Security Violations and Actions
Port security triggers security violations when either of the following events occurs:
MAC Count Violation
Ingress traffic arrives at an interface from a nonsecure MAC address, and learning the address would exceed the applicable maximum number of secure MAC addresses.
When an interface has both a VLAN maximum and an interface maximum configured, a violation occurs when either maximum is exceeded. For example, consider the following on a single interface configured with port security:
• VLAN 1 has a maximum of five addresses
• The interface has a maximum of ten addresses
The device detects a violation when any of the following occurs:
• The device has learned five addresses for VLAN 1, and inbound traffic from a sixth address arrives at the interface in VLAN 1.
• The device has learned ten addresses on the interface, and inbound traffic from an eleventh address arrives at the interface.
The possible actions that the device can take are as follows:
Shutdown
Shuts down the interface that received the packet triggering the violation. The interface is error disabled. This action is the default. After you reenable the interface, it retains its port security configuration, including its secure MAC addresses.
You can use the errdisable global configuration command to configure the device to reenable the interface automatically if a shutdown occurs, or you can manually reenable the interface by entering the shutdown and no shutdown interface configuration commands.
Restrict
Drops ingress traffic from any nonsecure MAC addresses.
The device keeps a count of the number of dropped MAC addresses, which is called the security violation count. Address learning continues until the maximum security violations have occurred on the interface. Traffic from addresses learned after the first security violation is dropped.
MAC Move Violation
Ingress traffic from a secure MAC address arrives at a different interface in the same VLAN as the interface on which the address is secured.
You see a MAC move notification only when the logging level of the Layer 2 Forwarding Module (L2FM) is increased to 4 or 5.
When a MAC move violation occurs, the device increments the security violation counter for the interface, and irrespective of the violation mode configured, the interface is error disabled. If the violation mode is configured as Restrict or Protect, the violation is logged in the system log.
Because a MAC move violation results in the interface being error disabled, irrespective of the violation mode configured, we recommend using the errdisable command to enable automatic errdisable recovery.
Cisco Nexus 9000 Series NX-OS Security Configuration Guide, Release 9.x
Configuring Port Security