Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1070
  • Last Modified:

Proper procedure to reset a ERR-DISABLED

Our IP phones are running on a stack of three Cisco Catalyst 3750's.    They are running IOS Version 12.2(25)SEE2).    We have port security and sticky mac-addresses enabled on all interfaces.   We recently replaced a phone in one office, and the port went into a err-disabled state, as expected.

But what is the proper way to reset it when you are plugging in a different device?   "shut / no shut" only works if we plug in the old phone.  I have also issued a "shut" on the interface, removed all port security from the interface (including the sticky mac address), and then issued "no shut".   When I do that, the phone comes up fine, but when I reapply port security and the sticky mac-address, the port goes into err-disabled again.    I even tried waiting overnight, hoping the old mac-address would flush out of the mac address table after a few hours.  But that did not work.

I know I can hard code the mac-address on the port, but that would just be a work around.   I really want to know the proper procedure when using sticky mac-addresses.    I've searched Cisco's web site for an answer.  And I've found tons of documentation about port security, but I've been unable to find an answer to this seemingly simple question.
  • 3
1 Solution
You need to set the switchports so they clear the old mac address from the table after a few minutes in inactivity.  Something like this:

switchport port-security
switchport port-security maximum 2
switchport port-security aging time 5
switchport port-security violation restrict/protect  // (restrict logs the event, protect drops packets)
switchport port-security aging type inactivity
asd-daveAuthor Commented:
Do you know if the default aging time is infinite?    If so, do you know how I would clear the mac address if we wanted to keep it infinite?  Thanks.
To clear a particular sticky MAC address, enter config mode, then enter the interface, then type:

no switchport port-security mac-address xxxx.xxxx.xxxx
And yes, the default value is infinite.

Featured Post

The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now