BPDUGUARD not working with dot1x

sechoi
Level 1

Preface:

The BPDUGuard feature is supposed to protect your network from loops by error-disabling a switch port configured to be in access mode when a BPDU frame is received (as shown below).

interface GigabitEthernet1/44
 switchport mode access
 dot1x pae authenticator
 spanning-tree bpduguard enable

GD-HQ-IDF1-ASW2#show int g1/44
GigabitEthernet1/44 is down, line protocol is down (err-disabled)

PROBLEM:

We are running into an issue where if you enable 802.1x authentication on a port using "authentication port-control auto" command on the interface, BPDUGuard is seemingly disabled. The interface is never err-disabled, thus creating a loop in your network when a user inadvertently connects a switch into an access port.

                 

interface GigabitEthernet1/44

switchport mode access

authentication port-control auto

dot1x pae authenticator

spanning-tree bpduguard enable

GD-HQ-IDF1-ASW2#show int g1/44

GigabitEthernet1/44 is up, line protocol is down (notconnect)

This behavior is seen on both 4500 as well as the Catalyst 3750X platforms in our network, on the 15.0 code, as well as the 12.2 code base.

cat4500e-universalk9.SPA.03.02.00.SG.150-2.SG.bin

Has anyone else encountered this problem in their network?

It seems like this behavior can be reproduced in our lab without a fully functioning back-end ACS or Certificate server for handling the requests for 802.1x... the mere presence of the command "authentication port-control auto" appears to disable the BPDUguard functionality.

2 Replies

Eduardo Aliaga
Level 4

Hello. I'm having similar problems. Could you please post your exact configuration? I noticed the behavior is slightly different when using mab vs not using mab, when using authentication host-mode multi-auth vs using multi-domain, etc, etc.

This is the current configuration:

spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id

interface GigabitEthernet1/1
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 116
 authentication event fail action authorize vlan 911
 authentication event server dead action authorize vlan 911
 authentication event no-response action authorize vlan 911
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication violation restrict
 auto qos voip trust
 dot1x pae authenticator
 spanning-tree portfast
 service-policy input AutoQos-VoIP-Input-Cos-Policy
 service-policy output AutoQos-VoIP-Output-Policy

However, during troubleshooting, we took a clean switch, performed an erase-start, and tacked on just the commands for BPDU Guard enable on the interface level, and authentication port-control auto. And the effect was reproduced. Mere presence of the port-control auto seems to disable BPDU Guard...

If you have mab and no port-control auto, BPDU Guard seems to work again. This looks like a major bug to me.

No other feature should matter. Logically, if an interface with BPDU Guard enabled receives a BPDU frame on an interface, it should error-disable the interface.
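As an added example that is not part of this thread, here is a small Python audit that parses an IOS running-config and lists the access ports where "authentication port-control auto" is combined with BPDU Guard, either enabled explicitly on the port or inherited from "spanning-tree portfast" plus the global "spanning-tree portfast bpduguard default", so those ports can be checked on the switch itself. The sample config is constructed and the function names are my own.

```python
# Constructed sample running-config (hypothetical device) modelled on this thread's stanzas.
SAMPLE_CONFIG = """\
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
 spanning-tree portfast
!
interface GigabitEthernet1/44
 switchport mode access
 authentication port-control auto
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/45
 switchport mode access
 mab
 spanning-tree bpduguard enable
!
"""

def parse_interfaces(config):
    """Split an IOS running-config into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:                        # '!' or any other top-level line ends the stanza
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces

def bpduguard_active(global_lines, cmds):
    """BPDU Guard applies via explicit per-port enable, or portfast plus the global default."""
    if "spanning-tree bpduguard enable" in cmds:
        return True
    return ("spanning-tree portfast bpduguard default" in global_lines
            and "spanning-tree portfast" in cmds)

def ports_to_verify(config):
    """Access ports pairing 'authentication port-control auto' with BPDU Guard, the
    combination this thread reports as not err-disabling when a BPDU arrives."""
    global_lines, interfaces = parse_interfaces(config)
    return sorted(name for name, cmds in interfaces.items()
                  if "authentication port-control auto" in cmds
                  and "switchport mode access" in cmds
                  and bpduguard_active(global_lines, cmds))
```

Feed it the output of "show running-config" and confirm each listed port's actual state with "show spanning-tree interface ... detail" on the device, since the config alone does not prove which feature wins.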
