switchport port-security violation [protect|restrict|shutdown]
Configures the action a switch port takes when a port-security violation occurs, such as when the maximum number of secure MAC addresses is exceeded or a frame arrives from a MAC address that is not allowed on the port.
When to Use This Command
- Preventing unauthorized devices from accessing the network by shutting down the port when a violation occurs.
- Allowing limited access by restricting traffic from unknown MAC addresses while logging violations.
- Mitigating MAC flooding attacks by dropping frames from unknown MAC addresses without taking the port down (protect mode).
- Enforcing security policies in a campus network where only specific devices are allowed on certain ports.
Command Examples
Configure port security violation to shutdown
Switch(config-if)# switchport port-security violation shutdown
This command sets the violation mode to shutdown, which err-disables the port if a violation occurs. No output is shown upon successful configuration.
Configure port security violation to restrict
Switch(config-if)# switchport port-security violation restrict
This command sets the violation mode to restrict, which drops frames from unknown MAC addresses and increments the violation counter. No output is shown upon successful configuration.
Understanding the Output
This command does not produce output on its own. To verify the violation mode, use 'show port-security interface <interface>'. The output will display the 'Violation Mode' field, which can be 'shutdown', 'restrict', or 'protect'. In 'shutdown' mode, the port will be err-disabled and show 'Port Status: secure-down' or 'err-disabled'. In 'restrict' mode, the port remains up but drops violating traffic and increments the violation counter. In 'protect' mode, the port drops violating traffic silently without incrementing the counter. Watch for 'Violation Count' to increase in restrict mode, indicating unauthorized access attempts.
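The 'Violation Count' check above can be automated. The following Python script is an added example, not part of the original page or of Cisco IOS: it parses the summary table of 'show port-security' (the sample text is constructed to mirror the IOS layout; ports, counts and modes are invented) and reports ports left in protect mode, where violations are never counted, and ports whose violation counter has risen since the last poll.

```python
import re
from dataclasses import dataclass

# Constructed sample of 'show port-security' summary output, modelled on the
# IOS layout. The ports, counts and modes are invented for this example.
SAMPLE_SHOW_PORT_SECURITY = """\
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Gi0/1              2            1                  3         Restrict
      Gi0/2              1            1                  0          Protect
      Gi0/3              1            1                  1         Shutdown
      Gi0/4              1            0                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 8192
"""

# One data row: port, max addresses, current addresses, violations, action.
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(Protect|Restrict|Shutdown)\s*$")


@dataclass
class SecurePort:
    name: str
    max_addr: int
    current_addr: int
    violations: int
    action: str


def parse_port_security(text):
    """Return one SecurePort per data row of the summary table; headers and
    separator lines do not match the row pattern and are skipped."""
    ports = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports.append(SecurePort(m.group(1), int(m.group(2)), int(m.group(3)),
                                    int(m.group(4)), m.group(5)))
    return ports


def audit(ports, previous_counts=None):
    """Return (port, finding) pairs. previous_counts maps port name to the
    violation count seen at the last poll, so a rising counter is reported."""
    previous_counts = previous_counts or {}
    findings = []
    for p in ports:
        if p.action == "Protect":
            # Protect drops frames silently: the counter never moves and nothing is logged.
            findings.append((p.name, "protect mode hides violations; prefer restrict or shutdown"))
        if p.violations > previous_counts.get(p.name, 0):
            findings.append((p.name, f"violation count rose to {p.violations}"))
    return findings
```

Feed it the real command output captured from the switch (for example via SSH) and keep the returned counts as the previous_counts for the next poll.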
CCNA Exam Tips
Remember that 'shutdown' is the default violation mode for port security.
In the CCNA exam, know that 'restrict' drops violating frames and increments the violation counter, while 'protect' drops frames silently without incrementing the counter.
Be aware that a port placed in err-disable state by a security violation must be re-enabled manually with 'shutdown' followed by 'no shutdown', unless automatic recovery has been configured globally with 'errdisable recovery cause psecure-violation'.
The 'protect' mode is not recommended for security because it does not log violations, making it harder to detect attacks.
Common Mistakes
Confusing 'restrict' and 'protect': 'restrict' increments the violation counter, 'protect' does not.
Forgetting that 'shutdown' mode err-disables the port and requires manual intervention to recover.
Not enabling port security first with 'switchport port-security' before setting the violation mode.
Related Commands
show port-security
Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.