spanning-tree configuration on Access Switch

  • 1.  spanning-tree configuration on Access Switch

    Posted Sep 06, 2022 02:09 AM
    I am migrating from Cisco to Aruba in Access. I am running RSTP. Cisco switch in the core is root for all VLANs. I am looking for recommendations as to what spanning-tree features should be enabled/disabled on the Access Switch (BPDU Filter, Root Guard, Loop Guard etc.). I have enabled BPDU Guard and Loop Guard on Access Ports while nothing is enabled on the Trunk Uplink Port.

    Aruba-0B-0021-W# sh spanning-tree summary root
    STP status : Enabled
    Protocol : RPVST
    System ID : bc:d7:a5:b3:22:44

    Root bridge for VLANs :   (this switch is not root for any vlan)
    ........................

    Aruba-SW# sh spanning-tree vlan 211

    VLAN211
    Spanning tree status : Enabled Protocol: RPVST
    Root ID Priority : 8192
    MAC-Address: 00:c1:64:c4:aa:01
    Hello time(in seconds):2 Max Age(in seconds):20
    Forward Delay(in seconds):15

    Bridge ID Priority : 32768
    MAC-Address: bc:d7:a5:b3:bb:02
    Hello time(in seconds):2 Max Age(in seconds):20
    Forward Delay(in seconds):15


    Aruba-SW# sh spanning-tree interface
    Port : 1/1/48   (Access Port)
    Admin State : up
    BPDU Guard : enabled
    BPDU Filter : disabled
    RPVST Guard : disabled
    RPVST Filter : disabled
    Loop Guard : enabled
    Root Guard : disabled
    TCN Guard : disabled
    Admin Edge Port : admin-edge
    Link Type : Shared
    BPDU Tx Count : 0
    BPDU Rx Count : 0
    TCN Tx Count : 0
    TCN Rx Count : 0


    Port : 1/1/51   (Uplink Port)
    Admin State : up
    BPDU Guard : disabled
    BPDU Filter : disabled
    RPVST Guard : disabled
    RPVST Filter : disabled
    Loop Guard : disabled
    Root Guard : disabled
    TCN Guard : disabled
    Admin Edge Port : admin-network
    Link Type : Point to Point
    BPDU Tx Count : 0
    BPDU Rx Count : 0
    TCN Tx Count : 0
    TCN Rx Count : 0


  • 2.  RE: spanning-tree configuration on Access Switch

    EMPLOYEE
    Posted Sep 06, 2022 08:42 AM
    Root-guard: It ensures that STP operates normally with the peer device, as long as the peer device does transmit a superior BPDU. If the peer device (say access switch) transmits a superior BPDU, it blocks its interface that has root guard enabled as "Root inconsistent" and "P2P Bound". This effectively protects the current root bridge.

    Loop-guard: It ensures that a port on which BPDUs are expected will transition to blocking when no BPDUs are received. A normal STP port would transition to forwarding when no BPDUs are received. This feature can be used in large environments to handle the scenario where the STP process on the Agg/Core switches would fail and would cause loops in the network.
    It can be configured on the access switch LAG that is connected to the VSX systems. If no BPDUs are received from the VSX system, the port that has loop-guard enabled will be blocked.

    BPDU-guard: It is typically an access switch feature to ensure that no other STP devices can be connected to the network. When a BPDU guard enabled port receives an STP BPDU, it will be disabled.

    BPDU-filter: You can prevent STP from blocking ports that will only perform routing functions, by configuring STP BPDU filter on these ports.

    ------------------------------
    Kapildev Erampu
    Systems Engineer, ACEX#94
    Aruba, a Hewlett Packard Enterprise company
    Sydney, Australia.
    Any opinions expressed here are solely my own and not necessarily that of HPE
    ------------------------------



  • 3.  RE: spanning-tree configuration on Access Switch

    Posted Sep 06, 2022 09:33 AM
    I understand these details. My question was about recommended configuration for access and uplink ports. 
    I also wanted to know whether loop-protect is required on both these port types along with STP?


  • 4.  RE: spanning-tree configuration on Access Switch

    EMPLOYEE
    Posted Sep 06, 2022 07:22 PM
    I would generally add the following spanning-tree commands to the access ports:

    •     spanning-tree bpdu-guard
    •     spanning-tree root-guard
    •     spanning-tree tcn-guard
    •     spanning-tree port-type admin-edge
    •     loop-protect


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.
    ------------------------------



  • 5.  RE: spanning-tree configuration on Access Switch

    Posted Sep 07, 2022 03:08 AM

    Hi all

    I would consider root-guard and tcn-guard as unnecessary, since these are related to BPDUs received, which are already treated by the bpdu-guard.

    So IMHO bpdu-guard and admin-edge is a good combination for edge (access) ports, and on higher level switches (e.g. core / aggregation) root-guard and, depending on your design, also tcn-guard for the downlinks to the access switches.

    Regards,

    Thomas



  • 6.  RE: spanning-tree configuration on Access Switch

    Posted Sep 07, 2022 03:30 AM
    Interesting question, especially regarding STP and loop-protection. Here is my current perspective: The command "spanning-tree bpdu-guard" is used to block a port where BPDUs are not expected. That would be an access port. It is commonly used in conjunction with "admin-edge" which declares a switch port as access port.

    However, "root-guard" and "tcn-guard" are more specific protection features when compared to bpdu-guard. Where bpdu-guard always blocks the port when a BPDU arrives, root/tcn-guard only trigger when a BPDU arrives for which certain criteria are met. For root-guard this would be a superior BPDU (meaning one which will change the root bridge) and for tcn-guard a BPDU with the TC flag set. So, for me it doesn't seem to make sense to use bpdu-guard AND root-guard plus tcn-guard, as bpdu-guard IN PARTICULAR blocks those BPDUs which are blocked by the other two features.

    Now, for combining STP and loop-protection I quote the Aruba l2-bridging configuration guide (for CX 6000/6100): "STP is mutually exclusive with loop protection. If STP and loop protection are both enabled on the same VLAN, STP takes precedence. This means that loop protection does not take any action on a port blocked by STP."

    ------------------------------
    Frank Anstoetz
    Aruba Edge Professional, HPE MASE, CCIE em. #14807
    Ingentive Networks GmbH
    Duesseldorf, Germany
    ------------------------------
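    The following is an added worked configuration (not posted by any participant in this thread) that puts replies 4, 5 and 6 together for the topology in the original question: an AOS-CX access switch with a Cisco core holding root at priority 8192. The five interface commands from reply 4 are taken from the thread; the global commands, the LAG/trunk commands, the bpdu-guard recovery timer, the loop-protect re-enable timer and the Cisco `spanning-tree guard root` line are assumed from vendor CLI syntax and should be checked against your release. VLAN 211, ports 1/1/1-1/1/48 as user ports and 1/1/51-1/1/52 as the LAG to the core are assumed. Lines starting with `!` are annotations, not commands.

```text
! ===== AOS-CX access switch (assumed hostname Aruba-SW) =====
! Global: RPVST to interoperate with the Cisco core, which stays root.
! Bridge priority is left at 32768 so this switch never becomes root.
spanning-tree mode rpvst
spanning-tree
spanning-tree vlan 211
! Assumed: auto-recover a port that bpdu-guard disabled, after 300 s,
! so a user plugging in a stray switch does not need a manual "no shutdown".
spanning-tree bpdu-guard timeout 300
! Assumed: same recovery idea for ports blocked by loop-protect.
loop-protect re-enable-timer 300

! User-facing ports (reply 4, trimmed per replies 5/6): no BPDU should ever
! arrive here, so any BPDU disables the port. admin-edge lets the port forward
! immediately. loop-protect catches loops through devices that drop BPDUs
! (reply 7); it runs alongside STP and does nothing on ports STP already blocks.
interface 1/1/1-1/1/48
    no shutdown
    no routing
    vlan access 211
    spanning-tree port-type admin-edge
    spanning-tree bpdu-guard
    loop-protect
! Not configured here: spanning-tree root-guard / tcn-guard (redundant next to
! bpdu-guard, replies 5 and 6) and spanning-tree bpdu-filter (would hide a loop).

! Uplink to the core: BPDUs from the root are expected, so NO bpdu-guard,
! NO bpdu-filter and NO admin-edge on this port. loop-guard (reply 2) blocks
! the LAG if the core stops sending BPDUs instead of letting it forward.
interface lag 1
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed 211
    lacp mode active
    spanning-tree port-type admin-network
    spanning-tree link-type point-to-point
    spanning-tree loop-guard
interface 1/1/51
    no shutdown
    lag 1
interface 1/1/52
    no shutdown
    lag 1

! ===== Cisco core, downlink to the access switch (reply 5) =====
! root-guard belongs on the side that must stay root: if the access switch
! ever sends a superior BPDU, the downlink goes root-inconsistent instead of
! the core losing its root role.
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 211
 spanning-tree guard root
```

    To confirm the result on the access switch, `show spanning-tree interface` (as in the original post) should show BPDU Guard enabled and Admin Edge Port admin-edge only on the user ports, and Loop Guard enabled with admin-network on lag 1; a non-zero BPDU Rx Count on the LAG and a zero count on every user port is the expected steady state.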



  • 7.  RE: spanning-tree configuration on Access Switch

    Posted Sep 08, 2022 04:55 AM
    The loop-protect feature should help to be able to detect a loop caused by connecting network devices which filter BPDUs in the wrong way, as the loop-protect packets will be forwarded and not filtered by such devices. Though there is no guarantee that the loop-protect packet will be received "in time" and the port will be blocked by this feature to break the loop, so loop-protect is not a replacement for STP.