Violation Response Configuration - Cisco NCS 4200 Series Configuration Manual

Violation Response Configuration

In all other cases, the configuration of the denied address is accepted. Typical cases include:
• The address is configured as a permitted address on another service instance in the same bridge domain, or the address has been learned and saved as a sticky address on another service instance.
• The address is present in the MAC table of the bridge domain as a dynamically learned address on the specific service instance and is deleted from the MAC table before the configuration is accepted.

Violation Response Configuration

A violation response is a response to a MAC security violation or to a failed attempt to dynamically learn a MAC address due to an address violation. MAC security violations are of two types:
Type 1 Violation -- The address of the ingress frame cannot be dynamically learned because it is on a deny list, or because learning it would exceed the maximum number of secure addresses.
Type 2 Violation -- The address of the ingress frame cannot be dynamically learned because it is already "present" on another secured service instance in the same bridge domain.
There are three possible sets of actions that can be taken in response to a violation:
1 Shutdown
2 Restrict
3 Protect
Note: The Restrict and Protect modes are applied at the EFP level to discard the traffic; neither mode is applied at the level of the erroneous MAC address.
If a violation response is not configured, the default response mode is shutdown. The violation response can be configured to protect or restrict mode. The "no" form of the violation response command sets the violation response back to the default mode of shutdown.
You can configure the desired response for Type 1 and Type 2 violations on a service instance. For a Type 1 violation on a bridge domain (that is, if the learn attempt conforms to the policy configured on
Shutdown:
• The ingress frame is dropped.
• The service instance on which the offending frame arrived is shut down.
• The event and the response are logged to SYSLOG.
Restrict:
• The ingress frame is dropped.
• The event and the response are logged to SYSLOG.
Protect:
• The ingress frame is dropped.
Note: The ingress frame is dropped silently, without sending any violation report to the SYSLOG.
Layer 2 Configuration Guide for Cisco NCS 4200 Series
40
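The following is an added illustration, not Cisco code and not part of the guide: a small Python model of a bridge domain with several service instances (EFPs), each holding a secure-address table with a maximum, an optional deny list and a configured violation mode. It shows how a learn attempt is classified as a Type 1 or Type 2 violation and what each response mode does to the frame, the EFP and the SYSLOG record. The EFP names, MAC addresses and the order in which the deny list, other-EFP presence and address limit are checked are assumptions of the example; the per-mode actions follow the lists above, and the platform note about EFP-level discard is not modelled.

```python
"""Model of EVC MAC-security violation responses (illustrative, not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SHUTDOWN, RESTRICT, PROTECT = "shutdown", "restrict", "protect"


@dataclass
class ServiceInstance:
    """One EFP: its secure-address table, limit, deny list and response mode."""
    name: str
    max_addresses: int
    violation: str = SHUTDOWN          # default when no response is configured
    deny: Set[str] = field(default_factory=set)
    secure: Set[str] = field(default_factory=set)
    is_shut: bool = False


@dataclass
class BridgeDomain:
    efps: Dict[str, ServiceInstance]
    syslog: List[str] = field(default_factory=list)

    def owner_of(self, mac: str, exclude: str) -> Optional[str]:
        """Name of another EFP in this bridge domain that already secures mac."""
        for efp in self.efps.values():
            if efp.name != exclude and mac in efp.secure:
                return efp.name
        return None

    def classify(self, efp: ServiceInstance, mac: str) -> Optional[str]:
        """Violation type for a learn attempt, or None if the address can be learned.
        Check order (deny list, then other EFP, then limit) is an assumption."""
        if mac in efp.secure:
            return None                               # already secured here
        if mac in efp.deny:
            return "type1"                            # deny list
        if self.owner_of(mac, exclude=efp.name) is not None:
            return "type2"                            # present on another secured EFP
        if len(efp.secure) >= efp.max_addresses:
            return "type1"                            # would exceed the maximum
        return None

    def ingress(self, efp_name: str, mac: str) -> str:
        """Process one ingress frame with source address mac on the named EFP."""
        efp = self.efps[efp_name]
        if efp.is_shut:
            return "dropped(efp-shut)"
        vtype = self.classify(efp, mac)
        if vtype is None:
            efp.secure.add(mac)
            return "forwarded"
        # Every mode drops the offending frame; the modes differ in side effects.
        if efp.violation == SHUTDOWN:
            efp.is_shut = True
            self.syslog.append(f"{efp.name}: {vtype} violation by {mac}, response shutdown")
        elif efp.violation == RESTRICT:
            self.syslog.append(f"{efp.name}: {vtype} violation by {mac}, response restrict")
        # PROTECT: dropped silently, nothing written to SYSLOG
        return f"dropped({vtype},{efp.violation})"


def run_scenario():
    """Constructed scenario: three EFPs in one bridge domain, one per response mode."""
    bd = BridgeDomain(efps={
        "EFP-A": ServiceInstance("EFP-A", max_addresses=2),                    # shutdown (default)
        "EFP-B": ServiceInstance("EFP-B", max_addresses=2, violation=RESTRICT,
                                 deny={"00:00:00:00:00:bb"}),
        "EFP-C": ServiceInstance("EFP-C", max_addresses=1, violation=PROTECT),
    })
    frames = [
        ("EFP-A", "00:11:22:33:44:01"),   # learned on A
        ("EFP-A", "00:11:22:33:44:02"),   # learned on A (table now full)
        ("EFP-B", "00:11:22:33:44:01"),   # Type 2: already secured on A; restrict
        ("EFP-B", "00:00:00:00:00:bb"),   # Type 1: deny list; restrict
        ("EFP-C", "00:11:22:33:44:03"),   # learned on C (table now full)
        ("EFP-C", "00:11:22:33:44:04"),   # Type 1: limit exceeded; protect (silent)
        ("EFP-A", "00:11:22:33:44:05"),   # Type 1: limit exceeded; shutdown
        ("EFP-A", "00:11:22:33:44:01"),   # EFP-A is now shut: even a secured address is dropped
    ]
    results = [bd.ingress(efp, mac) for efp, mac in frames]
    return results, bd.syslog


if __name__ == "__main__":
    for line in run_scenario()[0]:
        print(line)
```

Note the difference in observability: the restrict and shutdown cases leave a SYSLOG record that a monitoring pipeline can alert on, while the protect case drops the frame with no record at all, so an address conflict on a protect-mode EFP is visible only through traffic loss or the MAC table itself.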
Configuring MAC Address Security on Service Instances and EVC Port Channels