Errdisable recovery is a feature that lets a network administrator bring an interface from the err-disabled state back to the enabled state automatically. In this lesson we will learn how to configure err-disabled auto-recovery on Cisco Catalyst switches.
Before going into details, we should first understand what the error-disabled state of an interface is. Errdisable is a feature on Cisco switches that automatically disables an interface when a certain condition is detected. Once that happens, no traffic passes through the port until you manually shut it down and bring it back up with shutdown followed by no shutdown.
Cisco-SW#show interfaces status
Port      Name               Status       Vlan       Duplex  Speed Type
Gi0/0                        connected    10         auto    auto  unknown
Gi0/1                        disabled     1          auto    auto  unknown
Gi0/2                        disabled     1          auto    auto  unknown
Gi0/3                        err-disabled 10         auto    auto  unknown
Gi0/4                        disabled     1          auto    auto  unknown
Gi0/5                        disabled     1          auto    auto  unknown
So, what makes an interface go into the err-disabled state? There are many possible reasons, such as a UDLD failure, a broadcast storm or a port-security violation. In our lab setup we have configured port-security, so that a port-security violation puts the port into the error-disabled state. Below is the current configuration of interface gig0/3.
Cisco-SW#show running-config interface gigabitEthernet 0/3
Building configuration...

Current configuration : 332 bytes
!
interface GigabitEthernet0/3
 switchport access vlan 10
 switchport mode access
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security
end
No violation mode is configured, so the default mode (shutdown) applies: whenever more than 2 MAC addresses are seen on interface gig0/3, the port goes into err-disabled mode.
*Jun 12 09:38:11.586: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Jun 12 09:38:11.593: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port GigabitEthernet0/3.
*Jun 12 09:38:12.587: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to down
*Jun 12 09:38:13.594: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
Until we do the shutdown and no shutdown manually, the port remains in the err-disabled state and no traffic passes through it, even for the permitted hosts.
Cisco-SW#show interfaces gigabitEthernet 0/3
GigabitEthernet0/3 is down, line protocol is down (err-disabled)
  Hardware is iGbE, address is 0c06.eb8e.8803 (bia 0c06.eb8e.8803)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
We can re-enable this interface automatically using the Errdisable Recovery feature. By default, recovery is disabled for every ErrDisable cause; we enable it per cause as required. The causes for which auto-recovery can be enabled are listed below.
Cisco-SW#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
link-monitor-failure         Disabled
loopback                     Disabled
oam-remote-failure           Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Disabled
security-violation           Disabled
sfp-config-mismatch          Disabled
storm-control                Disabled
udld                         Disabled
unicast-flood                Disabled
vmps                         Disabled
psp                          Disabled
dual-active-recovery         Disabled
evc-lite input mapping fa    Disabled
Recovery command: "clear     Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:
In our case the cause is PSECURE_VIOLATION, so we will enable recovery for psecure-violation only. This is a lab environment, so to make recovery faster we will set the recovery timer to 30 seconds.
Cisco-SW(config)#errdisable recovery cause psecure-violation
Cisco-SW(config)#errdisable recovery interval 30
Now, let’s check the recovery reason and status again with the show errdisable recovery command.
Cisco-SW#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
arp-inspection               Disabled
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
dhcp-rate-limit              Disabled
dtp-flap                     Disabled
gbic-invalid                 Disabled
inline-power                 Disabled
l2ptguard                    Disabled
link-flap                    Disabled
mac-limit                    Disabled
link-monitor-failure         Disabled
loopback                     Disabled
oam-remote-failure           Disabled
pagp-flap                    Disabled
port-mode-failure            Disabled
pppoe-ia-rate-limit          Disabled
psecure-violation            Enabled
security-violation           Disabled
sfp-config-mismatch          Disabled
storm-control                Disabled
udld                         Disabled
unicast-flood                Disabled
vmps                         Disabled
psp                          Disabled
dual-active-recovery         Disabled
evc-lite input mapping fa    Disabled
Recovery command: "clear     Disabled

Timer interval: 30 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Gi0/3          psecure-violation      23
It clearly shows that recovery for psecure-violation is enabled. If needed, you can enable recovery for all reasons with the command below. Keep in mind that recovery only clears the err-disabled state: if the condition that triggered it is still present, the port will be err-disabled again after it comes back up.
errdisable recovery cause all
After the remaining 23 seconds, we saw the interface come up again.
*Jun 12 15:30:16.575: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to up
*Jun 12 15:30:17.582: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/3, changed state to up
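A defender-side check that follows from this behaviour, added here as example code (not from the original post or from Cisco): once auto-recovery is enabled for psecure-violation, a port whose extra device is still attached is re-enabled after every interval and then err-disabled again, so the same %PM-4-ERR_DISABLE message repeats. The script parses those messages and the matching %PORT_SECURITY-2-PSECURE_VIOLATION lines from a syslog feed, reports which MAC addresses triggered port-security, and flags ports that cycle repeatedly; the sample log is constructed in the message formats shown above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog in the formats shown above (stamps and second MAC are made up).
SAMPLE_LOG = """\
*Jun 12 09:38:11.586: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Jun 12 09:38:11.593: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6802 on port GigabitEthernet0/3.
*Jun 12 09:38:45.210: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Jun 12 09:38:45.220: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6803 on port GigabitEthernet0/3.
*Jun 12 09:39:18.400: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/3, putting Gi0/3 in err-disable state
*Jun 12 10:02:00.000: %PM-4-ERR_DISABLE: link-flap error detected on Gi0/7, putting Gi0/7 in err-disable state
"""

ERR_DISABLE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): %PM-4-ERR_DISABLE: "
    r"(?P<cause>[\w-]+) error detected on (?P<port>[^,\s]+),")
VIOLATION_RE = re.compile(r"PSECURE_VIOLATION: .*caused by MAC address "
                          r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<port>[A-Za-z]+[\d/]+)")

def parse_errdisable_events(log_text):
    """Return one (timestamp, port, cause) tuple per %PM-4-ERR_DISABLE line."""
    events = []
    for line in log_text.splitlines():
        m = ERR_DISABLE_RE.match(line)
        if m:  # the syslog stamp carries no year; strptime fills in 1900, fine for deltas
            events.append((datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f"), m["port"], m["cause"]))
    return events

def offending_macs(log_text):
    """Map full port name -> set of MAC addresses that triggered port-security."""
    macs = defaultdict(set)
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            macs[m["port"]].add(m["mac"])
    return dict(macs)

def flapping_ports(events, threshold=3, window_sec=300):
    """(port, cause) -> count for ports err-disabled >= threshold times for one cause within window_sec."""
    by_key = defaultdict(list)
    for ts, port, cause in events:
        by_key[(port, cause)].append(ts)
    flagged = {}
    for key, stamps in by_key.items():
        stamps.sort()
        if any((stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_sec
               for i in range(len(stamps) - threshold + 1)):
            flagged[key] = len(stamps)
    return flagged
```

A port flagged this way still has the offending device behind it, which is what to investigate rather than raising the recovery interval.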
You can learn more about Errdisable Recovery from Cisco TechNotes.
I'm designing a Cisco 9300 L2 LAN network for a mission-critical network; should I enable errdisable recovery all?
This varies based on your requirements and the nature of the problems you’re facing.
Well Explained.
Thank You
Thanks Tayyab 🙂