Errdisable is an extremely cool feature on Cisco switches that places a port into a disabled state when certain errors are detected on it. There are many reasons a port can be disabled:
- Duplex mismatch
- Port channel misconfiguration
- BPDU guard violation
- UniDirectional Link Detection (UDLD) condition
- Link-flap detection
- Security violation
- Port Aggregation Protocol (PAgP) flap
- DHCP snooping rate-limit
- Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
The beauty of this feature is that if I screw something up, or if, for example, I configure port security and there's an error, it will shut down the port so that horrible things like loops or security violations are not allowed. By default, errdisable shuts down the port, and it takes a manual shut/no shut of the port to bring it back.
Finding out which ports were put into errdisable and why
It is very frustrating to see ports come online and then get shut off for some unknown reason. We can find out why they were shut off with a few simple commands.
To find out which ports might be having errdisable problems, we can run:
show interfaces status err-disabled
This command will show us all ports that are currently shut down due to errdisable and the reason why. You can also get more specific with:
show interfaces gig 1/0/12 status err-disabled
to get information for just that port.
You can of course also see what is happening through the logs or syslog, which will show something like this:
%SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet4/1 with BPDU Guard enabled. Disabling port.
Auto Recovery options
So how can we make this a temporary setting? Say I am putting a switch in a school, and I want to make sure that if someone plugs in another switch and I see a BPDU, the port shuts down and then comes back online after x amount of time. There are two parts to that problem. First, you have to set BPDU Guard on the port or the whole switch. Once that is set up, a port that receives a BPDU will automatically be put into the err-disable state. Second, to bring it out of that state automatically, we have to modify the errdisable recovery option and the cause option (unless we want all causes to automatically come back up, which might not be good). There are a few commands to help us figure out what has been set already:
show errdisable recovery
This command will report back to you any recovery options that have been set, and the default recovery value of 300 seconds.
show errdisable detect
This command will show you whether each error cause is being detected. By default, all causes should be detected.
So, let's say I only want BPDU guard to recover itself after 60 seconds. This is what I would do:
config t
errdisable recovery cause bpduguard
errdisable recovery interval 60
This will effectively enable recovery only for BPDUguard, and will change ALL recovery times to 60 seconds.
The following is the show recovery after the change:
Errdisable is a great feature that Cisco implements in almost all of their switches. It can really save some pain if you incorrectly configure an EtherChannel, or have a bad cable that is sending a ton of CRC errors.
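With recovery enabled for bpduguard, a port that still has a switch plugged into it will trip BPDU Guard again after each recovery interval, so repeated trips on the same port are worth alerting on. The Python below is an added example, not from the original post: it counts BPDU Guard messages per port from syslog. The message text is the one quoted above; the "timestamp hostname" prefix, the sample lines, the function name and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the BPDU Guard message quoted in the post. The optional "-SP" part
# lets it also match platforms that log %SPANTREE-2-BLOCK_BPDUGUARD.
BPDUGUARD = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) .*%SPANTREE(?:-\w+)?-2-BLOCK_BPDUGUARD: "
    r"Received BPDU on port (?P<port>\S+) with BPDU Guard enabled"
)

def repeat_offenders(lines, window_s=600, threshold=3):
    """Return {(host, port): count} for ports that tripped BPDU Guard at
    least `threshold` times inside any sliding window of `window_s` seconds."""
    trips = defaultdict(list)
    for line in lines:
        m = BPDUGUARD.search(line)
        if m:
            trips[(m["host"], m["port"])].append(datetime.fromisoformat(m["ts"]))
    flagged = {}
    for key, times in trips.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            # Shrink the window from the left until it spans <= window_s.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged

# Constructed sample log (assumed "<ISO timestamp> <hostname> <message>" layout).
MSG = "%SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port {} with BPDU Guard enabled. Disabling port."
SAMPLE = [
    "2024-03-04T09:00:05 sw-lab1 " + MSG.format("GigabitEthernet4/1"),
    "2024-03-04T09:01:10 sw-lab1 " + MSG.format("GigabitEthernet4/1"),
    "2024-03-04T09:02:15 sw-lab1 " + MSG.format("GigabitEthernet4/1"),
    "2024-03-04T09:05:00 sw-lab1 " + MSG.format("GigabitEthernet4/7"),
    "2024-03-04T09:06:00 sw-lab1 some unrelated log line",
    "2024-03-04T09:30:00 sw-lab1 " + MSG.format("GigabitEthernet4/1"),
]

if __name__ == "__main__":
    for (host, port), count in repeat_offenders(SAMPLE).items():
        print(f"{host} {port}: {count} BPDU Guard trips within 10 minutes")
```

A port flagged here is one to leave err-disabled and investigate in person rather than let it keep cycling.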