06-30-2012 08:08 AM - edited 03-07-2019 07:32 AM
Can you please help with the following?
We have a number of 3750 stacks used as access layer switches connecting Siemens VOIP phones and then a PC that connects to the phone.
For example, if I plug PC A into the phone that connects to port 13, I pick up an IP address and all works as predicted. Now if I plug PC A into any other VOIP phone that connects to another port on the same switch, it goes into error-disable state. It's like the switch is holding my PC MAC address and locks it down with the port, which in my case is Gi2/0/13.
interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security maximum 10
 switchport port-security
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
Any help is much appreciated
06-30-2012 08:29 AM
The disabling of the port is caused by port-security. The MAC is learned and kept by the switch for the port.
For these situations where PCs are roaming, you can put an idle-time on the port-security-entries:
switchport port-security aging time 2
switchport port-security aging type inactivity
06-30-2012 08:31 PM
"For example if I plug PC A to the phone that connects to port 13"
Your configuration doesn't have any Voice VLAN.
"I plug in PC A to any other VOIP phone that connect to another port on the same switch it goes in error disable state"
Can you please post the output to the command "sh interface status err"?
07-01-2012 04:31 AM
Hi Karsten,
Many thanks for your response. The new config will look like:
interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
The phones work and do not reboot when moving from one phone to another.
Will the config above block a rogue switch if connected to the port?
07-02-2012 02:12 PM
A switch will not be automatically blocked. But it will if more than X (with X=1 as you didn't specify any maximum in your new config) MAC-addresses are seen.
If you also want to protect your infrastructure against rogue switches you could also consider Rootguard or even BPDUguard.
07-01-2012 05:06 AM
Hi leolaohoo,
The switch port voice vlan command is replaced by
network-policy 766
Please see the config for the policy below:
network-policy profile 766
 voice vlan 766
 voice-signaling vlan 766 cos 3
 voice-signaling vlan 766 dscp 24
Below is the output from a test phone
HS-1FB-C3K-1#sh int status err-disabled
Port      Name               Status       Reason               Err-disabled Vlans
Gi1/0/5                      err-disabled psecure-violation
HS-1FB-C3K-1#
HS-1FB-C3K-1#
Below is the original config I had on the ports
interface GigabitEthernet2/0/13
 switchport access vlan 726
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 network-policy 766
 priority-queue out
 mls qos trust dscp
 spanning-tree portfast
It's like the switch holds the MAC address fixed to the switch port number; when I plug the same PC into another phone it goes to error disable.
Kind Regards,
Zee
07-01-2012 03:26 PM
switchport port-security maximum 2
switchport port-security
Something is missing here ...
Ok, you've enabled port-security and you've specified up to 2 MAC addresses allowed. My question is what will the switch DO when three or more MAC addresses are learnt from a port? Specifically, what ACTIONS did you specify the switchport to do when this event happens. I believe the default is "error-disable".
Add the following lines and see what happens:
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
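The behaviour discussed in this thread, as an added example that is not part of any post and is not Cisco code: a simplified Python model of the secure MAC table, showing why a PC moved to another port trips a violation while its address is still secured on the first port, and how inactivity aging and "violation restrict" change the outcome. The class, the function names and the sample MAC are hypothetical, and all ports are assumed to be in one VLAN.

```python
# Simplified model of Catalyst port-security (added example, not IOS code).
# Assumptions: all ports share one VLAN, aging type is inactivity, and
# timestamps are minutes supplied by the caller.

class SecureSwitch:
    def __init__(self, maximum=2, violation="shutdown", aging_minutes=0):
        self.maximum = maximum            # switchport port-security maximum
        self.violation = violation        # "shutdown" (default) or "restrict"
        self.aging = aging_minutes        # 0 = secure entries never age out
        self.secure = {}                  # mac -> [port, last_seen_minute]
        self.err_disabled = set()
        self.violations = {}              # port -> counter (restrict mode)

    def _expire(self, now):
        if self.aging:
            self.secure = {m: e for m, e in self.secure.items()
                           if now - e[1] < self.aging}

    def frame(self, port, mac, now):
        """Process one frame; return 'forward', 'drop' or 'err-disabled'."""
        if port in self.err_disabled:
            return "err-disabled"
        self._expire(now)
        entry = self.secure.get(mac)
        if entry and entry[0] == port:
            entry[1] = now                # traffic refreshes inactivity timer
            return "forward"
        on_port = sum(1 for p, _ in self.secure.values() if p == port)
        # Violation: MAC still secured on another port, or port table is full.
        if entry or on_port >= self.maximum:
            if self.violation == "shutdown":
                self.err_disabled.add(port)
                return "err-disabled"
            self.violations[port] = self.violations.get(port, 0) + 1
            return "drop"
        self.secure[mac] = [port, now]
        return "forward"


def roam(switch, wait_minutes):
    """PC learned on Gi2/0/13 at t=0, replugged on Gi2/0/14 after a wait."""
    pc = "0000.5e00.5301"                 # constructed sample MAC
    switch.frame("Gi2/0/13", pc, 0)
    return switch.frame("Gi2/0/14", pc, wait_minutes)
```

In this model, roam(SecureSwitch(), 5) ends in "err-disabled", while the same move with aging_minutes=2 is forwarded once the PC has been silent for two minutes; a move made sooner is only dropped and counted when violation="restrict" is set.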
07-03-2012 04:12 AM
All,
Many thanks for your support and helping out.
Many Thanks again