NEAT authenticated Trunk port does not participate in STP

h.thiele
Level 1

Hi everybody,

I observed the following problem with a NEAT authenticated trunk port:

Test Setup:

Catalyst 4506-E ( 03.07.00E )   Gig4/1
       |
       |
Catalyst 2960C ( 15.2(2)E )     Gig0/10

 

Port Config 4506-E

interface GigabitEthernet4/1
 description *** uplink 2960C Gig0/10 ***
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport mode trunk
 no logging event link-status
 duplex full
 authentication control-direction in
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate 10800
 authentication timer inactivity 330
 authentication violation replace
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 storm-control broadcast level 20.00
 spanning-tree portfast trunk
 ip dhcp snooping trust

 

Port Config 2960C

 

interface GigabitEthernet0/10
 description uplink 4506-E Gig4/1
 switchport trunk native vlan 10
 switchport trunk allowed vlan 10
 switchport mode trunk
 media-type rj45
 duplex full
 dot1x pae supplicant
 dot1x credentials neat
 dot1x supplicant eap profile fast
 spanning-tree bpduguard disable
 ip dhcp snooping limit rate 100
 ip dhcp snooping trust

 

The Port is authenticated:

 

4506-E#sho authentication sessions

Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi4/1        f41f.c22b.XXXX dot1x   DATA    Auth      AC1179DF0000131E439B64BC

 

The switchport looks good so far:

 

4506-E#sho int g4/1 swi
Name: Gi4/1
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 10 (UserSegment)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: 10
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

 

But the trunk port does not show VLAN 10 in STP forwarding state:

 

wgs-wlc-sp02#sho int trunk

Port        Mode             Encapsulation  Status        Native vlan
Te1/8       on               802.1q         trunking      10
Gi4/1       on               802.1q         trunking      10
 

Port        Vlans allowed on trunk
Te1/8       10,122-124
Gi4/1       10
 

Port        Vlans allowed and active in management domain
Te1/8       10
Gi4/1       10
 

Port        Vlans in spanning tree forwarding state and not pruned
Te1/8       10
Gi4/1       none
 

The STP state shows nothing for VLAN 10:

 

wgs-wlc-sp02#sho spanning-tree vlan 10

VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    12298
             Address     001d.a23a.XXXX
             Cost        4
             Port        8 (TenGigabitEthernet1/8)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    32778  (priority 32768 sys-id-ext 10)
             Address     7c0e.ce9d.XXXX
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/8               Root FWD 4         128.8    P2p

 

Has anybody seen the same problem in the past? I only found this bug ( CSCug43110 ), which sounds a little bit like the same.

I am also seeing the problem when I replace the 4506-E with a 3850 running 03.03.05.SE code.

 

BR,

Holger


Peter Paluch
Cisco Employee

Hi Holger,

I do not have first-hand experience with NEAT and a setup similar to yours, but these are my questions and suggestions:

  1. On the 4506 Gi4/1, you are using spanning-tree portfast trunk command. I strongly suggest removing it. Using it between switches is always asking for trouble, and in addition, I see you are running RSTP that has its own mechanisms (namely, Proposal/Agreement) to put a link to the forwarding state rapidly. The PortFast on this port is both useless and dangerous, and should have never been put there in the first place.
  2. What do the show span int gi4/1 and show span int gi4/1 detail commands say about the port? Can you post their output here?
  3. What does the show span inconsistent command say? Can you post the output?

Thank you!

Best regards,
Peter

Hi Peter,

1. The spanning-tree portfast trunk command is set by the ACS VSAs ( vendor-specific attributes -> device-traffic-class=switch ) together with some other commands:

Applying command... 'no spanning-tree bpduguard enable ' at Gi4/1
Applying command... 'no switchport access vlan 10' at Gi4/1
Applying command... 'no switchport nonegotiate' at Gi4/1
Applying command... 'switchport mode trunk' at Gi4/1
Applying command... 'switchport trunk native vlan 10' at Gi4/1
Applying command... 'spanning-tree portfast trunk' at Gi4/1

If I remove the spanning-tree portfast trunk command by hand, it is overwritten again during the next reauthentication cycle.

2. and 3.

4506-E#show authentication sessions
 
Interface    MAC Address    Method  Domain  Status Fg Session ID
Gi5/47       0022.bd1b.b22a dot1x   DATA    Auth      AC1179DF0000104A0105F1E8
Gi4/1        f41f.c22b.770a dot1x   DATA    Auth      AC1179DF000018397139BD18
 
Session count = 2
 
Key to Session Events Blocked Status Flags:
 
  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker
4506-E#show span int gi4/1
no spanning tree info available for GigabitEthernet4/1
 
4506-E#show span int gi4/1 detail
no spanning tree info available for GigabitEthernet4/1
 
4506-E#show span inconsistent
 
Name                 Interface                Inconsistency
-------------------- ------------------------ ------------------
 
Number of inconsistent ports (segments) in the system : 0

 

Regards,

Holger
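A small Python check, added here as an illustration and not part of this thread or of any Cisco tool, that automates what Holger verified by hand in the original post and in the reply above: it parses the four tables of `show interfaces trunk` and reports trunking ports whose active VLANs are missing from the spanning-tree forwarding list, and it scans the "Applying command..." lines for AAA-pushed commands that weaken STP protection on a switch-to-switch port. The sample outputs are copied from the thread; the set of commands treated as risky, and all function names, are my own assumptions.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample, copied from the `show interfaces trunk` output in the thread.
SHOW_INT_TRUNK = """\
Port        Mode             Encapsulation  Status        Native vlan
Te1/8       on               802.1q         trunking      10
Gi4/1       on               802.1q         trunking      10

Port        Vlans allowed on trunk
Te1/8       10,122-124
Gi4/1       10

Port        Vlans allowed and active in management domain
Te1/8       10
Gi4/1       10

Port        Vlans in spanning tree forwarding state and not pruned
Te1/8       10
Gi4/1       none
"""

# Constructed sample of the "Applying command..." lines the switch logs while it
# installs the commands derived from the ACS VSAs (copied from the thread).
APPLIED_COMMANDS_LOG = """\
Applying command... 'no spanning-tree bpduguard enable ' at Gi4/1
Applying command... 'no switchport access vlan 10' at Gi4/1
Applying command... 'no switchport nonegotiate' at Gi4/1
Applying command... 'switchport mode trunk' at Gi4/1
Applying command... 'switchport trunk native vlan 10' at Gi4/1
Applying command... 'spanning-tree portfast trunk' at Gi4/1
"""

# Assumed policy: pushed commands that remove STP safeguards from an inter-switch link.
RISKY_COMMANDS = {
    "spanning-tree portfast trunk": "PortFast on a switch-to-switch link (RSTP already converges quickly)",
    "no spanning-tree bpduguard enable": "BPDU Guard removed from the port",
}

APPLY_RE = re.compile(r"Applying command\.\.\. '(?P<cmd>[^']*)' at (?P<port>\S+)")


def expand_vlans(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '10,122-124' into a set; 'none' gives an empty set."""
    spec = spec.strip().lower()
    if spec in ("none", ""):
        return set()
    vlans: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        first = int(lo)
        last = int(hi) if hi else first
        vlans.update(range(first, last + 1))
    return vlans


def parse_show_int_trunk(text: str) -> Dict[str, Dict[str, object]]:
    """Parse the four `show interfaces trunk` tables into one record per port."""
    ports: Dict[str, Dict[str, object]] = {}
    section = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("Port"):
            header = line.lower()
            if "status" in header:
                section = "status"
            elif "allowed on trunk" in header:
                section = "allowed"
            elif "active in management" in header:
                section = "active"
            elif "forwarding state" in header:
                section = "forwarding"
            continue
        fields = line.split()
        entry = ports.setdefault(fields[0], {})
        if section == "status":
            entry["status"] = fields[3]
            entry["native"] = int(fields[4])
        elif section in ("allowed", "active", "forwarding"):
            entry[section] = expand_vlans(fields[1] if len(fields) > 1 else "none")
    return ports


def find_stp_gaps(ports: Dict[str, Dict[str, object]]) -> List[Tuple[str, List[int]]]:
    """Trunking ports whose active VLANs are not all in STP forwarding state."""
    gaps = []
    for port, entry in sorted(ports.items()):
        if entry.get("status") != "trunking":
            continue
        missing = entry.get("active", set()) - entry.get("forwarding", set())
        if missing:
            gaps.append((port, sorted(missing)))
    return gaps


def audit_applied_commands(log: str) -> List[Tuple[str, str, str]]:
    """Flag AAA-pushed commands from the RISKY_COMMANDS policy, with the port they hit."""
    findings = []
    for match in APPLY_RE.finditer(log):
        cmd = " ".join(match.group("cmd").split())  # normalise the stray trailing space
        if cmd in RISKY_COMMANDS:
            findings.append((match.group("port"), cmd, RISKY_COMMANDS[cmd]))
    return findings


if __name__ == "__main__":
    for port, vlans in find_stp_gaps(parse_show_int_trunk(SHOW_INT_TRUNK)):
        print(f"{port}: active VLANs {vlans} are not in STP forwarding state")
    for port, cmd, why in audit_applied_commands(APPLIED_COMMANDS_LOG):
        print(f"{port}: pushed '{cmd}' ({why})")
```

Run against the sample, the first check reports Gi4/1 with VLAN 10 active but not forwarding, which is exactly the symptom in the thread, and the second lists the two pushed commands that Peter objected to. Feeding it the output of a periodic `show interfaces trunk` from a monitoring job turns the manual comparison into a repeatable check.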

Hi Holger,

I apologize for the late response.

I must admit that at this point, I am confused as to what should be the next step. The STP should not be deactivated on the port - there is simply no reason for that as far as I can tell. It would perhaps be interesting to experiment with the ACS and not send any VSAs to the port, limiting oneself purely to the authentication without sending down any attributes. But beyond that, I am not sure what else should be tried - apart from contacting Cisco TAC, of course.

I am sorry I cannot help further.

Best regards,
Peter