ArubaOS and Controllers

Regular Contributor II

Port status: spanning tree blocking

I'm adding an AP to an existing controller (620) in a remote office. I've added the license, and the controller has been rebooted.

The AP has been connected, however it doesn't seem to contact the master controller for provisioning, nor does it appear on the local controller.

When I look at the port status on the 620, I see the AP connected, admin status is 'enabled,' operational status is 'enabled,' and spanning tree is 'blocking.'

How can I get this AP working properly? Is this by design? We've added APs to several other controllers in this same fashion and have never had any problems.
Guru Elite

Re: Port status: spanning tree blocking

It should only be blocking if you have a second uplink from that 620 to your network. Is that the case?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor II

Re: Port status: spanning tree blocking




Not that I'm aware of. We only have the 2 APs plugged into the PoE ports (1/0 and 1/1) and then the 620 (port 1/8) plugged into a trunked port on our Cisco switch.

I just double checked the port status and those are the only ports being used.

Controller is a 620 running 5.0.2.0 if that makes any difference.

Guru Elite

Re: Port status: spanning tree blocking

I would turn off spanning tree globally on the Aruba controller and allow the Cisco switch to manage spanning tree:

config t
no spanning-tree


Colin Joseph
Aruba Customer Engineering


Regular Contributor II

Re: Port status: spanning tree blocking


I would turn off spanning tree globally on the Aruba controller and allow the Cisco switch to manage spanning tree:

config t
no spanning-tree




Well, that was a big no-no. Putting in that command kicked me out of the controller and actually brought down their network.

I'm not at the location, but apparently that flooded the entire network as they weren't able to access the local resources on their subnet (server, printers, etc).

I had them reboot the controller and that fixed the issue with the flooding, but the AP is still coming up as blocked.

I can't think of any reason why it would be, but any chance this is related to the expired certificate in 5.0.2.0?
Guru Elite

Re: Port status: spanning tree blocking

Is the AP port a "trunk" as well? Is that port trusted? What licenses do you have on the 620 and do they match?

Does the AP get an ip address? What is providing DHCP? What method is the AP using to discover the controller? Is there another controller in the environment?


Colin Joseph
Aruba Customer Engineering


Aruba Employee

Re: Port status: spanning tree blocking


Well, that was a big no-no. Putting in that command kicked me out of the controller and actually brought down their network.

I'm not at the location, but apparently that flooded the entire network as they weren't able to access the local resources on their subnet (server, printers, etc).

I had them reboot the controller and that fixed the issue with the flooding, but the AP is still coming up as blocked.

I can't think of any reason why it would be, but any chance this is related to the expired certificate in 5.0.2.0?




What port is the new AP on? Which port is spanning tree blocking on the controller?

There is a physical loop somewhere in the network, as shown by spanning tree blocking a port, and then subsequently when the network flooded when spanning tree was disabled. That loop needs to be corrected.

This won't be related to the expired certificate in earlier versions of 5.x.
Regular Contributor II

Re: Port status: spanning tree blocking


Is the AP port a "trunk" as well? Is that port trusted? What licenses do you have on the 620 and do they match?

Does the AP get an ip address? What is providing DHCP? What method is the AP using to discover the controller? Is there another controller in the environment?





AP port is not trunked. The only trunked port on the controller is the uplink (1/8).

AP is plugged into port 1/1. Port is enabled, PoE, Trusted, Access mode, VLAN ID: 1 and Trusted. No firewall policies, MUX is not enabled, Spanning Tree is enabled, cost of 19, port priority of 128, Port Fast is not enabled, Point-to-point is enabled. LACP is active mode - all other boxes are empty.

Controller has 2 single AP and PEF licenses installed. Controller reports 2 AP licenses installed, 1 used, 1 unused.

The AP does not get an IP address. DHCP is provided by the local w2k3 server. Scope has a total of 150 addresses, with at least 70 addresses still available.

APs are set to discover via Host controller name - aruba-master. I've checked from several PCs in that office and aruba-master does resolve to the correct IP for our master controller (3600).

There is no other controller at that location.

I've double checked the AP group and AP system profile to make sure they are correct.

Obviously I'm not at the location, but they tell me nothing else is plugged into the controller. Checking the port status on the controller only shows 3 ports being used. 1/0 is the original AP and is working fine. 1/1 is the new AP. 1/8 is the uplink to the trunked port on our Cisco switch.

All of our branch offices are very much cookie-cutter, but I've gone through and verified the DHCP scope settings, switch configurations, and router configurations.

This isn't the first time we've added additional APs, so I'm baffled as to why this one is causing problems.

Any chance it's a problem with this AP? I can certainly ship them a different AP to see if that fixes the issue.


And thank you to all for the quick replies and advice. I'm going on 7 months of a smooth and trouble-free Aruba deployment. Other than a failed controller, I've had no need to perform any trouble-shooting!
Aruba Employee

Re: Port status: spanning tree blocking

Most likely the 620 became the root of the spanning tree at that site, and when you turned it off, it converged and some other switch out there became root. Always check the root status of a switch before turning off spanning tree. You may want to check to see who the root is out there and set its priority low so something new that comes on can't overthrow it.

Even if the 620 had two connections to your Cisco switch, it wouldn't put an access port that's connected to an AP in blocked mode. That's especially true if it was the root as it wouldn't be blocking anything.

Is there a reason why you're trunking the 620 or is it just a standard config?

If the AP has two ethernet ports, no one connected one to the 620 and one to another switch, did they?
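The root election described in the post above, as an added illustration that is not part of the original thread and is not Aruba or Cisco code: a simplified spanning tree model in Python. Bridge names, MAC addresses and the second uplink are constructed; 32768 is the IEEE 802.1D default bridge priority and 19 is the port cost quoted in the thread.

```python
import heapq

def stp(bridges, links):
    """bridges: {name: (priority, mac)}; links: [(a, b, cost)].
    Returns (root, blocking), blocking = set of (bridge, link_index)."""
    root = min(bridges, key=bridges.get)      # lowest bridge ID wins the election
    adj = {b: [] for b in bridges}
    for i, (a, b, c) in enumerate(links):
        adj[a].append((b, c, i))
        adj[b].append((a, c, i))
    cost = {root: 0}                          # root path cost per bridge
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost.get(u, float("inf")):
            continue
        for v, c, _ in adj[u]:
            if d + c < cost.get(v, float("inf")):
                cost[v] = d + c
                heapq.heappush(heap, (d + c, v))
    blocking = set()
    for b in bridges:
        if b == root:
            continue                          # the root forwards on every port
        # Root port: lowest (path cost, upstream bridge ID, link index).
        rp = min(adj[b], key=lambda e: (cost[e[0]] + e[1], bridges[e[0]], e[2]))[2]
        for v, _, i in adj[b]:
            designated = (cost[b], bridges[b]) < (cost[v], bridges[v])
            if i != rp and not designated:
                blocking.add((b, i))          # redundant path: port blocks
    return root, blocking

# Constructed sample: both bridges at the default priority, two parallel uplinks.
# Edge ports with no bridge behind them (an AP, a PC) are not modelled here.
DEFAULT = {"aruba-620": (32768, "00:0b:86:00:00:01"),
           "cisco-sw": (32768, "00:1a:2b:00:00:01")}
PINNED = dict(DEFAULT, **{"cisco-sw": (4096, "00:1a:2b:00:00:01")})
LINKS = [("aruba-620", "cisco-sw", 19), ("aruba-620", "cisco-sw", 19)]

if __name__ == "__main__":
    print(stp(DEFAULT, LINKS))  # equal priority: the lower MAC becomes root
    print(stp(PINNED, LINKS))   # lower priority pins the root on the Cisco switch
```

With equal priorities the bridge with the lower MAC wins the election and the blocked port sits on the other switch; lowering the intended root's priority moves both the root role and the blocked port.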
Regular Contributor II

Re: Port status: spanning tree blocking


Most likely the 620 became the root of the spanning tree at that site, and when you turned it off, it converged and some other switch out there became root. Always check the root status of a switch before turning off spanning tree. You may want to check to see who the root is out there and set its priority low so something new that comes on can't overthrow it.

Even if the 620 had two connections to your Cisco switch, it wouldn't put an access port that's connected to an AP in blocked mode. That's especially true if it was the root as it wouldn't be blocking anything.

Is there a reason why you're trunking the 620 or is it just a standard config?

If the AP has two ethernet ports, no one connected one to the 620 and one to another switch, did they?





True enough about spanning tree, although it's not something that I'm overly familiar with.....other than enough to pass a few tests ;). Like I said, everything is cookie cutter and we've never had any issues with spanning tree before, so I've never had to deal with it. I'll look into it a little more tomorrow. Worst case I end up learning something new! :eek:

It's been almost a year since we sat down and designed the Aruba deployment, so I can't honestly say that I remember exactly why we did the things we did. It only took a few tries before our engineer got us a good, working config.

I'm tempted to say the trunking is just a standard config, but I'm going to assume it's because we have multiple VLANs at our locations - 1 for network users (VPN back to HQ, and wireless PEAP users), 1 for "internet only" access (captive portal and split tunneled directly out the broadband connection), and 1 for future use (VoIP, video, ???).

Only 1 enet port on the AP93 - makes it easy for our cabling vendor or local "tech guru" to hook it up.

Still, the issue has me thoroughly stumped. They requested the additional AP for increased coverage, although luckily for me they haven't started to complain......yet.