05-07-2014 04:37 AM - edited 07-05-2021 12:47 AM
The following setup:
A 3750 core and a few 3560s in the edge, almost everything in VLAN 1 and another separate VLAN (320) for guestnet/public internet.
The switches are running rpvst and the 3750 is the root bridge.
The 3560s are connected to the 3750 in a ring.
Earlier this week I was onsite to implement 3 autonomous APs. It seemed to go well, but eventually the APs seemed to have caused a loop or broadcast storm resulting in a complete network outage.
I didn't really have time to troubleshoot the problem, which resulted in shutting all ISLs, removing the APs and activating the ISLs again (problem solved).
I was thinking about what could have caused this.
I have done a few autonomous (and lightweight) implementations and have never seen this behavior.
Perhaps it has something to do with users who are wired in VLAN 1 and bridge their connection?
https://supportforums.cisco.com/discussion/11509826/cisco-ap-sending-bpdu
I know this post is a little old, but I also use portfast and bpduguard. One issue we ran into was very similar, in that APs would go off line because of bpduguard. What we found was that a developer had installed a Hyper-V tool on his laptop that bridged the wired and wireless networks which was causing the ports to go down.
Just my 2 cents.
The strange thing is that I actually have almost the exact same configuration running on another site (same customer); the only differences are the switches in the edge (Nortel BPS425) and the Cisco AP (1242 instead of 2602).
Perhaps the issue lies in the software Version 12.4(25d)JA2 & Version 15.2(2)JA?
The configuration i used-
Switch uplink:
interface FastEthernet0/3
description *** AP ***
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 1,320
switchport mode trunk
speed 100
duplex full
no snmp trap link-status
end
AP interface configuration:
interface GigabitEthernet0
no ip address
no ip route-cache
speed 100
duplex full
no keepalive
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 spanning-disabled
no bridge-group 1 source-learning
!
interface GigabitEthernet0.320
encapsulation dot1Q 320
no ip route-cache
bridge-group 220
bridge-group 220 spanning-disabled
no bridge-group 220 source-learning
I also tried simulating it in our test lab but didn't see anything strange; will do some more testing this week.
Anyone any ideas ?
05-08-2014 02:51 AM
Did some more testing today:
A Cisco 3750 connected to 2x 3560; the 3560s are also connected to each other, resulting in a ring topology.
The APs are connected to one of the 3560s.
LAN MAC
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82577LC Gigabit Network Connecti
Physical Address. . . . . . . . . : 1C-C1-DE-AC-64-59
DHCP Enabled. . . . . . . . . . . : Yes
C3750#show mac address-table | i 6459
1 1cc1.deac.6459 DYNAMIC Gi2/0/2
Gigabit2/0/2 is the interface where my laptop is directly connected.
WLAN MAC
Wireless LAN adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) Centrino(R) Advanced-N 6200 AGN
Physical Address. . . . . . . . . : 00-27-10-7C-7F-08
C3750#show mac address-table | i 7f08
1 0027.107c.7f08 DYNAMIC Gi2/0/24
Gigabit2/0/24 is the trunk to the 3560 where the AP is connected.
So I can ping my laptop on the IP address of both the LAN and WLAN card.
C3750#ping 10.10.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
C3750#ping 10.10.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms
Now I will bridge my LAN and WLAN connection on the laptop.
For about 20 seconds I am unable to ping the L3 interface of the 3750.
Ethernet adapter Network Bridge:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : MAC Bridge Miniport
Physical Address. . . . . . . . . : 02-27-10-7C-7F-08
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::4500:98c1:bc05:8c20%36(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.10.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
The bridge that has been created uses the MAC address of my WLAN card.
And now we see that the MAC address of the WLAN card is learned over the interface where my laptop's LAN card is directly connected:
1 0227.107c.7f08 DYNAMIC Gi2/0/2
1 1cc1.deac.6459 DYNAMIC Gi2/0/2
So I can imagine the switch wondering why it is suddenly learning this MAC address over a different interface.
But this shouldn't cause any major issue; maybe a warning with a MAC FLAP message.
I now also have a duplicate ARP entry, but that should time out eventually.
Internet 10.10.10.3 0 0227.107c.7f08 ARPA Vlan1
Internet 10.10.10.2 5 0027.107c.7f08 ARPA Vlan1
Some more testing shows that sometimes the MAC address of the LAN card is used for the bridge.
In this event the MAC address of the WLAN card is still active on the AP, since it is associated, but it has the IP address of the MAC bridge.
CI2602-03#show dot11 associations
802.11 Client Stations on Dot11Radio1:
SSID [WLAN] :
MAC Address IP address Device Name Parent State
0027.107c.7f08 10.10.10.6 ccx-client CI2602 self Assoc
The MAC address from the WLAN card is not learned on the switches.
The ARP entry of this IP address shows the MAC address of the LAN card on the C3750:
Internet 10.10.10.6 0 1ec1.deac.6459 ARPA Vlan1
I do not know why Windows sometimes chooses the MAC of the LAN or WLAN card; maybe it has something to do with which interface was selected first, or it is just random. It doesn't really matter anyway.
The switches are still stable and no strange behavior.
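One detail in the output above is worth automating. The bridge MAC 02-27-10-7C-7F-08 is the WLAN card's 00-27-10-7C-7F-08 with the locally administered (U/L) bit of the first octet set, so a software bridge on a client shows up in the MAC table as a "twin" pair: the global address learned behind the AP and its locally administered variant learned on the wired port. As an added example, not code from this thread or from Cisco, the Python below parses `show mac address-table` output for such twins and counts `%SW_MATM-4-MACFLAP_NOTIF` syslog messages per host, which is the message a switch logs when a MAC keeps moving between ports. The MAC table sample is constructed from the rows in this post; the syslog lines are constructed in the standard IOS MACFLAP format and are not from the poster's switches.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample (assumption): the three MAC-table rows from the test above.
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0227.107c.7f08    DYNAMIC     Gi2/0/2
   1    1cc1.deac.6459    DYNAMIC     Gi2/0/2
   1    0027.107c.7f08    DYNAMIC     Gi2/0/24
"""

# Constructed syslog lines (assumption) in the standard IOS MACFLAP format.
SYSLOG = """\
May  8 10:12:01.123: %SW_MATM-4-MACFLAP_NOTIF: Host 0027.107c.7f08 in vlan 1 is flapping between port Gi2/0/2 and port Gi2/0/24
May  8 10:12:31.456: %SW_MATM-4-MACFLAP_NOTIF: Host 0027.107c.7f08 in vlan 1 is flapping between port Gi2/0/24 and port Gi2/0/2
May  8 10:13:02.789: %LINK-3-UPDOWN: Interface GigabitEthernet2/0/5, changed state to up
"""

MAC_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)
FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (\S+) in vlan (\d+) is flapping between port (\S+) and port (\S+)")


def normalize(mac: str) -> str:
    """Return a MAC in any common notation as 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())


def is_locally_administered(mac: str) -> bool:
    """The U/L bit is bit 1 (value 0x02) of the first octet."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)


def global_base(mac: str) -> str:
    """The same MAC with the U/L bit cleared, used to pair a bridge MAC with its source."""
    h = normalize(mac)
    first = int(h[:2], 16) & ~0x02
    return f"{first:02x}{h[2:]}"


def parse_mac_table(text: str) -> List[Tuple[int, str, str]]:
    """Parse 'show mac address-table' rows into (vlan, mac, port) tuples."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW.match(line)
        if m:
            rows.append((int(m.group(1)), normalize(m.group(2)), m.group(3)))
    return rows


def find_bridge_twins(rows: List[Tuple[int, str, str]]) -> Dict[str, Dict[str, set]]:
    """Return {base MAC: {'global': ports, 'local': ports}} for MACs seen in both forms."""
    seen: Dict[str, Dict[str, set]] = defaultdict(lambda: {"global": set(), "local": set()})
    for _vlan, mac, port in rows:
        kind = "local" if is_locally_administered(mac) else "global"
        seen[global_base(mac)][kind].add(port)
    return {base: v for base, v in seen.items() if v["global"] and v["local"]}


def count_mac_flaps(syslog: str) -> Dict[Tuple[str, int], int]:
    """Count MACFLAP messages per (mac, vlan); anything else in the log is ignored."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for line in syslog.splitlines():
        m = FLAP_RE.search(line)
        if m:
            counts[(normalize(m.group(1)), int(m.group(2)))] += 1
    return dict(counts)


if __name__ == "__main__":
    for base, ports in find_bridge_twins(parse_mac_table(MAC_TABLE)).items():
        print(f"possible client bridge: {base} global on {sorted(ports['global'])}, "
              f"locally administered twin on {sorted(ports['local'])}")
    for (mac, vlan), n in count_mac_flaps(SYSLOG).items():
        print(f"{mac} in vlan {vlan}: {n} MACFLAP messages")
```

On the constructed data it pairs 0027.107c.7f08 (behind the AP on Gi2/0/24) with 0227.107c.7f08 (on the wired port Gi2/0/2) and reports two flaps for the WLAN MAC. The twin check does not fire when Windows picks the LAN card's MAC for the bridge, as the poster observed it sometimes does; the MACFLAP count still does.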
06-25-2014 05:05 AM
Did some more testing last week onsite and most likely found the problem.
On one of the 3750s a cable was connected in VLAN 1 and the other end went to a port configured for VLAN 3.
Apparently the guy who installed the VoIP thought this was a good solution for doing segmentation without layer 3 and only keeping the DHCP server in VLAN 1...
05-28-2014 03:58 PM
Step 1 Choose Administration > System > Settings > System Time .
Step 2 Enter unique IP addresses for your NTP servers.
Step 3 Check the Only allow authenticated NTP servers check box if you want to restrict Cisco ISE to use only authenticated NTP servers to keep system and network time.
Step 4 Click the NTP Authentication Keys tab and specify one or more authentication keys if any of the servers that you specify requires authentication via an authentication key, as follows:
a. Click Add .
b. Enter the necessary Key ID and Key Value, specify whether the key in question is trusted by activating or deactivating the Trusted Key option, and click OK. The Key ID field supports numeric values between 1 and 65535 and the Key Value field supports up to 15 alphanumeric characters.
c. Return to the NTP Server Configuration tab when you are finished entering the NTP Server Authentication Keys.
Step 5 Click Save .
06-12-2014 03:49 AM
I don't think NTP has anything to do with it.