
Port Security Violation Mode Set Wrong — No Shutdown on Violation

Presenting Symptom

A host connected to a switch port is unable to communicate on the network, and the port shows an err-disabled state after a security violation, but the port does not automatically recover.

Network Context

This issue occurs in a small branch office with a single Cisco Catalyst 2960 switch running IOS 15.0. The switch connects several workstations and printers. Port security is enabled on an access port to limit MAC addresses, but the violation mode is incorrectly set to 'shutdown' instead of 'restrict' or 'protect', and the 'errdisable recovery' feature is not configured.

Diagnostic Steps

1. Check interface status

show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/1                        err-disabled 10         auto    auto  10/100/1000BaseTX

The port is in err-disabled state, indicating a security violation occurred. Normal state would be 'connected' or 'notconnect'.

2. Check port security configuration on the interface

show port-security interface gigabitEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1

Violation Mode is 'Shutdown', which causes the port to err-disable upon violation. The Security Violation Count shows 1, confirming a violation occurred. With 'Restrict' or 'Protect', the port would stay up on a violation and only the offending traffic would be dropped, so no recovery step would be needed.

3. Check errdisable recovery settings

show errdisable recovery
ErrDisable Reason Timer Status
----------------- -------------
all                  Disabled
...
psecure              Disabled

The errdisable recovery for 'psecure' (port security) is disabled, so the port will not automatically recover from the err-disabled state. For automatic recovery, recovery must be enabled for the 'psecure' cause and a recovery interval set.

4. Check the MAC address table for the violating address

show mac address-table interface gigabitEthernet 0/1
Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi0/1

The MAC address 0011.2233.4455 is learned on the port. If this is an unauthorized device, it caused the violation. The port is now err-disabled, so traffic is blocked.

Root Cause

The port security violation mode is set to 'shutdown', which places the port in errdisable state upon a violation. Additionally, errdisable recovery for port security is not enabled, so the port remains down until manually recovered. The network engineer expected the port to automatically recover after the violating device is removed, but the default behavior of 'shutdown' mode requires manual intervention or errdisable recovery configuration.

Resolution

To resolve the issue, change the violation mode to 'restrict' (which drops traffic from unauthorized MACs but keeps the port up) or enable errdisable recovery for port security. Steps:

1. Enter configuration mode:
   configure terminal
2. Change violation mode (interface configuration):
   interface gigabitEthernet 0/1
   switchport port-security violation restrict
3. (Optional) Enable errdisable recovery (global configuration; leave interface mode with 'exit' first):
   errdisable recovery cause psecure
   errdisable recovery interval 300
4. Recover the port manually (interface configuration):
   shutdown
   no shutdown
5. Exit:
   end

Alternatively, if the violating MAC is legitimate, add it as a secure MAC address on the interface:
   switchport port-security mac-address 0011.2233.4455

Verification

Run 'show port-security interface gigabitEthernet 0/1' to confirm Violation Mode is now 'Restrict'. Run 'show interfaces status' to verify the port is 'connected'. Run 'show errdisable recovery' to confirm psecure recovery is enabled and the timer interval is set.

Prevention

1. Use 'restrict' or 'protect' violation modes instead of 'shutdown' to avoid the err-disabled state.
2. Enable errdisable recovery for port security with an appropriate interval.
3. Implement sticky MAC learning to dynamically learn and secure authorized MAC addresses.
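The following is an added example, not configuration taken from the scenario's switch, that puts the Resolution and Prevention points side by side: the access-port configuration that produces the symptom above, followed by the hardened version. The interface (GigabitEthernet0/1), VLAN (10), maximum of 1 MAC and the 300-second recovery interval are the page's values; the 'switchport mode access' line is assumed, since IOS requires a static access or trunk mode before port security can be enabled.

```cisco
! Added example (not the original page's configuration).
! Interface, VLAN, MAC limit and recovery interval are the page's values;
! 'switchport mode access' is assumed (port security needs a static mode).
!
! --- Before: default violation mode 'shutdown', no recovery configured.
!     One violation err-disables the port and it stays down until an
!     administrator does shutdown / no shutdown on it.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
!
! --- After: the port stays up on a violation and drops only the
!     offending frames while logging them ('restrict'); the first
!     authorized MAC is learned and saved to the running-config ('sticky').
!     Recovery for the 'psecure' cause is still enabled so that any port
!     left in 'shutdown' mode comes back after 300 seconds.
errdisable recovery cause psecure
errdisable recovery interval 300
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address sticky
!
! After the authorized host has sent a frame, the learned address appears
! in the running-config as:
!  switchport port-security mac-address sticky 0011.2233.4455
! Save it with 'write memory' so it survives a reload.
```

Verify the result with 'show port-security interface gigabitEthernet 0/1' (Violation Mode: Restrict, Sticky MAC Addresses: 1) and 'show errdisable recovery' (psecure: Enabled, Timer interval: 300 seconds).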

CCNA Exam Relevance

On the CCNA 200-301 exam, port security violation modes are tested in multiple-choice and drag-and-drop questions. Candidates must know the three modes (shutdown, restrict, protect) and their behaviors. The exam often asks which mode causes an errdisable state (shutdown) and which drops traffic without alerting (protect). Understanding errdisable recovery configuration is also important.

Exam Tips

1. Remember: 'shutdown' mode err-disables the port; 'restrict' drops traffic and logs; 'protect' drops traffic silently.

2. The default violation mode is 'shutdown' — be aware that this can cause unexpected outages.

3. Know the command 'show port-security interface' to check violation count and mode.
