Sunday, December 31, 2017

Cisco CCNP:300-115 - 1.1 Configure and verify switch administration: 1.1.c Troubleshoot Err-disable recovery

Recently I needed to renew my Cisco CCNPs, that is both CCNP Routing and Switching as well as CCNP Security. While working with Cisco products (well now they own SourceFire, so exclude these) is not within my daily duties, I still thought it was important for me to maintain these two credentials. As a result, I've put together my notes below focusing on the key points I used to study. I believe that someone else may find them useful.

        - To see the current status of all interfaces, use:
          SecurityNik#show interfaces status
        - To see the current status of an interface, use:
          SecurityNik#show interfaces fast1/0/22 status
        - If your configuration shows a port as enabled but the software detects an error on the port, the software shuts down the port
        - Switch ports are automatically disabled by the switch OS when error conditions are detected on a port
        - Ports in "err-disabled" state are effectively shutdown. No traffic is sent or received on the port in question
        - Port LED is set to orange colour
        - The "show interface status" will show the port as "err-disabled"
        - Syslog and Console messages may also be seen on he screen when an error condition is detected
        - The error disable function serves the following two purposes:
            - Notifies the administrator of a port problem
            - Eliminates the possibility of this port causing other ports to fail because of monopolization of resources thus causing serious network issues
        Error-disable detection is enabled by default for all of the causes below:
          - Cable which is out of specification
          - Bad interface card. Can include driver or physical card issues
          - duplex misconfiguration
          - Port Channel misconfiguration
          - BPDU guard violation
          - UniDirectional Link Detection(UDLD) conditions
          - Late-Collision detection
          - Link-flat detection
          - Security Violation
          - Port Aggregation Protocol (PAgP) flap
          - Layer 2 Tunneling Protocol (L2TP) guard
          - DHCP snooping rate-limited
          - Incorrect GBIC / Small Form-Factor Pluggable (SFP) module or cable
          - Address Resolution Protocol (ARP) Inspection
          - Inline Power
        To see the current state of all err-disable reason/condititon/detection
          SecurityNik#show errdisable detect
        To see the current recovery condition use:
          SecurityNik#show errdisable recovery
        By default, the system recovers after 300 seconds (5 minutes). However, this timeout is also disabled by default
        To Determine the reason for the Errdisabled state, you can review the messages generated on the console or via syslog or use:
          SecurityNik#show errdisable recovery
       -  To recover a port from Errdisabled state, you should fix the problem before re-eneabling the port. If not the port will once again go back to "err-disabled" state
       -  As can be seen above, there are a number of reasons why a port may be shutdown. However, here is some further elaboration:
        - Etherchannels Misconfiguration
            - For EtherChannels to work, their configuration must be consistent
              - Ports must have the same VLAN
              - Ports must have the same trunk mode
              - Ports must have the same speed
              - Ports must have the same duplex, etc
            - If one switch is configured for EtherChannel and the other is not, the spanning tree process can shutdown the channel ports on the side which is configured for EtherChannel because the currently configured switch thinks there is a loop
            - Set the channel mode to "desirable"  on both sides of the connection
            - Each side will only form a channel if they both agree to channel
            - If they do not agree, then the ports on both sides continue to function as normal ports
       -  Duplex Mismatch
            - Typically caused by failure to auto negotiate speed and duplex properly
            - Full duplex devices transmit whenever they have something to send regardless of other devices
            - Ensure the that both sides of the swich has the same speed and duplex configuration
            - CDP version 2 can also warn about duplex mismatch before the port is placed in error-disabled state
       -  BPDU Port Guard
            - Ports with Portfast must only be connected to an endpoint device such as a workstation or server and not to other devices like switches, routers, bridges, etc, that generates spanning tree BPDU
            - If spanning tree BPDU is received on a port configured for "SW1(config-if)#spanning-tree portfast" and "SW1(config-if)#spanning-tree bpduguard enable" the switch is placed in "err-disable" mode in order to guard against potential loops
            - BPDU Guard helps to ensure the LAN stays loop free on ports which are configured for PortFast
       - UniDirectional Link Detection (UDLD)
           -  Used with fiber-optic or copper Ethernet cables (i.e. Cat 5)
           -  Used to monitor physical configuration of the cable and detects when a link is unidirectional
           -  When unidirectional link is detected, the port is shutdown and the user is notified
           -  UniDirectional links can cause spanning tree loops among other problems
           -  Note: Both devices on the link must support UDLD and have it enabled. Having UDLD configured only on one side of a link may result in the configured link moving to an errdisable state
       Link Flap
          - Interface constantly going up and down
          - If the interface flaps more than 5 times in 10 seconds, it goes into the errdisabled state
          - Common cause for link flapping is Layer 1 issues such as bad cable, duplex mismatch bad GBIC card, etc.
          - Messages may be logged to the console or to a Syslog server
          - To see current flap value configuration:
          SecurityNik#show errdisable flap-values
            ErrDisable Reason    Flaps    Time (sec)
            -----------------    ------   ----------
            pagp-flap              3       30
            dtp-flap               3       30
            link-flap              5       10
        - From above we see "link-flap" is configure for 5 flaps in 10 seconds, while "pagp-flap" and "dtp-flap" are configured for 3 times in 30 seconds
       - Loopback Error
          - Keepalive packet is looped back to the port that sent the keepalive
          - Results in the port being moved to errdisabled
      - Port Security Violation
        - Can be used with both dynamically learned and statistically configured mac addresses, in order to restrict traffic on a port
        - Use the following command to configure port security violation and its options:       
          SW1(config-if)#switchport port-security violation ?
            protect   Security violation protect mode
            restrict  Security violation restrict mode
            shutdown  Security violation shutdown mode
        - To shutdown or put the port in errdisable state, use the following:
          SW1(config-if)#switchport port-security violation shutdown
        - Security violation can occur for any of the following:
            1.  Max number of secure MAC addresses reached
                - This leverages the configured port security violation
            2.  When a secure mac address which is configured or learned on one port attempts to access another secure port on the same VLAN
              - This results in the shutdown violation mode
        - L2pt Guard
            - The interface goes to errdisabled when an encapsulated PDU (packet with a proprietary destination MAC address) is received from a tunnel port or access port with Layer 2 tunneling enabled
        - Incorrect SFP cable
        - 802.1x Security Violation
           -  Port configured for a single host seeing a different MAC address on that interface
           -  Can use "Multidomain Authentication Mode" on a switchport if you need to use an IP Phone with a host behind it
           -  "Multidomain" refers to voice and data
            - "Multidomain" allows only 2 MAC addresses per port
       - For ports which have transitioned to "err-disabled" you must issue the "shutdown" followed by the "no shutdown" commands in the interface mode, eg:
            SW1(config)#int fa1/0/22
            SW1(config-if)#no shutdown
       -  To configure "errdisable recovery cause" for any of the options specify the options at the end. Below example enables recovery for "psecure-violation"
       SW1(config)#errdisable recovery cause psecure-violation
      - Note that one or more of the options have to be enabled and that error condition has to be met before the timeout can be taken advantage of


1 comment:

  1. This comment has been removed by a blog administrator.