In HCIP Datacom Campus Network security design,port securityis used to limit the number of MAC addresses that can be learned on an access interface, preventing unauthorized device access and MAC address spoofing. When the number of learned MAC addresses reaches the configured upper limit, the switch behavior depends on the configuredviolation mode.
One possible action isshutdown mode, where the switch sets the interface to an error-down state and generates an alarm. This corresponds to option A. The interface must be manually or automatically recovered before normal communication can resume. This mode provides the highest level of security and clear fault notification.
Another supported behavior isprotect mode, in which the switch silently discards packets from unknown source MAC addresses after the limit is reached. No alarms are generated in this case, which matches option C. This mode minimizes network disruption while still blocking unauthorized devices.
Therestrict modeis also supported. In this mode, the switch discards packets with unknown source MAC addresses and generates an alarm or log entry, corresponding to option D. This allows administrators to detect violations without shutting down the interface.
Option B is incorrect because when an interface enters the error-down state due to a port security violation, an alarm or log notification is always generated according to HCIP Datacom Campus Network behavior. Therefore, the valid actions are A, C, and D.