errdisable recovery cause psecure-violation
Enables automatic recovery of ports that have been error-disabled due to port security violation (psecure-violation), allowing them to come back up after a specified timeout without manual intervention.
errdisable recovery cause psecure-violation
When to Use This Command
- In an office environment where users frequently plug in unauthorized devices, causing port security violations; this command allows ports to recover automatically after a timeout, reducing helpdesk tickets.
- In a lab or test network where port security is enabled for learning purposes, but you want ports to recover quickly after intentional violation tests.
- In a production network with strict security policies, but where occasional false positives from legitimate device changes should not require manual re-enabling of ports.
- When deploying port security on a large scale and you want to minimize operational overhead by automating recovery for non-critical violations.
Command Examples
Enable recovery for psecure-violation with default timer
errdisable recovery cause psecure-violation
Switch(config)#errdisable recovery cause psecure-violation
Switch(config)#
The command is entered in global configuration mode. No output is shown if successful. The default recovery timer is 300 seconds (5 minutes).
Verify errdisable recovery configuration
show errdisable recovery
ErrDisable Reason          Timer Status
-----------------          -------------
arp-inspection             Disabled
bpduguard                  Disabled
channel-misconfig (STP)    Disabled
dhcp-rate-limit            Disabled
dtp-flap                   Disabled
gbic-invalid               Disabled
inline-power               Disabled
link-flap                  Disabled
loopback                   Disabled
mac-limit                  Disabled
psecure-violation          Enabled
security-violation         Disabled
storm-control              Disabled
udld                       Disabled
unicast-flood              Disabled
vmps                       Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:
The 'show errdisable recovery' output displays the status of recovery for each errdisable cause. 'psecure-violation' shows 'Enabled' indicating recovery is active. The 'Timer interval' shows the current recovery timeout (default 300 seconds). The 'Interfaces that will be enabled at the next timeout' line lists interfaces that are currently error-disabled and will be recovered when the timer expires.
Understanding the Output
The primary command 'errdisable recovery cause psecure-violation' does not produce output on success. To verify, use 'show errdisable recovery'. In the output, each errdisable reason is listed with its timer status (Enabled/Disabled). For psecure-violation, you should see 'Enabled' to confirm recovery is configured. The 'Timer interval' line shows the recovery time in seconds (default 300). The 'Interfaces that will be enabled at the next timeout' section lists interfaces currently in errdisable state due to any enabled cause; these will be automatically re-enabled after the timer expires. If no interfaces are listed, no ports are currently error-disabled for that reason. A good configuration shows psecure-violation as Enabled; a bad configuration shows Disabled or the timer set too low (causing flapping) or too high (delaying recovery). Watch for interfaces that repeatedly enter errdisable state, indicating a persistent security violation that should be investigated rather than relying on automatic recovery.
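The checks described above can be automated. The following is an added example, not part of the original page or any Cisco tooling: it parses 'show errdisable recovery' text and flags a disabled psecure-violation cause, a timer outside a chosen range, and ports waiting on recovery. The function names, the 60-900 second bounds, the sample text, and the per-interface table layout under the last heading are assumptions.

```python
import re
# Constructed sample of 'show errdisable recovery' output (not captured from a real switch).
SAMPLE = """\
ErrDisable Reason            Timer Status
-----------------            --------------
bpduguard                    Disabled
channel-misconfig (STP)      Disabled
psecure-violation            Enabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface       Errdisable reason       Time left(sec)
---------       -----------------       --------------
Gi0/5           psecure-violation       212
"""

def parse_errdisable_recovery(text):
    """Return (causes, interval_seconds, pending) parsed from the show output."""
    causes, pending, interval, in_pending = {}, [], None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("-"):
            continue  # blank lines and dashed rulers carry no data
        timer = re.match(r"Timer interval:\s*(\d+)\s*seconds", line)
        cause = re.match(r"(.+?)\s+(Enabled|Disabled)$", line)
        if timer:
            interval = int(timer.group(1))
        elif line.startswith("Interfaces that will be enabled"):
            in_pending = True
        elif in_pending:
            parts = line.split()
            if len(parts) == 3 and parts[2].isdigit():  # skips the column header
                pending.append((parts[0], parts[1], int(parts[2])))
        elif cause:
            causes[cause.group(1)] = cause.group(2) == "Enabled"
    return causes, interval, pending

def audit(text, min_interval=60, max_interval=900):
    """List findings; min_interval and max_interval are assumed site policy values."""
    causes, interval, pending = parse_errdisable_recovery(text)
    findings = []
    if not causes.get("psecure-violation"):
        findings.append("psecure-violation recovery is not Enabled")
    if interval is None or not min_interval <= interval <= max_interval:
        findings.append(f"timer interval {interval} outside {min_interval}-{max_interval}s")
    findings += [f"{port} err-disabled by port security, recovers in {left}s: investigate"
                 for port, reason, left in pending if reason == "psecure-violation"]
    return findings
```

Running audit(SAMPLE) on successive captures and comparing the reported ports shows which interfaces keep returning to the errdisable state.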
CCNA Exam Tips
CCNA exam tip: Remember that 'errdisable recovery cause psecure-violation' only enables recovery for port security violations; other causes like bpduguard require separate commands.
CCNA exam tip: The default recovery timer is 300 seconds; you can change it with 'errdisable recovery interval <seconds>'.
CCNA exam tip: If a port is error-disabled due to psecure-violation, it will not recover until the timer expires, even if the violation is removed. Use 'shutdown' followed by 'no shutdown' to manually recover immediately.
CCNA exam tip: The exam may test that 'errdisable recovery cause psecure-violation' is configured globally, not per-interface.
Common Mistakes
Mistake: Forgetting to also configure 'errdisable recovery interval' to a value other than default, leading to unexpected recovery times.
Mistake: Enabling recovery for psecure-violation but not having port security configured on any interface, making the command ineffective.
Mistake: Assuming that enabling recovery will prevent future violations; it only automates recovery, not prevention.