A violation response is the action taken in response to a MAC security violation, that is, a failed attempt to dynamically learn a MAC address because of an address violation. MAC security violations are of two types:
- Type 1 Violation: The address of the ingress frame cannot be dynamically learned because of a deny list, or because learning it would exceed the maximum number of secure addresses (see MAC Address Limiting and Learning).
- Type 2 Violation: The address of the ingress frame cannot be dynamically learned because it is already "present" on another secured service instance (see MAC Move and MAC Locking).
There are three possible sets of actions that can be taken in response to a violation:
- Shutdown
  - The ingress frame is dropped.
  - The service instance on which the offending frame arrived is shut down.
  - The violation count is incremented, and the violating address is recorded for later CLI display.
  - The event and the response are logged to SYSLOG.
- Restrict
  - The ingress frame is dropped.
  - The violation count is incremented, and the violating address is recorded for display.
  - The event and the response are logged to SYSLOG.
- Protect
  - The ingress frame is dropped.
If a violation response is not configured, the default response mode is shutdown. The violation response can be configured to protect or restrict mode. The "no" form of the violation response command sets the violation response back to the default mode of shutdown.
You can configure the desired response for Type 1 and Type 2 violations on a service instance. For a Type 1 violation on a bridge domain (that is, when the learn attempt conforms to the policy configured on the service instance but violates the policy configured on the bridge domain), the response is always "Protect." This is not configurable.
In shutdown mode, the service instance is put into the error-disabled state immediately, an SNMP trap notification is transmitted, and a message is sent to the console and SYSLOG as shown below:
%ETHER_SERVICE-6-ERR_DISABLED:
Mac security violation - shutdown service instance 100 on interface gig 0/0/0
To bring a service instance out of the error-disabled state, use the errdisable recovery cause mac-security command to set the auto-recovery timer, or re-enable it manually using the EXEC command clear ethernet service instance id id interface type number errdisable.
In restrict mode, the violation report is sent to SYSLOG at level LOG_WARNING.
Support for the different types of violation responses depends on the capabilities of the platform. The desired violation response can be configured on the service instance. The configured violation response does not take effect unless and until MAC security is enabled using the mac security command.
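Because shutdown-mode violations reach SYSLOG in the ERR_DISABLED format shown above, they can be monitored centrally. The following is an added example, not code from the original page: it parses constructed sample SYSLOG lines (the device name, timestamps and sequence numbers are assumptions), counts shutdown events per interface and service instance, and flags instances that keep getting error-disabled, which typically means the recovery timer is re-enabling an instance while the violating host is still attached.

```python
import re
from collections import Counter

# Constructed sample SYSLOG text (not from the original page); the
# ERR_DISABLED message format follows the example shown above.
SAMPLE_LOG = """\
Jan 10 12:00:01 pe1 123: %ETHER_SERVICE-6-ERR_DISABLED: Mac security violation - shutdown service instance 100 on interface gig 0/0/0
Jan 10 12:00:05 pe1 124: %ETHER_SERVICE-6-ERR_DISABLED: Mac security violation - shutdown service instance 200 on interface gig 0/0/1
Jan 10 12:00:09 pe1 125: %SYS-5-CONFIG_I: Configured from console by admin
Jan 10 12:01:30 pe1 126: %ETHER_SERVICE-6-ERR_DISABLED: Mac security violation - shutdown service instance 100 on interface gig 0/0/0
"""

# Matches the ERR_DISABLED message; the interface name may contain a space
# ("gig 0/0/0"), so it is captured lazily up to the end of the line.
VIOLATION_RE = re.compile(
    r"%ETHER_SERVICE-6-ERR_DISABLED:\s*Mac security violation - "
    r"(?P<response>\w+) service instance (?P<efp>\d+) on interface (?P<iface>.+?)\s*$"
)


def parse_violation(line):
    """Return the fields of one MAC security violation message, or None."""
    m = VIOLATION_RE.search(line)
    if not m:
        return None
    return {
        "response": m.group("response"),
        "service_instance": int(m.group("efp")),
        "interface": m.group("iface"),
    }


def count_violations(log_text):
    """Count shutdown events per (interface, service instance) pair."""
    counts = Counter()
    for line in log_text.splitlines():
        v = parse_violation(line)
        if v is not None:
            counts[(v["interface"], v["service_instance"])] += 1
    return counts


def repeat_offenders(log_text, threshold=2):
    """Service instances error-disabled at least `threshold` times."""
    return sorted(k for k, n in count_violations(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for key in repeat_offenders(SAMPLE_LOG):
        print("repeated MAC security shutdown:", key)
```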