Status
PASSED
Scenario
vendor / cisco_port_security

Cisco Port Security Violation — MAC Spoofing

An attacker spoofs a MAC address to bypass network access control. Port security detects the violation and shuts down the port, but not before the attacker exfiltrates data for 30 seconds.

Pattern
CISCO_EVENT
Severity
CRITICAL
Confidence
95%
Remediation
Remote Hands

Test Results

| Metric | Expected | Actual | Result |
|---|---|---|---|
| Pattern Recognition | CISCO_EVENT | CISCO_EVENT | |
| Severity Assessment | CRITICAL | CRITICAL | |
| Incident Correlation | Yes | 9 linked | |
| Cascade Escalation | N/A | No | |
| Remediation | Remote Hands — Corax contacts on-site support via call, email, or API | | |

Scenario Conditions

Cisco 3850 access switch. Port security with sticky MAC and violation mode shutdown. Attacker on Gi1/0/15. Maximum 2 MACs allowed per port.

Injected Error Messages (1)

Cisco port security violation on Gi1/0/15 — unauthorized MAC address detected, %PORT_SECURITY-2-PSECURE_VIOLATION, port shutdown mode activated, 3rd MAC address attempted on port with max 2
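As an added example, not taken from the scenario page or from the Corax product, the following Python parses the raw Cisco IOS syslog form of the injected message above (%PORT_SECURITY-2-PSECURE_VIOLATION and its _VLAN variant), maps the numeric syslog level to the severity label the scenario expects, and groups repeat violations per switch port so that an analyst doing step 1 of the remediation plan can see how many distinct offending MACs a port has tripped on. The sample syslog lines are constructed: the message wording follows the Cisco IOS formats, but the hostnames, MAC addresses and timestamps are made up.

```python
"""Parse Cisco IOS %PORT_SECURITY syslog messages and correlate repeat violations per port."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Cisco IOS syslog severity levels; the "-2-" in PSECURE_VIOLATION is level 2 = CRITICAL.
CISCO_SEVERITY = {0: "EMERGENCY", 1: "ALERT", 2: "CRITICAL", 3: "ERROR",
                  4: "WARNING", 5: "NOTICE", 6: "INFORMATIONAL", 7: "DEBUG"}

# BSD syslog header (timestamp, host), then anything up to the facility-severity-mnemonic tag.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s.*?"
    r"%PORT_SECURITY-(?P<level>\d)-(?P<mnemonic>PSECURE_VIOLATION(?:_VLAN)?):\s*(?P<text>.*)$"
)
MAC_RE = re.compile(r"\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b", re.I)
PORT_RE = re.compile(r"\bon port (?P<port>[A-Za-z-]+\d[\d/]*)", re.I)
VLAN_RE = re.compile(r"\bon VLAN (?P<vlan>\d+)", re.I)

# Long interface names used in syslog text -> the short form used in `show` output and tickets.
IFACE_ABBREV = {"TenGigabitEthernet": "Te", "GigabitEthernet": "Gi", "FastEthernet": "Fa"}


@dataclass
class PortSecurityViolation:
    timestamp: str
    host: str
    interface: str          # normalized short form, e.g. Gi1/0/15
    mac: Optional[str]      # offending MAC in Cisco dotted form, lower-cased
    vlan: Optional[int]     # only present on the _VLAN variant
    level: int
    mnemonic: str

    @property
    def severity(self) -> str:
        return CISCO_SEVERITY.get(self.level, "UNKNOWN")


def short_interface(name: str) -> str:
    for long_name, short in IFACE_ABBREV.items():
        if name.startswith(long_name):
            return short + name[len(long_name):]
    return name


def parse_port_security_line(line: str) -> Optional[PortSecurityViolation]:
    """Return a violation record for a PSECURE_VIOLATION[_VLAN] line; None for any other message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    text = m.group("text")
    mac, port, vlan = MAC_RE.search(text), PORT_RE.search(text), VLAN_RE.search(text)
    return PortSecurityViolation(
        timestamp=m.group("ts"),
        host=m.group("host"),
        interface=short_interface(port.group("port")) if port else "unknown",
        mac=mac.group(0).lower() if mac else None,
        vlan=int(vlan.group("vlan")) if vlan else None,
        level=int(m.group("level")),
        mnemonic=m.group("mnemonic"),
    )


def parse_syslog(text: str) -> list:
    return [ev for ev in (parse_port_security_line(l) for l in text.splitlines()) if ev]


def correlate(events, max_macs: int = 2) -> dict:
    """Group violations per host/interface. A port that trips more than once, or on more
    than one distinct MAC, points to rotating (spoofed) addresses rather than one new device.
    max_macs is the configured 'switchport port-security maximum' (2 in this scenario)."""
    by_port = defaultdict(list)
    for ev in events:
        by_port[f"{ev.host}/{ev.interface}"].append(ev)
    report = {}
    for key, evs in by_port.items():
        macs = sorted({ev.mac for ev in evs if ev.mac})
        report[key] = {
            "violations": len(evs),
            "offending_macs": macs,
            "severity": CISCO_SEVERITY.get(min(ev.level for ev in evs), "UNKNOWN"),
            "configured_max": max_macs,
            "repeated": len(evs) > 1 or len(macs) > 1,
            "first_seen": evs[0].timestamp,
            "last_seen": evs[-1].timestamp,
        }
    return report


# Constructed sample: message formats follow Cisco IOS, all hosts, MACs and times are made up.
# After the first violation the port is err-disabled; errdisable recovery brings it back and a
# second, different MAC trips it again, which is what the correlation flags as "repeated".
SAMPLE_SYSLOG = """\
Mar 30 10:15:02 Access-SW2 101: *Mar 30 10:15:01.201: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet1/0/15.
Mar 30 10:15:02 Access-SW2 102: *Mar 30 10:15:01.305: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi1/0/15, putting Gi1/0/15 in err-disable state
Mar 30 10:15:03 Access-SW2 103: *Mar 30 10:15:02.010: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/15, changed state to down
Mar 30 10:20:02 Access-SW2 104: *Mar 30 10:20:01.400: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi1/0/15
Mar 30 10:20:10 Access-SW2 105: *Mar 30 10:20:09.877: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0011.2233.4466 on port GigabitEthernet1/0/15.
Mar 30 10:16:05 Access-SW1 311: *Mar 30 10:16:04.112: %PORT_SECURITY-2-PSECURE_VIOLATION_VLAN: Security violation on port Gi1/0/7 due to MAC address 00aa.bbcc.dd01 on VLAN 20
"""

if __name__ == "__main__":
    for port, info in correlate(parse_syslog(SAMPLE_SYSLOG)).items():
        print(port, info)
```

The companion %PM-4-ERR_DISABLE and %LINK-3-UPDOWN lines are deliberately left unparsed here; in a real pipeline they confirm that the violation action really was shutdown (the port went err-disabled and link-down), which is the evidence that the "Remote Hands" remediation, rather than a remote clear, is needed.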

Neural Engine Root Cause Analysis

Cisco switch Access-SW2 port Gi1/0/15 has detected a port security violation where an unauthorized MAC address attempted to connect, exceeding the configured maximum of 2 MAC addresses per port. The port security feature has automatically shut down the port in violation mode, causing network connectivity loss for devices connected to this port. This is likely caused by a new device being connected, MAC address spoofing, or a legitimate device with a changed MAC address.

Remediation Plan

1. Investigate the unauthorized MAC address to determine if it's a legitimate device or security threat.
2. Review port security configuration on Gi1/0/15 to verify if MAC limit and violation action are appropriate.
3. If legitimate, either increase MAC address limit or add the MAC to the allowed list.
4. Clear the port security violation and bring the port back online using 'clear port-security violation interface gi1/0/15' and 'shutdown/no shutdown'.
5. Monitor for recurring violations and implement proper network access control if this represents a security incident.

Tested: 2026-03-30 | Monitors: 1 | Incidents: 1 | Test ID: cmncjd9up00fcobqexzhdnejc