Wireless Access

I am testing a setup with 2 controllers having redundant links to 2 switches. Both switches are connected to each other. Everything seems fine with the required switchports/VLANs blocking. I have tried the setup with spanning-tree disabled on the controllers and rapid-pvst enabled on the controllers - no difference which seems good. What is the recommendation from Aruba on whether it should be enabled or disabled?. Also with rapid-pvst enabled there is no output from the "show spanning-tree" command but the is when the normal mode is running - why is this?

Based on my experienced I usually disabled STP on the controller and let it handle it by the uplink.

Now how do you have STP configured ? which of those switches is the STP root ? 

I ususally disable STP initially.  

The L2 redundancy is simply duplicated links across two switches in case one switch fails so there is still a path to the DG, rest of the network etc. One of the switches will be the root bridge - switch 1. I just wanted to gauge if there was anything else to take into consideration. when the default STP was enabled, it was reporting it was the root although so did the root switch which concerned me. After enabling rapid-pvst I got no output from the controller on the state of spanning-tree. Disabled spanning-tree on the controller and the switchports did not change so I assume this is the way to go - switches running STP and controllers disabled.

Are you using VRRP or HSRP ?

Neither in this context, VRRP is running on controllers for AP termination, but the switches are simply operating at L2.

If the switches are connected to each other and you have the controller going to both switches that will create a loop and STP will block one of those connections to avoid the loop .

You can have control of what connection gets blocked by defining the priority each has and also which switch is the root .

If you created the VLANs on both switches you should create a L3 redundancy and then define which switch will be Active / Standy, this only applies if your switches are not virtualize .

I'm not sure what you mean by "a layer 2 redundancy".

VRRP and HSRP 

VRRP and HSRP provide redundancy for IP addresses which are layer 3.

I have RSTP enabled on my HP switches and also on Aruba controllers. I get sudden port blocked by STP and online messages on certain port. If I disable STP from my Aruba controller I get excessive broadcast errors.

HP settings are globally enable STP and force RSTP, no other settings.
Aruba STP settings are default, globally enabled.

Any help on this?

Are you using a port-channel or are they two independent switched ports?

3000 series controllers using independent switchports.

Sorry, I'm a little late to this thread. Are the two upstream switches independent or are they stacked/VSS pairs?

They are two separate switches in the lab and as far as I am aware this is the same where it will be implemented.

With RPVST enabled, try running show spantree instead. 

This may not be much help with your current setup, but the ideal one if you were rebuilding the upstream infrastructure would be a cross-stack port-channel (multichasis etherchannel, whatever else people call it). Anytime that I have deployed a controller with upstream devices in the same segment, I always use LACP port-channels with short timers. You can avoid a lot of the spanning-tree headaches and you also gain load balancing so both links are actively forwarding traffic.

I'm very interested to hear what others have done with standalone upstream switches and spanning-tree. 

Another question - how do the Instant APs with multiple ports overcome the issue of loops - can STP be configured on the devices, do they generate BPDUs etc.

Starting in Instant 4.0, spanning-tree is supported in wired-profiles. I'm not sure how it was handled prior to 4.