CCNA 200-301 | Chapter 140 of 260 | Objective 2.7

Troubleshoot: Port Security Violation

Port security is one of the most frequently tested Layer 2 security features on the CCNA 200-301 exam, and it's a real-world tool that prevents unauthorized devices from connecting to your network. Understanding how to troubleshoot port security violations is critical because a misconfigured port can either block legitimate traffic or leave a security hole. This chapter covers exam objective 2.7, focusing on the three violation modes—shutdown, restrict, and protect—and the diagnostic steps to identify and resolve violations.

25 min read
Intermediate
Updated May 31, 2026

The Hotel Key Card System

Imagine you manage a hotel with 100 rooms, each with a digital lock that accepts only one key card per guest. When a guest checks in, you program a key card for their room. If the guest loses the card and finds another, that second card won't work, because the lock is programmed to accept only the first card's unique ID. Now suppose someone tries to enter a room with a card from a different room. The lock might do one of three things: (1) shut down completely and refuse every card, even the guest's own, until the front desk resets it (a shutdown violation); (2) refuse the invalid card and sound an alarm while the guest's own card keeps working (restrict, which drops the frame and sends a syslog message); or (3) silently ignore the invalid card (protect, which drops the frame without any notification). In networking terms, the switch port is the lock, the MAC address is the key card ID, and the violation mode determines the response. If a technician accidentally swaps key cards between rooms, the locks trigger violations, just as a switch does when it sees a new MAC address on a secured port. The hotel manager (the network admin) checks the lock status (show port-security) to see which rooms are in violation, then re-programs the keys (clears the secure MAC addresses).

How It Actually Works

What is Port Security?

Port security is a Cisco switch feature that restricts which MAC addresses can send traffic through a specific switch port. It's a Layer 2 security mechanism that helps prevent unauthorized devices from connecting to the network. The feature is configured on access ports (not trunks) and can be used to limit the number of MAC addresses learned on a port, or to specify exactly which MAC addresses are allowed.

Why It Exists

In an enterprise network, you don't want a random laptop or rogue access point plugged into an office jack to gain full network access. Port security provides a first line of defense by allowing only known devices. It's also useful for preventing MAC flooding attacks, where an attacker sends thousands of fake MAC addresses to overflow the switch's MAC address table and force it into fail-open mode.

How It Works Step by Step

When port security is enabled on an interface, the switch monitors the source MAC addresses of incoming frames. The switch maintains a list of secure MAC addresses for that port. By default, the port learns MAC addresses dynamically up to a maximum of 1. When a frame arrives with a source MAC address that is not in the secure list, and the port has reached its maximum secure MAC count, a violation occurs.

The switch then takes action based on the configured violation mode:

Shutdown (default): The interface is placed in an error-disabled state. It stops forwarding all traffic. The port LED turns orange. The switch generates a syslog message and an SNMP trap. The port remains down until manually re-enabled (shutdown/no shutdown) or automatically recovered via errdisable recovery.

Restrict: The port remains up and forwarding, but the switch drops frames from the offending MAC address. It also generates a syslog message, an SNMP trap, and increments the violation counter. This mode allows legitimate traffic to continue while alerting the admin.

Protect: The port remains up and forwarding, and drops frames from the offending MAC address. However, no syslog message or SNMP trap is generated. The violation counter is also not incremented. This is the stealth mode—useful if you want to silently block unauthorized devices without generating logs.
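The following is an added illustration, not Cisco IOS code and not part of the original chapter. It models the rules stated above (default maximum of 1, default mode shutdown; protect drops silently and leaves the counter alone; restrict drops, logs and counts; shutdown err-disables the port) so you can see the three modes diverge on the same sequence of frames. It also covers two devices behind one port with the default maximum, the situation the chapter returns to later with the VoIP phone and PC. The class and function names are assumptions of this example; the syslog text mirrors the %PORT_SECURITY-2-PSECURE_VIOLATION message mentioned in the walk-through.

```python
"""Behavioural model of Cisco port-security violation modes (added example)."""
from dataclasses import dataclass, field

SYSLOG_VIOLATION = "%PORT_SECURITY-2-PSECURE_VIOLATION"


@dataclass
class SecurePort:
    """One access port with port security enabled (hypothetical model class)."""
    name: str
    maximum: int = 1            # IOS default: one secure MAC per port
    mode: str = "shutdown"      # IOS default violation mode
    secure_macs: list = field(default_factory=list)
    violation_count: int = 0
    errdisabled: bool = False
    syslog: list = field(default_factory=list)

    def _log(self, mac: str) -> None:
        self.syslog.append(f"{SYSLOG_VIOLATION}: Security violation occurred, "
                           f"caused by MAC address {mac} on port {self.name}.")

    def receive(self, src_mac: str) -> str:
        """Process one inbound frame and return what the switch did with it."""
        src_mac = src_mac.lower()
        if self.errdisabled:
            return "dropped:errdisable"       # nothing forwards on an err-disabled port
        if src_mac in self.secure_macs:
            return "forwarded"                # known secure MAC
        if len(self.secure_macs) < self.maximum:
            self.secure_macs.append(src_mac)  # dynamic (or sticky) learning
            return "forwarded:learned"
        # Secure table is full and the source is unknown: this is a violation.
        if self.mode == "shutdown":
            self.errdisabled = True           # port goes to errdisable
            self.violation_count += 1
            self._log(src_mac)
            return "dropped:errdisable"
        if self.mode == "restrict":
            self.violation_count += 1         # counted and logged, port stays up
            self._log(src_mac)
            return "dropped:restrict"
        if self.mode == "protect":
            return "dropped:protect"          # silent: no syslog, no counter
        raise ValueError(f"unknown violation mode {self.mode!r}")

    def reenable(self) -> None:
        """Models 'shutdown' / 'no shutdown' or the errdisable recovery timer.

        Assumption of this model: the secure MAC list is kept, so the same
        offender trips the port again unless the cause was corrected first.
        """
        self.errdisabled = False


def run_frames(port: SecurePort, macs) -> list:
    """Feed a sequence of source MACs and collect the per-frame outcome."""
    return [port.receive(m) for m in macs]


def two_devices_one_port(maximum: int = 1) -> tuple:
    """Two devices (e.g. phone and PC) on a default-mode port; constructed MACs."""
    port = SecurePort("Fa0/7", maximum=maximum)
    actions = run_frames(port, ["0011.2233.4455", "aabb.ccdd.eeff", "0011.2233.4455"])
    return actions, port.errdisabled


if __name__ == "__main__":
    for mode in ("shutdown", "restrict", "protect"):
        p = SecurePort("Fa0/1", mode=mode)
        print(mode, run_frames(p, ["0a1b.2c3d.4e5f", "dead.beef.0001", "0a1b.2c3d.4e5f"]),
              "count", p.violation_count, "syslog", len(p.syslog))
```

Running the block prints the same three frames under each mode: only shutdown stops forwarding the legitimate MAC afterwards, only restrict and shutdown write a syslog line and bump the counter, and protect reports nothing at all, which is exactly why a zero counter in protect mode proves nothing.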

Key States, Timers, and Defaults

Default maximum secure MAC addresses: 1

Default violation mode: shutdown

Default aging type: absolute (after a configured time, the MAC is removed)

Default aging time: 0 (disabled)

Sticky MAC learning: When enabled, dynamically learned MAC addresses are converted to sticky secure MAC addresses and added to the running configuration.

Error-disabled state: The port is in errdisable state. Recovery can be manual (shutdown/no shutdown) or automatic via errdisable recovery cause psecure-violation with a default recovery timer of 300 seconds (configurable).

IOS CLI Verification Commands

To verify port security configuration and violations, use the following commands:

show port-security
show port-security interface <interface>
show port-security address
show interfaces <interface> status
show errdisable recovery

Example output for show port-security interface FastEthernet0/1:

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0a1b.2c3d.4e5f:10
Security Violation Count   : 1

How It Interacts with Related Protocols

STP (Spanning Tree Protocol): Port security is typically configured on access ports, which are often in STP forwarding state. A violation that puts the port into errdisable also stops STP BPDUs, which can cause topology changes.

VLAN Trunking: Port security is not supported on trunk ports (except in some switch models with specific configurations). It is designed for access ports.

DHCP Snooping: Port security and DHCP snooping can work together. DHCP snooping builds a binding table of IP-MAC addresses; port security can be used to enforce MAC addresses. However, they are independent features.

802.1X: Port security can be used alongside 802.1X for additional MAC-based filtering, but 802.1X is the primary authentication method.

Walk-Through

1. Identify the Violation Symptom

The most common symptom of a port security violation is a port that goes down unexpectedly. Users report loss of connectivity. The switch port LED may be orange (errdisable). Alternatively, if the violation mode is restrict or protect, the port remains up but traffic from unauthorized devices is dropped. Check the switch logs or syslog server for messages like '%PORT_SECURITY-2-PSECURE_VIOLATION', which indicate that a violation occurred. Also check the show interfaces status command for the 'err-disabled' state.

2. Verify Port Security Status

Use `show port-security interface <interface>` to see the current port security status. Look at the 'Port Status' field: if it says 'Secure-down' or 'Secure-shutdown', the port is in violation. Also check 'Security Violation Count'; if it is greater than 0, violations have occurred. The 'Last Source Address:Vlan' field shows the MAC address that caused the last violation, which is key to identifying the offending device.

3. Check the Violation Mode

Use `show port-security interface <interface>` and look for 'Violation Mode'. It will be one of shutdown, restrict, or protect. If shutdown, the port is likely in errdisable. If restrict or protect, the port is still up but dropping frames from unauthorized MACs. Knowing the mode helps determine the next steps: for shutdown, you need to re-enable the port; for restrict/protect, you need to decide whether to allow the new MAC or remove it.

4. Identify the Offending MAC Address

From the 'Last Source Address:Vlan' field in the port-security output, note the MAC address. You can also use `show mac address-table interface <interface>` to see all MAC addresses learned on that port. Compare the secure MAC list (from `show port-security address`) with the current MAC table. The offending MAC is one that is present in the MAC table but not in the secure list, or it caused the violation count to increment.

5. Determine the Cause and Correct

Common causes: (1) A new device was plugged in, exceeding the maximum MAC limit. (2) The MAC address of a legitimate device changed (e.g., NIC replacement). (3) A switch or router was inadvertently connected, learning multiple MACs. Solution: Either increase the maximum MAC addresses, add the new MAC to the secure list (using `switchport port-security mac-address <mac>`), or clear the secure MACs and allow re-learning. For sticky MAC, use `switchport port-security mac-address sticky` to convert dynamically learned MACs to sticky.

6. Re-enable the Port if in Errdisable

If the violation mode is shutdown, the port is in errdisable state. To re-enable: first correct the cause (e.g., remove unauthorized device). Then, either manually do `shutdown` followed by `no shutdown` on the interface, or configure errdisable recovery: `errdisable recovery cause psecure-violation` and set a timer with `errdisable recovery interval <seconds>`. Verify recovery with `show interfaces <interface> status`. After re-enabling, monitor for further violations.

What This Looks Like on the Job

In an enterprise campus network, port security is commonly deployed on user-facing access ports to prevent unauthorized devices from connecting. For example, a company might have cubicles with Ethernet jacks. Employees are issued laptops with known MAC addresses. The network team configures port security with sticky MAC learning on each port, allowing only the first MAC that connects to be authorized. This prevents a visitor from plugging in their own laptop and gaining network access.

Another scenario is in a conference room where multiple devices may need to connect. The port might be configured with a maximum MAC count of 5 and violation mode restrict. This allows up to five devices to connect, but if a sixth tries, its frames are dropped and a syslog alert is sent. The network admin can then decide whether to increase the limit or investigate.

A common misconfiguration is forgetting to set the violation mode to restrict or protect on critical ports (like a printer or IP phone). If the port goes into errdisable because of a temporary MAC change, the device loses connectivity until the admin manually re-enables the port. This is especially problematic for devices that are hard to reach physically. Best practice is to use restrict mode on ports where you expect occasional MAC changes, and configure errdisable recovery to automatically bring the port back after a timeout.

Scale considerations: On a large network with thousands of ports, managing static MAC entries is impractical. Sticky MAC learning simplifies this by automatically converting learned MACs to sticky entries in the running config. However, the running config can become very large. Also, if a switch reloads, sticky MACs are lost unless saved to startup config. Performance impact is minimal as the switch just does a simple MAC lookup per frame.

When misconfigured, port security can cause more harm than good. For example, setting maximum MAC to 1 on a port connected to a VoIP phone (which has a built-in switch for a PC) will block the PC traffic because the phone's MAC is already learned. The fix is to either increase the maximum or use a voice VLAN configuration that separates phone and PC traffic.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam tests port security under objective 2.7 (Troubleshoot Layer 2 security features). Expect scenario-based questions where you must interpret show command output to determine the violation mode, the offending MAC, and the corrective action. The exam loves to test the differences between shutdown, restrict, and protect—especially that protect does not generate syslog or increment the violation counter, while restrict does. A common trap: a question shows a port in errdisable state and asks why. The wrong answer might be 'STP loop' or 'duplex mismatch', but the correct answer is 'port security violation with shutdown mode'.

Common wrong answers and why candidates choose them:

1. 'The violation mode is protect' when the port is in errdisable. Candidates confuse protect with shutdown; protect does not cause errdisable.

2. 'The maximum MAC addresses is exceeded' when the question shows a violation count of 0. Candidates forget that protect mode does not increment the counter (restrict and shutdown do), so the counter alone does not tell you whether the maximum was exceeded.

3. 'The port needs to be shut and no shut' when errdisable recovery is configured. Candidates don't know that recovery can be automatic.

4. 'Sticky MAC addresses are saved in startup config'. They are not; they exist only in the running config unless you save the configuration.

Specific values to memorize: default maximum MAC = 1, default violation mode = shutdown, default errdisable recovery interval = 300 seconds (if enabled). The command to set violation mode: switchport port-security violation {shutdown | restrict | protect}.

For scenario questions, use this decision tree:

Is the port down? If yes, violation mode is shutdown (or errdisable from another cause). Check port-security output.

Is the port up but traffic from some devices is dropped? If yes, mode is restrict or protect. Check if syslog is generated: if yes, restrict; if no, protect.

To fix, identify the offending MAC and either allow it or remove the device. If shutdown, re-enable the port after correcting the cause.
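The six-step walk-through above and this decision tree both come down to reading a few fields of `show port-security interface` and choosing a remediation. The script below is an added example, not part of the chapter and not Cisco code: it parses that output (the format matches the example output earlier in the chapter), applies the decision tree, pulls out the offending MAC and VLAN, and proposes the commands the walk-through names for each outcome. The two sample outputs are constructed, the MACs and VLANs in them are illustrative, and the function names are this example's own; the command strings are the ones already listed in this chapter.

```python
"""Triage helper for Cisco 'show port-security interface' output (added example)."""
import re

# Constructed sample outputs; the layout mirrors the chapter's example.
SAMPLE_SHUTDOWN = """\
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0a1b.2c3d.4e5f:10
Security Violation Count   : 1
"""

SAMPLE_RESTRICT = """\
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Restrict
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 5
Total MAC Addresses        : 5
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 5
Last Source Address:Vlan   : 0011.2233.4455:20
Security Violation Count   : 3
"""

# Key is matched lazily up to the first "whitespace then colon", so a key that
# itself contains a colon ("Last Source Address:Vlan") is kept whole.
_FIELD = re.compile(r"^(?P<key>.+?)\s+:\s+(?P<value>.+?)\s*$")


def parse_port_security(text: str) -> dict:
    """Turn the two-column show output into a {field: value} dictionary."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group("key")] = m.group("value")
    return fields


def triage(interface: str, fields: dict, allow_offender: bool = False,
           recovery_interval: int = 300) -> dict:
    """Apply the chapter's decision tree and propose remediation commands.

    allow_offender=True means you have decided the last offending device is
    legitimate and want it added to the secure list (walk-through step 5).
    """
    mode = fields.get("Violation Mode", "").lower()
    status = fields.get("Port Status", "").lower()
    count = int(fields.get("Security Violation Count", "0"))
    last_mac, _, vlan = fields.get("Last Source Address:Vlan", ":").partition(":")
    result = {"interface": interface, "mode": mode, "offending_mac": last_mac,
              "vlan": vlan, "violations": count,
              "interface_commands": [], "global_commands": []}

    if mode == "shutdown" and status != "secure-up" and count > 0:
        # Port is down with a recorded violation in shutdown mode: errdisable.
        result["diagnosis"] = "errdisable: port security violation in shutdown mode"
        cmds = [f"interface {interface}"]
        if allow_offender:
            cmds.append(f" switchport port-security mac-address {last_mac}")
        cmds += [" shutdown", " no shutdown"]        # manual recovery (step 6)
        result["interface_commands"] = cmds
        result["global_commands"] = [                # automatic alternative
            "errdisable recovery cause psecure-violation",
            f"errdisable recovery interval {recovery_interval}",
        ]
    elif status != "secure-up":
        result["diagnosis"] = "port down with no recorded violation: check link and admin state"
    elif count > 0:
        # Up and counting: restrict mode is dropping and logging unknown MACs.
        result["diagnosis"] = "restrict: port up, offending frames dropped and logged"
        if allow_offender:
            result["interface_commands"] = [
                f"interface {interface}",
                f" switchport port-security mac-address {last_mac}",
            ]
    elif mode == "protect":
        result["diagnosis"] = ("protect: counter stays 0 even on violations; compare "
                               "'show mac address-table interface' with 'show port-security address'")
    else:
        result["diagnosis"] = "no violation recorded"
    return result


if __name__ == "__main__":
    for name, sample in (("FastEthernet0/1", SAMPLE_SHUTDOWN),
                         ("GigabitEthernet1/0/5", SAMPLE_RESTRICT)):
        print(triage(name, parse_port_security(sample)))
```

The shutdown case deliberately keys on "not Secure-up plus a non-zero counter" rather than on the exact 'Secure-shutdown' string, because the chapter's own example output shows 'Secure-down' with a count of 1. The protect branch is the important one for real networks: the script cannot see a silent violation, so the only evidence is the gap between the MAC table and the secure list.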

Key Takeaways

Port security default violation mode is shutdown, which places the port in errdisable state.

Default maximum secure MAC addresses per port is 1.

Restrict mode drops offending frames, generates syslog, and increments violation counter.

Protect mode drops offending frames silently—no syslog, no counter increment.

Use 'show port-security interface <int>' to see violation mode, count, and last offending MAC.

Sticky MAC addresses are converted to secure MACs but are not saved to startup config unless you copy running-config startup-config.

Errdisable recovery can be configured with 'errdisable recovery cause psecure-violation' and a timer.

Port security is configured on access ports, not trunk ports.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Shutdown Violation Mode

Port goes to errdisable state

All traffic stops on the port

Generates syslog and SNMP trap

Increments violation counter

Requires manual or automatic recovery

Restrict Violation Mode

Port remains up and forwarding

Only offending frames are dropped

Generates syslog and SNMP trap

Increments violation counter

No recovery needed; port stays up

Watch Out for These

Mistake

Port security with protect mode places the port in errdisable state.

Correct

Protect mode does not cause errdisable; the port remains up and forwarding legitimate traffic. Only shutdown mode causes errdisable.

Candidates often think all violation modes disable the port, but protect is designed to be stealthy.

Mistake

Sticky MAC addresses are automatically saved to the startup configuration.

Correct

Sticky MAC addresses are stored in the running configuration, but they are lost on reload unless you explicitly save the running config to startup config.

The word 'sticky' implies permanence, but it only means the MAC is converted to a secure MAC entry in running config.

Mistake

The 'show port-security' command shows the MAC addresses learned on all ports.

Correct

The 'show port-security' command shows a summary per interface, including violation count and mode. To see the actual secure MAC addresses, use 'show port-security address'.

Candidates confuse the summary with the address table.

Mistake

Port security can be configured on trunk ports to secure multiple VLANs.

Correct

Port security is supported only on access ports (or in some cases on trunk ports with specific restrictions, but CCNA assumes access ports only).

Candidates think because trunk ports carry multiple VLANs, they need more security, but the feature is designed for single-VLAN access ports.


Frequently Asked Questions

What is the difference between port security restrict and protect modes?

Both restrict and protect modes drop frames from unauthorized MAC addresses while keeping the port up. The key difference is that restrict mode generates a syslog message and increments the violation counter, while protect mode does neither. Restrict is useful when you want to be alerted about violations; protect is for stealth blocking. In the exam, remember: restrict = logs, protect = silent.

How do I clear port security violations on a switch port?

To remove secure MAC addresses, use 'clear port-security sticky interface <interface>' to remove only sticky entries, or 'clear port-security dynamic interface <interface>' to remove dynamically learned entries. To reset the entire port security configuration, use 'no switchport port-security' and then re-enable it. If the port is in errdisable, you must also re-enable it with 'shutdown' followed by 'no shutdown'.

Can I configure port security on a trunk port?

In Cisco IOS, port security is not supported on trunk ports by default. It is designed for access ports. Some switch models may allow it with specific configurations, but for the CCNA exam, assume port security is configured on access ports only. If you need to secure a trunk, consider other features like private VLANs or 802.1X.

What happens when the maximum MAC address count is reached and a new device connects?

It depends on the violation mode. If shutdown, the port goes into errdisable. If restrict, the new device's frames are dropped but the port stays up, and a syslog is generated. If protect, the frames are dropped silently. The existing secure MAC addresses continue to work normally.

How do I configure port security to allow multiple MAC addresses on a port?

Use the command 'switchport port-security maximum <number>' to set the maximum number of secure MAC addresses allowed on the interface. For example, 'switchport port-security maximum 5' allows up to 5 MAC addresses. You can also specify the MAC addresses statically or use sticky learning.

What is the default errdisable recovery interval for port security violations?

The default recovery interval is 300 seconds (5 minutes) when errdisable recovery is enabled. You can change it with the command 'errdisable recovery interval <seconds>'. If recovery is not configured, the port remains in errdisable until manually recovered.

Why does my port go into errdisable even though I configured restrict mode?

If the port goes into errdisable, the violation mode is likely shutdown, not restrict. Verify with 'show port-security interface <int>'. Possibly you misconfigured the mode. Also, errdisable can be caused by other reasons like loopguard or UDLD. Check 'show errdisable detect' for all causes.

