12-09-2013 08:13 AM
Has anybody successfully blocked incoming BPDU packets on an interface of a MAS while allowing the rest of the traffic?
Cisco has a simple command for this functionality but nothing seems similar in the mobility access switch OS 184.108.40.206.
We've tried using ACLs based on MAC and eth type 0x4242, but it almost looks like the BPDU is getting processed before the ACL is applied.
Any thoughts appreciated.
12-09-2013 08:18 AM
We currently do not support BPDUFilter and an ACL cannot be used to block them.
I highly recommend submitting the request to the idea portal.
I'm not sure what your use case is specifically, but you can enable root-guard to prevent the 3rd party STP capable switch from influencing your STP environment or, a little more brute force, shut down the port using BPDUGuard.
12-09-2013 08:52 AM
Per the user guide:
Rootguard provides a way to enforce the root bridge placement in the network. The rootguard feature guarantees that a port will not be selected as Root Port for the CIST or any MSTI. If a bridge receives superior spanning tree BPDUs on a rootguard-enabled port, the port is selected as an Alternate Port instead of Root Port and no traffic is forwarded across this port.
By selecting the port as an Alternate Port, the rootguard configuration prevents bridges, external to the region, from becoming the root bridge and influencing the active spanning tree topology.
So yes, traffic is allowed into the port, but we still process the BPDUs to ensure that the 3rd party connected switch cannot either maliciously or accidentally start being recognized as the root bridge. If we do start seeing superior BPDUs from that port, we will stop forwarding traffic through that port.
(S35-TST-SW-01) #show spanning-tree
Root ID Address: 0019.0655.3a80, Priority: 4097
Regional Root ID Address: 000b.866c.3200, Priority: 16384
Bridge ID Address: 000b.866c.3200, Priority: 16384
External root path cost 40000, Internal root path cost 0
Interface  Role            State  Port Id  Cost   Type
---------  ----            -----  -------  ----   ----
GE0/0/1    Altn(Root-Inc)  BLK    128.22   20000  P2p
GE0/0/2    Desg            FWD    128.301  20000  P2p
GE0/0/22   Root            FWD    128.23   20000  P2p
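An added example (not from the thread or from Aruba): a small Python parser for the `show spanning-tree` output posted above. It flags ports that root guard is holding in the Root-Inc state and checks whether the advertised root is superior to the local bridge. The function names are hypothetical, and the comparison assumes the standard STP rule that the numerically lower priority/MAC pair wins.

```python
import re

# Output copied from the post above (prompt line omitted).
SAMPLE = """\
Root ID Address: 0019.0655.3a80, Priority: 4097
Regional Root ID Address: 000b.866c.3200, Priority: 16384
Bridge ID Address: 000b.866c.3200, Priority: 16384
External root path cost 40000, Internal root path cost 0
Interface Role State Port Id Cost Type
--------- ---- ----- ------- ---- ----
GE0/0/1 Altn(Root-Inc) BLK 128.22 20000 P2p
GE0/0/2 Desg FWD 128.301 20000 P2p
GE0/0/22 Root FWD 128.23 20000 P2p
"""

ID_RE = re.compile(
    r"^(Root|Regional Root|Bridge) ID Address: ([0-9a-fA-F.]+), Priority: (\d+)", re.M)
# Interface, role, state, port id (e.g. 128.22), cost, link type.
PORT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+\.\d+)\s+(\d+)\s+(\S+)$", re.M)


def bridge_id(priority, mac):
    """Bridge ID as a sortable tuple; the numerically lower ID is superior."""
    return (int(priority), int(mac.replace(".", ""), 16))


def rootguard_blocks(received_root, known_root):
    """Rule quoted from the user guide: a superior BPDU on a guarded port blocks it."""
    return received_root < known_root


def analyze(text):
    """Summarize root placement and root-guard state from the CLI output."""
    ids = {name: bridge_id(prio, mac) for name, mac, prio in ID_RE.findall(text)}
    ports = [m.groups() for m in PORT_RE.finditer(text)]
    return {
        "ids": ids,
        "external_root": ids["Root"] != ids["Bridge"],
        "root_is_superior": ids["Root"] < ids["Bridge"],
        "root_inconsistent": [p[0] for p in ports if "Root-Inc" in p[1]],
        "root_ports": [p[0] for p in ports if p[1] == "Root"],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE).items():
        print(key, value)
```

Run periodically against collected switch output, a non-empty `root_inconsistent` list shows which port is receiving superior BPDUs from a neighbor.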
12-09-2013 09:09 AM - edited 12-09-2013 09:19 AM
Just out of curiosity, what is your application where you want to allow STP capable switches to be connected but filter inbound BPDUs? The one possible issue I see there is that you could create a loop amongst ports if you want to just discard BPDUs.
12-09-2013 10:12 AM - edited 12-09-2013 10:13 AM
Basically, we have several organizations connected over a WAN which is primarily used for videoconferencing. One of the network devices (we are not sure which, and these organizations are independent of each other) is broadcasting a root priority higher than ours, and this is causing the spanning tree on our primary switch to recalculate its topology every so often, which causes an endless stream of headaches, especially since we are running VoIP.
We considered simply raising our priority but since that would probably cause them issues and then they would raise their priority and then they in turn would raise their priority as well, it would not be a proper solution.
A workaround we are considering at this point is to put a Cisco switch in between and have it filter the BPDUs from the WAN port until Aruba implements a solution in their OS.