Switch Errdisable Recovery

February 27, 2021 - Reading time: 4 minutes

In this tutorial we look at errdisable recovery and demonstrate it on the PocketCLI Network Simulator. Errdisable recovery is a feature on Cisco switches that automatically re-enables an err-disabled port after a specified timeout period, instead of leaving the port down until an administrator intervenes.

A common cause for an interface to be placed in the err-disabled state is a port security violation. Please reference the tutorial Port Security - Configuration for more details. Without errdisable recovery, a port in the err-disabled state stays down until an administrator manually restores it by issuing the shutdown command followed by the no shutdown command on the interface.

The topology below will be used for this tutorial:

Switch0 is configured with port security on interface fastethernet 0/1:

Switch0(config)#interface fastethernet 0/1
Switch0(config-if)#switchport mode access
Switch0(config-if)#switchport port-security
Switch0(config-if)#switchport port-security mac-address sticky

Ping Host1 from Host0 so that the switch dynamically learns Host0's MAC address on fastethernet 0/1.

The sticky command binds Host0's MAC address to the port and records it in the running configuration. Because the default violation mode is shutdown, fastethernet 0/1 will now be placed in the err-disabled state as soon as a frame arrives from any other source MAC address. To trigger this, change the MAC address of Host0. In our lab, we changed the last digit of the MAC address from 4 to 3:

Pinging Host1 from Host0 once again causes fastethernet 0/1 to be shut down, since the traffic is now coming from a different source MAC address.

Examine the output of the show interfaces status command. The status for Fa0/1 is err-disabled.

Configure automatic errdisable recovery for port security violations on Switch0 by typing the command errdisable recovery cause psecure-violation in global configuration mode:

Switch0(config)# errdisable recovery cause psecure-violation

The above command enables automatic recovery for the psecure-violation cause only; other errdisable causes keep their default setting. When the timer expires the switch re-enables the port, which gives the user an opportunity to fix the issue by unplugging the offending device. If the offending device is still attached when the port comes back up, its next frame triggers a new violation and the port is err-disabled again. The default wait time is 300 seconds, or 5 minutes. Verify the configuration with the privileged EXEC command show errdisable recovery, which lists each cause, whether recovery is enabled for it, the timer interval, and any interfaces waiting to be re-enabled.

Modify the interval to 30 seconds with the global configuration command errdisable recovery interval 30 to allow for speedy testing of the feature. The interval is a single global timer shared by every enabled recovery cause, and 30 seconds is the minimum IOS accepts (the range is 30 to 86400 seconds).

Switch0(config)# errdisable recovery interval 30
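The configuration steps above, collected into one listing as an added example. This is not the page's own output: the description line and the explicit maximum and violation lines are assumptions that spell out the IOS defaults the tutorial relies on, and the comments name the show commands used to confirm each step.

```cisco
! Added example: complete Switch0 configuration for this lab.
! The description, "maximum 1" and "violation shutdown" lines restate
! IOS defaults and are assumptions, not lines from the original page.
!
! --- Interface: bind a single sticky MAC and shut the port on violation
interface FastEthernet0/1
 description Host0 access port
 switchport mode access
 switchport port-security
 ! Default maximum is 1; stated explicitly so the limit is auditable.
 switchport port-security maximum 1
 ! Default violation mode is shutdown, i.e. err-disable the port.
 ! "restrict" and "protect" drop the offending frames but keep the port
 ! up, so they never enter err-disabled and errdisable recovery does
 ! not apply to them.
 switchport port-security violation shutdown
 ! Learn the first MAC seen and write it into the running config.
 ! Sticky entries live in running-config only; save with
 ! "copy running-config startup-config" to keep them across a reload.
 switchport port-security mac-address sticky
!
! --- Global: re-enable ports err-disabled by port security
! Only the psecure-violation cause is enabled here; ports err-disabled
! for other causes (bpduguard, udld, ...) still need a manual
! shutdown / no shutdown.
errdisable recovery cause psecure-violation
! One global timer for every enabled cause. Range 30 to 86400 seconds,
! default 300. Use 30 only in a lab: a still-connected rogue device
! re-triggers the violation on each recovery, so a longer interval
! limits how often the port is re-opened to it.
errdisable recovery interval 30
!
! --- Verification (privileged EXEC)
! show errdisable recovery
!   each cause with its timer status, the interval, and the interfaces
!   that will be re-enabled at the next timeout
! show port-security interface FastEthernet0/1
!   violation mode, sticky address, violation count and port status
!   (Secure-shutdown while the port is err-disabled)
! show interfaces status
!   Fa0/1 reads err-disabled until the timer expires
```

When reading show errdisable recovery, confirm that psecure-violation shows Enabled and that Fa0/1 appears in the list of interfaces to be enabled at the next timeout with a decreasing time left; if the port is missing from that list it was err-disabled for a cause that is not enabled for recovery and must be cleared manually.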

Changing the MAC address of Host0 back to the original, A2:ED:1D:EC:A3:F4, allows it to communicate with Host1 once the interface has been recovered after the timer expires. That address is still bound to the port by the sticky entry, so no further violation occurs.

PocketCLI: errdisable recovery on Fastethernet 0/1

The above PocketCLI system message displays on the console of Switch0 when the interface changes state. You may also verify using the show interfaces status command, which should no longer show Fa0/1 as err-disabled:
