Port Security Violation Mode

1. Introduction
Port security violation mode defines how a Cisco switch reacts when an unauthorized device sends traffic through a secured port.
Cisco offers three Port Security violation modes to control this behavior:
- Shutdown (default)
- Restrict
- Protect

Each mode offers a different level of enforcement and logging. Let’s explore them one by one.
2. Shutdown Mode (Default)
The Shutdown mode is the most aggressive and secure option.
Behavior
- The switch disables the port (err-disabled state).
- A syslog and/or SNMP alert is generated when the violation occurs.
- All traffic stops on the interface, including from authorized devices.
- The violation counter increases once (at the moment of shutdown).
Once the port is shut down, no additional logs are generated, even if the unauthorized device keeps sending traffic.
This mode gives the strongest enforcement, but at a cost to availability: a single offending frame takes the whole port down, including the legitimate host behind it, so anyone who can inject a frame with a foreign source MAC on that segment can knock the port offline. Bringing it back requires manual intervention (shut and re-enable the interface) or the switch's automatic errdisable recovery.
3. Restrict Mode
The Restrict mode is more flexible than Shutdown mode.
Behavior
- Unauthorized traffic is dropped.
- A syslog and/or SNMP message is generated every time a violation occurs.
- The port remains operational for authorized devices.
- The violation counter increases for each unauthorized frame.
This mode is useful in production environments where network availability is a priority but violation monitoring is still required.
Example Configuration for Restrict Mode
Let’s take a hands-on look at how Restrict Mode operates in practice!

Step 1 – Enable Port Security:
First, enable Port Security on interface G0/1:
SW1(config)# int g0/1
SW1(config-if)# switchport port-security
Step 2 – Configure a secure MAC address (PC1):
Here we statically authorize PC1's MAC address rather than letting the switch learn it. First, the available port security options:
SW1(config)# int g0/1
SW1(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
Now, we configure PC1’s MAC address (AAAA.BBBB.CCCC) as the secure MAC address:
SW1(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
Step 3 – Set violation mode to restrict:
Next, let’s configure the violation mode to Restrict:
The available violation modes are shown below:
SW1(config-if)# switchport port-security violation ?
  protect   Security violation protect mode
  restrict  Security violation restrict mode
  shutdown  Security violation shutdown mode
To enable restrict mode:
SW1(config-if)# switchport port-security violation restrict
Step 4 – Verify:
We can now check the status of Port Security on G0/1:
SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0000.0000.0000:0
Security Violation Count   : 0
Here we can see:
- Port Status: Secure-up, meaning the port is operational.
- Violation Mode: Restrict, confirming the configured mode.
- Security Violation Count: 0, as no unauthorized traffic has been detected yet.
Step 5 – Test with unauthorized device:
Now, let’s connect an unauthorized device to G0/1 and observe what happens.

When the unauthorized device sends data, the switch detects a security violation and logs it:
*Jan 21 13:52:10.469: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address DDDD.EEEE.FFFF on port GigabitEthernet0/1.
*Jan 21 13:52:21.138: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address DDDD.EEEE.FFFF on port GigabitEthernet0/1.
*Jan 21 13:52:26.601: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address DDDD.EEEE.FFFF on port GigabitEthernet0/1.
Each log entry corresponds to a frame sent by the unauthorized device (DDDD.EEEE.FFFF).
Step 6 – Recheck interface status:
SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : DDDD.EEEE.FFFF:1
Security Violation Count   : 9
Observations
✔ Port Status: Secure-up, meaning authorized devices can still use the port.
✔ Last Source Address: Displays the MAC address of the unauthorized device (DDDD.EEEE.FFFF).
✔ Security Violation Count: 9, meaning the switch has detected and logged nine unauthorized frames.
Restrict mode effectively blocks unauthorized traffic while keeping the port operational for authorized devices.
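The per-frame syslog messages are what makes Restrict mode useful to a security team: they can be shipped to a collector and turned into an alert. The Python below is an added example, not part of the original article, showing how to parse those PSECURE_VIOLATION lines, count them per port and offending MAC (which mirrors the switch's own counter), and flag a port only when one MAC trips a threshold inside a time window, so a single mis-plugged laptop does not page anyone while a host that keeps hammering the port does. The log lines are constructed, modeled on the capture above; the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog message emitted by IOS port security on each violation in restrict mode.
# The leading "*" and millisecond suffix come from IOS timestamp formatting; both are optional here.
VIOLATION_RE = re.compile(
    r"^\*?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)?: "
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)

# Constructed sample log, modeled on the messages shown in this article (not captured from a real switch).
# The last line is an unrelated message and must be ignored by the parser.
SAMPLE_LOG = """\
*Jan 21 13:52:10.469: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address DDDD.EEEE.FFFF on port GigabitEthernet0/1.
*Jan 21 13:52:21.138: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address DDDD.EEEE.FFFF on port GigabitEthernet0/1.
*Jan 21 13:52:26.601: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address DDDD.EEEE.FFFF on port GigabitEthernet0/1.
*Jan 21 13:53:02.010: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1111.2222.3333 on port GigabitEthernet0/7.
*Jan 21 13:53:05.555: %LINK-3-UPDOWN: Interface GigabitEthernet0/2, changed state to up
"""


def parse_violations(log_text):
    """Return a list of (timestamp, port, mac) tuples, one per PSECURE_VIOLATION line.

    IOS syslog timestamps carry no year, so strptime yields year 1900; that is fine for
    ordering and windowing within one capture (assumption: the log does not cross a year boundary).
    """
    events = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.match(line.strip())
        if not m:
            continue  # not a port-security violation message
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("port"), m.group("mac").upper()))
    return events


def count_by_port_and_mac(events):
    """Aggregate violations per (port, offending MAC); in restrict mode this mirrors the switch's counter."""
    counts = defaultdict(int)
    for _, port, mac in events:
        counts[(port, mac)] += 1
    return dict(counts)


def flag_ports(events, threshold=3, window_seconds=60):
    """Return {port: mac} for every port where one MAC caused at least `threshold`
    violations within any sliding window of `window_seconds` (assumed tuning values).

    If several MACs trip the threshold on the same port, the last one processed is kept.
    """
    times_by_key = defaultdict(list)
    for ts, port, mac in events:
        times_by_key[(port, mac)].append(ts)

    flagged = {}
    for (port, mac), times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans at most window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[port] = mac
                break
    return flagged


if __name__ == "__main__":
    evts = parse_violations(SAMPLE_LOG)
    for (port, mac), n in sorted(count_by_port_and_mac(evts).items()):
        print(f"{port:<22} {mac}  violations={n}")
    print("flagged:", flag_ports(evts))
```

Run against the sample, GigabitEthernet0/1 is flagged (three violations from DDDD.EEEE.FFFF in sixteen seconds) while GigabitEthernet0/7 is not (a single frame). The same parser is useless in Protect mode, since that mode emits nothing to parse.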
4. Protect Mode
The Protect mode is the most lenient and silent option.
Behavior
- Unauthorized traffic is silently dropped.
- No logs or alerts are generated.
- The port remains fully operational for authorized devices.
- The violation counter is not incremented.
This mode is useful when you expect some violations and don't want them to fill the logs or impact the availability of the port. The trade-off is visibility: nothing is logged and nothing is counted, so a port in Protect mode leaves no record that an unauthorized device was ever present, apart from whatever the Last Source Address field happens to show.
Example Configuration for Protect Mode
Let's see Protect mode in action.

Step 1 – Enable Port Security and define the secure MAC address:
SW1(config)# int g0/1
SW1(config-if)# switchport port-security
SW1(config-if)# switchport port-security mac-address AAAA.BBBB.CCCC
Step 2 – Set violation mode to protect:
SW1(config-if)# switchport port-security violation protect
Testing Protect Mode in Action
Now, connect an unauthorized device with MAC address DDDD.EEEE.FFFF to interface G0/1. That device will attempt to send traffic through the port.

What happens?
- No traffic from the unauthorized device will be forwarded.
- No log message will appear in the console.
- Authorized devices remain unaffected.
- The port stays Secure-up and continues to function normally.
Verifying the Configuration
Use the following command to verify the port’s behavior:
SW1# show port-security interface g0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : DDDD.EEEE.FFFF:1
Security Violation Count   : 0
Key Observations:
- Port Status: Secure-up → The port is active.
- Violation Mode: Protect → Confirming silent mode is active.
- Last Source Address → May still show the most recent MAC, but without any alert or action taken.
- Security Violation Count: 0 → No alert, no counter incremented.
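Because Protect mode neither logs nor counts, the only way to catch an unauthorized device on such a port from this output is to compare Last Source Address against the MACs you actually configured. The Python below is an added example, not from the original article, that parses the output of show port-security interface into a dict and audits it: it flags Protect-mode ports, a last-seen MAC that is not among the expected secure MACs, a non-zero violation counter, and the Secure-shutdown status a port ends up in after a Shutdown-mode violation (section 2). The two sample outputs are constructed to match the format shown in this article; the interface names and the list of expected MACs are assumptions.

```python
import re

# One "Key  : Value" line of 'show port-security interface' output. The key may itself
# contain a colon ("Last Source Address:Vlan"), so split on the first colon that is
# surrounded by whitespace rather than on the first colon in the line.
FIELD_RE = re.compile(r"^\s*(?P<key>.+?)\s+:\s+(?P<value>.*?)\s*$")

# Constructed sample output: Protect mode after an unauthorized device was seen (nothing counted).
SAMPLE_PROTECT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Protect
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : DDDD.EEEE.FFFF:1
Security Violation Count   : 0
"""

# Constructed sample output: Shutdown mode after a violation has err-disabled the port.
SAMPLE_SHUTDOWN = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : DDDD.EEEE.FFFF:1
Security Violation Count   : 1
"""

NULL_MAC = "0000.0000.0000"  # what the field shows before any frame has been seen


def parse_port_security(output):
    """Turn the key/value lines of 'show port-security interface' into a dict."""
    fields = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def audit_port(name, fields, secure_macs=()):
    """Return a list of findings for one port; an empty list means nothing to report.

    secure_macs: the MACs you expect on the port (taken from the running config, an assumption
    here). In Protect mode the violation counter never moves, so comparing Last Source Address
    against this list is the only signal of an unauthorized device in this output.
    """
    findings = []
    mode = fields.get("Violation Mode", "").lower()
    status = fields.get("Port Status", "").lower()
    count = int(fields.get("Security Violation Count", "0"))
    last_mac = fields.get("Last Source Address:Vlan", "").split(":")[0].upper()

    if fields.get("Port Security") != "Enabled":
        findings.append(f"{name}: port security not enabled")
    if status == "secure-shutdown":
        findings.append(f"{name}: err-disabled by port security (last source {last_mac}); needs recovery")
    if count > 0:
        findings.append(f"{name}: {count} violation(s) recorded")
    if mode == "protect":
        findings.append(f"{name}: protect mode, violations are dropped without log or counter")
        expected = {m.upper() for m in secure_macs}
        if last_mac and last_mac != NULL_MAC and expected and last_mac not in expected:
            findings.append(f"{name}: last source {last_mac} is not a configured secure MAC")
    return findings


if __name__ == "__main__":
    for name, raw, expected in (("Gi0/1", SAMPLE_PROTECT, ["AAAA.BBBB.CCCC"]),
                                ("Gi0/2", SAMPLE_SHUTDOWN, ["AAAA.BBBB.CCCC"])):
        for finding in audit_port(name, parse_port_security(raw), expected):
            print(finding)
```

Run it and the Protect-mode port is reported twice (silent mode, and a last-seen MAC that is not AAAA.BBBB.CCCC), while the Shutdown-mode port is reported as err-disabled with one violation; a Restrict-mode port with a zero counter and a null last source produces no findings.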
5. Conclusion
Choosing the right port security violation mode is essential for maintaining both security and availability on Cisco switches.
Port Security Violation Mode | Drops Unauthorized Traffic | Generates Logs | Disables Port | Increments Counter |
---|---|---|---|---|
Shutdown | ✅ Yes | ✅ Yes (once) | ✅ Yes | ✅ Yes (once) |
Restrict | ✅ Yes | ✅ Yes (every time) | ❌ No | ✅ Yes (every time) |
Protect | ✅ Yes | ❌ No | ❌ No | ❌ No |
Choosing the Right Mode
- Shutdown: Ideal for high-security environments where any violation must trigger a complete shutdown and alert.
- Restrict: Best suited for production networks, as it allows normal operations for trusted devices while still logging violations.
- Protect: Useful when silent enforcement is preferred and logging is not required.
By understanding how each port security violation mode works, network administrators can make smarter decisions based on their environment’s needs.