I have recently implemented 802.1X on 3750-X switches running IOS version 15.0(2)SE.
Spanning-tree bpdufilter and bpduguard are globally enabled on the switches.
A user created a loop on the network by connecting his Cisco IP phone to the network twice: one cable connected normally from the switch to the phone's RJ-45 connector, and the second cable, which should have gone to the PC, also connected to the switch!
The loop was not detected by the switch!
I have run several tests and reproduced the problem 3 times out of 4 (only once was the loop detected by bpduguard, 20 seconds after the port came up).
Note that without 802.1X configured on the same switch port, the loop is quickly detected and the ports are shut down in err-disabled state.
The switch port configuration with 802.1X is as follows:
```
switchport access vlan 950
switchport mode access
switchport voice vlan 955
no logging event link-status
authentication control-direction in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 950
authentication event server dead action authorize voice
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication timer reauthenticate server
dot1x pae authenticator
dot1x timeout tx-period 10
storm-control broadcast level 10.00
storm-control multicast level 10.00
```
If I change the host-mode to multi-domain, a MAC violation restriction occurs and shuts down the port. But this is not the config I need.
Is there any reason why spanning-tree does not work properly with 802.1X?
CSCtx96491 Dot1x Auth Port does not trigger BPDUGuard
A port configured and authenticated with dot1x security may not correctly detect a loop even if bpduguard is configured on the interface. This may result in 100% CPU utilization due to the STP process of the switch.
- Catalyst 3560/3750
- bpduguard configured
- dot1x authenticated port looped back to another dot1x configured port
This has been observed when a user mistakenly loops back the switch interface of an authenticated IP Phone.
- configure 'authentication open' on these interfaces (or)
- configure 'authentication mac-move permit' on the switch.
**Do rate helpful posts**
I agree with Jatin, I have experienced those bugs with spanning tree and 802.1X.
Besides, you shouldn't use bpdufilter. As the name implies, bpdufilter filters the BPDUs, and that breaks spanning tree. Also, the internal switch of some models of Cisco IP Phones uses bpdufilter (you can't modify that); that's why those models of Cisco IP Phones break spanning-tree.
On your switches you should only use bpduguard, and it's preferable to configure bpduguard on the interfaces rather than in the global configuration.
Please rate if this helps
Indeed, this bug is exactly what I am experiencing.
But this one should be fixed in the switch version I have.
(I use 15.0(2)SE, and the bug is said to be fixed for this one...)
I will try to upgrade a switch to 15.0(2)SE4 to see if the bug is still present.
I do not want to use authentication open because of the bad behavior I have with DHCP clients in this mode.
About the BPDU configuration, I use bpdufilter globally to have a BPDU loop test at link-up. I think using bpduguard globally or per port will not make much difference.
And regarding the phone filtering BPDUs, I think if that were the case, the switch would not have detected a loop when I disabled 802.1X.
When using bpdufilter, bpduguard and portfast all at the same time, there are many things going on which are not well documented. Now when you add 802.1x to the mix, you really have no documentation. I had to do many labs on my own to finally arrive at my configuration, and I also discovered some bugs. According to my experience, you shouldn't use bpdufilter, and you should use bpduguard on the switchport, not in the global config.
Please read the following links about the differences between global and port bpdufilter, the differences between global and port bpduguard, configuring bpduguard along with portfast, configuring bpdufilter along with portfast, and configuring bpduguard along with bpdufilter.
Please rate if this helps
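An added audit script (not code from the thread or from Cisco) that reads an IOS running-config and flags the combinations discussed in these replies: global bpdufilter, 802.1X ports that rely only on global bpduguard, and closed-mode 802.1X ports with neither of the CSCtx96491 workarounds. The sample config and interface names below are constructed for the example.

```python
# Constructed sample running-config, not the original poster's switch.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
spanning-tree portfast bpdufilter default
!
interface GigabitEthernet1/0/1
 switchport access vlan 950
 switchport voice vlan 955
 authentication host-mode multi-auth
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport access vlan 950
 authentication port-control auto
 authentication open
 dot1x pae authenticator
 spanning-tree bpduguard enable
!
"""

def parse_config(text):
    """Split an IOS config into global commands and per-interface command lists."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())   # indented sub-command
        else:
            current = None                              # '!' or a global command
            if line and not line.startswith("!"):
                global_cmds.append(line.strip())
    return global_cmds, interfaces

def audit(text):
    """Return (scope, finding) tuples for 802.1X-enabled access ports."""
    global_cmds, interfaces = parse_config(text)
    findings = []
    if "spanning-tree portfast bpdufilter default" in global_cmds:
        findings.append(("global", "bpdufilter-global"))  # BPDUs dropped, loops unseen
    mac_move = "authentication mac-move permit" in global_cmds
    for name, cmds in interfaces.items():
        if "authentication port-control auto" not in cmds:
            continue                                      # not an 802.1X port
        if "spanning-tree bpduguard enable" not in cmds:
            findings.append((name, "no-port-bpduguard"))  # relies on the global default only
        if "authentication open" not in cmds and not mac_move:
            findings.append((name, "closed-dot1x"))       # neither CSCtx96491 workaround applied
    return findings
```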
I have run several tests; here are my results:
1/ Spanning-tree configuration:
- disabling bpdufilter globally: no change; I still have a loop when connecting both phone ports to a switch
- enabling bpduguard per port: same
2/ Dot1x configuration:
- "authentication open" configured on the switch port: OK, the loop is detected correctly.
3/ Upgrading to 15.0(2)SE4
-> I still have exactly the same behavior.
In conclusion, the only way to detect the loop is to configure "authentication open" on the switch port...
Which is not a good solution, from my point of view.