Hi,
What you need to consider in that setup as well: what's the vlan on the E0 interface of the RAP?
By default, the Aruba APs utilize vlan1 as the native vlan,
and from what I remember, Herman's recommendation is to not change this.
So if you do utilize vlan10 (untagged) on the switch-side, you do have a PVID-mismatch; vlan10 (on switch) maps to vlan1 (on AP).
So one requirement will be: make sure that both these vlans are _not_ allowed on the 2nd connection;
keep in mind that vlan1 (default vlan) on Aruba switches is the default untagged vlan on trunk ports;
so you need to explicitly remove vlan1 from port3 on the switch.
This results in the following switch settings when it comes to vlans:
port 1: just vlan 10 untagged
port 3: just vlan 20,30,40 tagged + "no untag vlan 1"
RSTP (or MSTP with just a single/common instance) makes use of one single spanning tree only, thus if you have two physical links to the same device (stp-enabled), one will be in blocking state.
If that's used on your switch with the above port settings, then you can add "bpdu-filtering" to port 1 in addition to make things work (that setting switches off STP on port1, as all BPDU packets will get ignored and none sent out);
if you only have that single switch and single RAP and otherwise "just clients" - that would be my recommendation as it keeps things simple
(but you should be aware of the "bpdu-filtering" function and its risks).
MSTP - you can configure multiple STP instances, but you should understand how it works (the mapping of vlans to instances) to get it working;
I would add vlan20,30,40 to one instance and keep all the other vlans in another instance, though you need to pay special attention to vlan1 (avoid the PVID-mismatch issue)
to get it working without the need to add "bpdu-filtering" to port1 (as described in the RSTP description).
To make a long story short - if I had to support it, I would go with:
port 1: just vlan 10 untagged + bpdu-filter
port 3: just vlan 20,30,40 tagged + "no untag vlan 1"
Note: choosing port1 for bpdu-filtering makes sure the AP does start up with its uplink port not blocked by STP in any case.
Groetjes
Jochem
------------------------------
Jochem Knoben
------------------------------
Original Message:
Sent: Oct 20, 2021 07:31 AM
From: Herman Robers
Subject: RAP and spanning-tree issues
What did you configure on the switch for spanning-tree?
Did you make sure that the native VLAN on port 1/1/3 is NOT set to 10? And port 1/1/1 is only untagged in VLAN10? In that case, you can prevent a loop over the native VLAN. I'm not an STP expert, but it looks like the 2930F has the option between MSTP and Rapid-PVST, which both appear to be VLAN aware, so I'm not fully sure why you have the loop, unless you really created a loop by selecting the same native VLAN for both port 1/1/1 and 1/1/3.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
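As an added example (not part of any post in this thread, and not Aruba code), this Python sketch models the two switch-to-AP links discussed in the replies above and reports where a VLAN gets a second path (a loop) or where a PVID mismatch bridges two switch vlans together. It assumes the AP forwards a VLAN between its two wired ports and that the AP's second port (called E1 here) is a trunk with native vlan 1; all port dictionaries are constructed sample data.

```python
# Added example: constructed model of the two switch<->AP links, not vendor code.
def find(parent, x):
    while parent.setdefault(x, x) != x:   # union-find root lookup
        parent[x] = parent[parent[x]]     # path halving
        x = parent[x]
    return x

def link_edges(sw_port, ap_port):
    """Yield (switch_vlan, ap_vlan) pairs that frames can cross on one link."""
    # Untagged frames land in the receiving port's native VLAN (its PVID).
    if sw_port["untagged"] is not None and ap_port["untagged"] is not None:
        yield sw_port["untagged"], ap_port["untagged"]
    # Tagged frames pass only when both ends carry the same tag.
    for vid in sorted(sw_port["tagged"] & ap_port["tagged"]):
        yield vid, vid

def audit(links):
    """Return (loops, merges) for a list of (name, sw_port, ap_port) links."""
    parent, loops = {}, []
    for name, sw, ap in links:
        for sw_vid, ap_vid in link_edges(sw, ap):
            a, b = find(parent, ("sw", sw_vid)), find(parent, ("ap", ap_vid))
            if a == b:
                loops.append((name, sw_vid, ap_vid))  # second path: L2 loop
            else:
                parent[a] = b
    groups = {}
    for node in list(parent):
        if node[0] == "sw":
            groups.setdefault(find(parent, node), set()).add(node[1])
    # Switch VLANs sharing a group are bridged together through the AP.
    merges = sorted(sorted(g) for g in groups.values() if len(g) > 1)
    return loops, merges

# Constructed sample data. Assumption: the AP bridges a VLAN between its ports,
# and its second wired port (called E1 here) is a trunk with native vlan 1.
AP_E0 = {"untagged": 1, "tagged": set()}
AP_E1 = {"untagged": 1, "tagged": {20, 30, 40}}
PORT1 = {"untagged": 10, "tagged": set()}
RECOMMENDED = [("port1", PORT1, AP_E0),
               ("port3", {"untagged": None, "tagged": {20, 30, 40}}, AP_E1)]
DEFAULT_VLAN1 = [("port1", PORT1, AP_E0),
                 ("port3", {"untagged": 1, "tagged": {20, 30, 40}}, AP_E1)]
SAME_NATIVE = [("port1", PORT1, AP_E0),
               ("port3", {"untagged": 10, "tagged": {20, 30, 40}}, AP_E1)]

if __name__ == "__main__":
    for links in (RECOMMENDED, DEFAULT_VLAN1, SAME_NATIVE):
        print(audit(links))
```

With the recommended settings both lists come back empty; leaving vlan1 untagged on port 3 reports switch vlans 1 and 10 bridged together, and vlan10 untagged on both ports reports a loop on port3. The model covers VLAN membership only and does not reproduce STP's own blocking decision.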
Original Message:
Sent: Oct 15, 2021 05:49 AM
From: Fredrik Andersson
Subject: RAP and spanning-tree issues
Hi!
We would like to deploy a small site with only a switch and a RAP access point, but we get issues with spanning-tree. This is what the setup looks like:
AP is a 505H and switch is AOS-2930F-12port.
We want to extend vlans 20, 30 and 40 from the controller at our HQ so that these vlans could be used on the switch ports. Problem is that this creates a loop and port 1/1/1 gets blocked. If we disable port 1/1/3 until AP gets associated with controller and then enable port 1/1/3 again it starts working as intended.
This is not very stable because if we have a power loss or the AP reboots, port 1/1/1 will start blocking and the AP never gets associated to the controller in HQ.
I have tried to change cost and priority on ports so that 1/1/3 would be the port that is blocking but it is always port 1/1/1 that ends up in blocking. What could we do in order to prevent blocked ports while AP is booting?