What Is Violation mode in Networking?
On This Page
Quick Definition
Violation mode is a setting on a network switch that controls what happens when the wrong device tries to plug into a protected port. If a port is set to only allow certain devices, violation mode decides whether to just send a warning, drop the traffic, or shut the port down completely. It is a simple way to keep unwanted devices off your network.
Commonly Confused With
Storm control limits the amount of broadcast, multicast, or unknown unicast traffic on a port, while violation mode is about controlling which source MAC addresses are allowed. Storm control prevents network floods; violation mode prevents unauthorized access.
Storm control is like a speed bump that slows down a traffic jam, while violation mode is like a checkpoint that only lets certain cars through.
802.1X is an authentication protocol that requires a device to authenticate via a server before being granted access to the network. Violation mode, on the other hand, is a Layer 2 security feature that uses MAC addresses for filtering. 802.1X is more secure and flexible, whereas port security with violation mode is simpler and works without a server.
802.1X is like a hotel key card that is personalized for each guest, while port security violation mode is like a guest list at a party that only checks names.
BPDU guard is a feature that immediately errdisables a port if it receives a Bridge Protocol Data Unit (BPDU), which is used in Spanning Tree Protocol. It protects against switch loops from unauthorized switches. Violation mode deals with unauthorized MAC addresses, not BPDUs. They both can errdisable a port but are caused by different events.
BPDU guard is like a smoke detector that goes off if it senses smoke (BPDUs), while violation mode is like a fingerprint scanner that rejects unknown fingerprints (MAC addresses).
Must Know for Exams
Understanding violation modes is a core objective for several IT certification exams, particularly those focused on networking. For the Cisco Certified Network Associate (CCNA) exam, port security and its violation modes are explicitly listed in the exam blueprint under 'Configure and verify Layer 2 security features.' It appears frequently in both multiple-choice questions and simulation-based troubleshooting scenarios. The CCNA exam expects candidates to not only know the three modes but also to understand which mode generates syslog messages, which one shuts down the port, and how to recover from a shutdown violation.
For the CompTIA Network+ exam, while it does not cover Cisco-specific syntax, it does test the general concept of MAC address filtering and port security. Candidates may see questions that ask about the consequences of unauthorized device connections and the actions a switch might take, such as 'dropping traffic' or 'disabling the port.' Knowledge of violation modes helps answer these questions with a deeper understanding of real-world implementation.
In the Cisco Certified Technician (CCT) exam, which focuses on hands-on troubleshooting, violation mode is a common topic. Technicians are expected to be able to identify that a port is in errdisable state due to a security violation, understand how to check the violation counter with 'show port-security interface', and know how to re-enable the port. These are practical skills tested in the lab portion of the exam.
For the Juniper JNCIA-Junos exam, although Juniper uses different terminology, the concept of violating MAC limiting actions is similar. Cisco's violation modes are often used as a baseline for understanding how other vendors handle the same problem. Study resources and practice exams will frequently present scenario-based questions: 'A user reports that a switch port is not working. You notice the port is in errdisable state. What is the most likely cause?' The answer often points to a security violation in shutdown mode.
In all these exams, it is important to memorize the specific behaviors of each mode. Protect mode does not log, restrict mode logs but does not shut down, and shutdown mode disables the port. Questions may also test the default violation mode, which is shutdown. Knowing these details can mean the difference between a correct and an incorrect answer.
Simple Meaning
Think of violation mode like a security guard at the door of a private club. The club only lets in members who have a special ID card. If someone who is not a member tries to get in, the security guard has to decide what to do. In the networking world, a switch port can be set to only allow certain devices, identified by their MAC address, which is like a unique serial number for network hardware. Violation mode is the rule book for the security guard.
There are three main choices for what happens when an uninvited device tries to connect. The first is called 'protect.' In this mode, the guard simply blocks the unwanted person from entering but does not report anything. The unauthorized device cannot send any data through the port, but the guard does not make any noise about it. This is useful when you want to silently prevent access without attracting attention.
The second mode is 'restrict.' Here, the guard blocks the unwanted person and also makes a note in the logbook, sending a warning message to the club manager. The switch will still work for authorized devices, but the network administrator will know that an unauthorized attempt was made. This helps with security monitoring without causing any disruption to normal operation.
The third and most strict mode is 'shutdown.' In this case, the guard not only blocks the uninvited person but also closes the entire door, making it impossible for anyone, even authorized members, to get through until the manager physically reopens it. On a switch, this means the entire port is disabled until an administrator manually turns it back on. This offers the strongest security but also requires human intervention to restore service.
Understanding these modes is important because they balance security with convenience. A hospital might use shutdown mode to quickly isolate a security threat, while a busy office might use restrict mode to keep the network running while still tracking unauthorized access attempts.
Full Technical Definition
Violation mode is a parameter configured within the Cisco switch Port Security feature. Port Security allows an administrator to restrict ingress traffic by limiting the number of allowed MAC addresses on a single switch port, or by specifying exactly which MAC addresses are permitted. When a frame arrives on a secured port with a source MAC address that is not in the allowed list or that would exceed the maximum number of secure MAC addresses, a security violation occurs. The violation mode defines the switch's action in response to this violation.
There are three violation modes: protect, restrict, and shutdown. In protect mode, when a violation occurs, the switch drops all traffic from the offending source MAC address but does not generate any syslog messages or Simple Network Management Protocol (SNMP) traps. The port remains up and continues to forward traffic for authorized MAC addresses. However, protect mode does not increment the security-violation counter. This mode is considered the least intrusive but also offers the least visibility into security events.
In restrict mode, the switch also drops traffic from the offending MAC address, but unlike protect mode, it does generate syslog messages and SNMP traps. The security-violation counter is incremented for each violation. This provides network administrators with visibility into unauthorized access attempts while keeping the port operational for legitimate devices. Restrict mode is a good balance between security and operational continuity.
In shutdown mode, the switch immediately places the port in the error-disabled (errdisable) state. The port is effectively disabled, no traffic of any kind passes through it, and the port LED turns off or shows amber. A syslog message is generated, and the security-violation counter is incremented. To recover from this state, an administrator must manually re-enable the port using the 'no shutdown' command, or configure the switch to automatically recover after a specified time period using the 'errdisable recovery cause psecure-violation' command. Shutdown mode is the most secure but requires administrative intervention to restore connectivity.
The configuration itself is done in global configuration mode or interface configuration mode. The basic commands include 'switchport port-security' to enable the feature, 'switchport port-security maximum' to set the number of allowed MAC addresses, 'switchport port-security mac-address' to manually specify MAC addresses, and 'switchport port-security violation' followed by 'protect', 'restrict', or 'shutdown'. This feature is commonly used in enterprise edge switches to prevent unauthorized devices from connecting to the corporate network, such as in finance, healthcare, or government environments where access control is critical.
Real-Life Example
Imagine a small office building that has a shared printer in the hallway. The building manager decides that only employees from two specific departments, Sales and Marketing, are allowed to use that printer. To enforce this, the manager puts a special electronic lock on the printer that only opens when a company-issued badge is swiped.
Now, an employee from the HR department tries to print their documents on that printer. The electronic lock checks the badge and realizes it is not authorized. What happens next depends on the 'violation mode' the manager chose. If the manager set the lock to 'protect' mode, the lock simply stays closed and the HR employee walks away confused. No alarm sounds, no email is sent to the manager, and the printer remains available for Sales and Marketing to use.
If the manager set the lock to 'restrict' mode, the lock stays closed and a silent alert is sent to the building manager's phone. The HR employee is denied access, but the manager knows an unauthorized attempt occurred. The printer continues to work for authorized users, and the manager can investigate later without interrupting work.
If the manager set the lock to 'shutdown' mode, the lock not only stays closed but also automatically sends a signal to security to seal off the entire printer room. The printer becomes completely unavailable to everyone, including Sales and Marketing. The manager then has to personally come to the printer, inspect the situation, and manually reset the system before anyone can use the printer again. This is very secure but causes a lot of inconvenience for everyone.
This analogy maps directly to a switch port. The printer is the switch port, the badges are MAC addresses, and the electronic lock is the port security configuration. The different responses of the lock correspond to the three violation modes. Choosing the right mode depends on whether you prioritize security over convenience or need visibility into unauthorized attempts.
Why This Term Matters
In a practical IT environment, controlling which devices connect to your network is a fundamental security measure. Without port security and its violation modes, anyone could plug a laptop or a rogue access point into an open wall jack and gain access to the internal network, potentially leading to data breaches, malware infections, or network disruption. Violation mode gives network administrators granular control over how the network reacts to unauthorized access attempts, allowing them to balance security needs with operational availability.
For example, in a hospital, patient records and critical medical equipment rely on a stable network. If a visitor accidentally plugs their phone charger into a network port thinking it is a power outlet, a shutdown violation mode would immediately disable that port. While this prevents the phone from connecting, it also might disable a nearby nurse's station if the same port is used for legitimate devices. In this case, restrict mode might be better because it logs the event and blocks the unauthorized device but keeps the port up for authorized use, avoiding an accidental outage.
In a corporate office with a strict security policy, shutdown mode is often used on ports in public areas or conference rooms to isolate any rogue device immediately. This forces an administrator to physically inspect the connection and manually re-enable the port, ensuring that every new connection is authorized. This is particularly useful for preventing 'rogue' devices from bridging into the corporate network.
violation modes are critical for compliance with regulations like PCI DSS or HIPAA, which require strict network access control. Being able to demonstrate that your network automatically blocks and logs unauthorized access attempts helps pass audits. Understanding the differences between protect, restrict, and shutdown allows an IT professional to make informed decisions about security policy and troubleshoot issues when a port suddenly stops working. It is a simple but powerful tool for maintaining network integrity.
How It Appears in Exam Questions
Exam questions about violation mode typically fall into three main patterns: scenario-based multiple choice, configuration verification, and troubleshooting.
Scenario-based multiple choice questions often describe a network situation and ask which violation mode best meets the requirements. For example: 'A network administrator wants to prevent unauthorized devices from connecting to an access port but also wants to avoid disrupting legitimate users. Which violation mode should be configured?' The correct answer is 'restrict' because it blocks the unauthorized traffic and logs the event without shutting down the port. Alternatively, a question might ask: 'Which violation mode generates a syslog message but does not place the port in an errdisable state?' The answer is 'restrict.'
Configuration verification questions present a partial show command output, such as 'show port-security interface FastEthernet 0/1'. The output shows a violation mode of 'shutdown' and a recent violation count. The question might ask: 'What will happen to the port if another unauthorized device attempts to connect?' The candidate must know that the port is already in an error state if the violation count is positive and the status shows 'secure-down' or 'errdisable', and that the port will remain disabled until manually recovered.
Troubleshooting questions are common in the CCNA simulation section. A candidate might be given a scenario where users on a specific switch port cannot access the network. The candidate must connect to the switch, run 'show interfaces status' to see if the port is in errdisable state, run 'show port-security interface' to check the violation mode and count, and then determine the corrective action. For example, if the violation mode is shutdown and the port is down, the candidate must navigate to the interface and enter 'shutdown' followed by 'no shutdown' to recover the port.
Another common question type involves comparing modes. 'Which of the following is true about protect mode compared to restrict mode?' The correct answer is that protect mode does not generate log messages or increment the violation counter, while restrict mode does. Candidates must be careful not to confuse the behavior of protect and restrict, as they both drop unauthorized traffic but differ in logging and counters.
Finally, some questions test recovery from errdisable state. 'A port is in errdisable state due to a violation. What command re-enables the port?' The answer is 'no shutdown' under interface configuration mode. However, a trick question might ask for the global command to enable automatic recovery, which is 'errdisable recovery cause psecure-violation'. Knowing both manual and automatic recovery methods is important.
Practise Violation mode Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are the network administrator for a small school. The school has a computer lab with 20 desktop computers that are used by students during class. Each desktop has a fixed MAC address that is registered with the school. You have configured port security on the switch ports in the lab to only allow those specific MAC addresses. One afternoon, a teacher brings in a laptop and unplugs one of the desktop computers to connect the laptop to the network to show a video.
Because you have set the violation mode to 'shutdown' on all lab ports, the switch immediately detects that the laptop's MAC address is not allowed. The switch drops all traffic from the laptop and places the port into an errdisable state. Now, neither the laptop nor the original desktop computer can use that port. The teacher cannot access the internet, and when the student returns to their desk after lunch, the desktop computer is not working either.
The teacher calls you, frustrated. You connect to the switch and run 'show interfaces status'. You see that FastEthernet 0/1 is in 'errdisable' state. You then run 'show port-security interface FastEthernet 0/1' and see that there have been one violation and that the violation mode is 'shutdown'. You realize that the port was disabled due to an unauthorized MAC address. You ask the teacher what happened and they explain about the laptop. You decide that for this lab, the 'restrict' mode would be better because it would have blocked the laptop but kept the port available for the desktop computer when it was plugged back in. For now, you manually re-enable the port using the 'no shutdown' command and change the violation mode to 'restrict' to prevent future disruptions. This scenario shows how choosing the wrong violation mode can cause unnecessary downtime and how the right choice improves network availability.
Common Mistakes
Thinking protect mode generates syslog messages.
Protect mode is designed to silently drop unauthorized traffic without any notification. It does not send syslog messages or SNMP traps. Only restrict and shutdown modes generate log messages.
Remember that protect mode is 'silent.' It protects the network but does not alert anyone. Use restrict mode if you need logging.
Believing that shutdown mode allows the port to recover automatically by default.
By default, a port placed in errdisable state due to a violation in shutdown mode remains disabled until an administrator manually uses the 'no shutdown' command. Automatic recovery is optional and must be configured with 'errdisable recovery cause psecure-violation'.
Understand that shutdown mode requires human intervention to restore the port, unless automatic recovery is explicitly enabled.
Confusing the number of allowed MAC addresses with the violation mode.
The 'maximum' command sets how many MAC addresses are allowed on a port, but the violation mode defines what action is taken if that limit is exceeded or an unauthorized MAC appears. They are two separate configurations.
Think of 'maximum' as the capacity (how many guests are allowed) and 'violation mode' as the bouncer's behavior (what he does when too many or the wrong guest shows up).
Assuming all violation modes drop all traffic on the port.
In protect and restrict modes, only traffic from the offending MAC address is dropped. Traffic from authorized MAC addresses continues to flow normally. In shutdown mode, all traffic stops because the entire port is disabled.
Remember that protect and restrict are selective in what they drop, while shutdown is complete and disables the entire port.
Forgetting that the default violation mode on Cisco switches is shutdown.
When enabling port security without specifying a violation mode, the switch defaults to shutdown mode. This can cause unexpected port shutdowns if the administrator is not aware.
Always check the running configuration after enabling port security. If you want a different behavior, configure it explicitly.
Exam Trap — Don't Get Fooled
{"trap":"The exam states that a port is configured with port security and the violation mode is 'protect'. It then asks: 'What will the switch do when an unauthorized device is connected?' The trap answer option says: 'It will generate a syslog message and drop the traffic.'
","why_learners_choose_it":"Many learners remember that something happens when a violation occurs, and they associate violation modes with logging. They forget that protect mode is specifically designed to be silent and does not generate any logs.","how_to_avoid_it":"Memorize the exact behaviors: protect = drop only, no log, no counter.
restrict = drop, log, counter increment. shutdown = drop, log, counter increment, port disabled. Use a simple mnemonic: 'Protect is quiet, Restrict reports, Shutdown stops everything.'
Step-by-Step Breakdown
Enable port security on the interface
Use the command 'switchport port-security' in interface configuration mode. This activates the port security feature on that specific switch port. Without this step, none of the other port security settings will work.
Define the maximum number of allowed MAC addresses
Use 'switchport port-security maximum <value>' to specify how many devices can connect to this port. The default is 1. For a single workstation, 1 is common; for a hub (though rarely used now), you might set a higher number.
Specify the allowed MAC addresses
You can manually configure MAC addresses with 'switchport port-security mac-address <mac>'. Alternatively, you can let the switch dynamically learn MAC addresses up to the maximum count. Sticky learning with 'switchport port-security mac-address sticky' adds the first learned MAC to the running config.
Configure the violation mode
Use 'switchport port-security violation {protect | restrict | shutdown}'. This sets the action the switch takes when an unauthorized MAC appears or the maximum is exceeded. This is the core decision that affects network behavior during a security event.
Verify the configuration
Use 'show port-security interface <interface>' to see the current settings, including the violation mode, current violation count, and operational status. Also use 'show running-config interface <interface>' to confirm the configuration is saved.
Test the configuration
Connect an unauthorized device to the port. Observe whether the traffic is dropped (protect/restrict) or the port goes into errdisable state (shutdown). Check syslog messages if configured. This step validates that the violation mode behaves as expected.
Recover from shutdown violations (if applicable)
If using shutdown mode, you must manually recover the port by entering interface configuration mode and issuing 'shutdown' followed by 'no shutdown'. Alternatively, configure automatic recovery globally with 'errdisable recovery cause psecure-violation' and set a recovery interval.
Practical Mini-Lesson
Violation mode is often misunderstood because it works hand-in-hand with the concept of 'sticky MAC addresses' and the 'maximum' setting. When you enable port security, the switch begins monitoring the source MAC addresses of incoming frames. If you use 'switchport port-security mac-address sticky', the switch learns the first MAC address it sees on the port and adds it to the running configuration as if you typed it manually. This is useful for small environments where you do not want to manually type MAC addresses, but it can cause problems if the device is replaced without resetting the port.
In practice, when a security violation occurs, different switches may behave slightly differently. On older Catalyst switches, protect mode might drop only the violating frames but still forward other traffic. However, on some models, protect mode might cause high CPU utilization if many violations occur, because it has to process each frame before dropping it. Restrict mode also processes and drops frames but adds the overhead of generating a syslog message each time. If a port is experiencing a flood of unauthorized traffic, restrict mode could generate many log messages, potentially filling up the syslog buffer. Some administrators avoid restrict mode in high-traffic areas for this reason.
Shutdown mode is the most common choice for security-conscious environments because it completely stops the attack vector. However, it can be a double-edged sword. If a user mistakenly plugs a personal device into a port that is set to shutdown, they lose all connectivity, and the IT staff must be called to physically or remotely re-enable the port. This can lead to user frustration and increased support tickets. To mitigate this, some organizations set the violation mode to shutdown but also configure an automatic recovery timer of 30 minutes using 'errdisable recovery interval 1800' and 'errdisable recovery cause psecure-violation'. This way, the port automatically comes back after a half hour, potentially after the unauthorized device has been removed.
Professionals should also know that port security and violation modes can be applied to both access and trunk ports, though it is most common on access ports. On trunk ports, port security can be used, but it is tricky because trunk ports typically carry VLAN tags, and the MAC addresses seen are often from multiple devices. Some switches do not support port security on dynamic trunk ports. Always check the specific platform's documentation.
Finally, when troubleshooting a mysterious port failure, always check 'show port-security' first. A port that is in errdisable state from a violation will not show up in 'show interfaces' as 'up/up'. It will show 'errdisable' status. Knowing how to quickly identify and resolve this issue is a hallmark of a skilled network technician.
Memory Tip
Think of the three modes as levels of reaction: Protect (Polite) - drops traffic silently, Restrict (Report) - drops traffic and logs it, Shutdown (Shut it down) - disables the port completely.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
200-301Cisco CCNA →N10-009CompTIA Network+ →Related Glossary Terms
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
Frequently Asked Questions
What is the default violation mode on a Cisco switch?
The default violation mode is 'shutdown'. When you enable port security without specifying a mode, any violation will cause the port to enter an errdisable state.
Does protect mode drop all traffic on the port?
No, protect mode only drops traffic from the unauthorized MAC address. Traffic from authorized MAC addresses continues to be forwarded normally.
Can I recover a port automatically after a shutdown violation?
Yes, you can configure automatic recovery by using the global command 'errdisable recovery cause psecure-violation' and optionally setting the recovery interval with 'errdisable recovery interval <seconds>'.
Does restrict mode generate syslog messages for every violation?
Yes, restrict mode generates a syslog message and an SNMP trap for each violation. This can generate many messages if a port is under attack.
Is port security the same as MAC address filtering?
Port security is a more advanced implementation of MAC address filtering. It includes the ability to set a maximum number of MAC addresses, sticky learning, and actions for violations. Simple MAC address filtering only allows or denies specific addresses.
Can I use port security on a trunk port?
Yes, but it is less common and may have platform-specific limitations. It is typically used on access ports where a single device connects.
Summary
Violation mode is a critical component of Cisco's port security feature, giving network administrators control over how a switch responds when an unauthorized device attempts to connect to a secured port. The three modes-protect, restrict, and shutdown-offer a spectrum of responses from silent packet dropping to complete port disablement. Each mode serves a distinct purpose: protect for silent security, restrict for security with logging, and shutdown for maximum security requiring human intervention.
Understanding the differences between these modes is essential for both practical network management and for passing major IT certification exams like the CCNA. Exam questions frequently test your ability to match the correct behavior to each mode, troubleshoot an errdisabled port, and choose the right mode for a given scenario. Mistakes often come from confusing the logging behaviors or assuming automatic recovery.
In real-world environments, the choice of violation mode affects network availability and security incident response. Restrict mode is often preferred for user-facing ports to avoid unnecessary outages, while shutdown mode is favored for high-security areas like server rooms or public kiosks. Regardless of the mode chosen, port security with appropriate violation settings is a simple and effective first line of defense against unauthorized network access. Mastering this concept will not only help you pass your exams but also make you a more competent and confident network administrator.