Port Security Triggering err-disabled on User Port
Presenting Symptom
A user's PC connected to a switch port loses network connectivity, and the port LED shows solid amber; the switch reports the port is in err-disabled state.
Network Context
This occurs in a small branch office with a single Cisco Catalyst 2960-X switch running IOS 15.2. The switch connects 20 users on access ports. Port security is enabled on all access ports with a maximum of 1 MAC address. The user's PC was replaced, and the new PC has a different MAC address, causing a security violation that triggered err-disable.
Diagnostic Steps
Check interface status
show interfaces status
Port      Name      Status        Vlan   Duplex  Speed  Type
Gi0/1     User-PC   err-disabled  10     auto    auto   10/100/1000BaseTX
The port shows err-disabled status, indicating a violation or error condition. Normal status would be 'connected' or 'notconnect'.
Check port security details
show port-security interface GigabitEthernet0/1
Port Security              : Enabled
Port Status                : Secure-shutdown
Violation Mode             : Shutdown
Maximum MAC Addresses      : 1
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : aaaa.bbbb.cccc:10
Security Violation Count   : 1
Port security is enabled and the violation mode is shutdown, so a violation puts the port into err-disable; port security reports this as a Port Status of Secure-shutdown. The Security Violation Count of 1 shows that exactly one frame from an unexpected source MAC tripped the port. The Last Source Address is the MAC that caused the violation, which is the address to compare against the new PC's MAC. Sticky MAC Addresses is 0, so the previously allowed address was learned dynamically rather than written into the running-config.
Check MAC address table for the port
show mac address-table interface GigabitEthernet0/1
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aaaa.bbbb.cccc    DYNAMIC     Gi0/1
The entry shown is the address the switch currently associates with the port. Compare it with the MAC printed on the new PC (or read from it with ipconfig /all or ip link): if they differ, the table still holds the previously secured address and the new PC is the one reported as Last Source Address by port security. Once the port is err-disabled it forwards nothing, so no further addresses are learned on it until it is recovered.
Check errdisable recovery status
show errdisable recovery
ErrDisable Reason      Timer Status
-----------------      ------------
psecure-violation      Disabled
The errdisable recovery for psecure-violation is disabled, meaning the port will not automatically recover. This confirms manual intervention is needed.
Root Cause
Port security is configured with violation mode shutdown, and the maximum MAC address count is set to 1. When the user replaced their PC, the new PC's MAC address differed from the previously learned (sticky or dynamic) MAC, causing a security violation. The switch placed the port in err-disabled state, blocking all traffic.
Resolution
1. Find out how the old MAC was secured: `show running-config interface GigabitEthernet0/1`. A sticky or static entry appears as a `switchport port-security mac-address` line under the interface; a dynamic entry (the case here, since Sticky MAC Addresses is 0) exists only in the address table.
2. Remove the stale secure entry so the new PC's MAC can take its place: `clear port-security sticky interface GigabitEthernet0/1` for a sticky entry, or `clear port-security dynamic interface GigabitEthernet0/1` for a dynamic one.
3. Clear the err-disabled state by bouncing the port: `shutdown` followed by `no shutdown` in interface configuration mode. The port comes up, learns the new PC's MAC as its secure address, and the Security Violation Count resets to 0.
4. If sticky learning is in use, save the configuration (`write memory`) so the newly learned address survives a reload.
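The recovery procedure typed out as IOS CLI. This is an added example, not output or configuration from the original page; the interface is the one shown in the diagnostic output, and the comments mark which line applies to a sticky entry versus a dynamic one.

```cisco
! Added example; not from the original page. Gi0/1 is the port from the show output above.
! 1. See how the stale address was secured (a sticky/static entry shows up here; a dynamic one does not)
show running-config interface GigabitEthernet0/1

! 2. Remove the stale secure entry. Use the ONE line that matches what step 1 showed:
clear port-security sticky interface GigabitEthernet0/1
clear port-security dynamic interface GigabitEthernet0/1

! 3. Bounce the port to leave the err-disabled state; the new PC's MAC is learned on link-up
configure terminal
 interface GigabitEthernet0/1
  shutdown
  no shutdown
 end

! 4. Confirm the port is Secure-up with a violation count of 0, then persist the new
!    sticky address if sticky learning is configured on the port
show port-security interface GigabitEthernet0/1
write memory
```

Step 2 matters: if the stale entry is left in place, `no shutdown` brings the port up only until the new PC sends its first frame, at which point the same violation fires again and the port returns to err-disabled.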
Verification
Run `show interfaces status` and verify the port status is 'connected'. Run `show port-security interface GigabitEthernet0/1` and confirm 'Port Status' is 'Secure-up' and 'Security Violation Count' is 0. Run `show mac address-table interface GigabitEthernet0/1` to confirm the correct MAC address is learned.
Prevention
1. Know what sticky learning does before relying on it. Sticky writes the learned MAC into the running-config, so a replaced PC still triggers a violation; it does not update the allowed address automatically. If sticky is used, make "clear the old sticky entry" part of the device-replacement procedure.
2. Do not simply raise the maximum MAC count to 2. That admits a second device on the port (a hub or rogue host) and still leaves the stale entry in place. Instead, enable port-security aging with the inactivity type so the dynamically learned entry of an unplugged PC expires on its own.
3. Enable errdisable recovery for psecure-violation with a short interval to limit downtime. Recovery only re-enables the port; if the stale secure MAC remains (for example a sticky entry), the violation recurs on the next frame from the new PC.
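The prevention points as a per-port configuration, showing the settings the scenario describes beside a hardened version. This is an added example and not the branch's actual configuration; the 10-minute inactivity aging time and the 300-second recovery interval are illustrative values.

```cisco
! Added example; not from the original page.
! BEFORE: what the scenario describes. Max 1, violation shutdown, no aging, no errdisable
! recovery, so any replaced device strands the port until an administrator intervenes.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown

! AFTER: same one-device limit, but stale entries expire and the port recovers on its own.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 ! Drop a dynamically learned secure MAC after 10 minutes without traffic from it,
 ! so an unplugged PC's entry does not block its replacement (illustrative value).
 switchport port-security aging type inactivity
 switchport port-security aging time 10

! Global settings: bring psecure-violation ports back after 300 seconds (illustrative value)
! and make sure each violation reaches the monitoring system.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
snmp-server enable traps port-security
```

Aging applies to dynamically learned secure addresses; it does not remove a sticky entry, which is why the prevention list above treats sticky as a procedure question rather than an automatic fix. Where an outage on violation is unacceptable, `switchport port-security violation restrict` keeps the port up, drops only the offending frames, and still increments the counter and sends the trap, at the cost of the new PC getting no traffic until the stale entry is cleared.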
CCNA Exam Relevance
On the CCNA 200-301 exam, port security and errdisable scenarios appear in troubleshooting questions, often as drag-and-drop or multiple-choice. The exam tests understanding of violation modes (shutdown, restrict, protect) and the commands to verify and recover from errdisable. Key fact: shutdown mode puts the port into err-disable; restrict keeps the port up, drops frames from unknown source MACs, increments the violation counter and generates a syslog message and SNMP trap; protect also keeps the port up and drops the frames, but silently, with no counter increment and no notification.
Exam Tips
Remember that 'shutdown' violation mode puts the port in err-disabled state; 'restrict' and 'protect' do not.
Know the command 'show port-security interface' to check violation count and last source MAC.
Be able to distinguish between sticky and dynamic MAC learning; sticky MACs are written into the running-config (and survive a reload only after the configuration is saved), while dynamic secure MACs live only in the address table.
Commands Used in This Scenario
show interfaces status
Displays a summary of all switch interfaces including their status, VLAN, duplex, speed, and type, used to quickly verify interface connectivity and configuration.
show mac address-table
Displays the MAC address table (also known as CAM table) on a switch, showing which MAC addresses are learned on which VLAN and port, used to verify Layer 2 forwarding and detect issues like MAC flooding or incorrect port assignments.
show port-security interface [intf]
Displays port security configuration and status for a specific interface, including secure MAC addresses, violation counts, and action taken.