Why does port security learn new MAC addresses when max-mac-count is reached?

Steven_zhang | Created at: Dec 11, 2019 13:34:02 | Updated at: Dec 11, 2019 13:34:08

Question:

Why does the switch still learn new MAC addresses on a port when the user configures one static MAC address on that port, enables port security, and sets max-mac-count to 1?


For example,

Console#con
Console(config)#mac-address-table static 20-6A-8A-1C-96-C1 interface ethernet 1/1 vlan 1
Console(config)#interface ethernet 1/1
Console(config-if)#port security
Console(config-if)#port security max-mac-count 1
Console(config-if)#end


The switch can still learn one MAC address when the client sends traffic into port 1:

Console#show mac-address-table
Interface MAC Address       VLAN Type     Life Time
--------- ----------------- ---- -------- -----------------
  CPU      70-72-CF-C8-56-4F    1 CPU      Delete on Reset
  
  Eth 1/ 1 20-6A-8A-1C-96-C1    1 Config   Permanent
Console#


Solution:

This is the normal behavior of port security max-mac-count: the limit applies only to dynamically learned MAC addresses. The static address configured with mac-address-table static is not counted against it and stays in the table.



If the user does not want port security to learn any new MAC addresses on the port, set max-mac-count to 0.

With max-mac-count 0, only incoming traffic whose source address is already stored in the static address table is accepted.
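The counting rule described in the solution, as an added toy model for illustration (not the switch's own code; the PortSecurity class, its method and its return labels are assumptions). It shows that static entries never consume the dynamic limit, that max-mac-count 1 admits exactly one extra learned source, and that max-mac-count 0 admits only static sources:

```python
"""Toy model of the port-security behaviour described above.
Added example, not switch firmware: max-mac-count bounds only dynamically
learned entries, static entries never count against it, and a limit of 0
admits only sources already present as static entries."""
from dataclasses import dataclass, field


@dataclass
class PortSecurity:
    max_mac_count: int                          # 'port security max-mac-count N'
    static: set = field(default_factory=set)    # 'mac-address-table static ...'
    learned: set = field(default_factory=set)   # dynamically learned entries

    def ingress(self, src_mac: str) -> str:
        """Classify one frame by its source MAC.

        Returns 'static' (matches a static entry), 'known' (already learned),
        'learned' (newly learned under the dynamic limit) or 'dropped'
        (limit reached, or limit is 0 and the source is not static)."""
        mac = src_mac.upper()
        if mac in self.static:
            return "static"         # static entry: accepted, never counted
        if mac in self.learned:
            return "known"          # already occupies a dynamic slot
        if len(self.learned) < self.max_mac_count:
            self.learned.add(mac)   # room left under the dynamic limit
            return "learned"
        return "dropped"            # dynamic limit exhausted


def simulate(max_mac_count: int, static_macs, frames) -> list:
    """Run a sequence of source MACs through one port and return the verdicts."""
    port = PortSecurity(max_mac_count, {m.upper() for m in static_macs})
    return [port.ingress(m) for m in frames]


if __name__ == "__main__":
    # Constructed sample: the static MAC from the article plus two unknown hosts.
    static = ["20-6A-8A-1C-96-C1"]
    frames = ["20-6A-8A-1C-96-C1", "00-11-22-33-44-55", "00-11-22-33-44-55", "66-77-88-99-AA-BB"]
    print("max-mac-count 1:", simulate(1, static, frames))
    print("max-mac-count 0:", simulate(0, static, frames))
```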