In this example we will recover from a Port Security Mac Sticky violation after 30 seconds. From the output below you can see that we can recover from multiple different types of failures.
Pre-Configuration:
Switch#
interface GigabitEthernet0/0
switchport mode access
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0050.7966.6802
switchport port-security
!
Switch#show port-security interface g0/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 1
Last Source Address:Vlan : 0050.7966.6802:1
Security Violation Count : 0
!
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0Error Disable Recovery Configuration:
Switch(config)#errdisable ?
detect Error disable detection
flap-setting Error disable flap detection setting
recovery Error disable recovery
!
Switch(config)#errdisable recovery ?
cause Enable error disable recovery for application
interval Error disable recovery timer value
!
Switch(config)#errdisable recovery cause ?
all Enable timer to recover from all error causes
arp-inspection Enable timer to recover from arp inspection error
disable state
bpduguard Enable timer to recover from BPDU Guard error
channel-misconfig Enable timer to recover from channel misconfig error
(STP)
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error
dtp-flap Enable timer to recover from dtp-flap error
gbic-invalid Enable timer to recover from invalid GBIC error
inline-power Enable timer to recover from inline-power error
l2ptguard Enable timer to recover from l2protocol-tunnel error
link-flap Enable timer to recover from link-flap error
link-monitor-failure Enable timer to recover from link monitoring failure
loopback Enable timer to recover from loopback error
mac-limit Enable timer to recover from mac limit disable state
oam-remote-failure Enable timer to recover from OAM detected remote
failure
pagp-flap Enable timer to recover from pagp-flap error
port-mode-failure Enable timer to recover from port mode change failure
pppoe-ia-rate-limit Enable timer to recover from PPPoE IA rate-limit error
psecure-violation Enable timer to recover from psecure violation error
psp Enable timer to recover from psp
security-violation Enable timer to recover from 802.1x violation error
sfp-config-mismatch Enable timer to recover from SFP config mismatch error
storm-control Enable timer to recover from storm-control error
udld Enable timer to recover from udld error
unicast-flood Enable timer to recover from unicast flood error
vmps Enable timer to recover from vmps shutdown error
!
Switch(config)#errdisable recovery cause psecure-violation
!
Switch(config)#errdisable recovery interval ?
<30-86400> timer-interval(sec)
!
Switch(config)#errdisable recovery interval 30Now we will disconnect PC-1 and connect PC-2 to port G0/0 and see the errdisable recovery take place.
Switch#
*Oct 10 06:34:38.756: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state
*Oct 10 06:34:38.759: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6803 on port GigabitEthernet0/0.
*Oct 10 06:34:39.758: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down
*Oct 10 06:34:40.776: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down
Switch#
Switch#
*Oct 10 06:35:08.748: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi0/0
*Oct 10 06:35:10.776: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up
*Oct 10 06:35:11.775: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to upVerifications:
Switch#show errdisable detect
ErrDisable Reason Detection Mode
----------------- --------- ----
arp-inspection Enabled port
bpduguard Enabled port
channel-misconfig (STP) Enabled port
community-limit Enabled port
dhcp-rate-limit Enabled port
dtp-flap Enabled port
ekey Enabled port
gbic-invalid Enabled port
iif-reg-failure Enabled port
inline-power Enabled port
invalid-policy Enabled port
l2ptguard Enabled port
link-flap Enabled port
link-monitor-failure Enabled port
loopback Enabled port
lsgroup Enabled port
oam-remote-failure Enabled port
mac-limit Enabled port
pagp-flap Enabled port
port-mode-failure Enabled port
pppoe-ia-rate-limit Enabled port
psecure-violation Enabled port
security-violation Enabled port
sfp-config-mismatch Enabled port
sgacl_limitation:enforcem Enabled port
sgacl_limitation:multiple Enabled port
storm-control Enabled port
udld Enabled port
unicast-flood Enabled port
vmps Enabled port
psp Enabled port
dual-active-recovery Enabled port
evc-lite input mapping fa Enabled port
vsl-and-non-vsl-port-pair Enabled port
Recovery command: "clear Enabled port
fasthello-and-non-fasthel Enabled port
!
Switch#show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Disabled
channel-misconfig (STP) Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
inline-power Disabled
l2ptguard Disabled
link-flap Disabled
mac-limit Disabled
link-monitor-failure Disabled
loopback Disabled
oam-remote-failure Disabled
pagp-flap Disabled
port-mode-failure Disabled
pppoe-ia-rate-limit Disabled
psecure-violation Enabled
security-violation Disabled
sfp-config-mismatch Disabled
storm-control Disabled
udld Disabled
unicast-flood Disabled
vmps Disabled
psp Disabled
dual-active-recovery Disabled
evc-lite input mapping fa Disabled
Recovery command: "clear Disabled
Timer interval: 30 seconds
Interfaces that will be enabled at the next timeout:
!
Topic discussion at CLI Warriors - Forum