Wired Intelligent Edge

last person joined: 10 hours ago 

Bring performance and reliability to your network with the Aruba Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of the ArubaOS-Switch and ArubaOS-CX devices, and find ways to improve security across your network to bring together a mobile first solution.
Expand all | Collapse all

RAP and spanning-tree issues

This thread has been viewed 33 times
  • 1.  RAP and spanning-tree issues

    Posted Oct 15, 2021 05:50 AM
    Hi!
    We would like to deploy a small site with only a switch and a RAP access point but we get issues with spanning-tree. This is how the setup looks like:
    AP is a 505H and switch is AOS-2930F-12port.

    We want to extend vlans 20, 30 and 40 from the controller at our HQ so that these vlans could be used on the switch ports. Problem is that this creates a loop and port 1/1/1 gets blocked. If we disable port 1/1/3 until AP gets associated with controller and then enable port 1/1/3 again it starts working as intended.
    This is not very stable because if we have a power loss or the AP reboots port 1/1/1 will start blocking and AP never gets associated to controller in HQ.

    I have tried to change cost and priority on ports so that 1/1/3 would be the port that is blocking but it is always port 1/1/1 that ends up in blocking. What could we do in order to prevent blocked ports while AP is booting?


  • 2.  RE: RAP and spanning-tree issues

    Posted Oct 20, 2021 04:46 AM
    Hello,

    I did a quick research for your RAP and its STP functionality (I am not that familiar with the configurations of APs). According to the guides STP is not operating on the uplink port - on downlink ports only (wired profile). 

    1. Could you please doublecheck that STP is blocking the port? Maybe the output of "show spanning-tree" will be helpful here.
    If STP is not operating on port E0, I don't think that influencing the STP port priority and cost on port 1 on the switch will affect this behavior. I will just note the difference between both:
    STP port Priority is used to affect the downstream switches and their root port election.
    STP Cost – affecting the local switch root port election.

    2. Do you have loop protection enabled on the 2930 switch? 
    3. I have some doubts on this topology as well. Unfortunately I am not able to confirm how the topology really should look like (as I already said, I don't have that experience with the APs). Maybe the other people from the community can give us more insights on this.

    ------------------------------
    Stanislav Naydenov
    ------------------------------



  • 3.  RE: RAP and spanning-tree issues

    Posted Oct 21, 2021 06:59 AM

    Hi!

    Answer for your questions:
    1. Yes, STP is blocking the port. In the RAP we have enabled STP on port E3 but not on E0.

    Multiple Spanning Tree (MST) Information
    
      STP Enabled   : Yes
      Force Version : MSTP-operation
      IST Mapped VLANs : 1-4094
      Switch MAC Address : XXXXX-XXXXXX    
      Switch Priority    : 32768
      Max Age  : 20
      Max Hops : 20   
      Forward Delay : 15
    
      Topology Change Count  : 31          
      Time Since Last Change : 117 secs    
    
      CST Root MAC Address : XXXXXX-XXXXXX   
      CST Root Priority    : 4097        
      CST Root Path Cost   : 42000       
      CST Root Port        : Trk1               
    
      IST Regional Root MAC Address : XXXXXX-XXXXXX    
      IST Regional Root Priority    : 32768       
      IST Regional Root Path Cost   : 0           
      IST Remaining Hops            : 20          
    
      Root Guard Ports     : 
      Loop Guard Ports     : 2,4-10
      TCN Guard Ports      : 
      BPDU Protected Ports : 2,4-10                                  
      BPDU Filtered Ports  :                                         
      PVST Protected Ports :                                         
      PVST Filtered Ports  :                                         
    
      Root Inconsistent Ports  :             
      Loop Inconsistent Ports  :             
    
                       |           Prio              | Designated        Hello         
      Port  Type       | Cost      rity State        | Bridge            Time PtP Edge
      ----- ---------- + --------- ---- ------------ + ----------------- ---- --- ----
      1     100/1000T  | 20000     128  Blocking     | XXXXXX-XXXXXX     2    Yes No  
      2     100/1000T  | Auto      128  Disabled     |                   2    Yes Yes 
      3     100/1000T  | 20000     128  Forwarding   | XXXXXX-XXXXXX     2    Yes Yes

    2. If I have loop-protection enabled on the switch I receive BpduError and removed it gets in the state Blocking for port 1.
    3. I would be more than happy to get some feedback on the design from the community.




  • 4.  RE: RAP and spanning-tree issues

    Posted Oct 20, 2021 07:32 AM
    What did you configure on the switch for spanning-tree?

    Did you make sure that the native VLAN on port 1/1/3 is NOT set to 10? And port 1/1/1 is only untagged in VLAN10? In that case, if you can prevent a loop over the native VLAN. I'm not a STP expert, but looks like the 2930F has the option between MSTP and Rapid-PVST, which both appear to be VLAN aware, so not fully sure why you have the loop, unless you really created a loop by selecting the same native VLAN for both port 1/1/1 and 1/1/3.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 5.  RE: RAP and spanning-tree issues

    Posted Oct 21, 2021 07:02 AM
    For port 3 we have native vlan 1 and for port 1 it is untagged vlan 10 so it is not the same vlan.


  • 6.  RE: RAP and spanning-tree issues

    Posted Oct 21, 2021 09:01 AM
    Hi,

    what you need to consider in that setup as well: what's the vlan on the E0-interface of the RAP
    by default, the Aruba-AP's are utilizing vlan1 as the native vlan
    and from what I remember, Hermann's recommendation is to not change this.
    So if you do utilize vlan10 (untagged) on the switch-side, you do have a PVID-mismatch; vlan10 (on switch) maps to vlan1 (on AP).
    So one requirement will be: make sure that both these vlans are _not_ allowed on the 2nd connection;
    keep in mind that vlan1 (default vlan) on aruba-switches is the default untagged vlan on trunk ports;
    so you need to explicitly remove vlan1 from port3 on the switch.
    results in following switch settings when it comes to vlans:
    port 1: just vlan 10 untagged
    port 3: just vlan 20,30,40 tagged + "no untag vlan 1"

    RSTP (or MSTP with just single/common instance) is making use of one single Spanned-Tree only, thus if you have two physical links to same device (stp-enabled) one will be in blocking state.
    if that's used on your switch with above port settings, then you can add "bpdu-filtering" to port 1 in addition to make things working (that setting switches off STP on port1 as all BPDU-packets will get ignored and none sent out);
    if you only have that single switch and single RAP and otherwise "just clients" - that would be my recommendation as it keeps things simple
    (but you should be aware of the "bpdu-filtering" function and it's risks)

    MSTP - you can configure multiple STP-instances, but you should understand how it works (the mapping of vlan's to instances) to get it working;
    I would add vlan20,30,40 to one instance and keep all the other vlans in another instance, though you need to pay special attention to vlan1 (avoid PVID-mismatch issue)
    to get it working without the need to add "bpdu-filtering" to port1 (like described in the RSTP description)

    To make a long story short - If I would have to support it, i would go with:
    port 1: just vlan 10 untagged + bpdu-filter
    port 3: just vlan 20,30,40 tagged + "no untag vlan 1"
    note: choosing port1 for bpdu-filtering makes sure the AP does startup with it's uplink port not blocked by STP in any case

    Groetjes
    Jochem

    ------------------------------
    Jochem Knoben
    ------------------------------