Port goes into error disable state 3750

Answered Question
Jun 30th, 2012

Can you please help with the following

We have a number of 3750 stacks used as access layer switches connecting Siemens VOIP phones and then a PC that connects to the phone.

For example, if I plug PC A into the phone that connects to port 13, I pick up an IP address and all works as predicted. Now if I plug PC A into any other VoIP phone that connects to another port on the same switch, it goes into error-disable state. It's like the switch is holding my PC's MAC address and locks it down with the port, which in my case is Gi2/0/13.

interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

Any help is much appreciated

Karsten Iwen Sat, 06/30/2012 - 08:29

The disabling of the port is caused by port-security. The MAC is learned and kept by the switch for the port.

For these situations where PCs are roaming, you can put an idle-time on the port-security-entries:

 switchport port-security aging time 2
 switchport port-security aging type inactivity

Leo Laohoo Sat, 06/30/2012 - 20:31

> For example if I plug PC A to the phone that connects to port 13

Your configuration doesn't have any Voice VLAN.

> I plug in PC A to any other VOIP phone that connect to another port on the same switch it goes in error disable state

Can you please post the output to the command "sh interface status err"?

zeeshan.siddiqui Sun, 07/01/2012 - 04:31

Hi Karsten,

Many thanks for your response. The new config will look like:

interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

The phones work and do not reboot when I move from one phone to another.

Will the config above block a rogue switch if connected to the port?

Correct Answer
Karsten Iwen Mon, 07/02/2012 - 14:12

A switch will not be automatically blocked. But it will if more than X (with X=1 as you didn't specify any maximum in your new config) MAC-addresses are seen.

If you also want to protect your infrastructure against rogue switches you could also consider Rootguard or even BPDUguard.

zeeshan.siddiqui Sun, 07/01/2012 - 05:06

Hi leolaohoo,

The switchport voice vlan command is replaced by

network-policy 766

Please see the config for the policy below

network-policy profile 766
 voice vlan 766
 voice-signaling vlan 766 cos 3
 voice-signaling vlan 766 dscp 24

Below is the output from a test phone

HS-1FB-C3K-1#sh int status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi1/0/5                      err-disabled psecure-violation
HS-1FB-C3K-1#
HS-1FB-C3K-1#

Below is the original config I had on the ports

interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

It's like the switch holds the MAC address fixed to the switch port number; when I plug the same PC into another phone, it goes to error-disable.

Kind Regards,

Zee

Correct Answer
Leo Laohoo Sun, 07/01/2012 - 15:26

 switchport port-security maximum 2
 switchport port-security

Something is missing here ...

Ok, you've enabled port-security and you've specified up to 2 MAC addresses allowed.  My question is what will the switch DO when three or more MAC addresses are learnt from a port?  Specifically, what ACTIONS did you specify the switchport to do when this event happens.  I believe the default is "error-disable".

Add the following lines and see what happens:

 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
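
As an added example (not code from the thread or from Cisco), this Python sketch resolves the effective port-security settings of the stanzas posted above and reports what they mean for a roaming PC and for the rogue-switch question. It assumes the documented IOS defaults (feature off unless the bare `switchport port-security` line is present, maximum 1, violation shutdown, aging time 0, aging type absolute) and that each posted stanza is the port's complete configuration; the stanzas are abridged and all function and variable names are illustrative.

```python
import re

# IOS defaults that apply when a port-security sub-command is absent (assumption
# stated in the lead-in).
DEFAULTS = {"enabled": False, "maximum": 1, "violation": "shutdown",
            "aging_time": 0, "aging_type": "absolute"}

# Stanzas abridged from the thread (QoS and network-policy lines dropped).
BASE = "interface GigabitEthernet2/0/13\n switchport access vlan 726\n switchport mode access\n"
AGING = " switchport port-security aging time 2\n switchport port-security aging type inactivity\n"
ORIGINAL = BASE + " switchport port-security maximum 2\n switchport port-security\n"
NEW = BASE + AGING                      # the "new config" posted on 07/01
SUGGESTED = ORIGINAL + AGING + " switchport port-security violation restrict\n"

def effective_port_security(stanza):
    """Resolve the port-security settings an interface stanza actually yields."""
    s = dict(DEFAULTS)
    for line in stanza.splitlines():
        line = line.strip()
        if line == "switchport port-security":
            s["enabled"] = True         # only the bare command turns the feature on
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            s["maximum"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (\w+)", line):
            s["violation"] = m.group(1)
        elif m := re.fullmatch(r"switchport port-security aging time (\d+)", line):
            s["aging_time"] = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security aging type (\w+)", line):
            s["aging_type"] = m.group(1)
    return s

def audit(stanza):
    """Return findings relevant to roaming PCs and to limiting MACs per port."""
    s, findings = effective_port_security(stanza), []
    if not s["enabled"]:
        return ["port-security not enabled: no MAC limit is enforced on this port"]
    if s["aging_time"] == 0:
        findings.append("no aging: secure MACs stay bound to the port while its link is up")
    if s["violation"] == "shutdown":
        findings.append("violation shutdown: port err-disables (psecure-violation)")
    return findings

if __name__ == "__main__":
    for name, stanza in (("original", ORIGINAL), ("new", NEW), ("suggested", SUGGESTED)):
        print(name, effective_port_security(stanza), audit(stanza))
```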

Posted June 30, 2012 at 8:08 AM