Errdisable recovery

Switches can automatically detect error conditions on each of their ports. When an error is detected, the switch puts the port in the “errdisable” state, which disables it.

This feature is enabled by default, and several error conditions can trigger this state:

  • all: detects all possible causes
  • arp-inspection: detects errors with dynamic ARP inspection
  • bpduguard: detects when a Spanning-tree bridge-protocol data unit (BPDU) is received on a port configured with PortFast
  • dhcp-rate-limit: detects an error with DHCP snooping
  • dtp-flap: detects when trunking encapsulation is changing from one type to another
  • gbic-invalid: detects the presence of an invalid GBIC or SFP module
  • inline-power: detects an error when offering PoE inline power
  • l2ptguard: detects an error with layer2 protocol tunneling
  • link-flap: detects when the port link state is “flapping” between up and down states
  • pagp-flap: detects when ports in an EtherChannel group do not have consistent configurations
  • pppoe-ia-rate-limit: detects errors with PPPoE Intermediate Agent limiting the rate
  • psecure-violation: detects conditions that trigger security configured on a port
  • security-violation: detects 802.1X security-related errors
  • storm-control: detects when a storm control has been exceeded on a port
  • udld: detects when a link is seen to be unidirectional (data passes in one direction only)

By default, administrative intervention is required to restore the state of the port.

The interface must be shut down and turned back on (no shut) to clear the error. The root cause must be mitigated to prevent the errdisable state from reappearing.

To validate the conditions that can currently send a port to errdisable, let’s use the following command:

# sh errdisable detect

!Example:

Switch# sh errdisable detect 
ErrDisable Reason    Detection status
-----------------    ----------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
psecure-violation    Enabled
mac-limit            Enabled
unicast-flood        Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
arp-inspection       Enabled
inline-power         Enabled
packet-buffer        Enabled
transceiver-incom    Enabled

Switch#

This behavior can be globally adjusted so that only specific causes trigger the disabling of any port, for example:

Switch(config)# errdisable detect cause arp-inspection 
Switch(config)# errdisable detect cause storm-control

By default, errdisable detection is enabled for all causes, which corresponds to the following command:

Switch(config)# errdisable detect cause all

To disable a specific cause, or all of them at once, use the same command with the keyword no:

Switch(config)# [no] errdisable detect cause {all | cause-name}
 
RECOVERY

Since recovery from the errdisable state is manual by default, switches can be configured to recover ports from errdisable automatically for all or only some of the available causes. The command is as follows:

!
Switch(config)# errdisable recovery cause all

The above command enables automatic recovery for all causes; by default, the recovery timer is 300 seconds (5 minutes).

We can validate the recovery with the following command:

Switch# show errdisable recovery 
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
security-violatio    Enabled
channel-misconfig    Enabled
pagp-flap            Enabled
dtp-flap             Enabled
link-flap            Enabled
l2ptguard            Enabled
psecure-violation    Enabled
gbic-invalid         Enabled
dhcp-rate-limit      Enabled
mac-limit            Enabled
unicast-flood        Enabled
arp-inspection       Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

The recovery interval applies to all causes and all ports; the interval can be modified from a value of 30 to 86400 seconds (24 hours).

Let’s modify the auto-recovery value to 45 seconds with the following command:

Switch(config)# errdisable recovery interval 45

With the above command, the switch waits 45 seconds before removing the errdisable state from the port; if the problem occurs again, the port is put back into errdisable and the timer restarts.
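
As an added example (not part of the original article and not a Cisco tool), the following Python script parses `show errdisable recovery` output in the format shown above and lists the causes whose ports come back automatically, together with the configured interval. The sample output is constructed, and the set of causes treated as security controls worth a manual review is an assumption of this example.

```python
import re

# Assumption of this example (not from the article): causes treated as
# security controls, where automatic re-enabling deserves a manual review.
# Names are spelled as the switch prints them, truncation included.
REVIEW_CAUSES = {"bpduguard", "psecure-violation", "security-violatio",
                 "arp-inspection", "dhcp-rate-limit"}

# Constructed sample in the format of "show errdisable recovery".
SAMPLE = """\
Switch# show errdisable recovery
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Enabled
bpduguard            Enabled
psecure-violation    Disabled
link-flap            Enabled
arp-inspection       Enabled

Timer interval: 45 seconds

Interfaces that will be enabled at the next timeout:
"""

ROW = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s*$")
INTERVAL = re.compile(r"^Timer interval:\s*(\d+)\s+seconds")

def parse_recovery(text):
    """Return ({cause: timer_enabled}, interval_seconds or None)."""
    causes, interval = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := ROW.match(line)):
            causes[m.group(1)] = m.group(2) == "Enabled"
        elif (m := INTERVAL.match(line)):
            interval = int(m.group(1))
    return causes, interval

def audit(text):
    """Return (cause, interval) for each review cause that auto-recovers."""
    causes, interval = parse_recovery(text)
    return [(cause, interval) for cause in sorted(causes)
            if causes[cause] and cause in REVIEW_CAUSES]

if __name__ == "__main__":
    for cause, interval in audit(SAMPLE):
        print(f"{cause}: port re-enabled automatically after {interval}s")
```

Causes that the audit reports are the ones where the port returns to service without anyone having looked at what triggered the shutdown.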

Validation commands for the errdisable state:

Switch# show interfaces errdisable

Switch# show interfaces status

Switch# show interfaces g0/1 status

Port    Name               Status       Vlan       Duplex  Speed Type
Gi0/1                      err-disabled  10         full   1000  1000BaseT

More information:
https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol/69980-errdisable-recovery.html
