Wireless Access

  • 1.  BPDU Filter

    Posted Dec 09, 2013 11:14 AM

    Hello,

    Has anybody successfully blocked incoming BPDU packets on an interface of a MAS while allowing the rest of the traffic?

    Cisco has a simple command for this functionality but nothing seems similar in the mobility access switch OS 7.3.0.0.

    We've tried using ACLs based on mac and eth type 0x4242, but it almost looks like the BPDU is getting processed before the acl is applied.

    Any thoughts appreciated.



  • 2.  RE: BPDU Filter
    Best Answer

    EMPLOYEE
    Posted Dec 09, 2013 11:19 AM

    Yaan,

    We currently do not support BPDUFilter and an ACL cannot be used to block them.

    I highly recommend submitting the request to the idea portal.

    https://arubanetworkskb.secure.force.com/cp/ideas/ideaList.apexp

    I'm not sure what your use case is specifically, but you can enable root-guard to prevent the 3rd party STP capable switch from influencing your STP environment or, a little more brute force, shut down the port using BPDUGuard.

    Best regards,

    Madani



  • 3.  RE: BPDU Filter

    Posted Dec 09, 2013 11:35 AM

    How does root guard work? Does it allow the traffic on the port while simply ignoring BPDU packets?



  • 4.  RE: BPDU Filter

    EMPLOYEE
    Posted Dec 09, 2013 11:52 AM

    Yaan,

    Per the user guide:

    Rootguard provides a way to enforce the root bridge placement in the network. The rootguard feature guarantees that a port will not be selected as Root Port for the CIST or any MSTI. If a bridge receives superior spanning tree BPDUs on a rootguard-enabled port, the port is selected as an Alternate Port instead of Root Port and no traffic is forwarded across this port.
    By selecting the port as an Alternate Port, the rootguard configuration prevents bridges, external to the region, from becoming the root bridge and influencing the active spanning tree topology.

    So yes, traffic is allowed into the port, but we still process the BPDUs to ensure that the 3rd party connected switch cannot, either maliciously or accidentally, start being recognized as the root bridge. If we do start seeing superior BPDUs from that port, we will stop forwarding traffic through that port.

     

    (S35-TST-SW-01) #show spanning-tree

    MST 0
    Root ID            Address: 0019.0655.3a80, Priority: 4097
    Regional Root ID   Address: 000b.866c.3200, Priority: 16384
    Bridge ID          Address: 000b.866c.3200, Priority: 16384
    External root path cost 40000, Internal root path cost 0

    Interface  Role           State  Port Id  Cost    Type
    ---------  ----           -----  -------  ----    ----
    GE0/0/1    Altn(Root-Inc) BLK    128.22   20000   P2p
    GE0/0/2    Desg           FWD    128.301  20000   P2p
    GE0/0/22   Root           FWD    128.23   20000   P2p
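
As an added illustration of the root-guard rule quoted in the reply above (example code written for this page, not MAS firmware or any Aruba tool): it parses a constructed STP configuration BPDU frame, compares the advertised root bridge ID against the root ID shown in the show spanning-tree output, and reports the port state root guard would give. The MAC addresses other than the quoted root ID, the frame contents and all function names are constructed for the example.

```python
import struct

STP_MAC = bytes.fromhex("0180c2000000")   # IEEE bridge-group multicast address
LLC_STP = b"\x42\x42\x03"                 # LLC DSAP/SSAP 0x42, UI control field
BPDU_FMT = "!HBBBH6sIH6sHHHHH"            # 802.1D configuration BPDU, 35 bytes

def parse_bpdu(frame: bytes):
    """Return the root/bridge IDs of an STP or RSTP BPDU, or None if the frame
    is not a BPDU. IDs are (2-byte priority field, MAC hex) tuples, so tuple
    ordering follows the 802.1D rule: the lower value is the superior ID."""
    if len(frame) < 14 + len(LLC_STP) + struct.calcsize(BPDU_FMT):
        return None
    if frame[:6] != STP_MAC:
        return None
    # BPDUs are 802.3 frames: bytes 12-13 carry a length (<= 1500), not an
    # EtherType, and the LLC SAP 0x42 follows, so an EtherType match never sees them.
    if struct.unpack("!H", frame[12:14])[0] > 1500 or frame[14:17] != LLC_STP:
        return None
    f = struct.unpack(BPDU_FMT, frame[17:17 + struct.calcsize(BPDU_FMT)])
    if f[0] != 0 or f[2] not in (0x00, 0x02):   # protocol ID 0; STP config or RSTP
        return None
    return {"root": (f[4], f[5].hex()), "root_cost": f[6],
            "bridge": (f[7], f[8].hex()), "port_id": f[9]}

def root_guard_state(known_root, bpdu):
    """The root-guard rule quoted above: a BPDU whose root ID is superior to the
    root we already know puts the port in Altn(Root-Inc)/BLK instead of Root."""
    return "Altn(Root-Inc) BLK" if bpdu["root"] < known_root else "forwarding"

def build_bpdu(src_mac, root_prio, root_mac, bridge_prio, bridge_mac, cost=0):
    """Construct a sample STP configuration BPDU frame (test data, not a capture)."""
    mac = lambda s: bytes.fromhex(s.replace(".", ""))
    body = struct.pack(BPDU_FMT, 0, 0, 0, 0, root_prio, mac(root_mac), cost,
                       bridge_prio, mac(bridge_mac), 0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    payload = LLC_STP + body
    return STP_MAC + mac(src_mac) + struct.pack("!H", len(payload)) + payload

# Root ID from the show spanning-tree output in this post (hex without dots).
KNOWN_ROOT = (4097, "001906553a80")

def classify_frame(frame: bytes, known_root=KNOWN_ROOT):
    """'not-bpdu' for ordinary traffic, otherwise the root-guard port state."""
    bpdu = parse_bpdu(frame)
    return "not-bpdu" if bpdu is None else root_guard_state(known_root, bpdu)

if __name__ == "__main__":
    # Constructed neighbour claiming priority 4096: superior to 4097, so blocked.
    wan = build_bpdu("0000.0c11.2233", 4096, "0000.0c11.2233", 4096, "0000.0c11.2233")
    print(classify_frame(wan))   # Altn(Root-Inc) BLK
```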




  • 5.  RE: BPDU Filter

    Posted Dec 09, 2013 11:58 AM

    Thanks for the info.

    Unfortunately this will not work in our environment; traffic must not be blocked, just the BPDU packet.



  • 6.  RE: BPDU Filter

    EMPLOYEE
    Posted Dec 09, 2013 12:09 PM

    Yaan,

    Just out of curiosity, what is your application where you want to allow STP capable switches to be connected but filter inbound BPDUs? The one possible issue I see there is that you could create a loop amongst ports if you want to just discard BPDUs.

    Madani



  • 7.  RE: BPDU Filter

    Posted Dec 09, 2013 01:12 PM

    Basically we have several organizations connected over a WAN which is primarily used for videoconferencing. One of the network devices (we are not sure which, and these organizations are independent of each other) is broadcasting a root priority higher than ours and this is causing the spanning tree on our primary switch to recalculate its topology every so often, which causes an endless stream of headaches, especially since we are running VoIP.

    We considered simply raising our priority but since that would probably cause them issues and then they would raise their priority and then they in turn would raise their priority as well, it would not be a proper solution.

    A workaround we are considering at this point is to put a Cisco switch in between and have it filter the BPDUs from the WAN port until Aruba implements a solution in their OS.



  • 8.  RE: BPDU Filter

    EMPLOYEE
    Posted May 19, 2014 01:22 PM

    Yaan,

    I just wanted to let you know that we implemented BPDU Filter as part of 7.3.2.0.

    Best regards,

    Madani