New Member

ISE - 802.1X - Loop not detected by spanning-tree

Hello,

I have recently implemented 802.1X on 3750-X switches running IOS version 15.0(2)SE.

The spanning-tree bpdufilter and bpduguard are globally enabled on the switches.

A user created a loop on the network by connecting their Cisco IP-Phone to the network twice: one wire connected normally from the switch to the phone's RJ-45 connector, and the second wire, which should have been connected to the PC, also connected to the switch!

The loop created was not detected by the switch!

I have made several tests and re-created the problem 3 times out of 4 (only once was the loop detected by bpduguard, 20 seconds after the port came up).

Notice that without 802.1X configured on the same switch port, the loop is quickly detected and the ports are shut down as err-disabled.

The switch port with 802.1X is configured as follows:

!
interface GigabitEthernet1/0/9
 switchport access vlan 950
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 955
 no logging event link-status
 authentication control-direction in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 950
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 storm-control broadcast level 10.00
 storm-control multicast level 10.00
 spanning-tree portfast
!

If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.

Is there any reason for spanning-tree not working properly with 802.1X?

Thanks,

Olivier

7 REPLIES
Cisco Employee

ISE - 802.1X - Loop not detected by spanning-tree

Suspect:

CSCtx96491    Dot1x Auth Port does not trigger BPDUGuard

Symptom:

A port configured and authenticated with dot1x security may not correctly detect a loop even if bpduguard is configured on the interface. This may result in 100% CPU utilization due to the STP process of the switch.

Conditions:

- Catalyst 3560/3750
- bpduguard configured
- dot1x authenticated port looped back to another dot1x configured port

This has been observed when a user mistakenly loops back the switch interface of an authenticated IP Phone.

Workaround:

- configure 'authentication open' on these interfaces (or)
- configure 'authentication mac-move permit' on the switch.

~BR
Jatin Katyal

**Do rate helpful posts**

ISE - 802.1X - Loop not detected by spanning-tree

Hello Olivier

I agree with Jatin, I have experienced those bugs with spanning tree and 802.1x.

Besides, you shouldn't use bpdufilter. As the name implies, bpdufilter filters the BPDUs, and that breaks spanning tree. Also, the internal switch of some models of Cisco IP Phones uses bpdufilter (you can't modify that); that's why those models of Cisco IP Phones break spanning-tree.

In your switches you should only use bpduguard, and it's preferable to configure bpduguard on the interfaces instead of in the global configuration.

Please rate if this helps

New Member

ISE - 802.1X - Loop not detected by spanning-tree

Hello,

Indeed, this bug is exactly what I experience.

But this one should be fixed in the switch version I have.

(I use 15.0(2)SE, and the bug is said to be fixed for this one...)

I will try to upgrade a switch to 15.0(2)SE4 to see if the bug is still present.

I do not want to use authentication open, because of the bad behavior I have with the DHCP client in this mode.

About the BPDU configuration, I use bpdufilter globally to have a BPDU loop test at link-up. I think using bpduguard globally or per port will not make much difference.

And regarding the phone filtering BPDUs, I think if that were the case, the switch would not have detected a loop when I disabled 802.1X.

Thank you.

Olivier

Cisco Employee

ISE - 802.1X - Loop not detected by spanning-tree

Some discussion is going on regarding this defect, because what it shows in the "Fixed release" is not accurate.

~BR
Jatin Katyal

**Do rate helpful posts**

ISE - 802.1X - Loop not detected by spanning-tree

Hello Olivier

When using bpdufilter, bpduguard and portfast all at the same time, there are many things going on which are not well documented. When you add 802.1x to the mix, then you really have no documentation. I had to do many labs on my own to finally arrive at my configuration, and I also discovered some bugs. In my experience you shouldn't use bpdufilter, and you should use bpduguard on the switchport, not in the global config.

Please read the following links about the differences between global and port bpdufilter, the differences between global and port bpduguard, configuring bpduguard along with portfast, configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.

http://aitaseller.wordpress.com/2010/01/17/bpdu-filter-vs-bpdu-guard-what-is-the-difference/

http://costiser.wordpress.com/2011/05/23/subtle-difference-for-portfast-bpdufilter-used-together-globally-or-at-interface-level/

https://learningnetwork.cisco.com/thread/21103

http://blog.ipexpert.com/2010/12/06/bpdu-filter-and-bpdu-guard/

Please rate if this helps
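The two recommendations in the reply above (no global bpdufilter, bpduguard on each 802.1X edge port rather than only as a global default) can be checked mechanically. This is an added example, not code from the thread or from Cisco: a small audit over a constructed config that reuses the poster's GigabitEthernet1/0/9 and adds a hypothetical GigabitEthernet1/0/10 for contrast. As the thread itself notes, a per-port bpduguard does not work around CSCtx96491; the check only catches the configuration weaknesses the replies point out.

```python
# Constructed sample: the poster's GigabitEthernet1/0/9 (trimmed) under the global
# defaults the thread mentions, plus a hypothetical port guarded per interface.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/9
 switchport access vlan 950
 switchport voice vlan 955
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/0/10
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
 spanning-tree bpduguard enable
!
"""

def parse_interfaces(config):
    """Return {interface name: [stripped config lines]} for each interface stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            interfaces[current].append(line)
    return interfaces

def audit(config):
    """Flag global bpdufilter and dot1x edge ports lacking per-interface bpduguard."""
    findings = []
    top_level = [ln.strip() for ln in config.splitlines()]
    if "spanning-tree portfast bpdufilter default" in top_level:
        findings.append(("global", "bpdufilter default drops the BPDUs STP needs; remove it"))
    for name, lines in parse_interfaces(config).items():
        dot1x = "authentication port-control auto" in lines
        edge = "spanning-tree portfast" in lines
        guarded = "spanning-tree bpduguard enable" in lines
        if dot1x and edge and not guarded:
            findings.append((name, "dot1x edge port relies on global bpduguard; enable it per interface"))
    return findings
```

Run it over a `show running-config` capture; on the sample it reports the global bpdufilter and GigabitEthernet1/0/9, and stays silent on the port that carries bpduguard itself.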

New Member

ISE - 802.1X - Loop not detected by spanning-tree

Hello,

I have made several tests; here are my results:

1/ Spanning-tree configuration:

- disabling bpdufilter globally: no change; there is still a loop when connecting both phone ports to a switch
- enabling bpduguard per port: idem

2/ Dot1x configuration:

- "authentication open" configured on the switch port: OK, the loop is correctly detected.

3/ Upgrading to 15.0(2)SE4:

-> I still have exactly the same behavior.

As a conclusion, the only way to detect the loop is to configure "authentication open" on the switch port...

Which is not a good solution, from my point of view.

Olivier

New Member

ISE - 802.1X - Loop not detected by spanning-tree

Hello,

This bug, referenced CSCtx96491, is marked as resolved in versions 15.0(2)SE, 15.1(2)SG1.0.10, 15.1(2)SG1 and 15.1(2)SG2.

But we have done several tests, and we were able to reproduce the issue in versions 15.0.2SE2 and 15.2(1)E.

Is there any news regarding this bug?

Best regards,
