switchport port-security maximum [n]
Sets the maximum number of secure MAC addresses allowed on a switch port, limiting the number of devices that can connect through that port.
When to Use This Command
- Limit an access port to a single device (e.g., a user PC) to prevent unauthorized hubs or switches from being connected.
- Allow up to 10 devices on a port used for a small office or conference room with multiple devices.
- Restrict a trunk port to a specific number of VLANs or devices for security in a multi-tenant environment.
- Set a maximum of 2 MAC addresses on a port connecting to a VoIP phone and a PC (phone daisy-chained).
Command Examples
Limit port to one device
Switch(config-if)# switchport port-security maximum 1
No output is generated; the command configures the port to allow only one secure MAC address. If more than one device attempts to send traffic, a security violation occurs.
Set maximum to 5 MAC addresses
Switch(config-if)# switchport port-security maximum 5
No output; the port now allows up to 5 secure MAC addresses. Any additional MAC addresses will trigger a violation.
Understanding the Output
The command itself produces no output. To verify the configuration, use 'show port-security interface [interface]'. The output includes a 'Maximum MAC Addresses' field showing the configured limit. A value of 1 means only one device is allowed; higher values allow multiple devices. If the 'Current MAC Addresses' count exceeds the maximum, a violation is logged. In a real network, you would check this to ensure the port is not allowing more devices than intended, which could indicate a security breach or misconfiguration.
CCNA Exam Tips
- Remember that the default maximum is 1 when port security is enabled, but you can change it with this command.
- The maximum value can be set from 1 to 3072, but the switch's hardware resources may limit the actual number.
- The CCNA exam may test that you must also configure 'switchport port-security' to enable the feature; this command alone does not enable it.
- Be aware that setting a maximum does not automatically set the violation mode; you must configure that separately.
Common Mistakes
- Setting a maximum without first enabling port security with 'switchport port-security' — the command is accepted but has no effect until port security is enabled.
- Setting the maximum too high, allowing too many devices and defeating the purpose of port security.
- Forgetting that the maximum includes dynamically learned MAC addresses; if you set it to 2 and have two sticky MACs, no new devices can connect.
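An offline audit for the mistakes listed above, as an added example that is not part of the original page: it parses a running-config excerpt and flags ports where a maximum is set without the bare 'switchport port-security' line, where the maximum exceeds a local limit, or where no violation mode is configured. The sample config is constructed, and the function names and the site_limit threshold are assumptions for illustration.

```python
import re

# Constructed running-config excerpt for illustration (not from the page).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 2
!
interface GigabitEthernet0/2
 switchport port-security
 switchport port-security maximum 50
 switchport port-security violation restrict
!
interface GigabitEthernet0/3
 switchport port-security
!
"""

def parse_port_security(config):
    """Map interface name -> port-security settings found in its config block."""
    ports, current = {}, None
    for raw in config.splitlines():
        if m := re.match(r"interface\s+(\S+)\s*$", raw):
            current = ports.setdefault(
                m.group(1), {"enabled": False, "maximum": None, "violation": None})
        elif not raw.startswith(" "):
            current = None  # "!" or any global line ends the interface block
        elif current is not None:
            line = raw.strip()
            if line == "switchport port-security":
                current["enabled"] = True  # the bare command enables the feature
            elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
                current["maximum"] = int(m.group(1))
            elif m := re.fullmatch(r"switchport port-security violation (\S+)", line):
                current["violation"] = m.group(1)
    return ports

def audit(config, site_limit=10):
    """Return (interface, finding) pairs; site_limit is a hypothetical local policy."""
    findings = []
    for name, p in parse_port_security(config).items():
        if p["maximum"] is not None and not p["enabled"]:
            findings.append((name, "maximum set but port security not enabled"))
        if p["maximum"] is not None and p["maximum"] > site_limit:
            findings.append((name, "maximum above site limit"))
        if p["enabled"] and p["violation"] is None:
            findings.append((name, "violation mode not configured explicitly"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```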