A violation response
is a response to a MAC security violation or a failed attempt to dynamically
learn a MAC address due to an address violation. MAC security violations are of
--The address of the ingress frame cannot be dynamically learned
due to a deny list, or because doing so would cause the maximum number of
secure addresses to be exceeded
--The address of the ingress frame cannot be dynamically learned because it is already “present” on another secured service
in the same bridge-domain.
There are three
possible sets of actions that can be taken in response to a violation:
The ingress frame is dropped.
The service instance on which the offending frame arrived is shut down.
The event and the response are logged to SYSLOG.
The Restrict and Protect modes are applied on EFP level to discard the traffic. Both the modes are not applied on the Erroneous
If a violation
response is not configured, the default response mode is shutdown. The
violation response can be configured to protect or restrict mode. A “no” form
of a violation response, sets the violation response to the default mode of
You are allowed to
configure the desired response for a Type 1 and Type 2 violations on a service
instance. For a Type 1 violation on a bridge domain (that is, if the learn
attempt conforms to the policy configured on the service instance, but violates
the policy configured on the bridge domain), the response is always “Protect.”
This is not configurable.
In shutdown mode, the service instance is put into the error
disabled state immediate, an SNMP trap notification is transmitted, and a
message is sent to the console and SYSLOG as shown below:
Mac security violation - shutdown service instance 100 on interface gig 0/0/0
To bring a service instance out of error-disabled state,
no shutdown of
In Restrict mode, the
violation report is sent to SYSLOG at level LOG_WARNING.
Support for the
different types of violation responses depends on the capabilities of the
platform. The desired violation response can be configured on the service
instance. The configured violation response does not take effect unless and
until MAC security is enabled using the