802.1x and Spanning Tree

Will spanning tree and 802.1x work together on a single switch?

We manufacture dual-port Ethernet BACnet controllers for building automation.

For purposes of redundancy, or network robustness, some of our clients want to daisy-chain these deliberately into a spanning-tree loop on a switch. The idea is that if a break occurs, for example at the point marked x in the Layout diagram attached, the blocking port will return to forwarding, and all devices will remain online instead of the devices on the far side of the break being lost until the damage is found and repaired. On non-authenticating ports, this system works as intended.

 

We've recently added 802.1x authentication to our devices and I've been able to verify that this new feature works fine on authenticating ports.

What I haven't been able to do is to get these two features to work together.

To start, I put one device on each of two multi-auth authenticating ports on the same switch, without the red connection marked x in the diagram. Both devices authenticate by 802.1x, both ports are forwarding.

 

If I then link the two together externally, i.e., insert the red cable marked x, both ports are dropped instead of one blocking and the other continuing to forward.

 

Is there something I'm missing to make this work? Or can it work?

 

I've tried this both with an older 3750, and a new 9200.

 

At the bottom of this post is the configuration for the 3750 switch.

 

****************************************************************
Following commands and output from the switch show the situation
BEFORE I create the spanning tree loop
****************************************************************

Switch#sh sp

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 108c.cff2.eb80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 108c.cff2.eb80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Desg FWD 19 128.3 P2p
Fa1/0/15 Desg FWD 19 128.17 P2p
Fa1/0/19 Desg FWD 19 128.21 P2p

 

Switch#sh auth sess
Interface MAC Address Method Domain Status Session ID
Fa1/0/19 0040.ae10.0b7a dot1x DATA Authz Success AC01020300021881017B2999
Fa1/0/15 0040.ae06.c65f dot1x DATA Authz Success AC01020300021692017AD25E
Fa1/0/19 000c.29a0.2e98 dot1x DATA Running AC0102030000263B00972CA5
Fa1/0/19 a036.9fc6.d414 dot1x DATA Running AC0102030000263C009732B5

 

The two 0040.aexx.xxxx MAC addresses are our devices.
a036.9fc6.d414 is the physical NIC connected to Fa1/0/1
000c.29a0.2e98 is the MAC of the Radius server on a VM, also on Fa1/0/1

 

Switch#sh mac add
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
1 000c.29a0.2e98 DYNAMIC Fa1/0/1
1 000c.29e4.be99 DYNAMIC Fa1/0/1
1 0040.ae06.c65f STATIC Fa1/0/15
1 0040.ae10.0b7a STATIC Fa1/0/19
1 a036.9fc6.d414 DYNAMIC Fa1/0/1
Total Mac Addresses for this criterion: 25

000c.29a0.2e98 is another VM on the same NIC, with a GUI for talking to our product.

*****************************************************************
Following commands and output from the switch show the situation
AFTER I create the spanning tree loop
*****************************************************************

Switch#sh sp

VLAN0001
Spanning tree enabled protocol ieee
Root ID Priority 32769
Address 108c.cff2.eb80
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 32769 (priority 32768 sys-id-ext 1)
Address 108c.cff2.eb80
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 15 sec
Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa1/0/1 Desg FWD 19 128.3 P2p

Switch#sh auth sess

Interface MAC Address Method Domain Status Session ID
Fa1/0/19 0040.ae06.c65f dot1x UNKNOWN Running AC01020300021F71019A1ACD
Fa1/0/19 000c.29a0.2e98 N/A DATA Authz Failed AC0102030000263B00972CA5
Fa1/0/19 a036.9fc6.d414 N/A DATA Authz Failed AC0102030000263C009732B5

Switch#sh mac add
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
All ffff.ffff.ffff STATIC CPU
1 000c.29a0.2e98 DYNAMIC Fa1/0/1
1 a036.9fc6.d414 DYNAMIC Fa1/0/1
Total Mac Addresses for this criterion: 22

****************************************************************
Following is the switch configuration
****************************************************************

#sh run
Building configuration...
Current configuration : 9200 bytes
!
version 12.2

no service pad

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Switch
!
boot-start-marker
!
boot-end-marker
!
enable secret 5 $1$bIhA$fC9r.wbWuRMIr8Wt6/c3d.
enable password cisco1234
aaa new-model
!
aaa authentication login default line
aaa authentication dot1x default group radius
!
aaa session-id common
switch 1 provision ws-c3750v2-48ps
system mtu routing 1500
authentication mac-move permit
ip routing
ip dhcp excluded-address 10.10.1.1
ip dhcp excluded-address 10.10.2.1
ip dhcp excluded-address 10.10.3.1
ip dhcp excluded-address 10.10.4.1
ip dhcp excluded-address 192.168.4.1
ip dhcp excluded-address 192.168.4.2
ip dhcp excluded-address 172.1.2.1
!
ip dhcp pool mypool
network 172.1.2.0 255.255.255.0
domain-name mydomain.com
dns-server 8.8.8.8 75.153.176.9
default-router 172.1.2.254
lease 7
!
ip dhcp pool homepool
network 10.10.1.0 255.255.255.0
domain-name homedomain.com
default-router 10.10.1.1
dns-server 8.8.8.8 75.153.176.9
lease 7
!
ip dhcp pool francepool
network 10.10.2.0 255.255.255.0
domain-name francedomain.com
default-router 10.10.2.1
dns-server 8.8.8.8 75.153.176.9
lease 7
!
ip dhcp pool paraguaypool
network 10.10.3.0 255.255.255.0
default-router 10.10.3.1
domain-name paraguaydomain.com
dns-server 8.8.8.8 75.153.176.9
lease 7
!
ip dhcp pool bhutanpool
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
domain-name bhutandomain.com
dns-server 8.8.8.8 75.153.176.9
lease 7
!
crypto pki trustpoint TP-self-signed-3488803712
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3488803712
revocation-check none
rsakeypair TP-self-signed-3488803712
!
crypto pki certificate chain TP-self-signed-3488803712
certificate self-signed 01
quit
dot1x system-auth-control
!
errdisable recovery interval 30
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
ip verify source
!
interface FastEthernet1/0/2
!
! etc
!
interface FastEthernet1/0/12
!
interface FastEthernet1/0/13
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/14
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/15
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!

interface FastEthernet1/0/16
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/17
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/18
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/19
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/20
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/21
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/22
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/23
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
dot1x pae authenticator
!
interface FastEthernet1/0/24
switchport mode access
authentication host-mode multi-auth
authentication port-control auto
authentication periodic
authentication timer reauthenticate 300
authentication violation restrict
dot1x pae authenticator
!
interface FastEthernet1/0/25
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/26
switchport access vlan 3
switchport mode access
!
interface FastEthernet1/0/27
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/28
switchport access vlan 3
switchport mode access
!
interface FastEthernet1/0/29
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/30
switchport access vlan 3
switchport mode access
!
interface FastEthernet1/0/31
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/32
switchport access vlan 3
switchport mode access
!
interface FastEthernet1/0/33
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/34
switchport access vlan 3
switchport mode access
!
interface FastEthernet1/0/35
switchport access vlan 2
switchport mode access
!
interface FastEthernet1/0/36
switchport access vlan 3
switchport mode access
!
interface FastEthernet1/0/37
switchport access vlan 4
switchport mode access
!
interface FastEthernet1/0/38
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/39
switchport access vlan 4
switchport mode access
!
interface FastEthernet1/0/40
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/41
switchport access vlan 4
switchport mode access
!
interface FastEthernet1/0/42
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/43
switchport access vlan 4
switchport mode access
!
interface FastEthernet1/0/44
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/45
switchport access vlan 4
switchport mode access
!
interface FastEthernet1/0/46
switchport access vlan 5
switchport mode access
!
interface FastEthernet1/0/47
switchport access vlan 4
switchport mode access
!
interface FastEthernet1/0/48
switchport access vlan 5
switchport mode access
!
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
!
interface GigabitEthernet1/0/3
!
interface GigabitEthernet1/0/4
!
interface Vlan1
ip address 172.1.2.3 255.255.255.0
!
interface Vlan2
ip address 10.10.1.1 255.255.255.0
!
interface Vlan3
ip address 10.10.2.1 255.255.255.0
!
interface Vlan4
ip address 10.10.3.1 255.255.255.0
!
interface Vlan5
ip address dhcp
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.1.2.5
ip http server
ip http secure-server
!
arp 192.168.220.128 000c.29a0.2e98 ARPA
radius-server host 172.1.2.5 auth-port 1812 acct-port 1813 key %$#123ewq
!
!
line con 0
line vty 0 4
password cisco1234
line vty 5 15
password cisco1234
!
!
monitor session 1 source interface Fa1/0/1 , Fa1/0/25 - 42
monitor session 1 destination interface Fa1/0/2
end
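As an added example (not part of the original post), a small Python script that parses the two `show authentication sessions` snapshots quoted above and lists the per-MAC changes between them: the supplicant that moved from Fa1/0/15 to Fa1/0/19, the sessions that went from Running to Authz Failed, and the session that vanished. The snapshot text is copied from the post; the row regex assumes the IOS 12.2 column layout shown there.

```python
"""Diff two 'show authentication sessions' snapshots and list per-MAC changes.
Useful for seeing how a physical loop between 802.1X ports shows up in the
authenticator's session table (MAC moves, failed authz, dropped sessions)."""
import re
from collections import namedtuple

Session = namedtuple("Session", "iface mac method domain status sid")

# Interface, MAC, Method, Domain, Status (may contain a space), Session ID
_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>.+?)\s+(?P<sid>[0-9A-F]+)$",
    re.IGNORECASE)

# Snapshot text copied from the post (before and after the loop was closed).
BEFORE = """Switch#sh auth sess
Interface MAC Address Method Domain Status Session ID
Fa1/0/19 0040.ae10.0b7a dot1x DATA Authz Success AC01020300021881017B2999
Fa1/0/15 0040.ae06.c65f dot1x DATA Authz Success AC01020300021692017AD25E
Fa1/0/19 000c.29a0.2e98 dot1x DATA Running AC0102030000263B00972CA5
Fa1/0/19 a036.9fc6.d414 dot1x DATA Running AC0102030000263C009732B5"""
AFTER = """Switch#sh auth sess
Interface MAC Address Method Domain Status Session ID
Fa1/0/19 0040.ae06.c65f dot1x UNKNOWN Running AC01020300021F71019A1ACD
Fa1/0/19 000c.29a0.2e98 N/A DATA Authz Failed AC0102030000263B00972CA5
Fa1/0/19 a036.9fc6.d414 N/A DATA Authz Failed AC0102030000263C009732B5"""

def parse_sessions(text):
    """Return {mac: Session} for each data row; prompt and header lines are skipped."""
    out = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            s = Session(**m.groupdict())
            out[s.mac.lower()] = s
    return out

def diff_sessions(before, after):
    """Return (mac, finding) pairs: port moves, status changes, gone and new sessions."""
    findings = []
    for mac, b in before.items():
        a = after.get(mac)
        if a is None:
            findings.append((mac, f"session gone (was {b.status} on {b.iface})"))
            continue
        if a.iface != b.iface:
            findings.append((mac, f"moved {b.iface} -> {a.iface}"))
        if a.status != b.status:
            findings.append((mac, f"status {b.status} -> {a.status} on {a.iface}"))
    for mac, a in after.items():
        if mac not in before:
            findings.append((mac, f"new session {a.status} on {a.iface}"))
    return findings

if __name__ == "__main__":
    for mac, finding in diff_sessions(parse_sessions(BEFORE), parse_sessions(AFTER)):
        print(mac, finding)
```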
