What Is Restrict mode in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Restrict mode is a setting on network switches that controls what happens when an unauthorized device tries to connect. Instead of shutting down the port or blocking everything, the switch only blocks traffic from that unauthorized device. It still records the event in error logs so a network administrator can be notified. This is a middle-ground security response that balances safety with keeping the network running.
Commonly Confused With
Both restrict and protect drop traffic from unauthorized MACs and keep the port up. The key difference is that restrict mode generates syslog messages and SNMP traps and increments the violation counter, while protect mode drops traffic silently with no logging. Restrict provides visibility; protect does not.
If you want to know when someone tries to plug in a rogue device, use restrict. If you don't care about logs, use protect.
Shutdown mode disables the port interface entirely (error-disabled state) upon a violation. The port must be manually or automatically recovered using errdisable recovery. Restrict mode never disables the port. Shutdown is the most aggressive, restrict is moderate.
If you plug a friend's laptop into a port in shutdown mode, the port goes dead for everyone until an admin fixes it. In restrict mode, your laptop still works, but your friend's does not.
Port security with restrict mode uses MAC addresses to decide access. 802.1X uses credentials (username/password or certificates). Restrict mode is simpler but easier to bypass (MAC spoofing). 802.1X is more secure but requires an authentication server like RADIUS. They can be used together.
Port security is like checking a person's ID badge. 802.1X is like asking for a username and password. Restrict mode is what happens if the ID badge is invalid: you let the person in but not do any work.
Must Know for Exams
Restrict mode is a common topic in Cisco CCNA (200-301) and CompTIA Network+ (N10-008/009) exams. For CCNA, it falls under the exam objective 'Configure and verify Layer 2 discovery protocols and Port Security.' The exam expects you to know the three violation modes (shutdown, restrict, protect) and their behavior. You will likely see a multiple-choice question asking which mode logs violations but does not shut down the port. The correct answer is restrict. You may also see a simulation where you are asked to configure port security on an interface and you must choose the restrict keyword to meet a requirement that the port must remain operational during a violation.
For CompTIA Network+, port security concepts appear under '2.1 Compare and contrast networking devices' and '3.2 Explain the purpose of organizational processes and procedures.' The exam focuses more on the concept than the command syntax. You might be asked: 'A network administrator wants to prevent unauthorized devices from connecting while ensuring the port stays active for authorized users. Which violation mode should be used?' Restrict is the correct choice. They may also ask about the difference between restrict and protect mode (protect does not send syslog messages; restrict does).
In more advanced exams like CCNP or JNCIS, restrict mode might appear in troubleshooting scenarios. A candidate might be shown a logging configuration and asked why a port is not sending syslog messages during violations, which would indicate it is in protect mode rather than restrict mode. Knowing the exact behavior differences is critical.
Question types include direct knowledge definition questions, scenario-based questions (e.g., 'You are securing a public kiosk. The port must not go down. Which mode?'), and configuration questions that require you to spot an error (e.g., 'The port is dropping traffic from unknown devices but no logs are generated. What is wrong?'). The key is to remember: Shutdown = port disabled. Restrict = port stays up, logs sent, traffic dropped. Protect = traffic dropped, but no logs.
Simple Meaning
Imagine you have a secure building with a security guard at the door. The guard has a list of people who are allowed to enter freely. Most security systems, if an unauthorized person shows up, might either lock the entire door (shutting down access for everyone) or let everyone through but just make a note. Restrict mode is like a smarter guard. The guard keeps the door open so the authorized people can still get in. However, when the unauthorized person tries to walk in, the guard physically blocks only that one person and writes down their name and the time they tried to enter. This way, the building stays open, the good people keep working, and the security team gets a report of who tried to sneak in.
In the IT world, network switches use something called port security to control which devices (computers, printers, phones) can plug into a specific port on the switch. You can tell the switch, "Only this one specific computer is allowed on this port." The switch identifies the computer by its MAC address, which is a unique hardware ID. When a different device tries to plug into that same port, the switch has a choice. It can just shut down the entire port (that is called shutdown mode), which means even the authorized computer can't use it anymore until an administrator fixes it. Or it can let the unauthorized traffic in but just log it (that is called protect mode). Restrict mode is the balanced choice. The switch keeps the port up and running for the authorized computer. But it drops all traffic from the unknown device into a black hole, and it also sends a notification and writes a log entry. The unauthorized device thinks it is connected, but nothing works, and the administrator gets an alert.
Full Technical Definition
Restrict mode is one of three configurable violation actions for Cisco IOS port security, defined under the switchport port-security violation {protect | restrict | shutdown} command. When a switch port is configured with port security and a maximum MAC address limit is set (typically 1 to 132 addresses), the switch monitors incoming frames and learns the source MAC addresses of connected devices. If an unknown source MAC address attempts to send traffic after the port has reached its allowed MAC address limit, the switch evaluates its configured violation mode.
In restrict mode, the switch does not disable the port interface. Instead, it discards all frames received from the violating MAC address. However, the switch continues to forward traffic for all previously learned and authorized MAC addresses on that port. The switch also increments the security violation counter for that interface and sends a syslog message (e.g., %PORT_SECURITY-2-PSECURE_VIOLATION) to the logging buffer or an external syslog server. An SNMP trap is generated as well, assuming SNMP has been configured on the network management system. The restriction remains active until the violating MAC address is manually removed from the secure MAC address table, the port is administratively shut and re-enabled, or the aging timer for MAC addresses expires.
From a standards perspective, port security is a proprietary feature but is widely implemented in enterprise switches from Cisco, HP Aruba, Juniper, and others. The underlying mechanism relies on the Content Addressable Memory (CAM) table and MAC address filtering. The switch maintains a table of allowed MAC addresses. In restrict mode, the switch uses a hardware ACL (Access Control List) to dynamically deny frames matching the unauthorized source MAC. This minimizes CPU overhead because the filtering is done at the hardware level. However, the logging actions (syslog and SNMP) do consume some control plane resources.
Real IT implementation scenarios include securing physical access points in a data center or a corporate office. For example, a network administrator might configure restrict mode on ports that connect to a printer or an IP phone that should not be moved. If someone unplugs the printer and plugs in a laptop, the laptop will receive no network traffic, but the printer can be reconnected later without requiring administrative intervention to re-enable the port. This is why restrict mode is favored over shutdown mode in environments where downtime is costly and where security violations are likely to be accidental rather than malicious.
Real-Life Example
Think about a parking garage with a electronic gate that reads license plates. The garage has a list of license plates for monthly subscribers. Usually, if a car with an unrecognized plate shows up, the gate might either close completely (shutting out everyone, including subscribers) or open for everyone but just take a picture. Restrict mode is like an intermediate system. The gate stays open for subscribers. When the unauthorized car approaches, a small barrier arm rises only in front of that car's path, blocking it, while other lanes remain open. The system also records the time, the license plate number, and the lane number. The unauthorized driver cannot park, but the subscribers are not delayed.
Now apply this to a computer network. Imagine a busy hospital floor. Each patient room has a network port for the bedside computer. The port is configured to only allow that specific computer's MAC address. A visitor unplugs the computer to charge their phone. In restrict mode, the phone gets no data, the computer is still working when plugged back in, and the IT team gets a log: "Unknown device attempted on port 23 at 3:14 PM." The visitor doesn't cause a network outage, and the staff can continue working. This prevents the IT department from having to run across the hospital to manually re-enable a port every time someone accidentally plugs in the wrong device.
Why This Term Matters
In practical IT, uptime and security are often in conflict. A security feature that shuts down a port every time an unauthorized device connects can cause more operational problems than it solves. For example, in a busy open office, users often move their laptops between desks. If every port is in shutdown mode, the first time a user plugs into a new desk, the port locks. The user calls IT, who must physically or remotely re-enable the port. This wastes time and creates frustration. Restrict mode solves this by allowing the authorized user to continue working while silently blocking the guest. It also provides a log so IT can identify potential security risks.
From a security perspective, restrict mode is not a cure-all. It does not prevent an attacker from using a spoofed MAC address to bypass the filter. However, it is a very effective layer of defense against casual network access. It also helps with network device inventory. If a port logs frequent restrict violations, it may indicate a device has been replaced or an unauthorized device is being connected. The logs are actionable data for network audits and compliance.
For professionals managing large networks, restrict mode reduces administrative overhead. In shutdown mode, an administrator must manually issue a no shutdown command after each violation. In restrict mode, the port recovers automatically once the violating device is disconnected, assuming the MAC address aging timer expires. This is a significant time saver. Finally, restrict mode is often a requirement in security frameworks like PCI DSS, which mandates physical access control to network jacks. Using restrict mode helps satisfy compliance requirements without creating a helpdesk nightmare.
How It Appears in Exam Questions
Exam questions about restrict mode typically fall into three patterns: scenario-based, configuration-based, and troubleshooting-based.
Scenario-based questions present a network situation and ask for the best violation mode. For example: 'A company has a guest WiFi network. Employees are allowed to plug their laptops into wired ports in conference rooms. The port should remain up for authorized devices, but traffic from unknown devices should be blocked and logged. Which violation mode should be configured?' The correct answer is restrict. A variant of this question might list the three modes and ask which one allows the port to remain operational. The trap option is often 'protect' because learners confuse 'protect traffic' with 'protect the port'. But protect mode does not log violations, so if logging is required, the answer must be restrict.
Configuration-based questions show a command line interface. They might ask: 'Refer to the exhibit. A network engineer has entered the following commands on an interface: switchport port-security switchport port-security maximum 1 switchport port-security violation ????? The requirement is that the port must notify the administrator via syslog if an unauthorized device is detected. Which keyword completes the command?' The correct keyword is 'restrict'. The distractors are 'shutdown' and 'protect'. shuts down the port, which violates the 'port stays up' requirement. protect does not send logs.
Troubleshooting-based questions present a problem. For example: 'An administrator notices that a switch port configured with port security in restrict mode is not generating any syslog messages during a violation. However, the unauthorized device is not able to communicate. What is the most likely cause?' The answer is that 'switchport port-security violation protect' was configured instead of restrict. Another common troubleshooting question: 'A switch port is in restrict mode. An unauthorized MAC address is detected. Which of the following is true about the security violation counter?' The correct answer is that the counter increments. This tests knowledge of the operational differences.
some questions compare restrict mode with other security features like 802.1X. They might ask: 'Which feature would be used to authenticate users via username/password rather than MAC addresses?' The difference between port security (MAC-based) and 802.1X (user-based) is a common point of confusion. Restrict mode questions will always be about the punishment, not the authentication method.
Practise Restrict mode Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a network administrator for a small law firm. The firm has 20 employees, and each employee has a designated desk with a wired network port. The firm's security policy requires that only company-issued laptops are allowed on the wired network. Your supervisor wants a solution that will prevent an unauthorized device (like a guest's laptop) from accessing the network, but she does not want the port to stop working for the authorized employee. She also wants to receive an email alert if a violation occurs.
You decide to configure port security in restrict mode. On each switch port, you set the maximum MAC address to 1 (only one device is allowed). You enter the command switchport port-security violation restrict. You also configure the switch to send syslog messages to a central log server, which triggers an email alert via your monitoring software.
A few days later, a paralegal named Sarah unplugs her company laptop to take it to a meeting. While she is away, a visiting attorney plugs his personal tablet into Sarah's port. The tablet's MAC address is not in the allowed list. The switch immediately detects the violation. Because the port is in restrict mode, the port does not shut down. Sarah's laptop, when she returns and plugs it back in, will still work. However, the tablet gets no network access. The switch increments the violation counter and sends a syslog message: '%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port FastEthernet0/13.' Your monitoring software picks up this log and sends you an email. You check the logs, see the unknown MAC, and you recognize it does not belong to the firm. You then review security camera footage and see the visiting attorney. You politely remind him that only authorized devices can connect to the wired network and direct him to the guest WiFi password. The incident is resolved without anyone losing connectivity.
Common Mistakes
Thinking restrict mode shuts down the port like shutdown mode.
Restrict mode keeps the port administratively up and operational for authorized devices. Only traffic from the violating MAC address is dropped. The port interface itself remains active.
Remember: shutdown = port disabled, restrict = port enabled but bad traffic blocked.
Confusing restrict mode with protect mode and thinking both generate logs.
Protect mode drops unauthorized traffic silently without generating syslog messages or SNMP traps. Restrict mode does generate logs and increments the security violation counter.
Think: 'Protect is quiet, Restrict reports.' If logs are required, use restrict.
Believing restrict mode removes the unauthorized MAC address automatically.
The unauthorized MAC address is not removed from any table automatically in restrict mode. It is simply blocked from forwarding. The secure MAC address table still holds only the authorized MACs.
Restrict blocks the attacker but does not delete the allowed list. The authorized MAC remains valid.
Assuming restrict mode works with dynamically learned MAC addresses only.
Restrict mode works with both statically configured secure MAC addresses and dynamically learned addresses. The mode behavior (blocking, logging) is independent of how the MAC became authorized.
Restrict mode is a violation response, not a learning method. It works regardless of how MACs are learned.
Thinking that a violation in restrict mode triggers a recovery action like a timer.
Restrict mode does not have a recovery timer. The violation state persists until an administrator clears the violation counter, removes the unauthorized device, or the MAC aging timer removes the MAC from the table.
Violations in restrict mode are sticky. You must either wait for MAC aging or manually intervene.
Exam Trap — Don't Get Fooled
{"trap":"A question asks, 'Which port security violation mode allows the port to remain up, drops traffic from unknown sources, but does NOT generate a syslog message?' The trap is that learners choose 'restrict' because they remember the 'remains up' part.","why_learners_choose_it":"Learners often memorize that restrict mode keeps the port up and drops traffic.
They forget that restrict mode also generates syslog messages. The option 'protect' matches all three requirements: port stays up, traffic dropped, no syslog.","how_to_avoid_it":"Memorize the three modes using a mnemonic: 'Shut down.
Restrict reports. Protect is quiet.' Always check whether logging is mentioned in the question. If the question says 'no syslog' or 'without notification,' the answer is protect. If logging is mentioned, the answer is restrict."
Step-by-Step Breakdown
Configure port security on the interface
The administrator enters interface configuration mode (e.g., interface FastEthernet0/1) and enables port security using the command switchport port-security. Without this global enable, the violation mode command has no effect.
Set the maximum number of allowed MAC addresses
The command switchport port-security maximum 1 limits the port to learning only one MAC address. If more devices connect, the violation action is triggered. This number can be increased for ports connecting to IP phones (which need two MACs: phone and PC).
Define the violation action as restrict
The command switchport port-security violation restrict configures the port to stay up, block unauthorized traffic, and log the violation. This is the core setting that determines the behavior.
Learn the authorized MAC address
The switch learns the MAC address of the first device connected to the port. This can happen dynamically (sticky learning) or be manually configured with the command switchport port-security mac-address XXXX.XXXX.XXXX. The MAC is stored in the running configuration.
Violation occurs
When a second device with a different MAC address sends a frame on the port, the switch checks the secure MAC table. It finds that the new MAC is not allowed and that the maximum limit is already reached. The violation action is triggered.
Switch enforces restrict mode
The switch drops all frames from the violating MAC address. The port remains up. The switch increments the Port Security violation counter. A syslog message is generated and, if configured, an SNMP trap is sent. The violating MAC is NOT added to the secure MAC table.
Admin reviews and remediation
The administrator checks logs, identifies the unauthorized device, and takes appropriate action (e.g., reconfiguring the port, removing the unauthorized device, or adding the device to the allowed list if it is legitimate). The violation counter can be cleared with clear port-security sticky interface FastEthernet0/1.
Practical Mini-Lesson
To truly understand restrict mode, you need to see how it fits into real-world network configuration and management. On a Cisco switch, port security is disabled by default. To use restrict mode, you must explicitly enable port security on an interface, then set the violation action. The typical sequence is:
interface GigabitEthernet0/1 switchport mode access switchport port-security switchport port-security maximum 1 switchport port-security violation restrict switchport port-security mac-address sticky
The sticky keyword tells the switch to dynamically learn the first MAC address and then write it to the running configuration as if it were a static entry. This is extremely useful for environments where you don't want to manually type in every MAC address. Once learned, the MAC is part of the interface configuration and will survive a switch reload if saved to startup config.
What can go wrong? A common issue is that the switch port connects to a device that has multiple MAC addresses (like a virtual machine host). If you set maximum 1, the first VM might work, but the second VM's traffic will trigger a violation. The solution is to increase the maximum based on how many devices are behind the port. Another issue is that some older switches or non-Cisco switches interpret restrict mode slightly differently. For example, some low-cost managed switches might not support restrict mode at all and only offer shutdown or protect.
Another important consideration is that restrict mode does not stop MAC flooding attacks. An attacker can still send thousands of frames with different source MACs to fill the CAM table, which is a different attack. Port security only limits the number of learned MACs; it does not prevent CAM table exhaustion if you set a high maximum. For that, you would need features like port security with a low maximum or dynamic ARP inspection.
From a troubleshooting perspective, if a port is in restrict mode but no logs are appearing, check the logging configuration. Port security violation logs are at the severity level 2 (critical). If the global logging buffer is too small or logging has been disabled, you will not see the messages. The command show port-security interface [interface] is your best friend. It will display the violation mode, the violation count, and the current action. If the violation count is incrementing but no traffic passes from any device, the maximum might have been hit before the authorized MAC was learned. The command show port-security address shows which MAC addresses are allowed.
Finally, professionals often combine restrict mode with other security features. For example, you can use DHCP snooping together with port security to prevent rogue DHCP servers. Or you can use 802.1X for strong authentication and then port security as a backup for devices that fail authentication. Understanding restrict mode as one tool in a layered security strategy is the mark of a skilled network engineer.
Memory Tip
Restrict = Record. Shutdown = Shut. Protect = Peaceful (quiet).
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
Frequently Asked Questions
Can restrict mode prevent an attacker from spoofing a MAC address?
No. Restrict mode checks the source MAC address of the device. If an attacker spoofs the authorized MAC address, the switch will treat the traffic as authorized. Restrict mode is not a defense against MAC spoofing; it only protects against unauthorized devices with different MAC addresses.
Does restrict mode require any special licensing on a Cisco switch?
No. Port security including restrict mode is a base feature on most Cisco Catalyst switches. No additional license is needed beyond the switch's IOS image. However, some advanced security features like 802.1X may require a higher license level.
What happens to the violating MAC address after a restrict violation?
The violating MAC address is not stored in the switch's secure MAC address table. The switch simply discards frames from that MAC. The MAC address may appear in the violation log (via syslog), but it is not added to any permanent table.
Can I use restrict mode on a trunk port?
Yes, port security and restrict mode can be configured on trunk ports. However, it is not recommended because trunk ports carry multiple VLANs and often have many MAC addresses. Restrict mode on a trunk can cause unexpected behavior and is rarely used in production.
How do I clear a restrict mode violation without reloading the switch?
You can clear the violation counter and allow the port to learn a new MAC by using the command clear port-security sticky interface [interface] or clear port-security all. Alternatively, you can administratively shut and no shut the interface.
Is restrict mode better than shutdown mode for a public WiFi hotspot?
For a public WiFi hotspot where users frequently change, you likely do not want port security at all. If you must use it, restrict mode is better than shutdown because it prevents a single bad plug from taking down the port for everyone. However, in public spaces, 802.1X or captive portals are more suitable.
Summary
Restrict mode is a VLAN security feature that gives network administrators a balanced response to unauthorized device connections on a switch port. It is one of three violation actions in port security, sitting between shutdown mode (which disables the port) and protect mode (which silently drops traffic). The defining characteristic of restrict mode is that it keeps the port operational for authorized devices, blocks traffic from unknown MAC addresses, and records the violation through syslog and SNMP. This combination of availability and auditability makes it the most practical choice for many production environments.
For IT certification exams, especially CCNA and Network+, understanding the exact behavior of restrict mode and distinguishing it from protect and shutdown is essential. Exam questions will test not just the definition but also the troubleshooting implications, such as why logs are missing or why a port is still active during a violation. The memory tip 'Restrict records' can help you recall that restrict mode is the only violation mode that both blocks and logs.
In real-world practice, restrict mode reduces administrative overhead by avoiding unnecessary port shutdowns while still providing visibility into security events. Professionals should remember that restrict mode is not a complete security solution. It must be combined with other measures like 802.1X, DHCP snooping, and VLAN segmentation for a robust defense. However, as a simple and effective tool in the network security toolkit, restrict mode is invaluable for anyone managing a switched network.