09-05-2010 05:17 PM - edited 03-09-2019 11:08 PM
Hi all,
I'm running port security on a couple of 2950s and 3550s. When I check my mac-address-table there are some static MAC addresses although I don't have any hard-coded or sticky MAC address settings. The problem is that when those ports which are showing as static go to error disable, I can't bring them back up. I tried to clear the MAC table but there is no option for static MAC addresses and it just deletes dynamic MAC addresses; the only way I can get rid of them is to restart the switch, which is a pain in a production network. Does anyone know why these ports are showing as static and how to clear them? I'm not sure if I'm doing something stupid in my configuration. Here is a sample of my configuration for each port:
interface FastEthernet0/1
description 1A
switchport mode access
switchport port-security
switchport port-security maximum 2
spanning-tree portfast
spanning-tree bpduguard enable
And also an example of some static mac addresses:
1 0004.290c.7680 DYNAMIC Gi0/1
1 000b.6a15.de79 DYNAMIC Gi0/1
1 000c.f15e.f687 DYNAMIC Gi0/1
1 0011.1162.c758 DYNAMIC Gi0/1
1 0011.11c9.835b STATIC Fa0/28
1 0012.018c.f541 DYNAMIC Gi0/1
1 0012.d92e.3195 DYNAMIC Gi0/1
1 0012.d92e.3196 DYNAMIC Gi0/1
1 0012.d92e.3197 DYNAMIC Gi0/1
1 0013.21f3.d137 STATIC Fa0/5
1 0013.21fa.cc77 STATIC Fa0/36
1 0013.21fb.ac4b DYNAMIC Gi0/1
1 0014.385c.c38e DYNAMIC Gi0/1
1 0014.c2c4.451d STATIC Fa0/3
1 0014.c2c8.f845 DYNAMIC Gi0/1
1 0015.608a.2ff0 DYNAMIC Gi0/1
1 0015.62dc.ac00 DYNAMIC Gi0/1
1 0015.62dc.ac31 DYNAMIC Gi0/1
1 0015.9948.263b STATIC Fa0/14
1 0016.3561.581d DYNAMIC Gi0/1
1 0016.35a4.f98d DYNAMIC Gi0/1
1 0016.4154.1b53 STATIC Fa0/2
1 0016.d3af.2cd0 STATIC Fa0/24
1 0019.5644.d783 DYNAMIC Gi0/1
1 0019.5644.d7c0 DYNAMIC Gi0/1
1 001b.77b2.8bde DYNAMIC Gi0/1
1 001b.7827.4b08 STATIC Fa0/7
Thanks for your help.
Regards,
Reza
09-06-2010 12:33 AM
Please share the output of "sh run interface fa0/28" and "sh run | i arp"
09-06-2010 01:23 AM
Hi,
Here is the configuration:
Current configuration : 193 bytes
!
interface FastEthernet0/28
description 30A
switchport mode access
switchport port-security
switchport port-security maximum 2
spanning-tree portfast
spanning-tree bpduguard enable
end
and also there is no output for show runn | include arp as below:
NTC-ACCESS2#show running-config | i arp
NTC-ACCESS2#
Regards,
Reza
09-06-2010 01:26 AM
With port security maximum 2, it will only allow 2 MAC addresses to be seen on that particular port.
When the port went into errdisable mode, instead of reloading the whole switch, you can do a shut/no shut on that particular port, and that would take it out of errdisable mode.
09-06-2010 01:33 AM
Unfortunately it doesn't. I've tried it many times. When the port shows as dynamic, yes, I can run shut/no shut and it will be up, but when it's static, as soon as I run "no shut" it goes to err-disable again, and also the static MAC address stays there forever until I restart the switch.
Regards,
Reza
09-06-2010 01:45 AM
Please use the "errdisable recovery" command to reenable the error discovery port.
Here is the URL for your reference:
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00806cd87b.shtml
09-06-2010 01:56 AM
I have it activated as below but it just keeps trying to bring the port back up with no result.
NTC-ACCESS2#show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
udld Enabled
bpduguard Enabled
security-violatio Enabled
channel-misconfig Enabled
vmps Enabled
pagp-flap Enabled
dtp-flap Enabled
link-flap Enabled
psecure-violation Enabled
gbic-invalid Enabled
dhcp-rate-limit Enabled
unicast-flood Enabled
loopback Enabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
NTC-ACCESS2#
Regards,
Reza
09-06-2010 02:00 AM
From the output of "show errdisable recovery", there don't seem to be any interfaces that are in the errdisable state?
09-06-2010 02:11 AM
No, there is nothing at the moment because I restarted the switch this morning, and also it happens only a couple of times every month. My question is why are those MAC addresses showing as static? The port goes to error disable when people connect new devices to those ports. For example, let's say there is a static MAC address on a port and the user connects another 2 devices to that port; in this case the port goes to errdisable despite there being only 2 MAC addresses connected to it, because with that static MAC address the switch presumes that there are 3 MACs.
Best regards,
Reza
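The slot arithmetic described in the last post, as an added example that is not part of the original thread: it parses rows of the posted MAC table and checks whether newly connected devices would push a port past `maximum 2`. It assumes, as the post presumes, that every STATIC entry on a port keeps occupying one port-security slot; the function names and the `aaaa.bbbb.*` test addresses are made up for illustration.

```python
import re
from collections import defaultdict

# Rows copied from the MAC table posted in the thread (a subset).
SAMPLE_TABLE = """\
1 0004.290c.7680 DYNAMIC Gi0/1
1 0011.11c9.835b STATIC Fa0/28
1 0012.d92e.3195 DYNAMIC Gi0/1
1 0013.21f3.d137 STATIC Fa0/5
1 0014.c2c4.451d STATIC Fa0/3
"""
MAXIMUM = 2  # "switchport port-security maximum 2" from the posted config

ROW = re.compile(
    r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(STATIC|DYNAMIC)\s+(\S+)\s*$",
    re.IGNORECASE,
)

def parse_mac_table(text):
    """Return {port: {"STATIC": {macs}, "DYNAMIC": {macs}}}; skip non-table lines."""
    table = defaultdict(lambda: {"STATIC": set(), "DYNAMIC": set()})
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            _vlan, mac, kind, port = m.groups()
            table[port][kind.upper()].add(mac.lower())
    return dict(table)

def free_slots(table, port, maximum=MAXIMUM):
    """Slots left on a port, assuming every STATIC entry occupies one (assumption)."""
    held = table.get(port, {"STATIC": set()})["STATIC"]
    return max(0, maximum - len(held))

def would_violate(table, port, new_macs, maximum=MAXIMUM):
    """True if the retained STATIC entries plus new_macs exceed the maximum."""
    held = table.get(port, {"STATIC": set()})["STATIC"]
    return len(held | {m.lower() for m in new_macs}) > maximum

def ports_holding_slots(table):
    """Sorted ports that have at least one STATIC entry."""
    return sorted(p for p, e in table.items() if e["STATIC"])

if __name__ == "__main__":
    t = parse_mac_table(SAMPLE_TABLE)
    for port in ports_holding_slots(t):
        print(port, "free slots:", free_slots(t, port))
```

Run against a saved copy of the full MAC table, this lists the ports where a retained entry already uses one of the two slots, which are the ports where plugging in two new devices ends in errdisable.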