A violation response
is a response to a MAC security violation or a failed attempt to dynamically
learn a MAC address due to an address violation. MAC security violations are of
--The address of the ingress frame cannot be dynamically learned
due to a deny list, or because doing so would cause the maximum number of
secure addresses to be exceeded
--The address of the ingress frame cannot be dynamically learned because it is already “present” on another secured service instance
in the same bridge-domain.
There are three
possible sets of actions that can be taken in response to a violation:
The ingress frame is dropped.
The service instance on which the offending frame arrived is shut down.
The event and the response are logged to SYSLOG.
The Restrict and Protect modes are applied on EFP level to discard the traffic. Both the modes are not applied on the Erroneous MAC level.
If a violation
response is not configured, the default response mode is shutdown. The
violation response can be configured to protect or restrict mode. A “no” form
of a violation response, sets the violation response to the default mode of
You are allowed to
configure the desired response for a Type 1 and Type 2 violations on a service
instance. For a Type 1 violation on a bridge domain (that is, if the learn
attempt conforms to the policy configured on the service instance, but violates
the policy configured on the bridge domain), the response is always “Protect.”
This is not configurable.
In Restrict mode, the
violation report is sent to SYSLOG at level LOG_WARNING.
Support for the
different types of violation responses depends on the capabilities of the
platform. The desired violation response can be configured on the service
instance. The configured violation response does not take effect unless and
until MAC security is enabled using the