Port with WAP goes to err-disable

wstsergeykrum · ‎10-12-2012

We have a Cisco switch in each office and every now and then the port that has the D-Link Wireless AP (DAP-1522) connected to it goes to err-disable state. Actually sometimes even a regular port that has a cisco phone connected may also go to err-disable state (less often). So I have to telnet into the switch and issue shut and no shut command on that interface to get it back to life, then it works for a few days or weeks until it happens again. Can you guys recommend a suitable configuraiton for that interface, that would prevent that from happening or a workaround ?

Here's the info:

Model: cisco WS-C3560-24PS and cisco WS-C3560-48PS

Image:c3560-ipbase-mz.122-35.SE5.bin

This is the log from one switch:

31w5d: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state

31w5d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 74e2.f592.f7f2 on port FastEthernet0/2.

31w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down

And from another, which is almost the same:

5d10h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state

5d10h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d8a2.5e31.2cf6 on port FastEthernet0/3.

5d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down

5d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down

Here's the configuration of fe interfaces (they are all alike):

interface FastEthernet0/2

description Voice & Data Combo Port

switchport access vlan 11

switchport mode access

switchport voice vlan 15

switchport port-security maximum 4

switchport port-security maximum 3 vlan access

switchport port-security maximum 1 vlan voice

switchport port-security

switchport port-security aging time 1

srr-queue bandwidth share 10 10 60 20

srr-queue bandwidth shape 10 0 0 0

mls qos trust device cisco-phone

mls qos trust cos

auto qos voip cisco-phone

spanning-tree portfast

I'd appriciate any help.

Thank you!

Peter Paluch · ‎10-12-2012

Hello,

These ports have Port Security configured. I am not sure how well you are acquainted with that feature - basically, it allows the port to learn only a limited number of source MAC addresses, and subsequently accept only frames sourced by these addresses. If a frame with a new source MAC address arrives and the limit of MAC addresses is not reached yet, this source MAC address will be added into the list of allowed MAC addresses and the frame will be processed as usual. If, however, the limit of MAC addresses has been reached, arrival of a frame with a new source MAC address will cause a so-called security violation. The port may react in different ways, based on the configuration - it may either silently drop the frame, or drop the frame and log the occurence, or shut itself down (this is the default behavior and happens also to you).

A security violation also occurs when a frame arrives onto a Port Security-enabled port whose source MAC address is already learned on a different Port Security-enabled interface in the same VLAN (i.e. a station may not appear to be simultaneously connected to two different secured ports).

Your issues are therefore either caused by someone plugging too many devices into a single secured port, or by devices moving between the WiFi and wired network while maintaining their MAC address. It can be easily seen that a port with an access point may see several source MAC addresses - each WiFi client associated to this access point has its own MAC. If too many clients associate to the AP, the port will experience a security violation. Also, if the client is disassociated from one AP and moved to other, or if it gets connected to a wired network but keeps the same MAC address, it may also cause a security violation.

Just out of curiosity, I've checked both MAC addresses you indicated - and they are both Apple.

There are many workarounds to this problem - preventing the port from shutting itself down and dropping the violating frames instead, or make it shutdown and revive itself automatically after a minute or so. However, it is not solving your primary issue - that either too many clients connect to a single port when they should not, or that they appear to roam around. First, you have to define what is allowed and what is not, only then we can suggest and implement a solution.

Looking forward to your answer.

Best regards,

Peter

Julio Carvajal · ‎10-12-2012

Hello,

Well I can sure tell you increase the amount of mac address that the interface will learn but the question here is do you know how many MAC addresses this switch is supposed to learn over that interface???

Also you can use the err-disable setup to perform the port transition to up automatically without your intervention with the shut and no shut if that is what you are looking for.

Remember to rate all of the helpful answers

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

ciscoamit_497 · ‎10-13-2012

Hi,

As you said, after issuing shut and no shut..this works for for few days and week may be then it will again go to err-disable mode.

Hence as Peter suggested, check the total mac -address learned on that interface and actual capability of learned mac-address on that port by default or maximum ...and if it is reaching to more than allowed Mac then you supposed to restrict the Mac-address learning on that port by entreing a valuable digits under that port.

Thanks.

Amit

*****Please rate valuable post*******