In this example we will recover from a Port Security Mac Sticky violation after 30 seconds. From the output below you can see that we can recover from multiple different types of failures.
Pre-Configuration:
Switch# interface GigabitEthernet0/0 switchport mode access switchport port-security mac-address sticky switchport port-security mac-address sticky 0050.7966.6802 switchport port-security ! Switch#show port-security interface g0/0 Port Security : Enabled Port Status : Secure-up Violation Mode : Shutdown Aging Time : 0 mins Aging Type : Absolute SecureStatic Address Aging : Disabled Maximum MAC Addresses : 1 Total MAC Addresses : 1 Configured MAC Addresses : 0 Sticky MAC Addresses : 1 Last Source Address:Vlan : 0050.7966.6802:1 Security Violation Count : 0 ! ! interface Vlan1 ip address 192.168.1.1 255.255.255.0
Error Disable Recovery Configuration:
Switch(config)#errdisable ?
detect Error disable detection
flap-setting Error disable flap detection setting
recovery Error disable recovery
!
Switch(config)#errdisable recovery ?
cause Enable error disable recovery for application
interval Error disable recovery timer value
!
Switch(config)#errdisable recovery cause ?
all Enable timer to recover from all error causes
arp-inspection Enable timer to recover from arp inspection error
disable state
bpduguard Enable timer to recover from BPDU Guard error
channel-misconfig Enable timer to recover from channel misconfig error
(STP)
dhcp-rate-limit Enable timer to recover from dhcp-rate-limit error
dtp-flap Enable timer to recover from dtp-flap error
gbic-invalid Enable timer to recover from invalid GBIC error
inline-power Enable timer to recover from inline-power error
l2ptguard Enable timer to recover from l2protocol-tunnel error
link-flap Enable timer to recover from link-flap error
link-monitor-failure Enable timer to recover from link monitoring failure
loopback Enable timer to recover from loopback error
mac-limit Enable timer to recover from mac limit disable state
oam-remote-failure Enable timer to recover from OAM detected remote
failure
pagp-flap Enable timer to recover from pagp-flap error
port-mode-failure Enable timer to recover from port mode change failure
pppoe-ia-rate-limit Enable timer to recover from PPPoE IA rate-limit error
psecure-violation Enable timer to recover from psecure violation error
psp Enable timer to recover from psp
security-violation Enable timer to recover from 802.1x violation error
sfp-config-mismatch Enable timer to recover from SFP config mismatch error
storm-control Enable timer to recover from storm-control error
udld Enable timer to recover from udld error
unicast-flood Enable timer to recover from unicast flood error
vmps Enable timer to recover from vmps shutdown error
!
Switch(config)#errdisable recovery cause psecure-violation
!
Switch(config)#errdisable recovery interval ?
<30-86400> timer-interval(sec)
!
Switch(config)#errdisable recovery interval 30Now we will disconnect PC-1 and connect PC-2 to port G0/0 and see the errdisable recovery take place.
Switch# *Oct 10 06:34:38.756: %PM-4-ERR_DISABLE: psecure-violation error detected on Gi0/0, putting Gi0/0 in err-disable state *Oct 10 06:34:38.759: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.7966.6803 on port GigabitEthernet0/0. *Oct 10 06:34:39.758: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to down *Oct 10 06:34:40.776: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to down Switch# Switch# *Oct 10 06:35:08.748: %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation err-disable state on Gi0/0 *Oct 10 06:35:10.776: %LINK-3-UPDOWN: Interface GigabitEthernet0/0, changed state to up *Oct 10 06:35:11.775: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/0, changed state to up
Verifications:
Switch#show errdisable detect ErrDisable Reason Detection Mode ----------------- --------- ---- arp-inspection Enabled port bpduguard Enabled port channel-misconfig (STP) Enabled port community-limit Enabled port dhcp-rate-limit Enabled port dtp-flap Enabled port ekey Enabled port gbic-invalid Enabled port iif-reg-failure Enabled port inline-power Enabled port invalid-policy Enabled port l2ptguard Enabled port link-flap Enabled port link-monitor-failure Enabled port loopback Enabled port lsgroup Enabled port oam-remote-failure Enabled port mac-limit Enabled port pagp-flap Enabled port port-mode-failure Enabled port pppoe-ia-rate-limit Enabled port psecure-violation Enabled port security-violation Enabled port sfp-config-mismatch Enabled port sgacl_limitation:enforcem Enabled port sgacl_limitation:multiple Enabled port storm-control Enabled port udld Enabled port unicast-flood Enabled port vmps Enabled port psp Enabled port dual-active-recovery Enabled port evc-lite input mapping fa Enabled port vsl-and-non-vsl-port-pair Enabled port Recovery command: "clear Enabled port fasthello-and-non-fasthel Enabled port ! Switch#show errdisable recovery ErrDisable Reason Timer Status ----------------- -------------- arp-inspection Disabled bpduguard Disabled channel-misconfig (STP) Disabled dhcp-rate-limit Disabled dtp-flap Disabled gbic-invalid Disabled inline-power Disabled l2ptguard Disabled link-flap Disabled mac-limit Disabled link-monitor-failure Disabled loopback Disabled oam-remote-failure Disabled pagp-flap Disabled port-mode-failure Disabled pppoe-ia-rate-limit Disabled psecure-violation Enabled security-violation Disabled sfp-config-mismatch Disabled storm-control Disabled udld Disabled unicast-flood Disabled vmps Disabled psp Disabled dual-active-recovery Disabled evc-lite input mapping fa Disabled Recovery command: "clear Disabled Timer interval: 30 seconds Interfaces that will be enabled at the next timeout: !
