Objective 1.1.c Troubleshoot Err-disable Recovery

The content on this page is my notes on objective 1.1.c – Troubleshoot Err-disable Recovery – of the CCNP SWITCH 300-115 Cisco certification. You can view the previous notes for objective 1.1.a – SDM Templates – and 1.1.b – Managing MAC Address Table.

Err-disable recovery is the mechanism by which a switch, having put an interface into the err-disabled state because it detected an error condition, automatically brings that interface back up once a recovery timer expires (300 seconds by default). Recovery is enabled per cause, so you choose which error conditions are allowed to re-enable an interface on their own; a port disabled for any cause you do not list stays down until an administrator issues shutdown followed by no shutdown on it.

When a port goes into the err-disabled state it is effectively shut down and stops sending and receiving traffic. The port LED turns amber (orange) and show interfaces reports the port as err-disabled.

An interface goes into err-disable because the switch detected an error condition on it. Shutting the port down tells the network engineer that something is wrong with that port and keeps the fault from spreading to the rest of the switch (a looping or flapping link would otherwise affect every port in the VLAN). Some of the causes of err-disable:

  • Bad cable
  • Bad network interface card
  • Port duplex mismatch
  • Port channel misconfiguration
  • BPDU guard violation
  • UDLD condition
  • Late-collision detection
  • Link-flap detection
  • Security violation
  • PAgP flap
  • L2PT (Layer 2 protocol tunneling) guard
  • DHCP snooping rate-limit
  • Incorrect GBIC/SFP module or cable
  • Dynamic ARP Inspection
  • Inline power

How do you determine the reason for err-disable?

show errdisable recovery lists every err-disable cause in the ErrDisable Reason column and, beside it, whether automatic recovery is enabled for that cause. To see which ports are err-disabled right now and why, use show interfaces status err-disabled. In the output below autorecovery is disabled for every cause, which is the default.

SW#show errdisable recovery
ErrDisable Reason            Timer Status
-----------------            --------------
udld                         Disabled
bpduguard                    Disabled
security-violatio            Disabled
channel-misconfig            Disabled
vmps                         Disabled
pagp-flap                    Disabled
dtp-flap                     Disabled
link-flap                    Disabled
l2ptguard                    Disabled
psecure-violation            Disabled
sfp-config-mismat            Disabled
gbic-invalid                 Disabled
dhcp-rate-limit              Disabled
unicast-flood                Disabled
storm-control                Disabled
arp-inspection               Disabled
loopback                     Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

To enable autorecovery for a cause, use the following syntax in global configuration mode (the shared timer itself is changed with errdisable recovery interval):

errdisable recovery cause cause-name

Think before enabling recovery for security causes such as bpduguard, psecure-violation or arp-inspection. The timer re-enables the port whether or not the offending device is still attached, so the port simply trips again, and in the meantime nobody may have looked at what is plugged in. Recovery is reasonable for transient faults such as link-flap or udld on a marginal link.
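As an added example that is not part of these notes, the following Python script parses show errdisable recovery output and flags causes for which automatic recovery would bring back a port that a security feature shut down. The sample output, the interface in it and the set of causes treated as security-related are constructed for the example; they are not IOS definitions.

```python
"""Audit 'show errdisable recovery' output (added example, not from the notes).

Parses the text a Catalyst switch prints for 'show errdisable recovery' and
flags causes whose automatic recovery would silently bring back a port that a
security feature shut down. SAMPLE_OUTPUT is constructed for this example and
SECURITY_CAUSES is an editorial choice, not an IOS definition.
"""
import re

# Constructed sample in the switch's own layout: a few causes switched to
# Enabled and one port already waiting for the timer.
SAMPLE_OUTPUT = """\
ErrDisable Reason            Timer Status
-----------------            --------------
udld                         Enabled
bpduguard                    Enabled
security-violatio            Disabled
channel-misconfig            Disabled
vmps                         Disabled
pagp-flap                    Disabled
dtp-flap                     Disabled
link-flap                    Enabled
l2ptguard                    Disabled
psecure-violation            Enabled
sfp-config-mismat            Disabled
gbic-invalid                 Disabled
dhcp-rate-limit              Disabled
unicast-flood                Disabled
storm-control                Disabled
arp-inspection               Enabled
loopback                     Disabled

Timer interval: 300 seconds

Interfaces that will be enabled at the next timeout:

Interface      Errdisable reason      Time left(sec)
---------      -----------------      --------------
Gi1/0/12       psecure-violation         187
"""

# Causes where the port was shut because a security control fired. Letting a
# timer re-open it means nobody has checked what is plugged in (assumption).
SECURITY_CAUSES = {
    "bpduguard", "psecure-violation", "security-violatio",
    "arp-inspection", "dhcp-rate-limit", "l2ptguard",
}

CAUSE_LINE = re.compile(r"^(\S+)\s+(Enabled|Disabled)\s*$")
INTERVAL_LINE = re.compile(r"^Timer interval:\s+(\d+)\s+seconds")
PENDING_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_errdisable_recovery(text):
    """Return (causes, interval, pending).

    causes:   {cause name: True if recovery is enabled}
    interval: shared recovery timer in seconds, or None if not printed
    pending:  [(interface, reason, seconds left)] for ports awaiting recovery
    """
    causes, interval, pending = {}, None, []
    in_pending = False
    for line in text.splitlines():
        line = line.rstrip()
        m = INTERVAL_LINE.match(line)
        if m:
            interval = int(m.group(1))
            continue
        if line.startswith("Interfaces that will be enabled"):
            in_pending = True
            continue
        if in_pending:
            # The header and dashed underline fail the regex (3rd field not numeric)
            m = PENDING_LINE.match(line)
            if m:
                pending.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = CAUSE_LINE.match(line)
        if m:
            causes[m.group(1)] = m.group(2) == "Enabled"
    return causes, interval, pending


def audit(causes, pending):
    """Findings a reviewer would raise: security causes set to auto-recover."""
    findings = []
    for cause in sorted(causes):
        if causes[cause] and cause in SECURITY_CAUSES:
            findings.append(f"recovery enabled for security cause {cause}")
    for intf, reason, left in pending:
        if reason in SECURITY_CAUSES:
            findings.append(f"{intf} ({reason}) comes back in {left}s with no review")
    return findings


if __name__ == "__main__":
    causes, interval, pending = parse_errdisable_recovery(SAMPLE_OUTPUT)
    print(f"recovery timer: {interval}s, "
          f"{sum(causes.values())} of {len(causes)} causes auto-recover")
    for finding in audit(causes, pending):
        print("FINDING:", finding)
```

Feed it the real output of show errdisable recovery from each switch (for example collected over SSH) and keep SECURITY_CAUSES aligned with whatever your own policy says must be investigated by a person rather than cleared by a timer.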

Cisco MAC Address Table

A switch builds its address table dynamically from the source MAC addresses of the frames it receives: for each frame it records the sender's MAC address together with the port (and VLAN) on which the frame arrived.

If a frame arrives whose destination MAC address is not in the table, the switch floods it out every port in that VLAN except the one it arrived on. When the destination replies, the switch learns that station's address from the reply and from then on forwards frames to it out a single port. (This is the behaviour a CAM-table overflow attack abuses: flood the switch with forged source addresses until no room is left for real ones, and unicast traffic in the VLAN is flooded to every port, where a sniffer can capture it.)

Dynamic entries live only in memory and are lost when the switch reboots; static entries are part of the configuration and survive. To keep the table clean, an aging timer removes dynamic addresses that have not been seen as a source address for the configured number of seconds (300 by default).

Aside from dynamically learning MAC addresses, you can also configure Static MAC addresses. The syntax for configuring a static MAC address is:

SW1(config)#mac address-table static mac_address vlan vlan-id {drop | interface {type slot/port} | port-channel number} [auto-learn]

SW1#conf t
SW1(config)#mac address-table static aaaa.bbbb.cccc vlan 10 interface gigabitethernet 1/0/4

To delete a static MAC address, prefix the same command with no. Using the drop keyword in place of an interface discards any frame sourced from or destined to that address in the VLAN (unicast MAC address filtering), which is a quick way to block a known-bad station.

Configure the Aging Timer

Configure the aging timer for all MAC addresses on the switch:

SW1#conf t
SW1(config)#mac address-table aging-time seconds [vlan vlan-id]

seconds ranges from 10 to 1000000; 0 disables aging, so learned entries never expire. Use 0 only in a lab: on a production switch stale entries then accumulate until you clear them by hand.

Clearing Dynamic Addresses

This command clears all dynamic MAC entries from the MAC address table:

SW1#clear mac address-table dynamic

You can be more selective. Each keyword is optional and they can be combined:

SW1#clear mac address-table dynamic [address mac_address] [interface {type slot/port | port-channel number}] [vlan vlan_id]

Verifying the MAC Address Table

Use these show commands:

show mac address-table to display the contents of the MAC address table.

SW1#show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    000d.bdd3.4e80    STATIC      CPU
 All    000d.bdd3.4e81    STATIC      CPU
 All    000d.bdd3.4e82    STATIC      CPU
  10    0090.7f9b.0a35    DYNAMIC     Po10
  10    0090.7f9b.0a36    DYNAMIC     Po10
Total Mac Addresses for this criterion: 5

show mac address-table aging-time to display the aging time for all VLANs on the switch.

SW1#sh mac address-table aging-time
Global Aging Time: 300
Vlan    Aging Time
----    ----------
  60    100
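The learning and flooding behaviour described above is what makes a port that suddenly learns dozens of addresses worth a look. As an added example that is not part of these notes, this Python script parses show mac address-table output and counts DYNAMIC entries per port, the quick check for a host forging source MACs to overflow the table. The sample table, its ports and addresses, and the threshold are constructed for the example.

```python
"""Spot ports learning an unusual number of MAC addresses (added example).

Parses 'show mac address-table' as printed by a Catalyst switch and counts
DYNAMIC entries per port. A single end host should account for one or a few
addresses; a port with many is either a hub, an unmanaged switch, a
hypervisor, or a host flooding forged source MACs. SAMPLE_TABLE and the
threshold used in __main__ are constructed for this example.
"""
import re
from collections import Counter

SAMPLE_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 All    000d.bdd3.4e80    STATIC      CPU
 All    000d.bdd3.4e81    STATIC      CPU
  10    0090.7f9b.0a35    DYNAMIC     Po10
  10    0090.7f9b.0a36    DYNAMIC     Po10
  20    0011.2233.4455    DYNAMIC     Gi1/0/5
  20    0011.2233.4456    DYNAMIC     Gi1/0/5
  20    0011.2233.4457    DYNAMIC     Gi1/0/5
  20    0011.2233.4458    DYNAMIC     Gi1/0/5
  20    aaaa.bbbb.cccc    STATIC      Gi1/0/4
Total Mac Addresses for this criterion: 9
"""

# One table row: VLAN (or "All"), dotted-hex MAC, entry type, port name.
# The header, underline and "Total ..." trailer do not match this pattern.
ENTRY = re.compile(
    r"^\s*(All|\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, type, port) tuples, one per table row."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append((vlan, mac.lower(), kind.upper(), port))
    return entries


def dynamic_macs_per_port(entries):
    """Count learned (DYNAMIC) addresses per physical or channel port."""
    return Counter(port for _, _, kind, port in entries if kind == "DYNAMIC")


def flag_ports(entries, max_dynamic):
    """Ports whose learned-MAC count exceeds what one end host should need."""
    counts = dynamic_macs_per_port(entries)
    return sorted(port for port, n in counts.items() if n > max_dynamic)


if __name__ == "__main__":
    rows = parse_mac_table(SAMPLE_TABLE)
    counts = dynamic_macs_per_port(rows)
    print(f"{len(rows)} entries, dynamic per port: {dict(counts)}")
    # Uplinks and port-channels legitimately carry many addresses; exclude
    # them before applying an access-port threshold on a real switch.
    for port in flag_ports(rows, max_dynamic=3):
        print(f"review {port}: more dynamic MACs than an access port should learn")
```

The IOS-native control for this is port security (switchport port-security with a maximum address count and a violation mode), whose violation is itself one of the err-disable causes listed earlier on this page. The script is useful on switches where port security has not been turned on yet, or to check that the configured maximum matches what the ports actually learn.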



Installing Snorby for Snort

We have gone through installing Snort, and then PulledPork and Barnyard2. That is not much help without an easy way to look at the alerts and events Snort is raising. Snorby is a Ruby on Rails web application that sits on top of the Snort event database and provides metrics and reporting. Once it is configured you can classify events into preconfigured or custom classifications, with a hotkey if you prefer.

Even a small team without a dedicated security analyst can schedule a daily summary of events to be e-mailed out. To get a glimpse of what it can do, take a look at the demo at http://demo.snorby.org. The username is snorby@snorby.org and the password is snorby.

Installing Prerequisites

Before installing Snorby you will need Ruby, ImageMagick, Rails, and Wkhtmltopdf.

yum -y groupinstall "Development Tools"
yum install -y openssl-devel readline-devel libxml2-devel libxslt-devel mysql mysql-devel mysql-libs mysql-server urw-fonts libX11-devel libXext-devel qconf fontconfig-devel libXrender-devel unzip

Download and Compile ImageMagick

The FTP mirror gives you no integrity check, so compare the tarball against a checksum or signature published by the ImageMagick project before building it. Building from source needs ./configure and make before make install:

cd ~/tmp
wget ftp://ftp.fifi.org/pub/ImageMagick/ImageMagick-6.8.9-6.tar.gz
tar -xzf ImageMagick-6.8.9-6.tar.gz
cd ImageMagick-6.8.9-6
./configure
make
make install
ldconfig /usr/local/lib

Download and Install Wkhtmltopdf

Wkhtmltopdf is used by Snorby to create reports. First download some prerequisites for Wkhtmltopdf:

yum -y install xz urw-fonts libXext openssl-devel libXrender

Install wkhtmltopdf (the SourceForge URL ends in /download, so tell wget the file name to save it under, otherwise you get a file literally called download):

cd ~/tmp
wget -O wkhtmltox-0.12.1_linux-centos6-amd64.rpm http://sourceforge.net/projects/wkhtmltopdf/files/0.12.1/wkhtmltox-0.12.1_linux-centos6-amd64.rpm/download
rpm -Uvh wkhtmltox-0.12.1_linux-centos6-amd64.rpm

You can verify the installation by rendering a page to PDF; google.pdf should appear in the current directory:

wkhtmltopdf http://www.google.com google.pdf

Install Ruby

First the prerequisites:

yum -y install libxslt-devel libxml2-devel gdbm-devel libffi-devel zlib-devel openssl-devel libyaml-devel readline-devel curl-devel pcre-devel git memcached-devel valgrind-devel mysql-devel ImageMagick-devel

If yum cannot find libyaml-devel, add the EPEL and Remi repositories and then re-run the yum install above:

wget http://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm
wget http://rpms.famillecollet.com/enterprise/remi-release-6.rpm
rpm -Uvh remi-release-6*.rpm epel-release-6*.rpm

I'll be installing Ruby with RVM. Piping an installer straight from the network into bash runs whatever the server, or anyone able to tamper with the plain-HTTP redirect, sends back; on a sensor you intend to trust, download the script to a file first (curl -L -o rvm-installer get.rvm.io), read it, and then run bash rvm-installer stable. The one-liner is:

curl -L get.rvm.io | bash -s stable

Set up the RVM environment:

source /etc/profile.d/rvm.sh

Install Ruby 1.9.3, the version Snorby requires:

rvm install 1.9.3
rvm use 1.9.3 --default

Install RubyGems:

rvm rubygems current

Install Rails (Snorby's Gemfile pins the Rails release it needs, and bundle install later fetches that one regardless of the version installed here):

gem install rails

Install Snorby

Do not add --no-check-certificate to the wget below: it switches off TLS certificate verification, so anyone who can intercept the connection can hand you a modified archive. If wget rejects GitHub's certificate on a stock CentOS 6 box, update the CA bundle first (yum -y install ca-certificates). Renaming the extracted directory, rather than moving snorby-master/*, also keeps any hidden files in the archive that a shell glob would skip.

yum -y install httpd
service httpd start
chkconfig --add httpd
chkconfig httpd on
gem install bundler
cd /var/www/html
wget -O snorby.zip https://github.com/Snorby/snorby/archive/master.zip
unzip snorby.zip
mv snorby-master snorby
