Dot1x is not detecting STP loop in switch C3850-48P

Sanjoy4231
Level 1

I have a client who has mistakenly created a loop on a Cisco C3850-48P switch by connecting another cable to the switch from a Cisco IP Phone 7811. This should ideally be detected by the switch and the ports should be blocked, since BPDU guard is configured both globally and on the interface. The interfaces are NAC enabled and only dot1x is configured.

But with MAB enabled on the ports, the loop is detected and the port is sent to the err-disabled state. With only dot1x enabled it is not working.

My question is:

1. Will STP loop detection only work with MAB enabled on the switch? With only dot1x it will not work? Is this normal behaviour?

Interface config:

interface GigabitEthernet1/0/9 >>>>> on this port the IP phone is already connected and authenticated with dot1x
description PR11-N-10
switchport access vlan 140
switchport mode access
switchport voice vlan 232
logging event status
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout server-timeout 5
dot1x timeout tx-period 10
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input TrustDSCP

interface GigabitEthernet1/0/29  >>>>>> on this port the other cable was connected, creating the loop
description PR11-N-32
switchport access vlan 140
switchport mode access
switchport voice vlan 232
logging event status
shutdown >>>> the port is now shut due to the loop situation; once it is opened it creates the loop and does not go to the blocked state
authentication event fail action next-method
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout server-timeout 5
dot1x timeout tx-period 10
dot1x max-reauth-req 1
spanning-tree portfast
spanning-tree bpduguard enable
service-policy input TrustDSCP

This is with MAB enabled:

Mar 25 13:13:52: %SPANTREE-6-PORT_STATE: Port Gi1/0/29 instance 140 moving from disabled to blocking
Mar 25 13:13:52: %SPANTREE-6-PORT_STATE: Port Gi1/0/29 instance 140 moving from blocking to forwarding
Mar 25 13:13:52: %SPANTREE-6-PORT_STATE: Port Gi1/0/29 instance 232 moving from disabled to blocking
Mar 25 13:13:52: %SPANTREE-6-PORT_STATE: Port Gi1/0/29 instance 232 moving from blocking to forwarding
Mar 25 13:13:52: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/9 with BPDU Guard enabled. Disabling port.
Mar 25 13:13:52: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/9, putting Gi1/0/9 in err-disable state

This is without MAB:

TEPPINETS003-ACC-PR1(config)#int gi 1/0/29
TEPPINETS003-ACC-PR1(config-if)#no shu
TEPPINETS003-ACC-PR1(config-if)#no shutdown
TEPPINETS003-ACC-PR1(config-if)#
Mar 25 13:09:49: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to up >>>>>> port 29 comes up
Mar 25 13:09:49: %SPANTREE-6-PORT_STATE: Port Gi1/0/9 instance 232 moving from forwarding to disabled >>>>> vlan 232 instance of port 9 goes down
Mar 25 13:09:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/29, changed state to up
Mar 25 13:09:50: %SW_MATM-4-MACFLAP_NOTIF: Host 5897.1e28.0f93 in vlan 232 is flapping between port Gi1/0/29 and port Po1 >>>>>>>> MAC flap, indication of layer 2 loop
Mar 25 13:09:55: %SW_MATM-4-MACFLAP_NOTIF: Host 1ce6.c799.7ca6 in vlan 232 is flapping between port Gi1/0/29 and port Po1
Mar 25 13:10:03: %SPANTREE-6-PORT_STATE: Port Gi1/0/9 instance 232 moving from disabled to blocking >>>>>>>> vlan 232 instance of port 9 changing to blocking
Mar 25 13:10:03: %SPANTREE-6-PORT_STATE: Port Gi1/0/9 instance 232 moving from blocking to forwarding >>>>>>>> vlan 232 instance of port 9 changing to forwarding

Please help me clear up this situation.

Thanks

Sanjoy
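As an added example (not part of the original post or of any Cisco tooling), here is a small Python parser that runs over the two syslog excerpts quoted above and reports whether a suspected Layer 2 loop (MAC flap notifications) was contained by BPDU guard (an err-disable event). The sample logs are the post's own lines with the ">>>>" annotations removed; the verdict labels and the LoopReport structure are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the syslog excerpts quoted in the post, annotations removed.
LOG_WITH_MAB = """\
Mar 25 13:13:52: %SPANTREE-6-PORT_STATE: Port Gi1/0/29 instance 140 moving from disabled to blocking
Mar 25 13:13:52: %SPANTREE-6-PORT_STATE: Port Gi1/0/29 instance 140 moving from blocking to forwarding
Mar 25 13:13:52: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/0/9 with BPDU Guard enabled. Disabling port.
Mar 25 13:13:52: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/9, putting Gi1/0/9 in err-disable state
"""

LOG_DOT1X_ONLY = """\
Mar 25 13:09:49: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/29, changed state to up
Mar 25 13:09:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/29, changed state to up
Mar 25 13:09:50: %SW_MATM-4-MACFLAP_NOTIF: Host 5897.1e28.0f93 in vlan 232 is flapping between port Gi1/0/29 and port Po1
Mar 25 13:09:55: %SW_MATM-4-MACFLAP_NOTIF: Host 1ce6.c799.7ca6 in vlan 232 is flapping between port Gi1/0/29 and port Po1
Mar 25 13:10:03: %SPANTREE-6-PORT_STATE: Port Gi1/0/9 instance 232 moving from blocking to forwarding
"""

# Message formats exactly as they appear in the post's own switch output.
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)
BPDUGUARD_RE = re.compile(r"%SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port (?P<port>\S+) ")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: bpduguard error detected on (?P<port>[^,\s]+)")


@dataclass
class LoopReport:
    mac_flaps: list = field(default_factory=list)   # (mac, vlan, port_a, port_b)
    bpdu_seen_on: set = field(default_factory=set)  # ports where BPDU guard saw a BPDU
    errdisabled: set = field(default_factory=set)   # ports BPDU guard actually shut

    def flapping_ports(self):
        """Every port named in a MAC flap notification."""
        return {p for _, _, a, b in self.mac_flaps for p in (a, b)}

    def vlans(self):
        """VLANs in which flapping was reported."""
        return {vlan for _, vlan, _, _ in self.mac_flaps}

    def verdict(self):
        """Labels are my own (assumption): 'contained' = BPDU guard err-disabled a port;
        'uncontained-loop' = MAC flapping seen with no BPDU guard action; 'clean' = neither."""
        if self.errdisabled:
            return "contained"
        if self.mac_flaps:
            return "uncontained-loop"
        return "clean"


def analyze(log_text):
    """Scan syslog lines and collect loop indicators and BPDU guard actions."""
    report = LoopReport()
    for line in log_text.splitlines():
        if m := MACFLAP_RE.search(line):
            report.mac_flaps.append((m["mac"], int(m["vlan"]), m["p1"], m["p2"]))
        elif m := BPDUGUARD_RE.search(line):
            report.bpdu_seen_on.add(m["port"])
        elif m := ERRDISABLE_RE.search(line):
            report.errdisabled.add(m["port"])
    return report


if __name__ == "__main__":
    for name, text in (("with MAB", LOG_WITH_MAB), ("dot1x only", LOG_DOT1X_ONLY)):
        r = analyze(text)
        print(f"{name}: verdict={r.verdict()} flapping={sorted(r.flapping_ports())} "
              f"vlans={sorted(r.vlans())} errdisabled={sorted(r.errdisabled)}")
```

Run against the MAB excerpt the verdict is "contained" (BPDU guard err-disabled Gi1/0/9); against the dot1x-only excerpt it is "uncontained-loop", because Gi1/0/29 and Po1 are flapping in VLAN 232 and no BPDU guard event ever appears. Feeding this to a syslog collector gives an alert for exactly the case the post describes: a loop that the access-port protection did not catch.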

5 Replies

Arne Bier
VIP

Hi @Sanjoy4231 

I would have expected the BPDU to be independent of whether or not MAB is enabled. A BPDU should not be sent to a RADIUS server as a form of MAB ...

I tested this on IOS 15.2 in my lab.

Apr  3 12:43:02.453: dot1x-ev:[Gi1/2] Interface state changed to UP
Apr  3 12:43:02.459: dot1x-ev:DOT1X Supplicant not enabled on GigabitEthernet1/2
Apr  3 12:43:03.201: %SYS-5-CONFIG_I: Configured from console by console
Apr  3 12:43:03.457: %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port Gi1/2 with BPDU Guard enabled. Disabling port.
Apr  3 12:43:03.458: %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/2, putting Gi1/2 in err-disable state
Apr  3 12:43:03.462: dot1x-ev:[Gi1/2] Interface state changed to DOWN
Apr  3 12:43:03.463: dot1x-ev:[Gi1/2] No DOT1X subblock found for port down
Apr  3 12:43:04.269: %LINK-3-UPDOWN: Interface GigabitEthernet1/2, changed state to down
CORE#
CORE#
CORE#show derived-config int gi 1/2
Building configuration...

Derived configuration : 287 bytes
!
interface GigabitEthernet1/2
 switchport access vlan 10
 switchport mode access
 negotiation auto
 access-session port-control auto
 dot1x pae authenticator
 spanning-tree portfast edge
 spanning-tree bpduguard enable
 service-policy type control subscriber AI_DOT1X_MAB_POLICIES
end

Same behaviour observed when 'mab' is added back to the config.

It's an interesting question though, because I expected spanning tree protection to be done independently of processing packets for MAB/EAPOL on the port. When 'mab' is configured on the port, do you see any events in the ISE Live Logs?

@Arne Bier Hello Arne, thanks for your response. I did not check the live logs in ISE and I am not sure whether the customer is using ISE or not. Will check and update the post.

With only dot1x configured, I am not seeing any BPDU produced by the supplicant (Cisco IP phone in this case), which is why the port is not being blocked. Not sure what can be done here.

The customer is using a very old IOS version. Could this be a bug which could possibly be fixed if I upgrade the IOS?

Thanks.

"In the default state, when you connect a supplicant switch to an authenticator switch that has BPDU guard enabled, the authenticator port could be error-disabled if it receives Spanning Tree Protocol (STP) bridge protocol data unit (BPDU) packets before the supplicant switch has authenticated. Beginning with Cisco IOS Release 15.0(1)SE, you can control traffic exiting the supplicant port during the authentication period. Entering the dot1x supplicant controlled transient global configuration command temporarily blocks the supplicant port during authentication to ensure that the authenticator port does not shut down before authentication completes. If authentication fails, the supplicant port opens. Entering the no dot1x supplicant controlled transient global configuration command opens the supplicant port during the authentication period. This is the default behavior.

We strongly recommend using the dot1x supplicant controlled transient command on a supplicant switch when BPDU guard is enabled on the authenticator switch port with the spanning-tree bpduguard enable interface configuration command."

From Cisco Doc.
So I think this command is disabled, and this makes traffic pass, including BPDUs.

@MHM Cisco World Thanks for the input. I will try this command and will let you know if this fixes the issue. Although here the client is using a Cisco IP phone as the supplicant. Could the BPDU be received from a Cisco IP phone, as this is what's happening here?

My issue here is that STP is not running with only dot1x configured. But with MAB, it is participating fine and upon detecting the loop it is also blocking the port. The client wants the same with only dot1x configured on the authenticator port.

You have a misconfiguration: the IP phone's two ports are connected to two SW ports.
G0/29 - IP phone
G0/9 - ether-port of IP phone

Now, how the loop happened:
G0/29 - IP phone: will be forwarding in STP, since the IP phone does not send any BPDU.
G0/9 - ether-port connected back to the SW, so how does the loop form?
The SW sends BPDUs ("even with BPDU guard the SW still sends BPDUs"); the IP phone by default re-forwards them back to the SW ("the IP phone assumes a PC is connected to the ether-port").
The SW detects the BPDU on a BPDU guard port and blocks the port.

Keep in mind: G0/9 is blocked because of the BPDU, not G0/29, which is the source of the issue.

So here the IP phone is passing the BPDU from one SW port to the other SW port.

BPDU guard works in the data plane and detects the BPDU before blocking the port.

802.1x vs MAB
A SW with 802.1x only allows EAP to pass through during the auth process, and after auth/authz it allows all traffic to pass.

MAB allows any frame from the client in order to learn the MAC address, and this includes BPDUs.
I think this is why MAB makes the port detect the loop.

BUT if 802.1x allows any traffic after auth/authz, why is the port not blocked, and instead looping and MAC flapping?

You configured multi-auth; the voice domain succeeds auth/authz,
BUT
the data domain (VLAN 140) never succeeds, and all traffic is denied except EAP.

Hope this helps you decide the best solution here.