I have recently implemented the 802.1X on switchs 3750-X running 15.0(2)SE IOS version.
The spanning-tree bpdufilter and bpduguard are globally enabled on the switchs.
A user has created a loop on the network by connecting its Cisco IP-Phone twice on the network : one wire connected normally from switch to the RJ-45 phone connector and the second wire that should be connected to the PC had also been connected to the switch !
The loop created has not been detected by the switch !
I have made several tests and re-created the problem 3 times on 4 (only one time, the loop has been detected by bpduguard 20 seconds after the port up).
Notice that without 802.1X configured on the same switch port, the loop is quickly detected and ports are err-disabled shutdown.
Switch port with 802.1X is following :
switchport access vlan 950
switchport mode access
switchport voice vlan 955
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 950
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
If I change the host-mode to multi-domain, a MAC violation restriction occurs and shutdown the port. But this is not the config I need.
Is there any reason for spanning-tree not works properly with 802.1X ?
I agree with Jatin , I have experienced those bugs with spanning tree and 802.1x.
Besides, you shouldn't use bpdufilter. As the name implies, bpdufilter does filter the bpdus and that breaks spanning tree. Also the internal switch of some models of Cisco IP Phones uses bpdufilter (you can't modify that), that's why those models of Cisco IP Phones break spanning-tree.
In you switches you should only use bpduguard, and it's preferable to configure bpduguard in the interfaces instead that in the global configuration.
When using bpdufilter, bpduguard and portfast all at the same time there are many things going on which are not well documented. Now when you add 802.1x to the mix then you really have no documentation. I had to do many labs on my own to finally have my configuration, and also discovered some bugs. According to my experience you shouldn't use bpdufilter and you should use bpduguard on the switchport not in the global config.
Please read the following links about the differences between global and port bpdufilter, differences between global and port bpduguard, configuring bpduguard along with portfast , configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :