Port Security Violation Modes – Detailed Explanation

1. What are Violation Modes?

Violation modes are switch port security settings that determine how a switch will respond if an unauthorized device (or MAC address) attempts to access a secure port.
Role: To protect network access at the edge by controlling which MAC addresses are allowed on specific switch ports.

2. How Switches Respond to Security Violations

When a port with port security receives a frame from a MAC address not allowed by the configured security policy, the switch reacts based on its configured violation mode.

3. Protect Mode

  • Frames from unauthorized MAC addresses are silently dropped (no alert).
  • No notification, log messages, or SNMP traps.
  • The port remains up and continues to forward allowed traffic.
Use Case: Where you want to block unauthorized devices but avoid disruptions or alerts.

4. Restrict Mode

  • Frames from unauthorized MACs are dropped (like protect mode).
  • Violation is logged: The switch generates SNMP traps and syslog messages.
  • The port stays up for authorized traffic.
Use Case: Block unauthorized devices and also monitor/report violations, but do not disable the port.

5. Shutdown Mode (Default)

  • The port is placed into error-disabled (err-disabled) state—shut down.
  • Logs the violation and sends SNMP traps.
  • All traffic stops until the port is manually or automatically recovered.
Use Case: High-security areas where any violation should result in a complete shutdown for investigation.

6. Comparison of Violation Modes

Mode       Action on Violation                 Logging/Notification   Port Status
Protect    Drop violating frames (silent)      No                     Remains up
Restrict   Drop violating frames               Yes (logs/traps)       Remains up
Shutdown   Interface err-disabled (shutdown)   Yes (logs/traps)       Down (err-disabled)

7. When to Use Each Mode

  • Protect: Minimal disruption, no logging; low-security user zones.
  • Restrict: Logging/monitoring needed, but port must remain up.
  • Shutdown: Strict security zones (finance, DMZ, executives) – disables port until reviewed.

8. Configuring Violation Modes

interface FastEthernet0/1
 switchport mode access                        ! port security is rejected on a dynamic-mode port
 switchport port-security
 switchport port-security violation protect    ! or restrict / shutdown

Default: If not specified, mode is shutdown.

9. Detection and Logging

  • Violation triggers:
    • Number of learned MAC addresses exceeds the configured maximum.
    • Unknown MAC sends traffic to the port.
  • Monitor violations:
    • show port-security interface FastEthernet0/1
    • show port-security address
    • show logging | include SEC
  • Restrict/Shutdown: Generate SNMP traps and logs. Protect: No logging.
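As an added example (not part of the original page), the Python below does programmatically what `show logging | include SEC` does by eye: it parses syslog lines in the IOS PSECURE_VIOLATION / ERR_DISABLE / ERR_RECOVER format, normalizes the mixed long and short interface names the switch emits, and summarizes violations per port. The sample log lines and the review threshold of 3 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines in Cisco IOS format (not captured from a real device).
# Restrict and shutdown modes emit PSECURE_VIOLATION; protect mode emits nothing, so a
# protect-mode port never appears in this log no matter how many frames it drops.
SAMPLE_LOG = """\
Mar  1 10:02:11.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/2.
Mar  1 10:02:14.410: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port FastEthernet0/2.
Mar  1 10:02:20.002: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aabb.ccdd.eeff on port FastEthernet0/2.
Mar  1 10:05:31.777: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet0/7.
Mar  1 10:05:31.780: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar  1 10:10:32.001: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/7
Mar  1 10:11:00.500: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*caused by MAC address (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (?P<port>[^,]+),")
RECOVER_RE = re.compile(r"%PM-4-ERR_RECOVER: .*psecure-violation err-disable state on (?P<port>\S+)$")

def normalize_ifname(name):
    """IOS logs mix long (FastEthernet0/7) and short (Fa0/7) names; collapse to the short form."""
    for long_form, short_form in (("TenGigabitEthernet", "Te"), ("GigabitEthernet", "Gi"), ("FastEthernet", "Fa")):
        if name.startswith(long_form):
            return short_form + name[len(long_form):]
    return name

def parse_port_security_events(log_text):
    """Per-port summary: violation count, offending MACs, and err-disable / recovery state."""
    summary = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False, "recovered": False})
    for line in log_text.splitlines():
        if m := VIOLATION_RE.search(line):
            entry = summary[normalize_ifname(m["port"])]
            entry["violations"] += 1
            entry["macs"].add(m["mac"])
        elif m := ERRDISABLE_RE.search(line):
            summary[normalize_ifname(m["port"])]["err_disabled"] = True
        elif m := RECOVER_RE.search(line):
            summary[normalize_ifname(m["port"])]["recovered"] = True
    return dict(summary)

def recommend(entry, review_threshold=3):
    """Map one port's summary onto the actions in the troubleshooting table (threshold is constructed)."""
    if entry["err_disabled"] and not entry["recovered"]:
        return "err-disabled (shutdown mode): recover with shutdown/no shutdown or errdisable recovery"
    if entry["err_disabled"]:
        return "shutdown mode violation, port auto-recovered: confirm the offending device was removed"
    if entry["violations"] >= review_threshold:
        return "restrict mode, port still up: review allowed MACs and recent network changes"
    return "restrict mode, isolated violation: keep monitoring"
```

On the sample data Fa0/2 shows three violations with the port still up (restrict mode), while Fa0/7 was err-disabled and then auto-recovered, the sequence section 10 describes for shutdown mode with errdisable recovery enabled.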

10. Recovery from Shutdown Mode

  • Manual Recovery:
    interface FastEthernet0/1
     shutdown
     no shutdown
  • Automatic Recovery:
    errdisable recovery cause psecure-violation
    errdisable recovery interval 300    ! (seconds)

11. Best Practices for Violation Modes

  • Use protect where service continuity is critical and logging is not required.
  • Use restrict where you want logs but not port disruption.
  • Use shutdown in sensitive areas or where investigation is mandatory.
  • Always monitor logs and SNMP traps for security events.
  • Document and label security settings for easier management.

12. Troubleshooting Violation Issues

Symptom                               Diagnosis                               Solution
Port is down (err-disabled)           Likely shutdown-mode violation          shutdown / no shutdown, or auto recovery
Frames dropped but no log/trap        Mode is protect                         Change to restrict for logging
Many violation logs, port still up    Mode is restrict, not shutdown          Review allowed MACs / network changes
Frequent port security violations     Allowed MAC addresses may be outdated   Update the allowed MACs or raise the maximum as needed
Example Scenario:
Secure a user port to allow only one MAC address; use restrict mode to log any violations but keep the port up.
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
If a device with a new MAC connects, frames are dropped and a log message is generated, but the port remains up for the allowed MAC.

Key Points and Exam Tips

Key Point      Explanation
Protect        Silent drop, no logs, port stays up
Restrict       Drop + log/trap, port stays up
Shutdown       Drop + log/trap, port is err-disabled (down)
Default Mode   Shutdown (unless changed)
When to Use    Protect/Restrict: user ports; Shutdown: high-security/DMZ/finance
Monitoring     show port-security interface, SNMP/logs for restrict/shutdown
Recovery       Manual (shutdown / no shutdown) or auto with errdisable recovery
When and Where to Use Each Mode:
Protect/Restrict: General user ports, labs, or environments where uptime is important but monitoring is needed.
Shutdown: Finance, executive, DMZ, or any sensitive port—immediately disables access on any violation.

Port Security Violation Modes Quiz

1. What happens to frames from unauthorized MAC addresses in Protect mode?

Correct answer is D. In Protect mode, unauthorized frames are dropped silently without logs or alerts.

2. Which violation mode logs security violations but keeps the port up?

Correct answer is A. Restrict mode drops violating frames and logs the events but does not disable the port.

3. What is the default port security violation mode on Cisco switches?

Correct answer is C. The default mode is Shutdown, which disables the port on violation.

4. Which command configures a switch port to use restrict violation mode?

Correct answer is B. This command sets restrict mode for port security violations.

5. What command can be used to recover a port from shutdown mode after a violation?

Correct answer is A. Manually shutting down and then enabling the interface clears the err-disabled state.

6. Which violation mode does NOT generate SNMP traps or syslog messages?

Correct answer is D. Protect mode silently drops frames without logs or traps.

7. Which of the following is TRUE about restrict mode?

Correct answer is C. Restrict mode drops unauthorized frames and generates logs/traps.

8. When is protect mode best used?

Correct answer is A. Protect mode silently drops unauthorized traffic, minimizing disruption.

9. Which command shows the port security status and violation count on interface FastEthernet0/1?

Correct answer is B. This command provides port security details and violations.

10. What is a recommended use case for shutdown violation mode?

Correct answer is C. Shutdown mode is suited for sensitive areas needing strict security enforcement.
