How does Windows bridge detection work?

Aruba Employee
Aruba Employee

Product and Software: This article applies to all Aruba controllers and ArubaOS 2.5 and later.


Windows Bridge


A new networking feature in Windows XP (Home and Professional) and Vista is called a software bridge. It is the ability to bridge together any two adapters, most commonly the wired Ethernet adapter and the 802.11a/bg adapter to pass any Layer 2 and Layer 3 packets between the two adapters.


Impact on Wireless Network


Most laptops ship with wired and wireless adapters. Although a Windows bridge is useful in home networking, such an easily enabled feature has the potential to create problems in large enterprise networks that do see the coexistence of wired and wireless segments.


It has the potential to flood sections of the network with errant packets rendering portions of it unusable.


Aruba Windows Bridge Detection


Starting with ArubaOS 3.x, Aruba added the capability of its APs to listen in the air for Spanning Tree packets (BPDU Destination MAC 01:80:c2:00:00:00).


Such multicast packets are expected from the AP toward the wifi client, but not the other way around.


Aruba APs detect a Windows bridge as soon as they see a BPDU packet from a wifi client to its associated AP.


The option is enabled by default in the IDS profile:


(MM800) #show ids unauthorized-device-profile default


IDS Unauthorized Device Profile "default" 


Parameter Value 


Detect Adhoc Networks true 
Protect from Adhoc Networks false 
Detect Windows Bridge true
Detect Wireless Bridge true 
Detect Devices with an Invalid MAC OUI false 
MAC OUI detection Quiet Time 900 sec 
Adhoc Network detection Quiet Time 900 sec 
Wireless Bridge detection Quiet Time 900 sec 
Rogue AP Classification true 
Overlay Rogue AP Classification true 
Valid Wired MACs N/A 
Rogue Containment false 
Protect Valid Stations false 
Detect Bad WEP false 
Detect Misconfigured AP false 
Protect Misconfigured AP false 
Protect SSID false 
Privacy false 
Require WPA false 
Valid 802.11g channel for policy enforcement N/A 
Valid 802.11a channel for policy enforcement N/A 
Valid MAC OUIs N/A 
Valid and Protected SSIDs N/A

Version history
Revision #:
1 of 1
Last update:
‎07-02-2014 12:06 PM
Updated by:
Labels (1)
Search Airheads
Showing results for 
Search instead for 
Did you mean: