For non-vPC ports and port channels, whenever a learn event arrives for a new
endpoint, the leaf first checks whether the new learn is allowed. If the
corresponding interface has no port security policy configured, or the policy
is disabled, endpoint learning behaves exactly as it does without port
security. If the policy is enabled, the outcome depends on whether the MAC
limit has been reached:
If the limit is not reached, the endpoint is learned, and the leaf then checks
whether this new endpoint has brought the count up to the limit. If the limit
is reached and the learn disable action is configured, learning is disabled in
hardware on that interface (the physical interface, the port channel, or the
vPC). If the limit is reached and the learn disable action is not configured,
the endpoint is installed in hardware with a drop action. Endpoints installed
with a drop action age out normally, like any other endpoints.
When the limit is reached for the first time, the operational state of the
port security policy object is updated to reflect it. A static rule raises a
fault so that the user is alerted, and a syslog message is also generated when
the limit is reached.
In the vPC case, when the MAC limit is reached the peer leaf switch is also
notified so that learning can be disabled on the peer as well. Because the vPC
peer can reboot at any time, and vPC legs can go down or restart, this state is
reconciled with the peer so that the two vPC peers do not go out of sync. If
they did get out of sync, learning could be enabled on one leg and disabled on
the other.
By default, once the limit is reached and learning is disabled, learning is
automatically re-enabled after the default timeout of 60 seconds.
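The learn path described above, written out as a small Python model so the two violation paths (learn-disable versus drop-install), the operational-state and fault update, the vPC peer notification and reconciliation, and the timeout re-enable can all be exercised offline. This is an added example, not Cisco code and not the leaf's actual implementation: every class, attribute and return string is invented for the model, and three points the text leaves open are marked as assumptions in the comments (only forwarding entries count against the limit; a new learn arriving after a timeout re-enable with the table still full disables learning again; reconciliation converges on the learn-disabled state).

```python
"""Model of the leaf port-security learn path (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Optional

FORWARD, DROP = "forward", "drop"


@dataclass
class PortSecurityPolicy:
    enabled: bool = True
    maximum: int = 2             # MAC limit for the interface
    learn_disable: bool = True   # True: disable learning on violation; False: install with drop
    timeout: int = 60            # seconds before learning is re-enabled (60 by default)


@dataclass
class Endpoint:
    mac: str
    action: str                  # FORWARD or DROP, as installed in hardware
    learned_at: float


@dataclass
class Port:
    name: str
    policy: Optional[PortSecurityPolicy] = None
    peer: Optional["Port"] = None            # vPC peer leg, None for a non-vPC port
    endpoints: dict = field(default_factory=dict)
    learning_enabled: bool = True
    limit_reached: bool = False              # operational state of the policy object
    faults: list = field(default_factory=list)
    disabled_at: Optional[float] = None

    def _forwarding_count(self) -> int:
        # Assumption: only forwarding entries count against the limit; drop entries do not.
        return sum(1 for e in self.endpoints.values() if e.action == FORWARD)

    def _disable_learning(self, now: float, notify_peer: bool = True) -> None:
        self.learning_enabled = False
        self.disabled_at = now
        if notify_peer and self.peer is not None:   # vPC: tell the peer leaf to disable too
            self.peer._disable_learning(now, notify_peer=False)

    def _limit_hit(self, now: float) -> None:
        if not self.limit_reached:                  # first time: update op state, raise fault
            self.limit_reached = True
            self.faults.append(f"{self.name}: port-security MAC limit {self.policy.maximum} reached")
        if self.policy.learn_disable:
            self._disable_learning(now)

    def learn(self, mac: str, now: float) -> str:
        """Handle a learn event for `mac`; returns what the leaf did with it."""
        if self.policy is None or not self.policy.enabled:
            self.endpoints[mac] = Endpoint(mac, FORWARD, now)
            return "learned"                        # behaviour unchanged without a policy
        if not self.learning_enabled:
            return "learning_disabled"              # hardware learning is off; event ignored
        if mac in self.endpoints:
            self.endpoints[mac].learned_at = now
            return "refreshed"
        if self._forwarding_count() < self.policy.maximum:
            self.endpoints[mac] = Endpoint(mac, FORWARD, now)
            if self._forwarding_count() == self.policy.maximum:
                self._limit_hit(now)                # this endpoint brought us to the limit
                return "learned_limit_reached"
            return "learned"
        if self.policy.learn_disable:
            # Assumption: after a timeout re-enable with the table still full, the next
            # new learn disables learning again instead of being installed.
            self._disable_learning(now)
            return "learning_disabled"
        self.endpoints[mac] = Endpoint(mac, DROP, now)
        return "dropped"                            # limit reached, no learn-disable: drop entry

    def tick(self, now: float) -> bool:
        """Periodic timer: re-enable learning once the policy timeout has elapsed."""
        if (self.policy is not None and not self.learning_enabled
                and self.disabled_at is not None
                and now - self.disabled_at >= self.policy.timeout):
            self.learning_enabled = True
            self.disabled_at = None
            return True
        return False

    def age(self, now: float, age_time: float) -> list:
        """Age out idle endpoints, forward and drop entries alike."""
        stale = [m for m, e in self.endpoints.items() if now - e.learned_at >= age_time]
        for m in stale:
            del self.endpoints[m]
        return stale

    def reconcile_with_peer(self) -> bool:
        """vPC reconciliation after a peer reboot or leg restart. Assumption: when the
        legs disagree they converge on the learn-disabled state."""
        if self.peer is None or self.learning_enabled == self.peer.learning_enabled:
            return False
        when = max(self.disabled_at or 0.0, self.peer.disabled_at or 0.0)
        for leg in (self, self.peer):
            if leg.learning_enabled:
                leg._disable_learning(when, notify_peer=False)
        return True
```

To walk the vPC case, build two `Port` objects that point at each other as `peer`, learn up to the limit on one leg and observe `learning_enabled` flip on both; replace one leg with a fresh `Port` (a rebooted peer) and call `reconcile_with_peer()` to bring it back into sync.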