Port Admin Status displays as "D-Down"

  • 0
  • 1
  • Article
  • Updated 5 years ago
  • (Edited)
Article ID: 11392 

Products
SecureStack C3, firmware 1.02.01.0004 and higher
SecureStack C2, firmware 5.02.01.0006 and higher
SecureStack B3, firmware 1.02.01.0004 and higher
SecureStack B2, firmware 4.02.01.0006 and higher
G-Series, firmware 1.02.00.0043 and higher 

Changes
Enabled and configured the DHCP Snooping feature ('set dhcpsnooping...').

Symptoms
Port link is down.
Port is not passing traffic.
The output of a 'show port status' command displays the port's Admin Status as "D-Down". 

For example: 
B3(su)->show port status ge.1.1
Alias Oper Admin Speed
Port (truncated) Status Status (bps) Duplex Type
--------- ------------ ------- ------- --------- ------- ------------
ge.1.1 Down D-Down N/A N/A BaseT RJ45/PoE

The ifAdminStatus mib returns value of "testing":
Object ifAdminStatus
OID 1.3.6.1.2.1.2.2.1.7
Type INTEGER
Permission read-write
Status current
Values

1 : up
2 : down
3 : testing

Description "The desired state of the interface. The testing(3) state
indicates that no operational packets can be passed. When a
managed system initializes, all interfaces start with
ifAdminStatus in the down(2) state. As a result of either
explicit management action or per configuration information
retained by the managed system, ifAdminStatus is then
changed to either the up(1) or testing(3) states (or remains
in the down(2) state)."

Cause
DHCP Snooping's Rate Limiting behavior examines each untrusted port for received DHCP packets exceeding a configurable rate per burst interval (by default, 15 packets per second). If the receive rate exceeds the limit, DHCP Snooping brings down the port, and its Admin Status is then described as "D-Down" to indicate why the port is in an administratively "down" state, and the ifAdminStatus mib reflects the fact that packets are not flowing.

Solution/Workaround
Examine your DHCP Snooping setup to determine whether or not the action that has been taken is valid, then take any corrective action that is warranted. 

If this port is giving network access to a valid DHCP server, designate it as a trusted port ('set dhcpsnooping trust port <port_string> enable'). 
If this port is giving network access to a rogue DHCP server, remove/disable the server. 
To re-enable the port as desired, use the command 'set port enable <port_string>'. 

For more about the DHCP Snooping feature, please refer to the Configuration Guide or CLI Reference Guide for your product and firmware version. 

See also: 12008.
Photo of FAQ User

FAQ User, Official Rep

  • 13,610 Points 10k badge 2x thumb

Posted 5 years ago

  • 0
  • 1

There are no replies.

This conversation is no longer open for comments or replies.