10-12-2012 06:43 PM - edited 03-07-2019 09:26 AM
We have a Cisco switch in each office and every now and then the port that has the D-Link Wireless AP (DAP-1522) connected to it goes to err-disable state. Actually, sometimes even a regular port that has a Cisco phone connected may also go to err-disable state (less often). So I have to telnet into the switch and issue shut and no shut commands on that interface to get it back to life; then it works for a few days or weeks until it happens again. Can you guys recommend a suitable configuration for that interface that would prevent that from happening, or a workaround?
Here's the info:
Model: cisco WS-C3560-24PS and cisco WS-C3560-48PS
Image:c3560-ipbase-mz.122-35.SE5.bin
This is the log from one switch:
31w5d: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
31w5d: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 74e2.f592.f7f2 on port FastEthernet0/2.
31w5d: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/2, changed state to down
And from another, which is almost the same:
5d10h: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/3, putting Fa0/3 in err-disable state
5d10h: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d8a2.5e31.2cf6 on port FastEthernet0/3.
5d10h: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
5d10h: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to down
Here's the configuration of fe interfaces (they are all alike):
interface FastEthernet0/2
description Voice & Data Combo Port
switchport access vlan 11
switchport mode access
switchport voice vlan 15
switchport port-security maximum 4
switchport port-security maximum 3 vlan access
switchport port-security maximum 1 vlan voice
switchport port-security
switchport port-security aging time 1
srr-queue bandwidth share 10 10 60 20
srr-queue bandwidth shape 10 0 0 0
mls qos trust device cisco-phone
mls qos trust cos
auto qos voip cisco-phone
spanning-tree portfast
I'd appreciate any help.
Thank you!
10-12-2012 10:12 PM
Hello,
These ports have Port Security configured. I am not sure how well you are acquainted with that feature - basically, it allows the port to learn only a limited number of source MAC addresses, and subsequently accept only frames sourced by these addresses. If a frame with a new source MAC address arrives and the limit of MAC addresses is not reached yet, this source MAC address will be added into the list of allowed MAC addresses and the frame will be processed as usual. If, however, the limit of MAC addresses has been reached, the arrival of a frame with a new source MAC address will cause a so-called security violation. The port may react in different ways, based on the configuration - it may either silently drop the frame, or drop the frame and log the occurrence, or shut itself down (this is the default behavior and is also what happens to you).
A security violation also occurs when a frame arrives onto a Port Security-enabled port whose source MAC address is already learned on a different Port Security-enabled interface in the same VLAN (i.e. a station may not appear to be simultaneously connected to two different secured ports).
Your issues are therefore either caused by someone plugging too many devices into a single secured port, or by devices moving between the WiFi and wired network while maintaining their MAC address. It can be easily seen that a port with an access point may see several source MAC addresses - each WiFi client associated to this access point has its own MAC. If too many clients associate to the AP, the port will experience a security violation. Also, if the client is disassociated from one AP and moved to other, or if it gets connected to a wired network but keeps the same MAC address, it may also cause a security violation.
Just out of curiosity, I've checked both MAC addresses you indicated - and they are both Apple.
There are many workarounds to this problem - preventing the port from shutting itself down and dropping the violating frames instead, or make it shutdown and revive itself automatically after a minute or so. However, it is not solving your primary issue - that either too many clients connect to a single port when they should not, or that they appear to roam around. First, you have to define what is allowed and what is not, only then we can suggest and implement a solution.
Looking forward to your answer.
Best regards,
Peter
10-12-2012 10:13 PM
Hello,
Well, I can sure tell you to increase the number of MAC addresses that the interface will learn, but the question here is: do you know how many MAC addresses this switch is supposed to learn over that interface?
Also you can use the err-disable setup to perform the port transition to up automatically without your intervention with the shut and no shut if that is what you are looking for.
Remember to rate all of the helpful answers
Julio
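To make the options Peter and Julio mention concrete, here is an added configuration example (it is not from the original thread, and not a recommendation of the posters). It shows the posted port as-is with the default shutdown violation mode, then the two workarounds: switching the violation mode to restrict so the port stays up and only drops and logs the offending frames, and leaving shutdown in place but letting errdisable recovery revive the port on its own. It also shows a raised MAC limit for the access-point uplink. The interface and VLAN numbers come from the posted config; the AP being on FastEthernet0/3, the limit of 10 addresses, and the 300-second recovery interval are assumptions that must be sized to the real number of WiFi clients.

```cisco
! Added example, not the thread's own config. Syntax is for a Catalyst 3560
! on 12.2(35)SE5. Fa0/3 as the AP port, "maximum 10" and the 300 s recovery
! interval are assumptions to be adjusted to the actual environment.
!
! --- As posted: violation mode left at the default (shutdown) ---
interface FastEthernet0/2
 description Voice & Data Combo Port
 switchport access vlan 11
 switchport mode access
 switchport voice vlan 15
 switchport port-security maximum 4
 switchport port-security maximum 3 vlan access
 switchport port-security maximum 1 vlan voice
 switchport port-security
 switchport port-security aging time 1
 spanning-tree portfast
!
! --- Workaround 1: drop and log violating frames, keep the port up ---
! ("protect" would drop silently without the PSECURE_VIOLATION syslog;
! "restrict" keeps the log and SNMP trap, so violations remain visible.)
interface FastEthernet0/2
 switchport port-security violation restrict
!
! --- Workaround 2: keep shutdown mode, let the switch recover the port ---
! Global command; every psecure-violation err-disabled port comes back
! after the interval instead of waiting for a manual shut / no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! --- AP uplink: allow enough secure MACs for the WiFi clients behind it ---
! Clients roaming between WiFi and wired keep their MAC; aging by
! inactivity lets a client that has moved drop out of the table.
interface FastEthernet0/3
 description D-Link DAP-1522 uplink (assumed port)
 switchport access vlan 11
 switchport mode access
 switchport port-security maximum 10
 switchport port-security maximum 10 vlan access
 switchport port-security violation restrict
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 switchport port-security
!
! --- Verification after the change ---
show port-security interface FastEthernet0/2
show port-security interface FastEthernet0/3
show port-security address
show errdisable recovery
show interfaces status err-disabled
```

"show port-security interface" reports the current violation mode, the configured maximum, the number of addresses learned and the violation counter; if the counter keeps climbing in restrict mode, the limit is still too low or a device really is roaming, which is the question Peter asked to be settled before picking a fix.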
10-13-2012 07:30 AM
Hi,
As you said, after issuing shut and no shut this works for a few days or weeks maybe, then it will again go to err-disable mode.
Hence, as Peter suggested, check the total MAC addresses learned on that interface and the actual number of MAC addresses that port can learn, by default or as a maximum... and if it is reaching more than the allowed MACs, then you are supposed to restrict the MAC-address learning on that port by entering a suitable value under that port.
Thanks.
Amit
*****Please rate valuable post*******