A network administrator configures the port security feature on a switch. The security policy specifies that each access port should allow up to two MAC addresses. When the maximum number of MAC addresses is reached, a frame with the unknown source MAC address is dropped and a notification is sent to the syslog server. Which security violation mode should be configured for each access port?
- warning
- restrict
- shutdown
- protect
Explanation & Hint:
The port security violation mode that fits the security policy described by the network administrator is restrict. In restrict mode, once the maximum number of allowed MAC addresses has been learned on the port, the port keeps forwarding traffic for the MAC addresses it already knows, drops frames whose source MAC address is unknown, and increments the port's security violation counter. It also generates a syslog message for each violation, which is what allows the notification to reach the syslog server. Here's a brief explanation of each violation mode for clarity:
Given the requirements for the security policy—dropping frames with unknown source MAC addresses upon reaching the limit and sending a notification without shutting down the port—the correct mode to use is restrict.
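The configuration that implements this policy on a Cisco IOS switch, shown as an added example rather than part of the original question. The interface name, the syslog server address (192.0.2.10, from the documentation range) and the second interface used to show the contrast with protect mode are assumptions; the port-security commands themselves are standard IOS syntax.

```cisco
! Syslog destination (placeholder address) so violation messages leave the switch
logging host 192.0.2.10
logging trap informational

! Correct configuration for the stated policy: two MACs, drop unknown sources,
! keep the port up, count and log each violation
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict

! Contrast: protect mode also drops unknown sources and keeps the port up,
! but it neither increments the violation counter nor sends a syslog message,
! so it would fail the notification requirement
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation protect
```

To verify the applied mode, the learned-address count and the violation counter, use `show port-security interface GigabitEthernet0/1`; the `Violation Mode` line should read `Restrict` and the `Security Violation Count` should increase as unknown source MACs are dropped. With `shutdown` mode the same event would instead put the port into err-disabled state, which the policy explicitly does not want.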