Netlogin and stp


I am trying to get stp and netlogin:dot1x working on the same ports. Whenever I enable autobind on the destination netlogin guest vlan the client will not join the vlan. As soon as I disable autobind on the stp domain the client successfully joins the intended guest vlan. My ports are operating in ISP mode and dot1x is the only authentication method enabled on the ports. Any ideas on what I'm doing wrong or better ways to achieve loop protection and netlogin:dot1x?
configure netlogin move-fail-action authenticate
configure netlogin vlan netlogin-guest
enable netlogin dot1x
configure netlogin dot1x timers supp-resp-timeout 10
enable netlogin ports 1:43-44 dot1x
enable netlogin dot1x guest-vlan ports 1:43-44
configure netlogin dot1x guest-vlan Default ports 1:43-44
configure netlogin ports 1:43 mode port-based-vlans
configure netlogin ports 1:43 restart
configure netlogin ports 1:44 mode port-based-vlans
configure netlogin ports 1:44 restart
Stpd: s0                Stp: ENABLED            Number of Ports: 230
Rapid Root Failover: Enabled
Operational Mode: 802.1D        Default Binding Mode: 802.1D
802.1Q Tag: (none)
Ports: 1:1,1:2,1:3,1:4,1:5,1:6,1:7,1:8,1:9,1:10,
       1:11,1:12,1:13,1:14,1:15,1:16,1:17,1:18,1:19,1:20,
       1:21,1:22,1:23,1:24,1:25,1:26,1:27,1:28,1:29,1:30,
       1:31,1:32,1:33,1:34,1:35,1:36,1:37,1:38,1:39,1:40,
       1:41,1:42,1:45,1:46,1:47,1:48,2:1,2:3,2:4,2:5,
       2:6,2:7,2:8,2:9,2:10,2:11,2:12,2:13,2:14,2:15,
       2:16,2:17,2:18,2:19,2:20,2:21,2:22,2:23,2:24,2:25,
       2:26,2:27,2:28,2:29,2:30,2:31,2:32,2:33,2:34,2:35,
       2:36,2:37,2:38,2:39,2:40,2:41,2:42,2:43,2:44*,2:47,
       2:48,3:1,3:2,3:3,3:4,3:5,3:6,3:7,3:8,3:9,
       3:10,3:11,3:12,3:13,3:14,3:15,3:16,3:17,3:18,3:19,
       3:20,3:21,3:22,3:23,3:24,3:25,3:26,3:27,3:28,3:29,
       3:30,3:31,3:32,3:33,3:34,3:35,3:36,3:37,3:38,3:39,
       3:40,3:41,3:42,3:43,3:47,3:48,4:1,4:2,4:3,4:4,
       4:5,4:6,4:7,4:8,4:9,4:10,4:11,4:12,4:13,4:14,
       4:15,4:16,4:17,4:18,4:19,4:20,4:21,4:22,4:23,4:24,
       4:25,4:26,4:27,4:28,4:29,4:30,4:31,4:32,4:33,4:34,
       4:35,4:36,4:37,4:38,4:39,4:40,4:41,4:42,4:43,4:45*,
       4:46*,4:47,4:48,5:1,5:2,5:3,5:4,5:5,5:6,5:7,
       5:8,5:9,5:10,5:11,5:12,5:13,5:14,5:15,5:16,5:17,
       5:18,5:19,5:20,5:21,5:22,5:23,5:24,5:25,5:26,5:27,
       5:28,5:29,5:30,5:31,5:32,5:33,5:34,5:35,5:36,5:37,
       5:38,5:39,5:40,5:41,5:42,5:43,5:44,5:45,5:47,5:48
Participating Vlans: Default
Auto-bind Vlans: Default
Bridge Priority: 32768
BridgeID: 80:00:02:04:96:98:01:c8
Designated root: 80:00:00:06:28:04:cf:c0
RootPathCost: 200008            Root Port: 4:45
MaxAge: 20s                     HelloTime: 2s           ForwardDelay: 15s
CfgBrMaxAge: 20s                CfgBrHelloTime: 2s      CfgBrForwardDelay: 15s
Topology Change Time: 35s       Hold time: 1s
Topology Change Detected: FALSE Topology Change: FALSE
Number of Topology Changes: 5207
Time Since Last Topology Change: 327s


Sorry for the delay on a response... we have had issues with this in the past and our solution is to create a carrier vlan (for the sole purpose of STP loop protection) as both ELRP and STP have issues with dot1x like you encountered. The solution is the following...

# Create VLAN for Carrier - Add all user ports to this VLAN
create vlan FAKE_EDGE_MSTP tag 4051
configure FAKE_EDGE_MSTP add port (user port listing) tag

# STP Configuration - Will turn on
configure s0 delete vlan default port all
disable s0 auto-bind vlan default
configure s0 mode mstp cist
configure s0 priority 0
create stpd fake_stm
configure fake_stm mode mstp msti 1
configure fake_stm priority 01
configure fake_stm add vlan FAKE_EDGE_MSTP port (user port listing) dot1d
configure s0 ports link-type edge (user port listing) edge-safeguard enable bpdu-restrict
configure fake_stm ports link-type edge (user port listing) edge-safeguard enable bpdu-restrict
en fake_stm
en s0
en stp


Let me know if you have any questions...