03-29-2012 06:35 AM - edited 03-07-2019 05:51 AM
Hello,
I have a Catalyst 2950G on which I activate switchport port-security, but I want to empty the black list of MAC addresses because every time I connect a device, the port is automatically deactivated. Here is the port configuration:
!
interface FastEthernet0/2
switchport access vlan 17
switchport mode access
switchport voice vlan 51
switchport port-security maximum 3
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity
no cdp enable
spanning-tree portfast
end
I tried the following commands to clear the blacklist mac address of that port, but the problem is still relevant:
# clear mac-address-table dynamic int fa0/2
# clear port-security all int fastethernet 0/2
# clear errdisable interface fa0/2 vlan
Thank you in advance for your support
03-29-2012 06:43 AM
Can you please confirm the device you are trying to connect to it?
Regards,
Parvesh
03-30-2012 09:27 AM
If you are connecting an IP phone, try to enable CDP.
03-30-2012 09:39 AM
Hi Parvesh,
Thank you for your reply, the device is OK.
03-30-2012 09:40 AM
Hello Eder,
Thank you for replying. Exactly, I put an IP phone, but what CDP do you mean?
03-30-2012 09:48 AM
I mean try to enable CDP on the interface where you are connecting the device. By the way, what is the device that you are trying to connect to this port Fast0/2?
BR.
03-30-2012 09:56 AM
I am trying to connect an Avaya 4610 IP phone. I enabled CDP (#cdp enable), but no change, the problem is still relevant. This is the configuration of the port:
!
interface FastEthernet0/2
switchport access vlan 17
switchport mode access
switchport voice vlan 51
switchport port-security maximum 5
switchport port-security
switchport port-security aging time 5
switchport port-security aging type inactivity
spanning-tree portfast
end
thank you
03-30-2012 10:04 AM
Can you try configuring "switchport port-security mac-address sticky" on the switch, perform shut and no shut, and then connect the Avaya phone?
Let me know if that helps.
-Vijay
03-30-2012 01:01 PM
OK. When you enable port security on an interface that is also configured with voice VLAN, the maximum number of secure MAC addresses that should be set on the port is the default value. Please validate with this.
03-30-2012 10:20 AM
It still disables the port:
psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
03-30-2012 01:21 PM
Turn port security off on the interface. Then reset the port. You don't need CDP since it is unique to Cisco. LLDP would need to be used for the Avaya phones, which would be done globally on the switch with the lldp run command, provided the 2950 supports it.
interface fa0/2
no switchport port-security
shut
no shut
04-03-2012 03:51 AM
Hi jszapipes,
I can't turn off the switchport security. I have to secure the switch against hubs and I should only allow 3 MAC addresses at most.
03-30-2012 02:57 PM
Hi Brahim,
Follow what Vijay stated previously (in regards to the mac-address sticky).
According to the documentation for the 2950G port-security mac-address sticky is disabled by default:
That means you are currently telling the switch "I want you to secure this port only to the specified MAC addresses", but you haven't specified any MAC addresses, so the switch will block the port for any MAC address. In other words, the behaviour you are experiencing is totally normal and expected.
So you either configure static MAC address entries or set it to dynamically learn the MAC addresses using the sticky command.
switchport port-security mac-address {mac-address of the phone}
-or-
switchport port-security mac-address sticky
Once one of those commands is entered, perform a shut/no shut and all should be fine.
HTH
Jonathan S
03-30-2012 02:54 PM
but I want to empty the black list of MAC addresses because every time I connect a device, the port is automatically deactivated,
How do you know this? I mean, how can you tell the err-disable is not caused by something else? Can you post the output of the command "sh inter status err"?
03-30-2012 03:06 PM
To take the port out of err-disabled state, you issue the command "shut" then "no shut" while in interface config mode of int fas0/2. While in interface config mode, issue the command "no switchport port-security". Plug the device back in; if it goes back into err-disabled state, it's not port security causing the issue. BPDU guard, if enabled, can also cause ports to go into err-disabled state when switching loops occur. This happens a lot with Cisco phones when the cable is connected to the PC port on the phone rather than the link port.
Sent from Cisco Technical Support iPhone App
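The question raised above, whether the err-disable is really caused by port security and which MAC address triggered it, can also be answered from the switch's syslog. The following is an added example, not part of the thread: the log lines, timestamps and MAC address are constructed, using the IOS message format quoted earlier in the thread, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in Cisco IOS syslog format (not captured from a real switch).
SAMPLE_LOG = """\
Mar 30 10:18:02: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0200.5e00.5304 on port FastEthernet0/2.
Mar 30 10:18:02: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/2, putting Fa0/2 in err-disable state
Mar 30 10:21:47: %PM-4-ERR_DISABLE: bpduguard error detected on Fa0/7, putting Fa0/7 in err-disable state
Mar 30 10:25:10: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
"""

# "<cause> error detected on <port>," gives the reason the port was err-disabled.
ERR_DISABLE = re.compile(r"%PM-4-ERR_DISABLE: (\S+) error detected on (\S+),")
# The violation message names the source MAC that exceeded the port's secure limit.
VIOLATION = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*MAC address ([0-9a-fA-F.]+) on port (\S+?)\.?$"
)


def short_name(port):
    """Normalize 'FastEthernet0/2' and 'Fa0/2' to the same key ('Fa0/2')."""
    m = re.match(r"([A-Za-z]+)([\d/]+)$", port)
    return (m.group(1)[:2].capitalize() + m.group(2)) if m else port


def summarize(log_text):
    """Return {port: {"causes": [...], "macs": [...]}} for every err-disabled port."""
    causes, macs = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if (m := ERR_DISABLE.search(line)):
            causes[short_name(m.group(2))].add(m.group(1))
        elif (m := VIOLATION.search(line)):
            macs[short_name(m.group(2))].add(m.group(1).lower())
    # Only ports that were actually err-disabled are reported; a port whose
    # cause is not psecure-violation will have an empty MAC list.
    return {port: {"causes": sorted(c), "macs": sorted(macs.get(port, ()))}
            for port, c in causes.items()}


if __name__ == "__main__":
    for port, info in summarize(SAMPLE_LOG).items():
        print(port, info["causes"], info["macs"])
```

A port that shows a cause other than psecure-violation (bpduguard in the sample) will keep going err-disabled no matter how the port-security limits are changed.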