Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

bpdu Filter on Aruba Controller

  • 1.  bpdu Filter on Aruba Controller

    Posted Oct 04, 2018 03:18 PM

    Hi All,

     

    Is there a way to configure BPDU Filter on an Aruba Controller interface?

     

    We connected an Aruba Controller running the latest 6.5 code to a Cisco Nexus switch.

    What we are seeing from the Cisco switch is that the port is in an error-disabled state caused by BPDU Guard configured on the Cisco switch. STP was already disabled on the controller prior to connecting it to the network.

    It seems like the controller is sending BPDUs to the Cisco switch even though STP is disabled on the controller.

     



  • 2.  RE: bpdu Filter on Aruba Controller

    EMPLOYEE
    Posted Oct 04, 2018 03:25 PM

    The controller will not send BPDUs when STP is disabled.

     

    What is usually the case is that Cisco proprietary BPDUs are being received by the controller on other ports. Because they are not seen as BPDUs, they get switched to other ports with the same VLAN and the Nexus triggers on that.

     

    Do you have a diagram of your topology, showing the connections into the controller?



  • 3.  RE: bpdu Filter on Aruba Controller

    Posted Oct 04, 2018 04:20 PM

    Hi Charlie.

     

    Attached is the diagram.

     

    Logs from the Cisco switch

    -------------------------------

    2018 Oct  4 15:06:52.620 CLASAO01S01SWSER01 %ETHPORT-5-IF_ADMIN_UP: Interface Ethernet101/1/36 is admin up .

    2018 Oct  4 15:14:53.420 CLASAO01S01SWSER01 %STP-2-BLOCK_BPDUGUARD: Received BPDU on port Ethernet101/1/36 with BPDU Guard enabled. Disabling port.

    2018 Oct  4 15:14:53.616 CLASAO01S01SWSER01 %ETHPORT-5-IF_DOWN_ERROR_DISABLED: Interface Ethernet101/1/36 is down (Error disabled. Reason:BPDUGuard)

    ---------------------------

    STP status on the Aruba Controller from the show spanning-tree command:

    Spanning-Tree is disabled

     

     



  • 4.  RE: bpdu Filter on Aruba Controller

    EMPLOYEE
    Posted Oct 04, 2018 04:25 PM

    The Nexus switch is seeing BPDUs from the 3850. If BPDU Guard was not enabled, you would likely be getting STP Inconsistency messages on the Nexus due to VLAN number mismatches from the 3850 passing through the controller.

     

    If you enable BPDU filtering on the 3850's port connecting to the controller, the BPDU Guard issue should resolve.



  • 5.  RE: bpdu Filter on Aruba Controller

    Posted Oct 04, 2018 04:38 PM

    The Nexus switch is seeing BPDUs from the port where the Aruba controller is connected.

    There are no cables between the 3850 and the Nexus switch.

    As a test we enabled BPDU Filter on the 3850, but with no success.

     

     

     



  • 6.  RE: bpdu Filter on Aruba Controller

    EMPLOYEE
    Posted Oct 05, 2018 04:39 AM

    I believe I have seen in the past that when you disable STP on the controller, it will start becoming transparent for BPDU frames. So check that you don't have another interface in the same VLAN on the controller that might be receiving BPDUs, resulting in them being forwarded out again on the controller port. Also, I think that APs send out BPDU frames by default, so if the link you are connecting to also carries the AP VLAN from the controller, that could be a source of your BPDUs as well. If you can do a port mirror or see the MAC addresses in some log or debug, you might find out what device is actually sending out the frame.



  • 7.  RE: bpdu Filter on Aruba Controller
    Best Answer

    Posted Oct 05, 2018 02:58 PM

    With the controller port and the Nexus switch port both configured in access mode, the error did not occur. After several configurations we concluded:

    The Nexus switch administrator had defined the trunk port, but had not allowed any VLANs, and in this state the port went into error-disabled.

    At this time both the controller and the Nexus have the ports configured as trunk allowing the VLANs, and it worked successfully.

     

    Thank you very much cclemmer and Herman Robers
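
The port-mirror check suggested in reply 6, combined with the point in reply 2 that Cisco proprietary BPDUs can pass through a device that does not recognise them, as an added example that is not part of the original thread. It classifies mirrored Ethernet frames as IEEE or Cisco PVST+ BPDUs and reports the source MAC and sender bridge MAC; the function names, MAC addresses, VLAN 10 tag and sample frames are all constructed for illustration.

```python
import struct
from collections import Counter
IEEE_STP_DST = bytes.fromhex("0180c2000000")       # 802.1D/RSTP/MST bridge group address
PVST_DST = bytes.fromhex("01000ccccccd")           # Cisco PVST+ / Rapid-PVST+ address
PVST_LLC_SNAP = bytes.fromhex("aaaa0300000c010b")  # LLC SNAP, Cisco OUI, PID 0x010b

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def classify_bpdu(frame):
    """Describe a BPDU frame (FCS stripped) as a dict, or return None if it is not one."""
    if len(frame) < 22:
        return None
    dst, src, off, vlan = frame[0:6], frame[6:12], 12, None
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == 0x8100:                            # 802.1Q tag, as seen on a trunk mirror
        vlan = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    if etype > 1500:                               # Ethernet II; BPDUs use 802.3 + LLC
        return None
    if dst == IEEE_STP_DST and frame[off + 2:off + 5] == b"\x42\x42\x03":
        kind, body = "ieee-stp", frame[off + 5:]
    elif dst == PVST_DST and frame[off + 2:off + 10] == PVST_LLC_SNAP:
        kind, body = "cisco-pvst+", frame[off + 10:]
    else:
        return None
    info = {"kind": kind, "src": mac(src), "vlan_tag": vlan, "sender_bridge": None}
    if len(body) >= 25 and body[3] in (0x00, 0x02):   # config or RST BPDU, not TCN
        info["sender_bridge"] = mac(body[19:25])      # MAC part of the sender bridge ID
    return info

def bpdu_senders(frames):
    """Count BPDUs per (kind, source MAC, sender bridge MAC) to find who originates them."""
    hits = filter(None, map(classify_bpdu, frames))
    return Counter((h["kind"], h["src"], h["sender_bridge"]) for h in hits)

def _sample(dst, src, llc, tag=b""):
    # Constructed config BPDU: header, root ID, cost, bridge ID, port ID, timers
    bpdu = b"\x00" * 5 + b"\x80\x00" + src + b"\x00" * 4 + b"\x80\x00" + src + b"\x80\x01" + b"\x00" * 8
    payload = llc + bpdu
    return dst + src + tag + struct.pack("!H", len(payload)) + payload

SW, AP = bytes.fromhex("020000003850"), bytes.fromhex("0200000000a1")  # constructed MACs
SAMPLE_FRAMES = [
    _sample(PVST_DST, SW, PVST_LLC_SNAP, tag=bytes.fromhex("8100000a")),  # tagged, VLAN 10
    _sample(IEEE_STP_DST, AP, b"\x42\x42\x03"),
    b"\xff" * 6 + SW + b"\x08\x06" + b"\x00" * 46,                        # ARP, not a BPDU
]
```

Feeding it the raw frames from a mirror of the uplink port shows whether the BPDUs that trip BPDU Guard are PVST+ frames being switched through or IEEE BPDUs from a device behind the controller.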