Interface in err-disabled State — Cannot Bring Up
Presenting Symptom
A switch port that was previously operational is now down, and the interface status shows 'err-disabled'.
Network Context
This issue occurs in a small branch office with a Cisco Catalyst 2960 switch running IOS 15.0. The switch connects to an access layer switch in the enterprise campus via a trunk port. The err-disabled state is observed on the trunk interface after a network event such as a loop or a security violation.
Diagnostic Steps
Check interface status
show interfaces status
Port      Name    Status        Vlan    Duplex  Speed  Type
Gi0/1             err-disabled  trunk   auto    auto   10/100/1000BaseTX
The interface status shows 'err-disabled' instead of 'connected' or 'notconnect'. This confirms the port is in error-disabled state.
Identify the cause of err-disable
show interfaces status err-disabled
Port      Cause               Recovery
Gi0/1     psecure-violation   Yes
This command shows the reason the port was placed in err-disabled state. Common causes include 'psecure-violation' (port security), 'bpduguard' (BPDU guard), 'channel-misconfig' (EtherChannel misconfiguration), 'udld' (UniDirectional Link Detection), or 'loopback'.
Check port security configuration (if cause is psecure-violation)
show port-security interface gi0/1
Port Security              : Enabled
Port Status                : Secure-down
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
If the cause is psecure-violation, this output shows that port security is enabled, the violation mode is shutdown, and a security violation has occurred. The last source MAC address indicates which device triggered the violation.
Check for BPDU guard (if cause is bpduguard)
show spanning-tree interface gi0/1 detail
Port 1 (GigabitEthernet0/1) of VLAN0001 is broken down (BPDU guard)
  Port path cost 4, Port priority 128, Port Identifier 128.1.
  Designated root has priority 32768, address aaaa.bbbb.cccc
  Designated bridge has priority 32768, address aaaa.bbbb.cccc
  Designated port id is 128.1, designated path cost 4
  Timers: message age 0, forward delay 0, hold 0
  Number of transitions to forwarding state: 0
  BPDU: sent 0, received 1
If BPDU guard caused the err-disable, the output shows 'broken down (BPDU guard)' and that BPDUs were received on an access port. This indicates an unauthorized switch was connected.
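The triage flow in the diagnostic steps above, as an added Python example that is not part of the original page: it parses the 'show interfaces status err-disabled' and 'show port-security interface' listings and returns the follow-up command and the offending MAC. It assumes the three-column layout shown in this scenario; the sample text is constructed, and port Gi0/7 and all function names are illustrative.

```python
import re

# Follow-up command per cause, taken from the diagnostic steps in this scenario.
FOLLOW_UP = {
    "psecure-violation": "show port-security interface {port}",
    "bpduguard": "show spanning-tree interface {port} detail",
}

# Constructed sample output modelled on this scenario (Gi0/7 is made up).
ERRDISABLED = """\
Port      Cause               Recovery
Gi0/1     psecure-violation   Yes
Gi0/7     bpduguard           No
"""
PORT_SECURITY = """\
Port Security              : Enabled
Last Source Address:Vlan   : 0011.2233.4455:10
Security Violation Count   : 1
"""


def parse_errdisabled(text):
    """Rows of 'show interfaces status err-disabled' -> list of dicts."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0] == "Port":
            continue  # header, echoed command or blank line
        port, cause, recovery = fields
        template = FOLLOW_UP.get(cause)  # None when no follow-up step is listed
        rows.append({"port": port, "cause": cause, "auto_recovery": recovery.lower() == "yes",
                     "next_command": template.format(port=port) if template else None})
    return rows


def parse_port_security(text):
    """Split on the padded ' : ' only; the 'Last Source Address:Vlan' line has bare colons."""
    pairs = (re.split(r"\s+:\s+", ln.strip(), maxsplit=1) for ln in text.splitlines())
    return {p[0]: p[1] for p in pairs if len(p) == 2}


def violation_summary(info):
    """(offending MAC, VLAN, violation count) from a parsed port-security dict."""
    mac, _, vlan = info["Last Source Address:Vlan"].rpartition(":")
    return mac, int(vlan), int(info["Security Violation Count"])


if __name__ == "__main__":
    print(parse_errdisabled(ERRDISABLED))
    print(violation_summary(parse_port_security(PORT_SECURITY)))
```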
Root Cause
The interface entered err-disabled state due to a port security violation (psecure-violation) triggered when an unauthorized device with MAC address 0011.2233.4455 connected to the port, exceeding the allowed maximum MAC addresses.
Resolution
Verification
Run 'show interfaces status' and confirm the port status is 'connected'. Also run 'show port-security interface gi0/1' to verify the security violation count is 0 and the port status is 'Secure-up'.
Prevention
1. Configure port security with the 'sticky' option to dynamically learn MAC addresses and avoid violations from known devices.
2. Set errdisable recovery to automatically recover ports after a timeout: 'errdisable recovery cause psecure-violation' and 'errdisable recovery interval 300'.
3. Use BPDU guard only on access ports that should never receive BPDUs, and ensure trunk ports are properly configured.
CCNA Exam Relevance
On the CCNA 200-301 exam, this scenario appears in troubleshooting questions where you must identify why a port is err-disabled and select the correct cause from multiple choices. The exam tests knowledge of common err-disable causes (port security, BPDU guard, UDLD, EtherChannel misconfig) and the commands to diagnose them. A key fact is that 'shutdown/no shutdown' or 'clear errdisable' can recover the port, but the root cause must be fixed first.
Exam Tips
Memorize the common err-disable causes: psecure-violation, bpduguard, channel-misconfig, udld, loopback.
Know that 'show interfaces status err-disabled' lists the cause; 'show port-security' and 'show spanning-tree' help confirm.
Remember that errdisable recovery can be automatic if configured, but the default is manual recovery via shutdown/no shutdown.
Commands Used in This Scenario
show interfaces status
Displays a summary of all switch interfaces including their status, VLAN, duplex, speed, and type, used to quickly verify interface connectivity and configuration.
show port-security
Displays the port security configuration and status on switch interfaces, used to verify and troubleshoot port security settings.
show spanning-tree
Displays the Spanning Tree Protocol (STP) state and configuration for all VLANs or a specific VLAN, used to verify root bridge, port roles, and STP topology.