cherifi.m85

Today, I am going to share with you a small lab that illustrates a trick called "Errdisable recovery." Although this trick can be used in several cases, I will limit myself to its use in the context of port security.

As you know, when port security is configured in shutdown violation mode, the administrator must intervene manually to restore the functional state of the interface with the "shutdown" and "no shutdown" commands (Administrative Down).

Today, I will show you through a small lab how to automatically restore the functional state of the interface in the same situation using the errdisable recovery command. Here is the topology used with a simple configuration. We have a switch and three PCs. The interface connected to PC1 will be configured with port security in shutdown violation mode, and the TEST PC will be used for testing purposes.


It is important to note that the default maximum number of allowed physical addresses is 1, and shutdown is the default violation mode.


As you can see, auto errdisable recovery is disabled by default for all causes, including port security violations (psecure-violation).


Before enabling it and reducing the timer interval, it is useful to provide a demonstration as a reminder. We can reach PC2 from PC1.


The SW switch has correctly registered the physical address of PC1.


For now, everything is fine.


We will now replace PC1 with TEST to observe the effect of the configuration made. From the SW console, we can already see a security violation detection, and port G0/0 transitions to Errdisable mode.


You can see that the port status is "Secure-shutdown" and that the "Last Source Address:Vlan" field shows a different address!


Now, the only way to restore the state of the interface is to reconnect PC1 to interface G0/0 and then execute the "shutdown" and "no shutdown" commands (which forces the port through the Administrative Down state).


So far, everything was manual. We are now moving on to auto errdisable recovery! First, we need to enable it for the "psecure-violation" case.


Now we can check it.


300 seconds is a lot; let’s reduce that interval to 30 seconds.


Now let’s proceed to the test. SW has detected an intrusion, and port G0/0 has gone into err-disable mode.


But after 30 seconds, Auto errdisable recovery has restored the functional state of G0/0.


However, as long as TEST is connected to G0/0, this interface will return to Err-disable state each time, because the switch has registered the physical address of PC1 as the only legitimate one!


Now, to restore the functional state of G0/0, the administrator only needs to connect PC1 to G0/0 WITHOUT having to manually intervene to force the administrative state to "down" as in the previous case. Everything will happen automatically. Although this technique can be used in different circumstances, I have only presented its application in its simplest form!
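The lab's configuration written out as CLI, as an added example rather than the author's own screenshots; it assumes a Catalyst switch running IOS, that the PC1 port is GigabitEthernet0/0, and that PC1's address was learned dynamically as in the post.

```cisco
! Added example (not the author's captures): reproduces the lab on a
! Catalyst/IOS switch. Assumes PC1 is attached to GigabitEthernet0/0.
!
! --- Port security on the PC1 port (the two defaults are written out) ---
interface GigabitEthernet0/0
 switchport mode access
 switchport port-security
 ! default: a single secure address
 switchport port-security maximum 1
 ! default: put the port in err-disabled state on a violation
 switchport port-security violation shutdown
!
! --- Auto errdisable recovery, off for every cause by default ---
errdisable recovery cause psecure-violation
! The interval is global: it applies to every cause that is enabled,
! not only to psecure-violation. The default is 300 seconds.
errdisable recovery interval 30
end
!
! --- Verification ---
! lists the enabled causes, the timer, and ports waiting for recovery
show errdisable recovery
! after a violation: "Port Status : Secure-shutdown" and the offending
! MAC in the "Last Source Address:Vlan" field
show port-security interface GigabitEthernet0/0
show interfaces status err-disabled
!
! When the timer expires the switch logs a message of the form
!   %PM-4-ERR_RECOVER: Attempting to recover from psecure-violation
!   err-disable state on Gi0/0
! If the unauthorised host (TEST) is still attached, the port violates
! again and returns to err-disabled; once PC1 is reconnected the next
! recovery cycle brings the port up without a manual shutdown/no shutdown.
```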

Thank you and see you soon!
