Port Security Violation Mode Behaviors on Exam
Presenting Symptom
A host connected to a switchport that was previously working is now unable to communicate on the network, and the switchport shows an err-disabled state.
Network Context
A small branch office with a single Cisco Catalyst 2960 switch running IOS 15.0. The switch connects to a single access VLAN for end-user devices. Port security is enabled on the access ports with a maximum of 2 MAC addresses. The network engineer recently connected a new IP phone and PC to the same switchport, and after a few minutes, the port went down.
Diagnostic Steps
Check interface status
show interfaces GigabitEthernet0/1 status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        err-disabled 1          auto    auto  10/100/1000BaseTX
The port is in err-disabled state, indicating a security violation or other error condition. A healthy port would show 'connected' (link up) or 'notconnect' (no link).
Check port security status
show port-security interface GigabitEthernet0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 3
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : xxxx.xxxx.xxxx:1
Security Violation Count   : 1
The violation mode is 'shutdown' and the total MAC addresses (3) exceed the maximum (2). This confirms a port security violation caused the err-disable. The violation count is 1.
Check the MAC address table for the port
show mac address-table interface GigabitEthernet0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    xxxx.xxxx.xxxx    DYNAMIC     Gi0/1
   1    yyyy.yyyy.yyyy    DYNAMIC     Gi0/1
   1    zzzz.zzzz.zzzz    DYNAMIC     Gi0/1
Three MAC addresses are learned on the port, exceeding the configured maximum of 2. This confirms the root cause: too many devices connected to the port.
Check the errdisable recovery status
show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
psecure-violation            Enabled
If psecure-violation recovery is enabled, the port will automatically recover after a timeout. If not, manual intervention is needed. This helps determine next steps.
Root Cause
Port security is configured on the switchport with a maximum of 2 MAC addresses and violation mode 'shutdown'. When a third device (e.g., IP phone) was connected, the port learned a third MAC address, triggering a security violation. The violation mode 'shutdown' caused the port to enter err-disabled state, blocking all traffic.
Resolution
Verification
After applying the fix, verify with:
show interfaces GigabitEthernet0/1 status
Expected output: 'Status: connected'
show port-security interface GigabitEthernet0/1
Expected output: 'Port Status: Secure-up', 'Security Violation Count: 0' (or no increase)
Prevention
1. Plan the number of devices per port and set the maximum MAC addresses accordingly (e.g., 3 for phone+PC).
2. Use violation mode 'restrict' instead of 'shutdown' to avoid err-disable and allow automatic recovery.
3. Enable errdisable recovery for psecure-violation to automatically restore ports after a timeout.
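The recovery and the hardened configuration from the Prevention list, shown as an added Cisco IOS example that is not part of the original scenario. The interface name Gi0/1, access VLAN 1 and the 300-second recovery interval are assumptions; the order matters, because bouncing the port while the maximum is still 2 would trip the violation again as soon as the third MAC address is learned.

```cisco
! Configuration that triggered the violation (assumed from the scenario:
! maximum 2 with the default violation mode, shutdown)
configure terminal
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 1
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! Step 1: raise the limit BEFORE recovering the port, so the three
! addresses seen in the MAC table (phone + PC) fit under the maximum.
interface GigabitEthernet0/1
 switchport port-security maximum 3
!
! Step 2: restrict keeps the port up on a violation, drops only the
! offending frames, increments the violation counter and logs it
! (a PORT_SECURITY syslog message), instead of err-disabling the port.
 switchport port-security violation restrict
!
! Step 3: if shutdown mode is kept on other ports, let the switch
! re-enable them itself after the interval (assumed 300 seconds).
exit
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Step 4: manual recovery of the port that is err-disabled now.
! shutdown / no shutdown clears the violation state and the stale entries.
interface GigabitEthernet0/1
 shutdown
 no shutdown
end
!
! Verify: expect Status connected, Port Status Secure-up and no
! further increase of the Security Violation Count.
show interfaces GigabitEthernet0/1 status
show port-security interface GigabitEthernet0/1
show errdisable recovery
```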
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions (multiple choice or drag-and-drop) where a port goes err-disabled. The exam tests understanding of port security violation modes (shutdown, restrict, protect) and their effects. Key fact: 'shutdown' puts the port in err-disabled state; 'restrict' drops offending traffic but keeps the port up; 'protect' drops offending traffic without logging.
Exam Tips
Memorize the three violation modes: shutdown (err-disable), restrict (drops traffic, logs), protect (drops traffic, no log).
Remember that 'shutdown' is the default violation mode and requires manual or automatic recovery to bring the port back up.
Know that 'show port-security interface' displays the violation count and current status; a non-zero violation count indicates past violations.
Commands Used in This Scenario
show interfaces status
Displays a summary of all switch interfaces including their status, VLAN, duplex, speed, and type, used to quickly verify interface connectivity and configuration.
show mac address-table
Displays the MAC address table (also known as CAM table) on a switch, showing which MAC addresses are learned on which VLAN and port, used to verify Layer 2 forwarding and detect issues like MAC flooding or incorrect port assignments.
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.