Proper procedure to reset a ERR-DISABLED

Posted on 2011-05-11
Last Modified: 2012-05-11
Our IP phones are running on a stack of three Cisco Catalyst 3750's.    They are running IOS Version 12.2(25)SEE2).    We have port security and sticky mac-addresses enabled on all interfaces.   We recently replaced a phone in one office, and the port went into a err-disabled state, as expected.

But what is the proper way to reset it when you are plugging in a different device?   "shut / no shut" only works if we plug in the old phone.  I have also issued a "shut" on the interface, removed all port security from the interface (including the sticky mac address), and then issued "no shut".   When I do that, the phone comes up fine, but when I reapply port security and the sticky mac-address, the port goes into err-disabled again.    I even tried waiting overnight, hoping the old mac-address would flush out of the mac address table after a few hours.  But that did not work.

I know I can hard code the mac-address on the port, but that would just be a work around.   I really want to know the proper procedure when using sticky mac-addresses.    I've searched Cisco's web site for an answer.  And I've found tons of documentation about port security, but I've been unable to find an answer to this seemingly simple question.
Question by:asd-dave
    LVL 21

    Expert Comment

    You need to set the switchports so they clear the old mac address from the table after a few minutes in inactivity.  Something like this:

    switchport port-security
    switchport port-security maximum 2
    switchport port-security aging time 5
    switchport port-security violation restrict/protect  // (restrict logs the event, protect drops packets)
    switchport port-security aging type inactivity

    Author Comment

    Do you know if the default aging time is infinite?    If so, do you know how I would clear the mac address if we wanted to keep it infinite?  Thanks.
    LVL 21

    Accepted Solution

    To clear a particular sticky MAC address, enter config mode, then enter the interface, then type:

    no switchport port-security mac-address xxxx.xxxx.xxxx
    LVL 21

    Expert Comment

    And yes, the default value is infinite.

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Looking for New Ways to Advertise?

    Engage with tech pros in our community with native advertising, as a Vendor Expert, and more.

    This is a short article about OS X KeRanger, and what people can do to get rid of it.
    Healthcare organizations in the United States must adhere to the guidance of both the HIPAA (Health Insurance Portability and Accountability Act) and HITECH (Health Information Technology for Economic and Clinical Health Act) for securing and protec…
    Sending a Secure fax is easy with eFax Corporate ( First, Just open a new email message.  In the To field, type your recipient's fax number You can even send a secure international fax — just include t…
    Internet Business Fax to Email Made Easy - With eFax Corporate (, you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    21 Experts available now in Live!

    Get 1:1 Help Now