Switchport port-security maximum 2

Meaning of switchport port-security maximum 2 with example lab

Switchport port security can allow or deny access based on the MAC address of the connected device. The ‘switchport port-security maximum’ command defines how many MAC addresses (that is, how many devices) are allowed on a switch port.

The ‘switchport port-security maximum 2’ command allows only two devices to be connected to the switch port. We can set the value according to our requirements.

After configuring this command, when we connect an end device such as a PC or a server, the switch learns the MAC address of that device, and it does the same for the second device that we connect to the switch port. Now, if we connect a third device, the switch blocks the connection because we have allowed only two devices on the switch port.

We can also define the behavior of the switch when a port-security violation takes place. For example, a switch can be configured to shut down the port if a security breach happens.

Meaning of switchport port-security maximum 1

The above command does the same thing, however it allows only one device to be attached to the switch port, so another device with a different MAC address will not be allowed to connect.

After configuring the switch with the command ‘switchport port-security maximum 2’, we can verify the configuration with the following command.

Switch#show port-security interface fastEthernet 0/1

Lots of important information is available in the output.

We can see that port security is enabled and that the status of the port is secure and up.

Violation mode is set to shutdown.

The maximum number of MAC addresses allowed is 2.

The security violation count is 0, which means that no violation has happened so far; if a violation happens, we will see the count increase.

Example lab

In the practice lab, we can configure a switch with port security using the command ‘switchport port-security maximum 2’.

Now, we can connect two devices to the same switch port, and we should be able to use both devices successfully on the configured switch port. Next, we disconnect these devices and connect any other device; this time the switch should reject the connection.

This lab scenario does not work in Packet Tracer; we either have to emulate a switch in GNS3 or use a real Cisco switch to practice this.
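The lab above written out as a Cisco IOS configuration, added here as an example and not taken from the original post. The hostname Switch and the interface FastEthernet 0/1 are assumed, and the show output is a constructed sample showing the fields discussed above rather than a capture from a real switch.

```cisco
! Added example (assumes hostname Switch and interface FastEthernet 0/1)
Switch# configure terminal
! Optional: let err-disabled ports recover automatically after the default timer
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# interface fastEthernet 0/1
! Port security requires a static access (or trunk) port, not a dynamic one
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Allow at most two learned MAC addresses on this port
Switch(config-if)# switchport port-security maximum 2
! On a third MAC address, err-disable (shut down) the port and log the event
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# end

! Verify before any violation (constructed sample output)
Switch# show port-security interface fastEthernet 0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Maximum MAC Addresses      : 2
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Security Violation Count   : 0

! Which MAC addresses the port has learned so far
Switch# show port-security address

! After the third device in the lab, Port Status shows Secure-shutdown and the
! violation count is 1. Bounce the interface to bring it back (or wait for
! errdisable recovery configured above).
Switch# configure terminal
Switch(config)# interface fastEthernet 0/1
Switch(config-if)# shutdown
Switch(config-if)# no shutdown
Switch(config-if)# end
```

The violation is also reported by syslog, so the switch logs are a good place to watch for unexpected devices appearing on a secured port.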
