Everything about the err-disabled status
I. Role of the err-disabled status:
Normally, when the switch is running properly, its ports are in the enabled state. However, if the switch software (Cisco IOS/CatOS) detects certain errors on a port, it shuts that port down immediately. In other words, when the switch operating system detects an error on a switch port, it automatically disables the port.
When a port is in the err-disabled status, it forwards no outbound traffic and accepts no inbound traffic. On the switch itself, the port's LED changes from its normal green to dark yellow (or orange; I can't tell colors apart, the official term is amber). If you check the port with the show interfaces command, it is shown as err-disabled. In addition, when the switch disables a port because of an error, log messages like the following are usually displayed:
%SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet2/1 with BPDU Guard enabled. Disabling port.
%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state
The err-disabled status serves two purposes:
1. It tells the administrator that a port has a problem.
2. It prevents an error on one port from causing failures on other ports or on the whole module.
II. Causes of the err-disabled status:
This feature was originally introduced to handle specific collision situations, such as excessive collisions and late collisions. Under CSMA/CD, a frame is discarded after 16 collisions; this is an excessive collision. A late collision is one that occurs after the sender has transmitted 64 bytes, a point after which normal, legal collisions should no longer happen. In theory, normal propagation across the network completes before that point, but if the cable is too long, a collision can occur after the first 64 bytes have been sent. The most obvious difference between a late collision and a collision within the first 64 bytes is that the NIC automatically retransmits frames hit by a normal collision, but does not retransmit frames hit by a late collision. Late collisions occur at the time-out and at the remote end of a repeater. In general, such a collision is reported as a frame check sequence (FCS) error on the primary network segment. Possible causes of this error include:
1. Nonstandard cabling, such as exceeding the maximum transmission distance or using the wrong cable type.
2. A faulty NIC (physical damage or a driver problem).
3. Incorrect port duplex configuration, such as a duplex mismatch.
The following are the reasons why a port is put in the err-disabled status:
1. Duplex mismatch.
2. Incorrect port channel configuration.
3. Violation of the BPDU guard feature.
4. Unidirectional Link Detection (UDLD).
5. Late collisions detected.
6. Link flapping.
7. Violation of certain security policies.
8. Port Aggregation Protocol (PAgP) flapping.
9. Layer 2 Tunneling Protocol (L2TP) guard.
10. DHCP snooping rate limit.
III. Check whether the port is in the err-disabled status:
You can use the show interfaces command to view the port status, for example:
Nuaiko# show interfaces gigabitethernet 2/1 status
Port    Name    Status         Vlan    Duplex    Speed    Type
Gi2/1           err-disabled   100     full      1000     1000BaseSX
When a switch port is put in the err-disabled status, the switch sends a log message about the action to the console port. You can also use show log to view the system log, for example:
%SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet2/1 with BPDU Guard enabled. Disabling port.
%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state
%SPANTREE-2-CHNMISCFG: STP loop - channel 11/1-2 is disabled in vlan 1
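As an added example (not part of the original article), the following Python script extracts the port and cause from ERR_DISABLE messages like those above and counts how often each port was disabled for the same cause. The timestamps and lines in SAMPLE_LOG are constructed, and triage and HINTS are hypothetical names introduced here.

```python
import re
from collections import Counter

# Matches the plain form and the switch-processor ("-SP-") form of the message.
ERR_DISABLE = re.compile(
    r"%PM(?:-SP)?-4-ERR_DISABLE:\s*"
    r"(?P<cause>[\w-]+) error detected on (?P<port>\S+?),"
    r"\s*putting \S+ in err-disable state",
    re.IGNORECASE,
)

# Where to start looking, taken from the cases this article walks through.
HINTS = {
    "bpduguard": "BPDU received on a PortFast port: identify the attached device",
    "udld": "unidirectional link: check cabling and UDLD on both ends",
    "link-flap": "port flapping: start at the physical layer (cable, GBIC)",
    "loopback": "own keepalive received back: look for a logical loop",
}

# Constructed sample log (timestamps and events are made up for the example).
SAMPLE_LOG = """\
*Mar  1 10:00:01: %SPANTREE-SP-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet2/1 with BPDU Guard enabled. Disabling port.
*Mar  1 10:00:01: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state
*Mar  1 10:05:02: %PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state
*Mar  1 10:07:30: %PM-4-ERR_DISABLE: link-flap error detected on Gi2/3, putting Gi2/3 in err-disable state
*Mar  1 10:08:00: %LINK-3-UPDOWN: Interface GigabitEthernet2/5, changed state to up
"""

def triage(log_text):
    """Return [(port, cause, count, hint)], most frequent (port, cause) first."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ERR_DISABLE.search(line)
        if m:
            counts[(m.group("port"), m.group("cause").lower())] += 1
    return [
        (port, cause, n, HINTS.get(cause, "check 'show errdisable recovery'"))
        for (port, cause), n in counts.most_common()
    ]

if __name__ == "__main__":
    for port, cause, n, hint in triage(SAMPLE_LOG):
        note = "  <-- repeated: re-enabled before the cause was fixed?" if n > 1 else ""
        print(f"{port:8} {cause:10} x{n}  {hint}{note}")
```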
If the errdisable recovery function is enabled, you can use the show errdisable recovery command to view the reasons for the err-disabled status, for example:
Nuaiko# show errdisable recovery
ErrDisable Reason     Timer Status
-----------------     --------------
udld                  Enabled
bpduguard             Enabled
security-violation    Enabled
channel-misconfig     Enabled
pagp-flap             Enabled
dtp-flap              Enabled
link-flap             Enabled
l2ptguard             Enabled
psecure-violation     Enabled
gbic-invalid          Enabled
dhcp-rate-limit       Enabled
mac-limit             Enabled
unicast-flood         Enabled
arp-inspection        Enabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason        Time left(sec)
---------    ---------------------    --------------
Fa2/4        bpduguard                273
IV. Recovering from the err-disabled status:
When a port goes err-disabled, first find the root cause and only then re-enable the port. If you do it in the other order, the port will go err-disabled again.
Finding the root cause, using the following common cases as examples:
1. Incorrect EtherChannel (EC) configuration:
For an EC to work properly, the ports bundled into it must be configured consistently: the same VLAN, the same trunk mode, and matching speed and duplex. If the EC is configured on one end but not on the other, STP shuts down the ports that take part in the EC on the configured side. In addition, when PAgP is in on mode, the switch does not send PAgP packets to negotiate (it assumes the other side is already in an EC). In this case STP concludes that a loop has occurred and puts the port in err-disabled, for example:
%SPANTREE-2-CHNL_MISCFG: Detected loop due to etherchannel misconfiguration of Gi2/1
As shown below, viewing the EC information shows that the number of channel groups in use is 0:
Nuaiko# show etherchannel summary
Flags:  D - down         P - in port-channel
        I - stand-alone  s - suspended
        H - Hot-standby (LACP only)
        R - Layer3       S - Layer2
        U - in use       f - failed to allocate aggregator
        u - unsuitable for bundling
Number of channel-groups in use: 0
Number of aggregators:           0
The EC does not work properly because the port has been put in err-disabled:
Nuaiko# show interfaces gigabitethernet 2/1 status
Port    Name    Status         Vlan    Duplex    Speed    Type
Gi2/1           err-disabled   100     full      1000     1000BaseSX
To find out why the EC is not working, go by the error message: STP detected a loop. As mentioned earlier, this happens because one side has the EC configured with PAgP in on mode (the opposite of desirable mode) while the other side has no EC configured. To fix the problem, set the EC's PAgP mode to desirable, which negotiates actively, and then re-enable the port, as follows:
!
interface gigabitethernet 2/1
 channel-group 1 mode desirable non-silent
!
2. Duplex mismatch:
Duplex mismatch is a common problem, usually caused by a failure of speed and duplex auto-negotiation. You can use the show interfaces command to view the speed and duplex mode of the ports on both sides. Later versions of CDP can also log a warning before the port is put in the err-disabled status. Abnormal NIC settings can also cause a duplex mismatch. Solution: if the two sides cannot auto-negotiate, use the duplex command (it differs between Cisco IOS and CatOS) to set the same duplex mode on both sides.
3. BPDU guard:
Ports with the PortFast feature are normally used to connect directly to end devices, such as workstations, that do not generate BPDUs. PortFast assumes that the switch port cannot create a physical loop. Therefore, when a port with PortFast and BPDU guard enabled receives a BPDU, it enters the err-disabled state to avoid a potential loop.
Suppose we connect two 6509 switches and enable PortFast and BPDU guard on a port of one of them:
!
interface gigabitethernet 2/1
 spanning-tree bpduguard enable
 spanning-tree portfast enable
!
The following log information is displayed:
%PM-SP-4-ERR_DISABLE: bpduguard error detected on Gi2/1, putting Gi2/1 in err-disable state.
Verification:
Nuaiko# show interfaces gigabitethernet 2/1 status
Port    Name    Status         Vlan    Duplex    Speed    Type
Gi2/1           err-disabled   100     full      1000     1000BaseSX
In this situation PortFast should not be enabled on the port, so disabling the feature resolves the problem.
4. UDLD:
The UDLD protocol lets devices connected by fiber or copper monitor the physical configuration of the cables and detect unidirectional links. When a unidirectional link is detected, UDLD shuts the port down and logs a warning. Unidirectional links cause a range of problems, the most common being STP topology loops. Note: to use UDLD, both sides must support the protocol and UDLD must be enabled on each port individually. If UDLD is enabled on only one side, the port will also go err-disabled, for example:
%PM-SP-4-ERR_DISABLE: udld error detected on Gi2/1, putting Gi2/1 in err-disable state.
5. Link-flap error:
Link flapping means the port keeps going up and down within a short period of time. If the port flaps five times within 10 seconds, it is put in err-disabled, for example:
%PM-4-ERR_DISABLE: link-flap error detected on Gi2/1, putting Gi2/1 in err-disable state
You can run the following command to view the different flap values:
Nuaiko# show errdisable flap-values
ErrDisable Reason    Flaps    Time (sec)
-----------------    ------   ----------
pagp-flap            3        30
dtp-flap             3        30
link-flap            5        10
A common cause of link flapping is a physical-layer problem, such as a faulty GBIC. Troubleshooting therefore usually starts at the physical layer.
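To make the flap thresholds concrete, here is an added Python example (not from the original article, and not the IOS implementation) that applies the values from the show errdisable flap-values table as a sliding window over link events. It assumes each up-to-down transition counts as one flap; first_trip and flaps_from_states are hypothetical names, and the event times are constructed.

```python
from collections import deque

# Thresholds from the "show errdisable flap-values" output: (flaps, seconds).
FLAP_VALUES = {"pagp-flap": (3, 30), "dtp-flap": (3, 30), "link-flap": (5, 10)}

def flaps_from_states(events):
    """events: [(time_sec, 'up' | 'down')].

    Assumption made for this example: every up -> down transition is one flap.
    Returns the list of flap times.
    """
    flaps, prev = [], None
    for t, state in sorted(events):
        if state == "down" and prev == "up":
            flaps.append(t)
        prev = state
    return flaps

def first_trip(flap_times, reason="link-flap"):
    """Return the time of the flap that reaches the threshold, or None."""
    max_flaps, window = FLAP_VALUES[reason]
    recent = deque()
    for t in sorted(flap_times):
        recent.append(t)
        # Forget flaps that are older than the window ending at t.
        while t - recent[0] > window:
            recent.popleft()
        if len(recent) >= max_flaps:
            return t
    return None

if __name__ == "__main__":
    # Constructed events: a port bouncing once per second for ten seconds.
    bouncing = [(t, "up" if t % 2 == 0 else "down") for t in range(10)]
    print("fast bounce trips at:", first_trip(flaps_from_states(bouncing)))
    # Constructed events: one flap every four seconds never reaches 5 in 10 s.
    print("slow bounce trips at:", first_trip([1, 5, 9, 13, 17]))
```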
6. Loopback error:
A loopback error occurs when a keepalive sent out of a switch port is received back on the same interface. By default the switch sends keepalives on all ports. However, because STP fails to block certain ports, the keepalive may be forwarded back, forming a logical loop. In that case the port goes err-disabled, for example:
%PM-4-ERR_DISABLE: loopback error detected on Gi2/1, putting Gi2/1 in err-disable state
In versions later than Cisco IOS 12.2SE, keepalives are no longer sent on fiber or uplink ports. The fix is therefore to upgrade the Cisco IOS software to 12.2SE or a later version. For more information, see Cisco bug ID CSCea46385 (requires a CCO account with the appropriate permissions).
7. Violation of port security policy:
Port security dynamically protects a switch port based on MAC addresses. If the policy is violated, the port goes err-disabled. The principles and configuration of port security are not covered here. If you are interested, look at the Cisco documentation CD (or, if you are even lazier than I am, add me on Q: 13030130 and I will tell you).
V. Re-enabling a port that has entered the err-disabled status:
After the root cause of the err-disabled state has been found, the port still stays disabled if errdisable recovery is not configured. In that case you must re-enable the port manually (in interface configuration mode, shutdown followed by no shutdown).
Errdisable recovery lets a port be re-enabled automatically after a set period of time (300 seconds by default), depending on the error type. Use the show errdisable recovery command to view the default settings of this feature:
Nuaiko# show errdisable recovery
ErrDisable Reason     Timer Status
-----------------     --------------
udld                  Disabled
bpduguard             Disabled
security-violation    Disabled
channel-misconfig     Disabled
pagp-flap             Disabled
dtp-flap              Disabled
link-flap             Disabled
l2ptguard             Disabled
psecure-violation     Disabled
gbic-invalid          Disabled
dhcp-rate-limit       Disabled
mac-limit             Disabled
unicast-flood         Disabled
arp-inspection        Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason        Time left(sec)
---------    ---------------------    --------------
Fa2/4        bpduguard                273
The timeout feature is disabled by default. Enable errdisable recovery and select the appropriate conditions as follows:
Nuaiko(config)# errdisable recovery cause ?
Here ? stands for one of the "ErrDisable Reason" values in the output of show errdisable recovery:
Nuaiko# show errdisable recovery
ErrDisable Reason     Timer Status
-----------------     --------------
udld                  Disabled
bpduguard             Enabled
security-violation    Disabled
channel-misconfig     Disabled
pagp-flap             Disabled
dtp-flap              Disabled
link-flap             Disabled
l2ptguard             Disabled
psecure-violation     Disabled
gbic-invalid          Disabled
dhcp-rate-limit       Disabled
mac-limit             Disabled
unicast-flood         Disabled
arp-inspection        Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason        Time left(sec)
---------    ---------------------    --------------
Fa2/4        bpduguard                273
Note the output above: BPDU guard is what caused Fa2/4 to enter the err-disabled status. If any errdisable recovery condition is enabled, the port is re-enabled after 300 seconds by default. This time can be changed with errdisable recovery interval {sec}.
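Because the timer re-enables a port whether or not its root cause has been fixed, it helps to know which ports are about to come back and why. The following Python script is an added example (not part of the original article) that parses output in the layout of show errdisable recovery; SAMPLE is a constructed, shortened copy of that layout, and parse_recovery and pending_report are hypothetical names.

```python
import re

# Constructed sample in the layout of the "show errdisable recovery" output above.
SAMPLE = """\
ErrDisable Reason    Timer Status
-----------------    --------------
udld                 Disabled
bpduguard            Enabled
security-violation   Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Interface    Errdisable reason    Time left(sec)
---------    -----------------    --------------
Fa2/4        bpduguard            273
"""

def parse_recovery(text):
    """Return (auto-recovery flag per cause, timer interval, pending ports)."""
    causes, pending, interval, section = {}, [], None, "causes"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"-", " "}:      # blank or ruler line
            continue
        m = re.match(r"Timer interval:\s*(\d+)\s*seconds", line, re.I)
        if m:
            interval = int(m.group(1))
        elif line.lower().startswith("interfaces that will be enabled"):
            section = "pending"
        else:
            parts = line.split()
            if section == "causes" and parts[-1].lower() in ("enabled", "disabled"):
                causes[parts[0].lower()] = parts[-1].lower() == "enabled"
            elif section == "pending" and len(parts) == 3 and parts[2].isdigit():
                pending.append((parts[0], parts[1].lower(), int(parts[2])))
    return causes, interval, pending

def pending_report(text):
    """One line per port the timer is about to re-enable without operator action."""
    causes, interval, pending = parse_recovery(text)
    return [
        f"{port}: re-enabled in {left}s of {interval}s, cause={cause}, "
        f"auto-recovery={'on' if causes.get(cause) else 'off'}"
        for port, cause, left in pending
    ]

if __name__ == "__main__":
    print("\n".join(pending_report(SAMPLE)))
```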