10-03-2012 12:44 PM - last edited on 03-25-2019 04:22 PM by ciscomoderator
Preface:
The BPDUGuard feature is supposed to protect your network from loops by error-disabling a switch port configured to be in access mode when a BPDU frame is received (as shown below):
interface GigabitEthernet1/44
 switchport mode access
 dot1x pae authenticator
 spanning-tree bpduguard enable

GD-HQ-IDF1-ASW2#show int g1/44
GigabitEthernet1/44 is down, line protocol is down (err-disabled)
PROBLEM:
We are running into an issue where if you enable 802.1x authentication on a port using the "authentication port-control auto" command on the interface, BPDUGuard is seemingly disabled. The interface is never err-disabled, thus creating a loop in your network when a user inadvertently connects a switch into an access port.
interface GigabitEthernet1/44
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree bpduguard enable

GD-HQ-IDF1-ASW2#show int g1/44
GigabitEthernet1/44 is up, line protocol is down (notconnect)
This behavior is seen on both 4500 as well as the Catalyst 3750X platforms in our network, on the 15.0 code, as well as the 12.2 code base.
cat4500e-universalk9.SPA.03.02.00.SG.150-2.SG.bin
Has anyone else encountered this problem in their network?
It seems like this behavior can be reproduced in our lab without a fully functioning back-end ACS or Certificate server for handling the requests for 802.1x... the mere presence of the command "authentication port-control auto" appears to disable the BPDUguard functionality.
10-04-2012 06:48 PM
Hello. I'm having similar problems. Could you please post your exact configuration? I noticed the behavior is slightly different when using mab vs not using mab, when using authentication host-mode multi-auth vs using multi-domain, etc., etc.
10-09-2012 09:56 AM
This is the current configuration:
spanning-tree mode rapid-pvst
spanning-tree loopguard default
spanning-tree portfast bpduguard default
spanning-tree extend system-id

interface GigabitEthernet1/1
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 116
 authentication event fail action authorize vlan 911
 authentication event server dead action authorize vlan 911
 authentication event no-response action authorize vlan 911
 authentication event server alive action reinitialize
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication periodic
 authentication violation restrict
 auto qos voip trust
 dot1x pae authenticator
 spanning-tree portfast
 service-policy input AutoQos-VoIP-Input-Cos-Policy
 service-policy output AutoQos-VoIP-Output-Policy
However, during troubleshooting, we took a clean switch, performed an erase-start, and tacked on just the commands for BPDU Guard enable on the interface level, and authentication port-control auto. And the effect was reproduced. Mere presence of the port-control auto seems to disable BPDU Guard...
If you have mab and no port-control auto, BPDU Guard seems to work again. This looks like a major bug to me.
No other feature should matter. Logically, if an interface with BPDU Guard enabled receives a BPDU frame on an interface, it should error-disable the interface.
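The combination the thread describes (an access port where BPDU guard should be active, either via an explicit "spanning-tree bpduguard enable" or via "spanning-tree portfast" plus the global "spanning-tree portfast bpduguard default", together with "authentication port-control auto") is easy to audit across a saved running-config. The script below is an added example, not code from the thread or from Cisco; it parses an IOS-style running-config into global lines and per-interface stanzas and lists the ports that carry that combination so an operator can verify err-disable behaviour on them in a lab, as the posters did. The sample configuration embedded in it is constructed for illustration and modelled loosely on the configs posted above; the function names parse_config, bpduguard_expected and audit are my own.

```python
import re

# Constructed sample running-config, modelled on the thread's examples.
# Not the output of any real device.
SAMPLE_CONFIG = """\
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
interface GigabitEthernet1/1
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree portfast
!
interface GigabitEthernet1/44
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/45
 switchport mode access
 dot1x pae authenticator
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/46
 switchport mode access
 authentication port-control auto
 spanning-tree bpduguard disable
 spanning-tree portfast
!
interface GigabitEthernet1/48
 switchport mode trunk
"""


def parse_config(text):
    """Split an IOS-style running-config into (global_lines, {interface: [commands]}).

    Indented lines belong to the most recent 'interface' stanza; a '!' line or
    an unindented line ends the stanza.
    """
    global_lines = []
    interfaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith('!'):
            current = None
            continue
        m = re.match(r'^interface (\S+)', line)
        if m:
            current = m.group(1)
            interfaces[current] = []
            continue
        if current is not None and line.startswith(' '):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def bpduguard_expected(if_cmds, global_lines):
    """True when BPDU guard should be active on the port.

    An explicit interface-level enable/disable wins; otherwise portfast on the
    interface plus the global 'spanning-tree portfast bpduguard default' applies.
    """
    if 'spanning-tree bpduguard enable' in if_cmds:
        return True
    if 'spanning-tree bpduguard disable' in if_cmds:
        return False
    portfast = any(
        c.startswith('spanning-tree portfast') and not c.endswith('disable')
        for c in if_cmds
    )
    return portfast and 'spanning-tree portfast bpduguard default' in global_lines


def audit(text):
    """Return access ports where BPDU guard is expected AND port-control auto is set.

    These are the ports whose loop protection the thread reports as not
    err-disabling, so they are the ones to verify in a lab.
    """
    global_lines, interfaces = parse_config(text)
    flagged = []
    for name, cmds in interfaces.items():
        if 'switchport mode access' not in cmds:
            continue
        if 'authentication port-control auto' not in cmds:
            continue
        if bpduguard_expected(cmds, global_lines):
            flagged.append(name)
    return flagged


if __name__ == '__main__':
    for port in audit(SAMPLE_CONFIG):
        print(f"{port}: BPDU guard expected, but 'authentication port-control auto' "
              f"is present; confirm err-disable on BPDU receipt before relying on it")
```

Run it against a "show running-config" capture instead of the embedded sample by reading the file into audit(). Ports that use the global portfast default rather than an explicit interface-level enable are reported too, since the third post's configuration relies on exactly that global default.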