Cisco Support Community
New Member

putting Fa0/2 in err-disable state

Hello,

I have a Catalyst 2950G on which I activated switchport port-security, but I want to empty the blacklist of MAC addresses because every time I connect a device, the port is automatically deactivated. Here is the port configuration:

!

interface FastEthernet0/2

  switchport access vlan 17

  switchport mode access

  switchport voice vlan 51

  switchport port-security maximum 3

  switchport port-security

  switchport port-security aging time 5

  switchport port-security aging type inactivity

  no cdp enable

  spanning-tree portfast

end

I tried the following commands to clear the blacklisted MAC addresses of that port, but the problem is still relevant:

# clear mac-address-table dynamic int fa0/2

# clear port-security all int fastethernet 0/2

# clear errdisable interface fa0/2 vlan

Thank you in advance for your support

17 REPLIES
New Member

putting Fa0/2 in err-disable state

Can you please confirm the device you are trying to connect to it?

Regards,

Parvesh         

New Member

putting Fa0/2 in err-disable state

If you are connecting an IP phone, try to enable CDP.

New Member

putting Fa0/2 in err-disable state

Hi Parvesh,

Thank you for your reply, the device is OK.

New Member

Re: putting Fa0/2 in err-disable state

Hello Eder,

Thank you for replying. Exactly, I put an IP phone, but what CDP do you mean?

New Member

Re: putting Fa0/2 in err-disable state

I mean try to enable CDP on the interface where you are connecting the device. By the way, what is the device that you are trying to connect to this port Fast0/2?

BR.

New Member

Re: putting Fa0/2 in err-disable state

I am trying to connect an AVAYA 4610 IP phone. I enabled CDP (#cdp enable), but no change, the problem is still relevant. This is the configuration of the port:

!

interface FastEthernet0/2

switchport access vlan 17

switchport mode access

switchport voice vlan 51

switchport port-security maximum 5

switchport port-security

switchport port-security aging time 5

switchport port-security aging type inactivity

spanning-tree portfast

end

Thank you

New Member

Re: putting Fa0/2 in err-disable state

Can you try configuring "switchport port-security mac-address sticky" on the switch, perform shut and no shut, and then connect the AVAYA phone?

Let me know if that helps.

-Vijay

New Member

Re: putting Fa0/2 in err-disable state

OK. When you enable port security on an interface that is also configured with voice VLAN, the maximum number of secure MAC addresses that should be set on the port is the default value, please validate with this.

New Member

Re: putting Fa0/2 in err-disable state


It still disables the port:

psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state

New Member

Re: putting Fa0/2 in err-disable state

Turn port security off of the interface. Then reset the port. You don't need CDP since it is unique to Cisco. LLDP would need to be used for the AVAYA phones, which would be done globally on the switch with the lldp run command, provided the 2950 supports it.

interface fa0/2

no switchport port-security

shut

no shut

New Member

Re: putting Fa0/2 in err-disable state

Hi jszapipes,

I can't turn off the switchport security; I have to secure the switch against the hubs and I should only allow 3 MAC addresses at most.

New Member

Re: putting Fa0/2 in err-disable state

Hi Brahim,

Follow what Vijay stated previously (in regards to the mac-address sticky).

According to the documentation for the 2950G, port-security mac-address sticky is disabled by default:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_22_ea2/configuration/guide/swtrafc.html

That means you are currently telling the switch "I want you to secure this port only to the specified MAC addresses", but yet you haven't specified any MAC addresses, so the switch will block the port for any MAC addresses. So in other words the behaviour you are experiencing is totally normal and expected.

So you either configure static MAC address entries or set it to dynamically learn the MAC addresses using the sticky command.

switchport port-security mac-address {mac-address of the phone}

-or-

switchport port-security mac-address sticky

Once one of those commands is entered, perform a shut/no shut and all should be fine.

HTH

Jonathan S

Hall of Fame Super Gold

putting Fa0/2 in err-disable state

"but I want to empty the blacklist of MAC addresses because every time I connect a device, the port is automatically deactivated,"

How do you know this? I mean, how can you tell the err-disable is not caused by something else? Can you post the output to the command "sh inter status err"?

New Member

Re: putting Fa0/2 in err-disable state

To take the port out of err-disabled state you issue the command "shut" then "no shut" while in interface config mode of int fas0/2. While in interface config mode issue the command "no switchport port-security". Plug the device back in; if it goes back into err-disabled state, it's not port security causing the issue. BPDU guard, if enabled, can also cause ports to go into err-disabled state when switching loops occur. This happens a lot with Cisco phones when the cable is connected to the PC port on the phone rather than the link port.

Sent from Cisco Technical Support iPhone App

New Member

Re: putting Fa0/2 in err-disable state

Hi jszapipes,

The terminal monitor error received when he plugged in the device confirms it's port-security putting the port in err-disable:

psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state

Otherwise the message would've said that it received a BPDU packet on a portfast port and it would disable it, not a psecure (port-security) statement.

Jonathan S
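
An added example, not part of any post in this thread: a Python triage script for the distinction drawn above, where the cause named in the err-disable message (psecure-violation versus bpduguard) shows which feature shut the port. The log lines are constructed samples, and the cause-to-command mapping is this example's assumption.

```python
import re
from collections import defaultdict

# Body of the IOS err-disable message quoted in this thread; matches with or
# without a leading timestamp and %PM-4-ERR_DISABLE tag.
ERRDISABLE_RE = re.compile(
    r"(?P<cause>[\w-]+) error detected on (?P<intf>[\w/.]+), "
    r"putting (?P=intf) in err-disable state"
)

# Follow-up show command per cause (mapping is an assumption of this example).
NEXT_CHECK = {
    "psecure-violation": "show port-security interface {intf}",
    "bpduguard": "show spanning-tree interface {intf}",
}
DEFAULT_CHECK = "show interfaces status err-disabled"


def classify(lines):
    """Return {interface: {cause: count}} for every err-disable event."""
    events = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = ERRDISABLE_RE.search(line)
        if m:
            events[m.group("intf")][m.group("cause")] += 1
    return {intf: dict(causes) for intf, causes in events.items()}


def triage(lines):
    """Return sorted (interface, most frequent cause, next command) rows."""
    report = []
    for intf, causes in sorted(classify(lines).items()):
        cause = max(causes, key=causes.get)
        cmd = NEXT_CHECK.get(cause, DEFAULT_CHECK).format(intf=intf)
        report.append((intf, cause, cmd))
    return report


# Constructed sample log (not captured from the poster's switch).
SAMPLE_LOG = [
    "00:12:31: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state",
    "00:12:32: %LINK-3-UPDOWN: Interface FastEthernet0/2, changed state to down",
    "00:20:05: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/1, putting Fa0/1 in err-disable state",
    "00:31:47: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(" | ".join(row))
```
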

New Member

Re: putting Fa0/2 in err-disable state

The port-security max 5 statement, correct me if I'm wrong, should allow the switchport to recognize and allow only the first 5 MACs it sees. But if the port was disabled when the port stated max 3, you must first bring the port out of err-disabled state for any other devices to be recognized.

Sent from Cisco Technical Support iPhone App

New Member

Re: putting Fa0/2 in err-disable state

Hello,

First I had to disable switchport port-security (no switchport port-security), then I put

#switchport port-security mac-address sticky

It is working now, the port is enabled:

switchport access vlan 17

switchport mode access

switchport voice vlan 51

switchport port-security maximum 3

switchport port-security aging time 5

switchport port-security aging type inactivity

switchport port-security mac-address sticky

switchport port-security mac-address sticky d067.e523.b24f

spanning-tree portfast

end

But I will test whether the port will be disabled after connecting another switch to it that has a lot of MAC addresses connected to it (a flood of MAC addresses); if it is disabled, then it's OK for me :-)

I will inform you anyway.

Thank you
