch(config)# errdisable recovery interval 60

! Verify errdisable status
Switch# show errdisable recovery

With automatic recovery, the switch waits for the configured interval, then brings the port back up automatically. If the violating device is gone, the port stays up. If not, it immediately shuts down again.

9. Detection and Monitoring Commands

Switch# show port-security                          ! Summary of all secure ports
Switch# show port-security interface FastEthernet0/1 ! Detail: mode, count, violation count
Switch# show port-security address                   ! All secure MAC addresses and their ports
Switch# show interfaces FastEthernet0/1 status       ! Current port status (err-disabled?)
Switch# show logging | include SEC                   ! Filter syslog for port security events

The show port-security interface output shows:

Port Security              : Enabled
Port Status                : Secure-up (or Secure-shutdown for err-disabled)
Violation Mode             : Restrict
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001a.2b3c.4d5e:10
Security Violation Count   : 3
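The two diagnostic sources this section names, the show port-security interface output and the syslog trail that show logging | include SEC filters, as an added Python parser written for this page (not Cisco tooling). The show output sample follows the layout printed above; the syslog lines are constructed, and the wording after the %PORT_SECURITY-2-PSECURE_VIOLATION message ID is an assumption about IOS output, so adjust the regular expression against your own switch's logs.

```python
"""Parsers for port-security show output and violation syslog lines (added example)."""
import re
from collections import Counter, defaultdict

# Constructed sample in the layout the page prints, for a port err-disabled by a
# shutdown-mode violation.
SHOW_OUTPUT = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
Last Source Address:Vlan   : 001a.2b3c.4d5e:10
Security Violation Count   : 3
"""

# Constructed syslog lines; the message body wording is assumed, not taken from the page.
SYSLOG_LINES = [
    "*Mar  1 00:12:45.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/1.",
    "*Mar  1 00:12:46.001: %SYS-5-CONFIG_I: Configured from console by console",
    "*Mar  1 00:12:47.456: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/1.",
    "*Mar  1 00:13:02.789: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address dead.beef.0001 on port FastEthernet0/2.",
    "*Mar  1 00:13:03.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down",
]

# "Key   : value"; the non-greedy key copes with "Last Source Address:Vlan"
FIELD_RE = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.*)$")
INT_FIELDS = {"Maximum MAC Addresses", "Total MAC Addresses", "Configured MAC Addresses",
              "Sticky MAC Addresses", "Security Violation Count"}
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION:.*?MAC address (?P<mac>[0-9a-fA-F.]+) on port (?P<port>\S+?)\.?$")


def parse_show_port_security(text: str) -> dict:
    """Turn the key : value lines of show port-security interface into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.group("key"), m.group("value").strip()
        fields[key] = int(value) if key in INT_FIELDS else value
    return fields


def assess_port(fields: dict) -> dict:
    """Answer the troubleshooting questions: is it err-disabled, who caused it, how often."""
    mac, _, vlan = fields.get("Last Source Address:Vlan", "").partition(":")
    mode = fields.get("Violation Mode", "").lower()
    count = fields.get("Security Violation Count", 0)
    return {
        "err_disabled": fields.get("Port Status") == "Secure-shutdown",
        "mode": mode,
        "violations": count,
        "last_mac": mac or None,
        "vlan": int(vlan) if vlan.isdigit() else None,
        # Protect mode leaves no syslog trail, so a non-zero counter is the only evidence
        "silent_violations": mode == "protect" and count > 0,
    }


def violations_by_port(lines) -> dict:
    """Count PSECURE_VIOLATION events per port and offending MAC.

    A MAC that keeps recurring on one port is the "continuous violation logs,
    port up" symptom from the troubleshooting table (restrict mode)."""
    counts = defaultdict(Counter)
    for line in lines:
        m = VIOLATION_RE.search(line)
        if m:
            counts[m.group("port")][m.group("mac").lower()] += 1
    return {port: dict(c) for port, c in counts.items()}


if __name__ == "__main__":
    print(assess_port(parse_show_port_security(SHOW_OUTPUT)))
    print(violations_by_port(SYSLOG_LINES))
```

Run against a saved show logging capture, violations_by_port gives the per-port, per-MAC counts needed to decide whether a recurring MAC is a legitimate device to add or a rogue to block, which is the decision the troubleshooting table asks for.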

10. Troubleshooting Port Security Issues

Symptom:      Port is down (err-disabled)
Likely cause: Shutdown mode violation triggered
Resolution:   Remove the unauthorised device, then shutdown / no shutdown, or configure errdisable recovery

Symptom:      Device can't connect but port is up
Likely cause: Protect mode dropping frames, with no alert
Resolution:   Run show port-security interface and check the violation count; change to restrict for logging visibility

Symptom:      Continuous violation logs, port up
Likely cause: Restrict mode; an unauthorised device is repeatedly attempting access
Resolution:   Identify the device from the last source MAC in the show output; decide whether to add it or block it

Symptom:      Port keeps shutting down after recovery
Likely cause: Violating device still plugged in
Resolution:   Remove the device first, then recover; or add its MAC to the allowed list if it is legitimate

Symptom:      Sticky MACs lost after reload
Likely cause: Configuration not saved (write memory / copy run start not issued)
Resolution:   Always save the config after sticky MACs are learned: copy running-config startup-config

11. Best Practices

  • Use Protect only where uptime is paramount and you have other security controls in place; its silence makes it easy to miss ongoing violations
  • Prefer Restrict for general user ports — you get full visibility into violations without disrupting legitimate traffic
  • Use Shutdown for sensitive or high-value ports (server room access, finance workstations, network equipment management ports)
  • Always configure errdisable recovery cause psecure-violation with a reasonable interval (300–600 seconds) to avoid permanent manual recovery overhead
  • Use sticky MAC to learn legitimate devices automatically; save config immediately after learning
  • Monitor SNMP traps and syslog for restrict/shutdown violations — integrate with your NMS for alerting
  • Set maximum 1 on all user-facing ports to prevent hub or switch connections that would enumerate multiple MACs. See MAC Address Table

Port Security Violation Modes Quiz

1. What happens to frames from unauthorised MAC addresses in Protect mode?

Correct answer is D. In Protect mode, unauthorised frames are dropped silently — no syslog message, no SNMP trap, and the port stays up. The violation counter increments (visible in show port-security), but no active alert is generated. This makes Protect the least disruptive but also the least visible mode.

2. Which violation mode drops unauthorised frames AND generates syslog/SNMP alerts while keeping the port up?

Correct answer is A. Restrict mode drops violating frames AND generates a %PORT_SECURITY-2-PSECURE_VIOLATION syslog message plus an SNMP trap to alert the network team — while keeping the port operational for authorised traffic. It provides the best balance of enforcement and visibility for general user ports. See Syslog and SNMP Traps for monitoring setup.

3. What is the default port security violation mode on Cisco switches if not explicitly configured?

Correct answer is C. Shutdown is the Cisco IOS default violation mode. When you enable port security with switchport port-security without specifying a mode, the switch will err-disable the port on any violation. This is the most secure default, but it requires administrators to plan for recovery procedures.

4. Which Cisco IOS command configures a switch port to use Restrict violation mode?

Correct answer is B. switchport port-security violation restrict sets restrict mode on the interface. This is an interface-level command that must be entered after switchport port-security has been enabled. The three valid options are: protect, restrict, and shutdown.

5. What is the manual recovery procedure for a port placed in err-disabled state by a shutdown violation?

Correct answer is A. The manual recovery sequence is: navigate to the err-disabled interface, enter shutdown (confirms the state change), then no shutdown (brings it back up). Always remove the unauthorised device first — otherwise the port will immediately err-disable again as soon as it comes up and receives a frame from the violating MAC.

6. Which violation mode does NOT generate SNMP traps or syslog messages when a violation occurs?

Correct answer is D. Only Protect mode is completely silent — it drops frames without any notification. Both Restrict and Shutdown generate syslog messages and SNMP traps. This is the critical exam-tested distinction: Protect = silent drop; Restrict = drop + notify (port up); Shutdown = drop + notify + err-disable (port down).

7. Which of the following is TRUE about Restrict mode?

Correct answer is C. Restrict mode enforces security (drops unauthorised frames) and provides visibility (generates syslog and SNMP alerts) while maintaining service continuity (port stays up for authorised traffic). It is the recommended mode for most general-purpose user access ports in enterprise environments.

8. When is Protect mode most appropriately used?

Correct answer is A. Protect mode's silent enforcement is appropriate when disruption to authorised users from port shutdowns is unacceptable, and when you have compensating controls (e.g., SNMP monitoring of other metrics, physical access controls, CCTV) to detect rogue devices. It is NOT appropriate where you need visibility into access attempts. See SNMP and syslog for compensating monitoring controls.

9. Which command shows the port security status and violation count on interface FastEthernet0/1?

Correct answer is B. show port-security interface FastEthernet0/1 displays port security details including: the violation mode, port status (Secure-up or Secure-shutdown), maximum and current MAC addresses, sticky MAC addresses, the last violating MAC address, and the cumulative violation count. This is the primary diagnostic command for port security issues.

10. What Cisco IOS command enables automatic recovery from err-disabled state for port security violations?

Correct answer is C. errdisable recovery cause psecure-violation enables automatic recovery specifically for port security-triggered err-disabled ports. Pair it with errdisable recovery interval <seconds> (default 300 seconds) to control how long the switch waits before attempting to bring the port back up. Always remove the violating device first — otherwise the port will re-disable immediately.
