Errdisable Recovery
The errdisable feature helps protect our network from subpar conditions that are introduced into it. This could be a total accident or it could be malicious. Depending on the switch hardware, running the command show errdisable detect shows which errdisable conditions can be triggered.
SW1#show errdisable detect
ErrDisable Reason Detection Mode
----------------- --------- ----
arp-inspection Enabled port
bpduguard Enabled port
channel-misconfig (STP) Enabled port
community-limit Enabled port
dhcp-rate-limit Enabled port
dtp-flap Enabled port
ekey Enabled port
gbic-invalid Enabled port
iif-reg-failure Enabled port
inline-power Enabled port
invalid-policy Enabled port
l2ptguard Enabled port
link-flap Enabled port
link-monitor-failure Enabled port
loopback Enabled port
lsgroup Enabled port
oam-remote-failure Enabled port
mac-limit Enabled port
pagp-flap Enabled port
port-mode-failure Enabled port
pppoe-ia-rate-limit Enabled port
psecure-violation Enabled port
security-violation Enabled port
sfp-config-mismatch Enabled port
sgacl_limitation:enforcem Enabled port
sgacl_limitation:multiple Enabled port
storm-control Enabled port
udld Enabled port
unicast-flood Enabled port
vmps Enabled port
psp Enabled port
dual-active-recovery Enabled port
evc-lite input mapping fa Enabled port
vsl-and-non-vsl-port-pair Enabled port
Recovery command: "clear Enabled port
fasthello-and-non-fasthel Enabled port
Notice that we have some flap conditions in that list. We can see the thresholds by running show errdisable flap-values, and modify them if needed.
SW1#show errdisable flap-values
ErrDisable Reason Flaps Time (sec)
----------------- ------ ----------
pagp-flap 3 30
dtp-flap 3 30
link-flap 5 10
SW1(config)#errdisable flap-setting cause ?
dtp-flap Set the variables related to detection of dtp flaps
link-flap Set the variables related to detection of link flaps
pagp-flap Set the variables related to detection of pagp flaps
Recovery
So by default, if an error condition happens the switch automatically disables (shuts down) the port. To re-enable the port, the administrator has to log in to the switch and clear the violation manually. Usually, shutting down the port with the shutdown command followed by the no shutdown command will bring the port out of the errdisable state.
Running the show errdisable recovery command lists which causes can auto-recover when the timer expires, meaning there is no need for an administrator to log in to the switch and shut down and re-enable the port. The port will come back up automatically once the timer expires.
SW1#show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Disabled
channel-misconfig (STP) Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
inline-power Disabled
l2ptguard Disabled
link-flap Disabled
mac-limit Disabled
link-monitor-failure Disabled
loopback Disabled
oam-remote-failure Disabled
pagp-flap Disabled
port-mode-failure Disabled
pppoe-ia-rate-limit Disabled
psecure-violation Disabled
security-violation Disabled
sfp-config-mismatch Disabled
storm-control Disabled
udld Disabled
unicast-flood Disabled
vmps Disabled
psp Disabled
dual-active-recovery Disabled
evc-lite input mapping fa Disabled
Recovery command: "clear Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
In the above output everything is disabled, so the administrator will need to be manually involved in recovering errdisabled ports. If we wanted, for example, bpduguard to be recovered automatically by errdisable recovery, we can run the command errdisable recovery cause bpduguard within configuration mode.
SW1#show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Enabled
channel-misconfig (STP) Disabled
dhcp-rate-limit Disabled
dtp-flap Disabled
gbic-invalid Disabled
inline-power Disabled
l2ptguard Disabled
link-flap Disabled
mac-limit Disabled
link-monitor-failure Disabled
loopback Disabled
oam-remote-failure Disabled
pagp-flap Disabled
port-mode-failure Disabled
pppoe-ia-rate-limit Disabled
psecure-violation Disabled
security-violation Disabled
sfp-config-mismatch Disabled
storm-control Disabled
udld Disabled
unicast-flood Disabled
vmps Disabled
psp Disabled
dual-active-recovery Disabled
evc-lite input mapping fa Disabled
Recovery command: "clear Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
Tip
You might ask, why don't I just auto-recover everything? Well, the entire point of errdisable is to keep the network operational by safely disabling the port. If we had errdisable recovery on for everything we might introduce subpar conditions into our network, thus causing additional problems. For example, if a link is flapping continuously and auto-recovers, we might not even know there is a problem. Better to leave the port in the errdisable state until the issue is fixed.
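To check a switch against the tip above, the following added example (not part of the original article) parses saved show errdisable recovery output and reports security-related causes that will auto-recover. The function names, the SECURITY_CAUSES set and the sample text are assumptions of this example.

```python
import re

# Causes this example treats as security controls (an assumption of the example,
# chosen from the cause names in the output shown on this page).
SECURITY_CAUSES = {"arp-inspection", "bpduguard", "dhcp-rate-limit",
                   "psecure-violation", "security-violation", "storm-control"}

# A row is "<cause> <Enabled|Disabled>"; the cause itself may contain spaces.
ROW = re.compile(r"^(?P<cause>\S.*?)\s+(?P<status>Enabled|Disabled)\s*$")
TIMER = re.compile(r"^Timer interval:\s*(\d+)\s*seconds", re.I)

def parse_recovery(text):
    """Return ({cause: auto_recovery_enabled}, timer_seconds) from the CLI text."""
    causes, timer = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = TIMER.match(line)
        if m:
            timer = int(m.group(1))
            continue
        m = ROW.match(line)  # prompt, header and separator lines do not match
        if m:
            causes[m.group("cause")] = m.group("status") == "Enabled"
    return causes, timer

def audit(text):
    """Return (security causes with auto-recovery enabled, timer_seconds)."""
    causes, timer = parse_recovery(text)
    flagged = sorted(c for c, on in causes.items() if on and c in SECURITY_CAUSES)
    return flagged, timer

# Constructed sample: a shortened copy of the output format shown on this page.
SAMPLE = """\
SW1#show errdisable recovery
ErrDisable Reason Timer Status
----------------- --------------
arp-inspection Disabled
bpduguard Enabled
channel-misconfig (STP) Disabled
link-flap Enabled
psecure-violation Disabled
Timer interval: 300 seconds
Interfaces that will be enabled at the next timeout:
"""

if __name__ == "__main__":
    flagged, timer = audit(SAMPLE)
    for cause in flagged:
        print(f"{cause}: port re-enables after {timer}s without operator review")
```

A cause flagged here means a port shut down for that violation comes back on its own after the timer, so the event should at least be alerted on from syslog before it clears.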