What Is Shutdown mode in Networking?
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
Shutdown mode is a security feature on network switches. When a switch port detects a violation, like a wrong MAC address trying to connect, the port automatically turns off. This stops the unauthorized device from accessing the network. The port stays disabled until a network administrator manually brings it back up.
Commonly Confused With
Restrict mode keeps the port up and operational for all authorized devices. It drops frames from the violating MAC address and logs the violation, but the port remains active. Shutdown mode completely disables the port, blocking all traffic.
If restrict mode is used, a guest laptop on a port would be blocked from sending data, but the authorized desktop on the same port would still work. With shutdown, the entire port goes dead and neither device can use it.
Protect mode drops frames from the violating MAC address without any logging or alert. The port stays up. Shutdown mode disables the port and generates a log. Protect is silent and does not increment the violation counter.
A malicious device plugged into a port in protect mode would be silently ignored with no record, but the port remains usable by other devices. With shutdown, the port shuts off and an administrator is alerted.
Errdisable is the resulting state of a port after a shutdown violation, but it is not a violation mode itself. It is a condition triggered by many features, like BPDU guard or UDLD. Port security with shutdown is just one cause of errdisable.
A port can go err-disable because of a loop detection (STP BPDU guard) or because of a port security violation. Both end in the same state, but the cause and recovery commands differ. Shutdown mode is the configuration, errdisable is the effect.
This command sets the maximum number of MAC addresses allowed on a port. It defines the threshold that, when breached, can trigger a violation. It is not a violation mode. Shutdown mode is what happens when that threshold is crossed.
Setting maximum to 1 means only one device can learn. If a second device appears, that triggers the violation, and the configured mode (shutdown) determines the action. The maximum is the rule; shutdown is the penalty.
Must Know for Exams
Shutdown mode is a frequent topic in Cisco CCNA, CompTIA Network+, and other networking certification exams. It is a core concept within the Port Security section. In the CCNA 200-301 exam, port security with shutdown mode appears under the 'Security Fundamentals' domain. Candidates must know the three violation modes: shutdown, restrict, and protect. Shutdown is the default and the most important. Exam questions often ask which mode is the most secure or which mode places the port in an err-disabled state.
In the CompTIA Network+ (N10-008 or N10-009) exam, port security is covered under network security and switching concepts. Questions may present a scenario where a company wants to automatically disable a port if an unauthorized device is detected to prevent further access. The correct answer is shutdown mode. They also test the recovery process: knowing that an administrator must manually re-enable the port or configure auto-recovery.
Exam objectives expect you to understand the difference between the three modes. Shutdown mode is the only one that error-disables the port. Restrict mode keeps the port up but logs the violation and drops frames from the unknown MAC. Protect mode silently drops frames without logging. Questions often list these options and ask you to select the one that disables the port. A common trick is to list 'disable' as an option, but the official Cisco term is 'shutdown'.
In simulation questions, you might be asked to configure port security on an interface with the shutdown violation action. The commands are: interface FastEthernet0/1, switchport port-security, switchport port-security maximum 1, switchport port-security mac-address sticky, switchport port-security violation shutdown. You might also be asked to verify the port status after a violation using show interfaces status or show port-security.
For exams beyond Cisco, such as Juniper JNCIA, the concept is similar but the terminology may differ. Juniper uses the term 'shutdown' within the port security configuration under ethernet-switching options. The underlying logic is the same: a violation causes the interface to disable.
Overall, shutdown mode is a high-probability topic. It is simple to understand but easy to confuse with other modes. Exam-takers should memorize the exact behavior: shuts down the port, sends syslog messages, increments violation counter, port enters err-disabled state, requires manual recovery or auto-recovery configuration.
Simple Meaning
Think of shutdown mode like a lock on a door that has a security guard watching who comes in. You have a list of approved people who are allowed to enter through that door. If someone who is not on the list tries to come in, the security guard not only stops them but also permanently locks the door from the inside. That door cannot be used again until the head of security comes over, checks what happened, and unlocks it with a special key.
In a computer network, each switch port is like that door. The switch has a list of approved devices, identified by their MAC addresses, that are allowed to plug into that port. When a device that is not on the list plugs in or sends data, it creates a security violation. If the port is set to shutdown mode, the switch immediately disables the port. The light on the port goes dark, and no data can travel through it anymore. The port stays that way even if the unauthorized device is removed.
This is different from other modes that might just warn you or block only the offending device. Shutdown mode is the most serious response. It completely cuts off that connection point until a human, usually a network administrator, logs into the switch and issues a command to bring the port back to life. This ensures that a security breach cannot continue to happen on that port without someone in charge knowing about it and deliberately fixing it.
For someone learning about IT, it is important to understand that shutdown mode is a strong, final action. It is used in environments where security is very important, and where even a small unauthorized attempt to connect must be treated as a serious incident. It adds a layer of physical security to the network, making sure that only the right devices can connect in the right places.
Full Technical Definition
Shutdown mode is one of the three configurable violation actions for Cisco switch port security, along with restrict and protect. When a port security violation is detected, and the configured action is shutdown, the switch immediately places the port into an error-disabled state. This action is triggered by specific events: the port receives a frame from a MAC address that is not in the secure MAC address list and the maximum number of allowed secure MAC addresses has already been reached, or when a MAC address that is statically configured on one port is seen on a different port.
The violation detection mechanism is rooted in the switch's Content-Addressable Memory (CAM) table. When a frame arrives at a port with port security enabled, the switch checks the source MAC address against the list of secure addresses. If the address is not found and the port has reached its configured maximum number of secure addresses, a violation counter increments. In shutdown mode, the switch then sets the port state to err-disabled. This is a port condition where all Layer 1 and Layer 2 functionality is halted. The port LED typically turns off, and the switch discards all incoming and outgoing frames on that port.
The err-disabled state is recorded in the switch's running configuration. The specific command used to enable shutdown mode is switchport port-security violation shutdown. It is also possible to use the variant shutdown vlan, which only places the specific VLAN on the port into error-disable state, allowing other VLANs on a trunk port to continue functioning. The standard shutdown action disables the entire port across all VLANs.
To recover from a shutdown mode violation, an administrator must manually perform a shutdown command followed by a no shutdown command on the interface. Alternatively, the errdisable recovery cause psecure-violation global command can be configured, allowing the port to automatically recover after a specified interval. This auto-recovery is useful in environments where temporary violations are expected, but it reduces the security effectiveness of the feature.
In real IT implementations, shutdown mode is used on access ports in office environments and data centers where the physical port is dedicated to a specific device. For example, a port for a CEO's desktop would be configured with a single allowed MAC address and the shutdown violation action. If an attacker unplugs the desktop and plugs in a laptop, the port shuts down immediately, creating a security log entry and alerting administrators.
Standards such as IEEE 802.1X can be used alongside port security, but shutdown mode operates independently at Layer 2. It does not rely on authentication servers. It is a simple, deterministic, hardware-enforced security measure that works even without network connectivity to a central server.
Real-Life Example
Imagine a private office building with a secure parking garage. Each employee has a specific, assigned parking spot. The garage has an automated gate that only opens when it reads a specific RFID tag attached to the employee's car. The system is programmed with a list of which RFID tag belongs to which parking spot.
One day, an unauthorized driver without a proper tag tries to enter the garage by following closely behind a legitimate car. The system detects that a car without an approved tag is attempting to use a spot. In response, not only does the gate refuse to open, but the entire entrance lane shuts down completely. A red barrier arm drops down, and the lane is sealed off. No further cars can enter that lane until a security guard comes out, inspects the situation, and manually lifts the barrier. The lane is in a 'shutdown mode'.
This is exactly how shutdown mode works on a switch port. The parking spot is the switch port. The RFID tag is the MAC address of the authorized device. The gate system's list of approved tag-to-spot mappings is the switch's secure MAC address table. When the unauthorized car (device) shows up, the lane (port) does not just issue a warning or briefly block that one car. It completely stops all traffic on that lane by going into a full shutdown. The lane stays dead until the guard (network administrator) manually resets it.
In contrast, a less severe mode would be like a lane that just flashes a warning light but still lets other cars through after the unauthorized car leaves. Shutdown mode is the most restrictive. It prioritizes security over convenience. In a corporate network, this prevents any further attempts from the same physical port and forces an administrator to investigate why a foreign device tried to connect. It is a very effective way to prevent someone from simply unplugging a workstation and plugging in a rogue laptop to gain network access.
Why This Term Matters
Shutdown mode matters because it provides the strongest possible Layer 2 security response against unauthorized physical access to a network. In many organizations, the physical security of network ports is a weak point. Conference rooms, open office areas, and even individual cubicles have live network ports. Without port security, anyone with a physical cable can plug a device into the wall and gain access to the internal network. This is a major vector for attacks like rogue DHCP servers, ARP spoofing, or malware introduction.
Shutdown mode addresses this risk by not just logging the intrusion but stopping it cold. It forces the network administrator to take action. This is crucial in environments that must comply with security standards like PCI-DSS, HIPAA, or ISO 27001. These standards often require measures to prevent unauthorized network access. Shutdown mode is a straightforward way to demonstrate compliance with that requirement.
it simplifies incident response. When a port goes into err-disabled state because of a shutdown violation, the network logging system records the exact time, port, and the offending MAC address. The administrator knows that something happened at that physical location. They can then investigate whether a device was swapped, a visitor plugged in, or if there is a faulty device broadcasting unexpected MAC addresses. Without shutdown mode, the violation might only cause a log message that is easily overlooked, and the unauthorized device could remain connected and active on the network.
Another reason it matters is that it prevents network disruption. A device that is not supposed to be on a specific port could cause loops, broadcast storms, or IP address conflicts, impacting other users. Shutdown mode prevents this by instantly isolating the port. The impact is contained to that single connection point.
shutdown mode is a critical tool for maintaining network security boundaries. It enforces the principle of least privilege at the physical layer. It is a direct, enforceable policy that says only the designated device can use that cable. For IT professionals, understanding and correctly configuring shutdown mode is a basic but powerful skill for securing a local area network.
How It Appears in Exam Questions
Shutdown mode questions appear in multiple formats across certification exams. The most common is a multiple-choice question directly asking for the violation mode that disables the port. For example: 'Which port security violation mode causes the switch port to enter an error-disabled state?' The answer is shutdown. Another variant asks: 'An administrator wants a switch port to automatically stop all traffic if an unknown MAC address is detected. Which configuration should be applied?' Again, shutdown mode is the correct choice.
Scenario-based questions are very common. A typical scenario describes a company that experiences security incidents where employees plug personal laptops into network jacks. The policy requires that any such attempt immediately disables the port and alerts the IT team. The question asks: 'Which port security violation mode should be configured?' The candidate must select shutdown. A more advanced scenario might describe a port that is currently in err-disabled state and ask the candidate to identify the most likely cause, with the correct answer being a port security violation with the shutdown action.
Configuration questions appear in simulations and multiple-choice format. A candidate might be shown a partial configuration and asked what is missing. For example: 'interface GigabitEthernet0/1 switchport port-security switchport port-security maximum 2 switchport port-security mac-address sticky', The missing command is 'switchport port-security violation shutdown'. Candidates must recognize that shutdown is the default, but it is good practice to explicitly configure it, and some questions test if the default behavior is known.
Troubleshooting questions are also frequent. A ticket might say: 'Users connected to port Fa0/2 lost network connectivity after a device was plugged in. The port LED is off. Show interface status shows the port is err-disabled.' The question asks: 'What command should the administrator use to restore functionality?' The answer is to enter interface configuration mode and use 'shutdown' followed by 'no shutdown'. A related question might ask why auto-recovery is not working, which tests knowledge of the 'errdisable recovery cause psecure-violation' command.
Exam questions also test the difference between shutdown and shutdown vlan. For example: 'A trunk port experiences a port security violation. Which configuration disables only the VLAN where the violation occurred?' The correct answer is shutdown vlan. Questions may also combine port security with other features like sticky MAC addresses, where a violation could occur if the maximum is reached and a new MAC appears.
Practise Shutdown mode Questions
Test your understanding with exam-style practice questions.
Example Scenario
A small business has a single network switch in a closet. The switch has 24 ports. Port 1 is used by the receptionist's desktop computer. Port 2 is used by the accounting manager's computer. The office policy is strict: only these specific computers should be plugged into those ports. No guests or other employees should be able to use these ports.
A visitor to the office sees an empty cubicle with a live network port. The visitor plugs in their laptop, hoping to get internet access. However, the network administrator has previously configured port security on all switch ports using the shutdown violation mode. The visitor's laptop has a different MAC address than the approved computer for that port.
As soon as the laptop sends a network packet, the switch detects the unknown MAC address. Because the port is configured with a maximum of one secure MAC address and that address is already learned (the original computer's MAC), the switch triggers a violation. Since the violation mode is shutdown, the switch immediately places the port into an error-disabled state. The port LED turns off. The visitor's laptop shows a 'network cable unplugged' message. The visitor assumes the port is dead and moves on.
Back at the IT department, an alert pops up on the network monitoring system. The log shows: 'Port security violation on interface FastEthernet0/3, new MAC address aabb.ccdd.eeff is seen on a secure port.' The administrator knows that someone tried to connect a foreign device. The administrator checks the security camera and sees the visitor. The administrator then accesses the switch, goes into the interface configuration for port 3, and issues the 'shutdown' and then 'no shutdown' commands to re-enable the port. The original computer is then reconnected, and everything works normally.
This scenario shows how shutdown mode prevents unauthorized access, creates a clear audit trail, and requires human intervention to restore service. It demonstrates the balance between security and operational overhead, which is a common topic in exam questions.
Common Mistakes
Assuming that shutdown mode only blocks the unauthorized MAC address and leaves the port operational for other devices.
Shutdown mode completely disables the entire switch port. It does not selectively block an individual MAC address. The port enters an error-disabled state where all traffic is dropped, regardless of the source MAC.
Remember that shutdown is the most severe violation mode. It kills the whole port, not just the offending device. If you need to block only the specific MAC but keep the port up, use restrict or protect mode.
Thinking that the port automatically recovers after the unauthorized device is removed.
Shutdown mode places the port in an error-disabled state, which persists even after the violating device is disconnected. The port remains disabled until an administrator manually re-enables it with a 'shutdown' followed by 'no shutdown', or until an auto-recovery timer expires if configured.
Learn that shutdown mode requires manual intervention by default. The only way to automate recovery is to use the 'errdisable recovery cause psecure-violation' global command. In exam questions, assume manual recovery unless the question specifically mentions auto-recovery.
Confusing 'shutdown' mode with the 'restrict' mode, specifically thinking both modes generate logs.
Both shutdown and restrict modes do generate syslog messages and increment the violation counter. However, the key difference is that shutdown disables the port, while restrict keeps the port up but drops traffic from the violating MAC. Many learners memorize only the logging part and forget the port state difference.
Create a simple table: Shutdown = port off, logs, manual recover. Restrict = port on, logs, drops violating MAC. Protect = port on, no logs, drops violating MAC silently. Focus on the port status for each.
Believing that shutdown mode is the default and therefore does not need to be explicitly configured in an exam simulation.
While shutdown is the default violation mode on most Cisco switches, exam simulations often require complete configuration statements. Some questions will deliberately test if you know the default. If the question asks 'What is the default violation mode?', the answer is shutdown. But if a configuration is shown without the command, a question might ask what is missing, and the answer is not necessarily the violation command unless the scenario describes a different mode.
Know the default is shutdown, but always check the specific requirement of the question. If an objective says 'configure shutdown mode', you should type the command even if it is the default, because the examiner may be looking for explicit configuration practice.
Exam Trap — Don't Get Fooled
{"trap":"A question describes a port that is in an error-disabled state because of a port security violation. The question asks the candidate to choose the next step. One answer is 'remove the unauthorized device'.
Another answer is 'configure the port with port security violation restrict'. A third answer is 'enter interface configuration mode and issue the shutdown and no shutdown commands'.","why_learners_choose_it":"Many learners think that removing the offending device will fix the problem because the port is now safe.
They also consider changing the violation mode to restrict as a solution to allow the port to work again. Both seem reasonable because they address the root cause.","how_to_avoid_it":"Understand that error-disabled ports are not healed by removing the cause.
The switch hardware state is locked. The only way to clear the err-disabled state is through administrative action: a manual shutdown/no shutdown cycle or configured auto-recovery. Do not select remove the device or change the violation mode as a direct fix.
The correct answer is to manually re-enable the interface."
Step-by-Step Breakdown
Port security is enabled on the interface
The administrator configures 'switchport port-security' on a specific switch port. This activates the port security feature, allowing the switch to monitor and restrict MAC addresses on that port. Without this step, no violation modes apply.
The maximum number of secure MAC addresses is set
Using 'switchport port-security maximum <number>', the administrator defines how many unique MAC addresses are allowed to send traffic on the port. Common values are 1 for a single device or higher for phones with PCs behind them. This sets the violation threshold.
The violation mode is configured to shutdown
The command 'switchport port-security violation shutdown' sets the action. This tells the switch to disable the port entirely if a violation occurs. It is the most aggressive response. The switch now knows exactly what to do when the threshold is exceeded.
A violation event occurs
A device with a MAC address not in the secure list attempts to send a frame. The switch checks its secure MAC address table. Because the maximum is already reached, the switch determines a violation. It increments the violation counter and triggers the configured shutdown action.
The port enters error-disabled state
The switch immediately places the interface into an err-disabled state. The port LED turns off. The switch drops all incoming and outgoing frames. The port becomes completely non-functional at Layer 1 and Layer 2. A syslog message is generated, and the violation counter is visible in show commands.
Administrator manually recovers the port
A network administrator logs into the switch, enters interface configuration mode for the disabled port, and issues the 'shutdown' command followed by 'no shutdown'. This clears the err-disabled state and returns the port to normal operation. The secure MAC addresses may need to be re-learned.
Practical Mini-Lesson
Shutdown mode is a fundamental aspect of port security that every network professional must master. In practice, you will configure this on access ports that connect to known endpoints like desktops, printers, IP phones, or security cameras. The goal is to prevent any device other than the intended one from using that physical connection.
When configuring port security on a Cisco switch, the typical workflow begins at the interface level. You enter interface configuration mode for a specific port, for example, interface GigabitEthernet0/1. The first command is switchport port-security. This alone does not enforce much; it simply enables the feature. Then you set the maximum number of secure MAC addresses. For a standard desktop, you use switchport port-security maximum 1. You then configure how the switch learns addresses, often using switchport port-security mac-address sticky. This command dynamically learns the MAC address of the first device that connects and saves it to the running configuration. Finally, you set the violation action: switchport port-security violation shutdown.
Once configured, you should test the port. Connect the authorized device and verify that it communicates correctly. Then disconnect it and connect a different device. The port should immediately go into err-disabled state. You can verify this with show interfaces status, which will show the port as err-disabled. The show port-security interface command will display the violation count and the action.
What can go wrong? A common issue is that a device that generates multiple MAC addresses, such as a VoIP phone that passes through a PC, can cause violations because the maximum is set too low. In that case, you need to increase the maximum to 2 or more. Another issue is a sticky MAC address table that gets filled incorrectly when testing, causing the actual device to be rejected. The solution is to clear the sticky addresses with clear port-security sticky and then reconnect the authorized device.
For auto-recovery, you can configure errdisable recovery cause psecure-violation and set the timer with errdisable recovery interval seconds. This is useful for areas like conference rooms where devices change frequently, but it reduces security guarantees. Always weigh the need for uptime against security requirements.
In enterprise networks, shutdown mode is often combined with other security features like 802.1X, DHCP snooping, and dynamic ARP inspection. But even alone, it is a powerful tool. For the exam, know the commands, the default behavior, and the recovery process. Practice configuring it in simulators to build muscle memory.
Memory Tip
Shutdown mode is like a 'dead man's switch', once triggered, the port is dead until you revive it with the shutdown / no shutdown command.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
The 8-pin CPU connector is a power cable from the power supply that delivers dedicated electricity to the processor on a computer's motherboard.
Frequently Asked Questions
What happens to traffic on a port that is in shutdown mode because of a violation?
All traffic stops. The port is in an error-disabled state, which means no frames are forwarded or received. The port is effectively dead until an administrator re-enables it.
Can a port in shutdown mode recover by itself?
Not by default. The port stays err-disabled until an administrator manually issues a shutdown and no shutdown command. However, if you configure the global command 'errdisable recovery cause psecure-violation', the port will automatically recover after a timer expires.
Is shutdown mode the default violation mode on Cisco switches?
Yes, shutdown is the default violation mode for port security. If you enable port security without specifying the violation action, the port will use shutdown by default.
How do I know if a port has been shut down due to a port security violation?
Use the command 'show interfaces status' to see if the port is in err-disabled state. Use 'show port-security interface <interface>' to see the violation count and the last violating MAC address. You will also see a syslog message indicating the violation.
Does shutdown mode affect all VLANs on a trunk port?
By default, shutdown mode disables the entire port, affecting all VLANs. However, if you use 'switchport port-security violation shutdown vlan', only the specific VLAN where the violation occurred is disabled, leaving other VLANs on the trunk operational.
What is the difference between shutdown and shutdown vlan?
Standard shutdown disables the entire physical port. Shutdown vlan only places the specific VLAN on the port into error-disabled state, allowing other VLANs to continue functioning. Shutdown vlan is used on trunk ports.
Summary
Shutdown mode is a critical port security feature used in network switching to automatically disable a switch port when an unauthorized device attempts to connect. It is the most severe of the three violation actions, designed to physically block access at the port level. When a violation occurs, the port enters an error-disabled state, stops all traffic, and requires manual administrative intervention to be restored. This provides a strong security boundary that prevents rogue devices from accessing the network and forces investigation of security incidents.
In the context of IT certification exams, shutdown mode is a heavily tested concept. Candidates must know the exact behavior, how to configure it, how to verify it, and how to recover from it. It is essential to differentiate shutdown mode from restrict and protect modes based on the port state and logging behavior. Common exam traps include assuming automatic recovery or confusing the violation mode with the resulting errdisable state.
For real-world practice, understanding shutdown mode is fundamental for securing campus networks. It is easy to implement but powerful in its effect. The key takeaway is simple: shutdown mode turns off the port completely when something goes wrong, and you must turn it back on yourself. Remembering this will serve you well both in exams and in your career as a network professional.