Posts Tagged ‘errdisable’

Configuring errdisable behaviour

Thursday, February 19th, 2009

When was the first time you learned that errdisable exists? Here is a short introduction!

I learned this the hard way: I had a network set up in a lab when a port shut down and never came up again… You can say I am glad I learned about it before that happened in the field, but do you know what it is and how you can configure it?

What is errdisable?
Errdisable is a mechanism in Cisco equipment that shuts down or suspends a network port when it detects a problem, for example looping traffic, unidirectional traffic and various other causes. This renders the port useless: no traffic is passed over it, and the LED on the switch or router turns orange.

To determine if a port is in errdisable state you can issue the command:

Switch#sh int gigabitEthernet 1/0/25 status
Port Name Status Vlan Duplex Speed Type
Gi1/0/25 mynetwork err-disabled 1 auto auto 1000BaseSX SFP

Additionally, to see all errdisabled interfaces that will be re-enabled, you can use

Switch# show errdisable recovery

This command shows all errdisable causes for which recovery is enabled, and all interfaces that will be re-enabled at the next timeout.

To configure errdisable recovery, you use the errdisable recovery command:

Switch#conf t
Switch(config)#errdisable recovery cause bpduguard

That command enables recovery for the bpduguard (STP loop) cause.

errdisable recovery timer

Switch(config)#errdisable recovery interval 30

This sets a 30 second interval between timeouts; at every timeout cycle, all interfaces that are shut down because of errdisable will be re-enabled.

If the reason for the errdisable status persists, the interface will be shut down and set to status errdisable again. If you set the timeout too low, you may use a lot of CPU because the interface will effectively be flapping.

Locking Down Network Ports from IOS

Sunday, October 26th, 2008

Someone connecting to your network can cause serious damage if you are sloppy with security.

Port security on switches is very flexible. First, show the status of port security:

Switch#show port-security interface Gi0/19
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : 001b.53b1.ffff:20
Security Violation Count : 181

Port security is disabled, and the violation mode is shutdown, which means that the port should be shut down if port security is tripped. There are

Let us limit this port to one MAC address, and if we see more than one, shut down the port.

Switch#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int gi 0/19
Switch(config-if)#switchport port-security maximum 1
Switch(config-if)#switchport port-security violation shutdown
Switch(config-if)#switchport port-security
11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state
11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.
11:31:18: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
11:31:19: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down

What happened here? First we limited the port to a maximum of one MAC address, then we configured that if this is violated the port should be shut down. Finally we turned on port security.
As you can see, the port immediately went into an errdisable state for a security violation.

Storm control can be used to limit the amount of broadcast, unicast or multicast traffic on a port.
To show the status of storm control:

Switch#show storm-control gigabitEthernet 0/19
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------

A typical broadcast storm can look like this

Switch#show interface gigabitEthernet 0/19 | i rate
Queueing strategy: fifo
5 minute input rate 106111000 bits/sec, 207129 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec

I have over 100mbit input traffic, and nothing output. I can try to apply storm-control that will shut down the port if the amount of broadcast traffic reaches 100mbit.

Switch#conf t
Switch(config)#interface gigabitEthernet 0/19
Switch(config-if)#storm-control action shutdown
Switch(config-if)#storm-control broadcast level bps 100000000
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/19, putting Gi0/19 in err-disable state
2d10h: %STORM_CONTROL-3-SHUTDOWN: A packet storm was detected on Gi0/19. The interface has been disabled.
2d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/19, changed state to down
2d10h: %LINK-3-UPDOWN: Interface GigabitEthernet0/19, changed state to down

The interface went straight into errdisable due to the huge amount of broadcast traffic we were receiving.
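As an added example (not part of either post), the following Python parses the %PM-4-ERR_DISABLE and %PORT_SECURITY-2-PSECURE_VIOLATION syslog messages shown above into structured events and flags ports that keep tripping after every recovery timeout, which is the flapping the first post warns about. The sample log is constructed from the lines in the posts; the repeated storm-control trip on Gi0/20 is assumed.

```python
import re
from collections import Counter

# Message formats taken from the IOS log lines shown in the two posts above.
ERR_DISABLE_RE = re.compile(
    r"%PM-4-ERR_DISABLE: (?P<cause>[\w-]+) error detected on (?P<intf>\S+),")
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .* MAC address "
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) on port (?P<intf>[A-Za-z]+[\d/]+)")

def short_name(intf):
    """Map 'GigabitEthernet0/19' to the 'Gi0/19' form used in ERR_DISABLE lines."""
    return re.sub(r"^([A-Z][a-z])[A-Za-z]*", r"\1", intf)

def parse_errdisable_events(lines):
    """One dict per err-disable event: interface, cause and, for port-security
    violations, the offending MAC taken from the companion violation message."""
    events = []
    for line in lines:
        m = ERR_DISABLE_RE.search(line)
        if m:
            events.append({"intf": m.group("intf"), "cause": m.group("cause"), "mac": None})
            continue
        m = PSECURE_RE.search(line)
        if m:
            # IOS logs PM-4-ERR_DISABLE first and the violation detail second,
            # so attach the MAC to the latest psecure event on that port.
            intf = short_name(m.group("intf"))
            for ev in reversed(events):
                if ev["intf"] == intf and ev["cause"] == "psecure-violation":
                    ev["mac"] = ev["mac"] or m.group("mac")
                    break
    return events

def flapping_interfaces(events, threshold=3):
    """Ports err-disabled at least `threshold` times: the cause persists and
    errdisable recovery is just bringing the port up and down again."""
    counts = Counter(ev["intf"] for ev in events)
    return {intf for intf, n in counts.items() if n >= threshold}

# Constructed sample: the two sequences from the posts plus a storm-control
# trip on Gi0/20 (assumed) that repeats after every recovery timeout.
SAMPLE_LOG = """\
11:31:17: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/19, putting Gi0/19 in err-disable state
11:31:17: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.53b1.ffff on port GigabitEthernet0/19.
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/20, putting Gi0/20 in err-disable state
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/20, putting Gi0/20 in err-disable state
2d10h: %PM-4-ERR_DISABLE: storm-control error detected on Gi0/20, putting Gi0/20 in err-disable state
""".splitlines()
```

Feeding a real syslog collector's output through parse_errdisable_events and then flapping_interfaces gives you both the per-port cause to act on and the ports whose recovery interval is doing more harm than good.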

You can also get the status of storm control for all interfaces:

Switch#show storm-control
Interface Filter State Upper Lower Current
--------- ------------- ----------- ----------- ----------
Gi0/19 Link Down 100m bps 100m bps 0 bps

These are two great techniques for securing your network ports; just tune them to your preference and they will bring you a lot of good.