Cisco, clearing mac address after err-disabled

In a Cisco environment that has implemented port security, the goal is to prevent unauthorized computer systems from plugging into and accessing the network. When a device is plugged into a switch port, the switch learns the device's mac address from the frames it sends. If the port's violation mode is set to shutdown, the port that the device is plugged into will be placed in err-disabled state as soon as a frame arrives from a mac address that is not allowed on that port.

In this example, a computer was secured on a port of a switch and then moved to a different location. The port at the new location goes into err-disabled state as soon as the computer is plugged in. The technician who moved the computer contacts the network administrator, who checks port security by running the “sh port-security” command (long form “show port-security”).

sh port-security
	g1/0/1 err-disabled

The network admin can see that g1/0/1 has changed to an err-disabled state and needs to remove the old mac address that was associated with this port. To find the associated mac address the network administrator runs the “sh run int g1/0/1” command (long form “show run interface g1/0/1”).

sh run int g1/0/1
	no mac address

The command shows that the err-disabled port has no mac address configured on it, so the address that caused the err-disable is not secured here. This means that the mac address of the moved computer is still secured somewhere else on the same switch. The network admin needs to find the original port and clear the mac from that port in order to bring the new port out of err-disabled state, and runs “sh port-security int g1/0/1” (show port-security interface g1/0/1).

sh port-security int g1/0/1

Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 1
Total MAC Addresses        : 0
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 1803.73b1.52e9:38
Security Violation Count   : 1

The last source address seen on this port was 1803.73b1.52e9, which is the mac of the moved computer. To find the interface where it is secured, the admin runs the address form of the same command and pipes it through include with the last four hex digits of the mac address. The command is “sh port-security address | inc 52e9” (show port-security address | include 52e9). Since include matches any line containing 52e9, the full address in the output should be compared with the last source address reported above before the port is touched.

sh port-security address | inc 52e9
  32    74fe.483c.52e9    SecureSticky                  Gi4/0/14 

The output shows that the mac address is secured on port Gi4/0/14, the previously unknown port the computer resided on before being moved. The network administrator now navigates to the old port and runs “no port-security” followed by “port-security” to clear the mac, then runs the same commands on g1/0/1 to give the computer its new home.
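As an added example (not part of the original post), the following Python script parses the two command outputs shown above and resolves the last source address to the port where it is secured by comparing the full mac, not only the four digits used with the include filter. The sample outputs are constructed and deliberately contain a second address with the same 52e9 suffix.

```python
import re
# Constructed sample, modelled on the page's "show port-security interface" output.
PORT_SEC_INT = """\
Port Status                : Secure-down
Violation Mode             : Shutdown
Last Source Address:Vlan   : 1803.73b1.52e9:38
Security Violation Count   : 1
"""
# Constructed "show port-security address" table; two rows share the 52e9 suffix,
# so a "| inc 52e9" filter alone would be ambiguous.
PORT_SEC_ADDR = """\
Vlan    Mac Address       Type                          Ports   Remaining Age
----    -----------       ----                          -----   -------------
  32    74fe.483c.52e9    SecureSticky                  Gi4/0/14       -
  38    1803.73b1.52e9    SecureSticky                  Gi2/0/7        -
"""
FIELD_RE = re.compile(r"^(.*?)\s+:\s+(.*)$")  # "Key   : value" lines
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$", re.I)  # dotted MAC

def parse_port_security_interface(text):
    """Turn 'show port-security interface' output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def last_source_mac(text):
    """Return (mac, vlan) from the 'Last Source Address:Vlan' field."""
    value = parse_port_security_interface(text)["Last Source Address:Vlan"]
    mac, _, vlan = value.partition(":")
    return mac.lower(), vlan

def parse_secure_table(text):
    """Parse secure MAC table rows into dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and MAC_RE.match(parts[1]):
            rows.append({"vlan": parts[0], "mac": parts[1].lower(),
                         "type": parts[2], "port": parts[3]})
    return rows

def locate_mac(int_output, addr_table):
    """Ports where the violating MAC is secured (exact), plus suffix-only hits to flag."""
    mac, _ = last_source_mac(int_output)
    rows = parse_secure_table(addr_table)
    exact = [r["port"] for r in rows if r["mac"] == mac]
    suffix_only = [r["port"] for r in rows if r["mac"].endswith(mac[-4:]) and r["mac"] != mac]
    return {"mac": mac, "exact": exact, "suffix_only": suffix_only}
```

Run against real output captured from the switch, the "exact" list is the port to clear and "suffix_only" lists ports that a bare include filter would have shown as well.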
