
Port goes into error disable state 3750

Can you please help with the following?

We have a number of 3750 stacks used as access layer switches connecting Siemens VOIP phones and then a PC that connects to the phone.

For example, if I plug PC A into the phone that connects to port 13, I pick up an IP address and all works as predicted. Now if I plug PC A into any other VOIP phone that connects to another port on the same switch, it goes into error-disable state. It's like the switch is holding my PC MAC address and locks it down with the port, which in my case is Gi2/0/13.

interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

Any help is much appreciated

7 Replies

The disabling of the port is caused by port-security. The MAC is learned and kept by the switch for the port.

For these situations where PCs are roaming, you can put an idle-time on the port-security-entries:

 switchport port-security aging time 2
 switchport port-security aging type inactivity

Leo Laohoo
Hall of Fame

"For example if I plug PC A to the phone that connects to port 13"

Your configuration doesn't have any Voice VLAN.

"I plug in PC A to any other VOIP phone that connect to another port on the same switch it goes in error disable state"

Can you please post the output to the command "sh interface status err"?

Hi Karsten,

Many thanks for your response. The new config will look like:

interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

The phones work and do not reboot when moving from one phone to another.

Will the config above block a rogue switch if connected to the port?

A switch will not be automatically blocked. But it will if more than X (with X=1 as you didn't specify any maximum in your new config) MAC-addresses are seen.

If you also want to protect your infrastructure against rogue switches you could also consider Rootguard or even BPDUguard.

Hi leolaohoo,

The switchport voice vlan command is replaced by

 network-policy 766

Please see the config for the policy below:

network-policy profile 766
 voice vlan 766
 voice-signaling vlan 766 cos 3
 voice-signaling vlan 766 dscp 24

Below is the output from a test phone:

HS-1FB-C3K-1#sh int status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi1/0/5                      err-disabled psecure-violation
HS-1FB-C3K-1#
HS-1FB-C3K-1#

Below is the original config I had on the ports:

interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast

It's like the switch holds the MAC address fixed to the switch port number. When I plug the same PC into another phone, it goes to error disable.

Kind Regards,

Zee

 switchport port-security maximum 2
 switchport port-security

Something is missing here ...

Ok, you've enabled port-security and you've specified up to 2 MAC addresses allowed.  My question is what will the switch DO when three or more MAC addresses are learnt from a port?  Specifically, what ACTIONS did you specify the switchport to do when this event happens.  I believe the default is "error-disable".

Add the following lines and see what happens:

 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity

All,

Many thanks for your support and helping out.

Many Thanks again
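
An added example, not code from any poster in this thread or from Cisco: a small Python audit that reads IOS-style interface blocks and flags the three conditions raised in the replies above (no aging on learned MACs, the shutdown violation mode that err-disables the port, and port-security options configured without the bare `switchport port-security` line that turns the feature on). The interface names Gi2/0/14 and Gi2/0/15, the finding labels and the defaults coded in `DEFAULTS` are assumptions of this sketch.

```python
# Assumed defaults: feature off until enabled, violation "shutdown", aging off (0).
DEFAULTS = {"enabled": False, "violation": "shutdown", "aging_time": 0, "options": 0}

def parse_port_security(config):
    """Return {interface_name: settings} for every interface block."""
    ports, cur = {}, None
    for raw in config.splitlines():
        words = raw.split()
        if words and not raw[0].isspace():    # top-level line opens or closes a block
            is_if = words[0] == "interface" and len(words) > 1
            cur = ports.setdefault(words[1], dict(DEFAULTS)) if is_if else None
        elif cur is not None and words[:2] == ["switchport", "port-security"]:
            opts = words[2:]
            cur["enabled"] |= not opts        # the bare command enables the feature
            cur["options"] += bool(opts)      # count tuning lines (maximum, aging, ...)
            if opts[:1] == ["violation"] and len(opts) > 1:
                cur["violation"] = opts[1]
            elif opts[:2] == ["aging", "time"] and len(opts) > 2:
                cur["aging_time"] = int(opts[2])
    return ports

def audit(config):
    """Return {interface_name: [finding, ...]} for ports that need attention."""
    report = {}
    for name, s in parse_port_security(config).items():
        checks = [("options-without-enable", s["options"] and not s["enabled"]),
                  ("no-aging", s["enabled"] and s["aging_time"] == 0),
                  ("err-disable-on-violation", s["enabled"] and s["violation"] == "shutdown")]
        notes = [label for label, hit in checks if hit]
        if notes:
            report[name] = notes
    return report

# Constructed sample: the three port-security variants posted in this thread,
# placed on separate (hypothetical) interfaces so they can be compared.
SAMPLE = """\
interface GigabitEthernet2/0/13
 switchport port-security maximum 2
 switchport port-security
interface GigabitEthernet2/0/14
 switchport port-security aging time 2
 switchport port-security aging type inactivity
interface GigabitEthernet2/0/15
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
"""
```

Calling `audit(SAMPLE)` reports the first two interfaces and leaves out Gi2/0/15, which carries the combined settings suggested in the replies.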
