SwitchFirewall - Free Network Security Tools & Configuration Hub

Introduction

Error-disabled mode is a security feature on Cisco switches that automatically shuts down a port when it detects certain types of errors or violations. When a port enters this state, it stops forwarding traffic and shows as "err-disabled" in the port status. Understanding this feature is essential for network administrators to maintain network stability and security.

This article will guide you through what error-disabled mode is, common causes, how to identify it, and the comprehensive steps to troubleshoot and recover from it including cable diagnostics, physical layer troubleshooting, and all possible scenarios.

What is Error-Disabled Mode?

Error-disabled is a port state that Cisco switches use as a protective mechanism. When the switch detects a critical error condition on a port, it automatically disables that port to prevent potential network issues from spreading. The port remains disabled until an administrator manually intervenes or automatic recovery is configured.

Key Characteristics

Port status shows as "err-disabled"
Port stops forwarding all traffic
LED indicator typically shows amber/orange
Requires manual intervention or automatic recovery timer
Logged in system messages for tracking
Can be caused by both configuration and physical layer issues

Common Causes of Error-Disabled State

1. Port Security Violation

This occurs when port security is configured and the switch detects more MAC addresses than allowed, or an unauthorized MAC address attempts to connect to the port.

2. BPDU Guard Violation

When BPDU Guard is enabled on a port configured as an access port (typically for PortFast), receiving a Bridge Protocol Data Unit (BPDU) triggers error-disabled state. This usually happens when a switch is accidentally connected to an access port.

3. EtherChannel Misconfiguration

Inconsistent EtherChannel configurations between two switches can cause ports to enter error-disabled state. This includes mismatched channel modes, different numbers of ports, or incompatible port settings.

4. Duplex Mismatch

When duplex settings don't match on both ends of a link, excessive collisions and errors can trigger error-disabled state.

5. Loopback Detection

If the switch detects that frames sent out a port are being received back on the same port, indicating a network loop.

6. Link Flapping

When a port repeatedly goes up and down in a short period, the switch may disable it to prevent instability. This can be caused by faulty cables, bad SFP modules, or power issues.

7. UDLD (UniDirectional Link Detection)

UDLD detects when traffic can only flow in one direction on a link, which can cause Layer 2 loops.

8. Storm Control

When broadcast, multicast, or unicast traffic exceeds configured thresholds.

9. Inline Power (PoE) Issues

Power oversubscription or inline power faults can cause ports to enter error-disabled state.

10. ARP Inspection or DHCP Snooping Violations

Security features detecting spoofed or malicious packets.

Identifying Error-Disabled Ports

Check Port Status

The most straightforward way to identify error-disabled ports is to check the interface status:

show interface status

Look for ports showing "err-disabled" in the Status column.

Check Specific Interface Details

For more detailed information about a specific interface:

show interface GigabitEthernet0/1 status

View Error-Disabled Reason

To see why a port was disabled:

show interfaces status err-disabled

This command displays all error-disabled ports along with the reason for their disabled state.

Detailed Interface Information

Get comprehensive details about the interface:

show interface GigabitEthernet0/1

Check System Logs

Review the switch logs for error-disabled events:

show logging | include err-disable

show logging | include GigabitEthernet0/1

The logs will provide timestamps and specific details about what triggered the error-disabled state, which is crucial for troubleshooting.

Physical Layer Troubleshooting

Check Cable Status and Errors

Before diving into configuration issues, always check the physical layer first:

show interface GigabitEthernet0/1

Look for these indicators in the output:

Input errors, CRC errors, frame errors
Output errors, collisions
Late collisions (indicates duplex mismatch)
Runts, giants (malformed packets)

Check Interface Counters

show interface GigabitEthernet0/1 counters

show interface GigabitEthernet0/1 counters errors

Run Cable Diagnostics (TDR - Time Domain Reflectometer)

Cisco switches support TDR testing to diagnose cable issues. This test can identify:

Cable length
Short circuits
Open circuits
Impedance mismatches
Broken or damaged cables

To run cable diagnostics:

test cable-diagnostics tdr interface GigabitEthernet0/1

Wait a few seconds, then view the results:

show cable-diagnostics tdr interface GigabitEthernet0/1

Cable diagnostics can only be run when the interface is up. If the interface is down, bring it up first, run the test, then check results.

Understanding TDR Results

The output shows the status for each pair in the cable:

Normal: Cable is functioning correctly
Open: Cable is disconnected or broken
Short: Cable has a short circuit
ImpedanceMis: Impedance mismatch detected
Not Completed: Test couldn't complete (interface might be down)

Check Transceiver Information (SFP/SFP+ Modules)

For fiber connections or copper SFP modules:

show interface GigabitEthernet0/1 transceiver

show interface transceiver

Check for:

Temperature (should be within normal range)
Voltage levels
Transmit and receive power (for fiber)
Module compatibility

Check for Light Levels (Fiber Connections)

show interface GigabitEthernet0/1 transceiver detail

Low or no light levels indicate fiber issues, dirty connectors, or failed transceivers.

Speed and Duplex Troubleshooting

Check Current Speed and Duplex Settings

show interface GigabitEthernet0/1

show interface GigabitEthernet0/1 status

Look for the speed and duplex settings. Common issues:

One side set to auto, other side hardcoded
Mismatched speeds (1000 vs 100)
Duplex mismatch (full vs half)

Check for Late Collisions (Duplex Mismatch Indicator)

show interface GigabitEthernet0/1 | include collision

Late collisions are a strong indicator of duplex mismatch. If you see late collisions, check duplex settings on both ends immediately.

Configure Speed and Duplex

Option 1: Set to Auto-Negotiation (Recommended)

configure terminal
interface GigabitEthernet0/1
speed auto
duplex auto
exit

Option 2: Hardcode Speed and Duplex (Both Sides Must Match)

configure terminal
interface GigabitEthernet0/1
speed 1000
duplex full
exit

For 100Mbps:

configure terminal
interface GigabitEthernet0/1
speed 100
duplex full
exit

When hardcoding speed and duplex, BOTH ends of the link must have identical settings. Mixing auto and manual settings will cause duplex mismatch.

Test Different Speed Settings

If experiencing issues at gigabit speed, try forcing 100Mbps to isolate cable or hardware issues:

configure terminal
interface GigabitEthernet0/1
speed 100
duplex full
exit

Monitor the interface:

show interface GigabitEthernet0/1

If the interface is stable at 100Mbps but not at 1000Mbps, you likely have:

A marginal cable (Cat5 instead of Cat5e/Cat6)
Cable length exceeding specifications
Bad SFP module
EMI (Electromagnetic Interference)

Detailed Troubleshooting Steps by Cause

Step 1: Identify the Cause

First, determine why the port entered error-disabled state:

show interfaces status err-disabled

Or check the specific interface:

show interface GigabitEthernet0/1

Step 2: Investigate Based on the Cause

For Port Security Violations:

show port-security interface GigabitEthernet0/1

show port-security address

show port-security address interface GigabitEthernet0/1

For BPDU Guard:

show spanning-tree interface GigabitEthernet0/1 detail

show spanning-tree summary

For EtherChannel Issues:

show etherchannel summary

show interfaces GigabitEthernet0/1 etherchannel

show etherchannel port-channel

For Duplex Mismatch:

show interface GigabitEthernet0/1 | include duplex

show interface GigabitEthernet0/1 | include collision

For UDLD:

show udld GigabitEthernet0/1

show udld neighbors

For Storm Control:

show storm-control

show storm-control GigabitEthernet0/1

For PoE Issues:

show power inline

show power inline GigabitEthernet0/1

show power inline police

For Link Flap:

show interface GigabitEthernet0/1 | include line protocol

show logging | include GigabitEthernet0/1 | include UPDOWN

Step 3: Fix the Underlying Issue

Before re-enabling the port, you must fix the root cause. Here are common fixes:

Port Security - Adjust MAC Address Limit:

configure terminal
interface GigabitEthernet0/1
no switchport port-security maximum 1
switchport port-security maximum 2
exit

Port Security - Clear Learned MAC Addresses:

clear port-security dynamic interface GigabitEthernet0/1

BPDU Guard - Disable on Trunk Ports:

configure terminal
interface GigabitEthernet0/1
no spanning-tree bpduguard enable
exit

EtherChannel - Ensure Matching Configuration:

configure terminal
interface range GigabitEthernet0/1-2
channel-group 1 mode active
exit

Duplex Mismatch - Set to Auto:

configure terminal
interface GigabitEthernet0/1
duplex auto
speed auto
exit

UDLD - Reset or Disable:

udld reset

Or disable UDLD:

configure terminal
interface GigabitEthernet0/1
no udld port
exit

Storm Control - Adjust Thresholds:

configure terminal
interface GigabitEthernet0/1
storm-control broadcast level 70.00
storm-control multicast level 70.00
exit

Cable Replacement and Physical Layer Fixes

When to Replace Cables

Replace the cable if you observe:

TDR test shows "Open" or "Short"
High CRC or frame errors
Interface works at 100Mbps but not 1Gbps
Intermittent connectivity
Physical damage visible on cable

Cable Testing Procedure

Step 1: Document Current State

show interface GigabitEthernet0/1

show interface GigabitEthernet0/1 counters errors

Step 2: Run Cable Diagnostics

test cable-diagnostics tdr interface GigabitEthernet0/1

Wait 10-15 seconds, then:

show cable-diagnostics tdr interface GigabitEthernet0/1

Step 3: Clear Counters

clear counters GigabitEthernet0/1

Step 4: Replace Cable

Ensure you're using the correct cable category:

Cat5e: Gigabit up to 100 meters
Cat6: 10 Gigabit up to 55 meters, Gigabit up to 100 meters
Cat6a: 10 Gigabit up to 100 meters

Step 5: Test New Cable

configure terminal
interface GigabitEthernet0/1
shutdown
no shutdown
exit

Wait 30 seconds, then verify:

show interface GigabitEthernet0/1 status

show interface GigabitEthernet0/1 counters errors

Step 6: Run TDR Again

test cable-diagnostics tdr interface GigabitEthernet0/1

show cable-diagnostics tdr interface GigabitEthernet0/1

If the new cable shows "Normal" on all pairs and no errors accumulate, the issue is resolved.

SFP Module Troubleshooting

Check SFP Status:

show interface GigabitEthernet0/1 transceiver

Verify SFP Compatibility:

show inventory

Always use Cisco-approved SFP modules. Third-party modules may cause compatibility issues.

Clean Fiber Connectors:

Power off the port before cleaning
Use proper fiber cleaning tools
Never use compressed air
Inspect with a fiber microscope if available

Test with Known-Good SFP:

Document current SFP serial number
Shut down the interface
Replace with known-good SFP
Bring interface up and test

configure terminal
interface GigabitEthernet0/1
shutdown
! Replace SFP module physically
no shutdown
exit

Recovering from Error-Disabled State

Manual Recovery

After fixing the underlying issue, manually recover the port with these commands:

configure terminal
interface GigabitEthernet0/1
shutdown
no shutdown
exit

Verify the port is now active:

show interface GigabitEthernet0/1 status

show interface GigabitEthernet0/1

Always ensure you've resolved the root cause before re-enabling the port. Simply re-enabling without fixing the issue will cause the port to enter error-disabled state again.

Recovery for Multiple Interfaces

If multiple interfaces are error-disabled:

configure terminal
interface range GigabitEthernet0/1-5
shutdown
no shutdown
exit

Automatic Recovery

You can configure the switch to automatically recover error-disabled ports after a specified time period. This should be used cautiously as it may mask recurring problems.

To enable error-disabled recovery for specific causes:

configure terminal
errdisable recovery cause psecure-violation
errdisable recovery interval 600
exit

Enable recovery for multiple causes:

configure terminal
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause udld
errdisable recovery cause link-flap
errdisable recovery interval 300
exit

To check the current error-disabled recovery configuration:

show errdisable recovery

Available Recovery Causes

You can enable automatic recovery for these causes:

configure terminal
errdisable recovery cause all
! Or individually:
errdisable recovery cause bpduguard
errdisable recovery cause security-violation
errdisable recovery cause channel-misconfig
errdisable recovery cause udld
errdisable recovery cause link-flap
errdisable recovery cause storm-control
errdisable recovery cause inline-power
errdisable recovery cause loopback
errdisable recovery cause dhcp-rate-limit
errdisable recovery cause arp-inspection
exit

Be cautious when using automatic recovery for all causes. It's better to enable it selectively for specific, well-understood scenarios.

Advanced Diagnostics and Monitoring

Monitor Interface in Real-Time

Watch interface status changes in real-time:

terminal monitor

debug interface GigabitEthernet0/1

Use debug commands sparingly in production. They can impact switch performance. Always disable debug when done.

To disable debugging:

no debug all

Check Environmental Conditions

Sometimes error-disabled states are caused by environmental issues:

show environment all

show environment temperature

show environment power

Verify Switch Resources

High CPU or memory usage can cause interface issues:

show processes cpu sorted

show memory

show version

Check for Software Bugs

Verify IOS version and check for known bugs:

show version

Compare against Cisco's bug search tool at cisco.com with your IOS version.

Packet Capture for Advanced Troubleshooting

On newer switches with EPC (Embedded Packet Capture):

monitor capture CAP interface GigabitEthernet0/1 both
monitor capture CAP match any
monitor capture CAP buffer size 10
monitor capture CAP start
! Let it run for 30-60 seconds
monitor capture CAP stop
show monitor capture CAP buffer brief

Export capture for analysis:

monitor capture CAP export tftp://192.168.1.100/capture.pcap

Verification Commands

Complete Verification Checklist

After resolving an error-disabled issue, verify with these commands:

show errdisable detect

show errdisable recovery

show interfaces status err-disabled

show interface GigabitEthernet0/1 status

show interface GigabitEthernet0/1

show interface GigabitEthernet0/1 counters errors

show cable-diagnostics tdr interface GigabitEthernet0/1

show logging | include GigabitEthernet0/1

Clear Counters for Fresh Monitoring

clear counters GigabitEthernet0/1

Create Interface Monitoring Script

Monitor an interface continuously for 5 minutes:

terminal length 0
! Run this command every 30 seconds manually or create EEM script

Check if errors are incrementing:

show interface GigabitEthernet0/1 | include error

Common Scenarios and Complete Solutions

Scenario 1: User Connects Personal Switch to Access Port

Problem: Port enters error-disabled due to BPDU Guard.

Symptoms:

Port shows err-disabled
Logs show BPDU received on PortFast port
User reports no connectivity

Diagnosis:

show interfaces status err-disabled
show spanning-tree interface GigabitEthernet0/15 detail
show logging | include GigabitEthernet0/15

Solution:

Locate and remove the unauthorized switch
Educate the user about network policies
Re-enable the port

configure terminal
interface GigabitEthernet0/15
shutdown
no shutdown
exit

Verify:

show interface GigabitEthernet0/15 status
show spanning-tree interface GigabitEthernet0/15 detail

Scenario 2: MAC Address Spoofing Attack

Problem: Port security violation due to excessive MAC addresses.