Switchport port-security violation restrict and protect

Switchport port-security violation restrict vs. protect

The three switchport port-security violation modes are shutdown, restrict, and protect. Shutdown mode does exactly what the name suggests: it puts the switchport into the shutdown (err-disabled) state whenever a violation happens on the configured port, while the other two modes do not shut the port down.

There is a minor difference between restrict and protect mode.

Restrict mode will not allow traffic from a device that is not in the allowed list; however, it will log the details, such as the MAC address of the connected device that violated the security policy.

Protect mode does the same, but it does not log anything.

This is the only difference between the two modes. It is better to configure the switchport with restrict mode, as it allows administrators to review the violation details, which can help them further strengthen the network.
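Restrict mode only helps if the violation details it produces actually reach someone. The following Cisco IOS configuration is an added example (not part of the original article) that forwards those messages to a syslog server and an SNMP manager; the server addresses, the community string name MONITOR-RO, and the sample syslog line in the comments are assumed values for illustration.

```cisco
! Added example: capture the violation details generated by restrict mode.
! 192.0.2.10, 192.0.2.20 and MONITOR-RO are assumed values, not from the article.
configure terminal
!
! Send switch syslog messages to a collector. The port-security violation
! message is severity 2 (critical), so the informational trap level includes it.
logging host 192.0.2.10
logging trap informational
!
! Send port-security SNMP notifications to a manager, rate-limited to
! 5 traps per second so a flapping port cannot flood the manager.
snmp-server host 192.0.2.20 version 2c MONITOR-RO port-security
snmp-server enable traps port-security trap-rate 5
end
!
! Illustrative message a restrict-mode port produces on a violation
! (MAC address and port are made-up sample values):
! %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by
!   MAC address 0011.2233.4455 on port GigabitEthernet0/2.
```

A protect-mode port produces none of these messages, which is why the article recommends restrict when violations need to be investigated.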

When to use shutdown, restrict, and protect modes

Most of the time, ‘shutdown’ mode is used by the network administrator on the production network. In a testing environment, however, we may not want to put the port into a shutdown state, as we might be connecting different devices to the switchport for testing purposes.

If shutdown mode is configured, we have to manually bring the port back up whenever a violation happens on it. For testing purposes this mode is not useful; on the production network, however, it is the most effective mode, as it reduces further violations and security breach attempts by an attacker.

Restrict and protect mode can be used for testing purposes, where users switch between various endpoints while testing.

These two modes can also be used in a staging environment or on switches that are not accessible to the public.

How to configure switchport port-security violation modes on Cisco switch

To configure these modes on a Cisco switch, enter interface configuration mode and use the switchport port-security violation command followed by the mode name.

When the command is entered with the ? help token, the switch shows the three options: protect, restrict, and shutdown.

After configuring the violation mode, we can enable switchport security on the interface and test whether it is working as required.

All three violation modes should behave as discussed above; we can also configure switch ports with each of the three modes to test and see how they protect the port in the case of a security violation.
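The procedure above, carried through as one added Cisco IOS configuration (example code, not the article's own): one access port per violation mode, followed by the show commands used to verify the result. The interface names GigabitEthernet0/1-0/3, the MAC address 0011.2233.4455 and the recovery interval are assumed values.

```cisco
! Added example: port-security with each violation mode on a Cisco IOS switch.
! Interface names, the MAC address and the timer value are assumed, not from the article.
configure terminal
!
! Shutdown mode (the IOS default): a violation puts the port into err-disabled.
! Port-security requires a static access port, hence 'switchport mode access' first.
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Restrict mode: frames from unknown MACs are dropped, the violation counter
! increments and a syslog/SNMP notification is generated; the port stays up.
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! Protect mode: same drop behaviour as restrict, but no counter, log or trap.
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation protect
!
! Optional: recover err-disabled ports automatically after 300 seconds instead
! of a manual 'shutdown' / 'no shutdown' on every violation (lab use mainly).
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
!
! Verification: per-port mode, status and violation counts.
show port-security
show port-security interface GigabitEthernet0/2
show port-security address
show interfaces status err-disabled
```

To test, connect a device whose MAC is not in the secure list to each port: GigabitEthernet0/1 should appear in show interfaces status err-disabled, GigabitEthernet0/2 should stay Secure-up with its Security Violation Count incremented, and GigabitEthernet0/3 should stay up with the count unchanged.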
