Errdisable Recovery on Cisco Switches

Errdisable recovery is a feature that helps network administrators to recover the err-disabled state to enable state. In this lesson we will learn, how to configure Err-disabled auto-recovery in Cisco catalyst switches.

Err-disabled Recovery

Before going into details, first we should understand what is error-disabled state of an interface. Errdisabled is a feature on Cisco switches, which automatically disable an interface on certain condition. When it happens, no traffic will be passed through that port unless you manually shutdown and then no shutdown.

Cisco-SW#show interfaces status

Port      Name               Status          Vlan       Duplex  Speed Type
Gi0/0                        connected       10           auto   auto unknown
Gi0/1                        disabled          1            auto   auto unknown
Gi0/2                        disabled          1            auto   auto unknown
Gi0/3                        err-disabled 10           auto   auto unknown
Gi0/4                        disabled          1            auto   auto unknown
Gi0/5                        disabled          1            auto   auto unknown

So, what is the reason for an interface to go Errdisabled state? There is lots of reason to go Err-disabled like- UDLD failure, a broadcast storm or port-security violation, etc. In our LAB setup, we have configured port-security, so that when port-security violation occur, it can go Error-disabled state. Below are the current configuration of interface gig0/3.

Advertisements
Cisco-SW#show running-config interface gigabitEthernet 0/3
Building configuration...

Current configuration : 332 bytes
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security
end

So, whenever more than 2 MAC address hits gig0/3 interface, it goes err-disabled mode.

*Jun 12 09:38:11.586: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Jun 12 09:38:11.593: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port GigabitEthernet0/3.
*Jun 12 09:38:12.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
*Jun 12 09:38:13.594: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down

Until, we do the shutdown and no shutdown manually, it will remain err-disable state and no traffic will pass through even for permitted host.

Cisco-SW#show interfaces gigabitEthernet 0/3
GigabitEthernet0/3 is down, line protocol is down (err-disabled)
  Hardware is iGbE, address is 0c06.eb8e.8803 (bia 0c06.eb8e.8803)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set

We can automatically enable this interface using Err-disabled Recovery feature. By default, recovery for all ErrDisable causes are disabled. We need to enable them as per requirements. We have below options to enable auto-recovery.

Cisco-SW#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
link-monitor-failure         Disabled
loopback                     Disabled
oam-remote-failure           Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
storm-control                Disabled
udld                         Disabled
unicast-flood                Disabled
vmps                         Disabled
psp                          Disabled
dual-active-recovery         Disabled
evc-lite input mapping fa    Disabled
Recovery command: "clear     Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

In our case, it is PSECURE_VIOLATION. So, we will enable recovery for psecure-violation only. This is lab environment, so to make recovery faster we will configure recovery timer 30 seconds.

Cisco-SW(config)#errdisable recovery cause psecure-violation
Cisco-SW(config)#errdisable recovery interval 30

Now, let’s check recovery reason and status again by using show errdisable recovery command.

Advertisements
Cisco-SW#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
link-monitor-failure         Disabled
loopback                     Disabled
oam-remote-failure           Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
storm-control                Disabled
udld                         Disabled

Interface       Errdisable reason       Time left(sec)
---------       -----------------       --------------
unicast-flood                Disabled
vmps                         Disabled
psp                          Disabled
dual-active-recovery         Disabled
evc-lite input mapping fa    Disabled
Recovery command: "clear     Disabled

Timer interval: 30 seconds

Interfaces that will be enabled at the next timeout:

Interface       Errdisable reason       Time left(sec)
---------       -----------------       --------------
Gi0/3          psecure-violation          23

It’s clearly showing psecure-violation is enabled. If needed, you can enable for all reason using below command-

errdisable recovery cause all

After 23 seconds, we have seen interface is up again.

*Jun 12 15:30:16.575: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
*Jun 12 15:30:17.582: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up

You can learn more about Errdisable Recovery from Cisco TechNotes.

Leave a Comment

Your email address will not be published. Required fields are marked *

4 thoughts on “Errdisable Recovery on Cisco Switches”

  1. I`m designing cisco9300 L2 LAN network for mission critical network, should i enable errdisable recovery all

Scroll to Top