How to re-enable an Errdisable port?
Bridging & Switching, Security — By CCIETalk on September 25, 2008 at 5:34 pm
So you have configured port-security on one of your ports, and we all know that by default, if a violation occurs, the port is put into the shutdown (err-disabled) state. One way to get the port back up is to do a manual shut/no shut on it. In today's world, this might become an administrative nightmare.
What you can also do is configure automatic recovery of the port by using the global config command "errdisable". This will let you define a "cause" and then modify the interval. Let's take a look at all the "causes" or "errors" that we can recover the port from:
RSRack1SW1(config)#errdisable recovery cause ?
all Enable timer to recover from all error causes
arp-inspection Enable timer to recover from arp inspection error disable state
bpduguard Enable timer to recover from BPDU Guard error
channel-misconfig Enable timer to recover from channel misconfig error
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error
dtp-flap Enable timer to recover from dtp-flap error
gbic-invalid Enable timer to recover from invalid GBIC error
inline-power Enable timer to recover from inline-power error
l2ptguard Enable timer to recover from l2protocol-tunnel error
link-flap Enable timer to recover from link-flap error
loopback Enable timer to recover from loopback error
mac-limit Enable timer to recover from mac limit disable state
pagp-flap Enable timer to recover from pagp-flap error
port-mode-failure Enable timer to recover from port mode change failure
psecure-violation Enable timer to recover from psecure violation error
security-violation Enable timer to recover from 802.1x violation error
sfp-config-mismatch Enable timer to recover from SFP config mismatch error
small-frame Enable timer to recover from small frame error
storm-control Enable timer to recover from storm-control error
udld Enable timer to recover from udld error
vmps Enable timer to recover from vmps shutdown error
In my case, I was working with a port-security violation, so I picked the psecure-violation option. Once you choose the cause, you can also specify the number of seconds after which the port will be enabled. Pretty cool, eh?
RSRack1SW1(config)#errdisable recovery cause psecure-violation
RSRack1SW1(config)#errdisable recovery interval ?
<30-86400> timer-interval(sec)
RSRack1SW1(config)#errdisable recovery interval 60
I think this is pretty neat and worth thinking about when you are dealing with port-security in the real network.
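The recovery timer brings the port back up whether or not the offending device is still attached, so a port that keeps cycling between err-disable and recovery deserves a closer look. The following is an added example, not part of the original post, that scans switch syslog for that pattern; the log lines are constructed samples, and the function name and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the original page); the wording
# follows the usual Catalyst %PM-4-ERR_DISABLE / %PM-4-ERR_RECOVER messages.
SAMPLE_LOG = """\
Sep 25 17:30:01: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
Sep 25 17:31:01: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/5
Sep 25 17:31:04: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
Sep 25 17:32:04: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Fa0/5
Sep 25 17:32:09: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/5, putting Fa0/5 in err-disable state
Sep 25 17:40:00: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Sep 25 17:41:00: %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Fa0/7
"""

DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
RECOVER = re.compile(
    r"%PM-4-ERR_RECOVER: Attempting to recover from (\S+) err-disable state on (\S+)"
)

def recurring_violations(log_text, threshold=2):
    """Return {(port, cause): count} for ports that were err-disabled again
    after an automatic recovery at least `threshold` times (hypothetical helper)."""
    recovered = set()            # (port, cause) pairs brought back by the timer
    relapses = defaultdict(int)  # err-disable events that followed a recovery
    for line in log_text.splitlines():
        m = RECOVER.search(line)
        if m:
            recovered.add((m.group(2), m.group(1)))
            continue
        m = DISABLE.search(line)
        if m:
            key = (m.group(2), m.group(1))
            if key in recovered:
                relapses[key] += 1
                recovered.discard(key)
    return {k: n for k, n in relapses.items() if n >= threshold}

if __name__ == "__main__":
    for (port, cause), n in recurring_violations(SAMPLE_LOG).items():
        print(f"{port}: {cause} re-triggered {n} times after auto-recovery")
```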
Tags: CCIE, errdisable, Port Security, psecure-violation
4 Comments
I really like this feature, best tool to find out who wants to build their own network by putting in a foreign switch…
Is this applicable if the client/supplicant connects through an AP?
I have not tested that. You are more than welcome to take a stab at it.
Very useful tips.. thanks a lot..