In today's network security technology, there are two main types of protection: layer 2, or Media Access Control (MAC), protection and layer 3, or Internet Protocol (IP), protection.
Layer 2 protection incorporates a feature that generates a security violation in either of two cases: when the maximum number of secure MAC addresses has been reached on a secure port and the source MAC address of the ingress traffic differs from all of the identified secure MAC addresses, or when traffic whose source is a secure MAC address already configured or learned on another secure port attempts to ingress through a different secure port. This practice is known as port security and is a recommended layer 2 security best practice.
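The two violation conditions above can be modeled in a few lines. The following is an added illustration, not code from the original text or from any switch vendor; the `PortSecurity` class, the port names, the MAC addresses, the per-port limit of 2, and the order in which the two conditions are checked are all assumptions made for the example.

```python
# Added illustration: a toy model of the two port-security violation conditions.
# Port names, MAC addresses and the per-port limit are constructed sample values.

class PortSecurity:
    def __init__(self, max_secure_macs):
        self.max_secure_macs = max_secure_macs
        self.secure = {}  # port -> set of secure MACs (configured or learned)

    def configure(self, port, mac):
        """Statically configure a secure MAC on a secure port."""
        self.secure.setdefault(port, set()).add(mac.lower())

    def ingress(self, port, src_mac):
        """Classify a frame arriving on a secure port.

        Returns 'forward', 'learned', 'violation:mac-move' or
        'violation:limit-exceeded'.
        """
        mac = src_mac.lower()
        macs = self.secure.setdefault(port, set())
        if mac in macs:
            return "forward"
        # Condition 2: MAC is already secure on a different secure port.
        for other, other_macs in self.secure.items():
            if other != port and mac in other_macs:
                return "violation:mac-move"
        # Condition 1: port is full and the source MAC is not one of its secure MACs.
        if len(macs) >= self.max_secure_macs:
            return "violation:limit-exceeded"
        macs.add(mac)  # dynamic learning while below the limit
        return "learned"


def demo():
    sw = PortSecurity(max_secure_macs=2)
    sw.configure("Gi0/1", "00:11:22:33:44:55")
    frames = [
        ("Gi0/1", "00:11:22:33:44:55"),  # configured secure MAC
        ("Gi0/1", "00:11:22:33:44:66"),  # second MAC, learned (limit reached)
        ("Gi0/1", "00:11:22:33:44:77"),  # third MAC on a full port
        ("Gi0/2", "00:11:22:33:44:55"),  # secure MAC showing up on another port
        ("Gi0/2", "AA:BB:CC:00:00:01"),  # new MAC on a port with free slots
    ]
    return [sw.ingress(port, mac) for port, mac in frames]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Both checks key on the source MAC address of the ingress frame, so they can only run on a device that actually sees that address.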
When layer 3 routing is pushed to the access layer, the access switches that are not directly connected to the end device see the IP addresses, and not the MAC addresses, of connected devices, because the routing protocols distribute only the IP addresses. While this allows layer 3 IP protection protocols to be in effect, it breaks the layer 2 protection security protocols. Pushing routing to the access layer has another undesired side effect: it eliminates the possibility of the network infrastructure devices (like switches) present in the earlier layer 2 network (before routing was pushed to the access layer) validating the binding of the source MAC address and source IP address for the data traffic and identifying conditions when an IP address is, for example, being spoofed.