Spanning Tree on ArubaOS-Switch

- networking aruba

RSTP Configuration

RSTP should be as easy as turning on spanning tree and optionally configure a priority.

switch(config)# spanning-tree 
switch(config)# spanning-tree priority 0

MSTP Configuration

To configure MSTP properly, you need a config name and revision. Then, you can map VLANs to instances.

switch(config)# spanning-tree <config name>
switch(config)# spanning-tree <config-revision> 
switch(config)# spanning-tree instance 1 vlan 1-10
switch(config)# spanning-tree instance 2 vlan 11-20

BPDU Protection

BPDU protetion shuts down the port if it receives a BPDU. This is a good idea to have on all of your access ports. Optionally, configure a timeout to re-enable the port automatically. This is used when running RSTP or MSTP.

switch(config)# spanning-tree <post list> bpdu-protection 
switch(config)# spanning-tree bpdu-protection-timeout 120

BPDU Filtering

BPDU filtering discards BPDUs received on a port. This is a dangerous setup, because the port will always remain in the forwarding state and not participate in spanning tree, potentially allowing looops to occur.

switch(config)# spanning-tree <post list> bpdu-filter

Root Guard

Root guard is supported in MSTP or RPVST+ mode. Root guard is similar to BPDU protection or PVST protection. It ensures the root bridge remains the root bridge. Rather than blocking the port when receiving any BPDUs, the port is blocked when the port receives superior BPDUs that could create a topology change. The switch puts the port into a “root-inconsistent” state when it receives superior BPDUs and does not forward traffic. This configuration is recommended on all ports that are not connected to other switches.

switch(config)# spanning-tree <post list> root-guard 

BPDU Throttling

BPDU throttling is enabled by default to prevent a malicious or poorly configured device from DDoS-ing the switch. The default rate is 256 pps but can be changed.

STP Loop Guard

STP loop guard helps detect failures in the case of a unidirectional link. It places the port into a “loop inconsistent” state when this failure mode occurs. This should be typically used on switch-to-switch links. When using loop guard in MST mode, you enable it for the whole port, but it works on a instance-by-instance basis.

Loop Protection

Loop protection helps identify and protect your network from loops creating by devices which spanning-tree cannot detect. For example, some small workgroup switches are known to simply drop BPDUs. In this case, this small workgroup switch could create a loop and your network would be unaware.

By default, loop protect uses port mode. The ports send loop protection packets every 5 seconds and if a port receives a loop protection packet that it sent, the switch knows there is a loop in the network. The default action in this case is send-disable which the sending port is disabled. Alternatively, the port can be set in a no-disable option, which logs the infraction but does not disable the port.

Loop protection packets are sent untagged and will only be transmitted on ports where loop protection is enabled and there is an untagged VLAN configured. If you need to send VLAN tagged packets for loop protection, enable loop protect VLAN mode.

switch(config)# loop-protect mode port
switch(config)# loop-protect <port list>

VLAN mode:

switch(config)# loop-protect mode vlan 
switch(config)# loop-protect <port list> 

UDLD

Unidirectional Link Detection helps identify unidirectional links and shut them down. The switches on either end send the device ID and port ID as well as its neighbor ID and port ID. If the switch detects a unidirectional link, the port will be blocked. By default, these packets are sent untagged. If there are no untagged VLANs on the port with UDLD enabled, you will need to specify which VLAN to transmit them on.

switch(config)# interface <#> link-keepalive 
switch(config)# interface <#> link-keepalived vlan <vlan id> 

Rapid PVST+ Support

To configure RPSVT+ and set some VLAN priorities, execute teh follwoing commands. Remember, you also need to enable spanning-tree itself.

switch(config)# spanning-tree mode rapid-pvst
switch(config)# spanning-tree vlan 4 priority 0
switch(config)# spanning-tree vlan 6 priority 1 
switch(config)# spanning-tree 

PVST Protection

PVST protection is similar to BPDU protection, but for switches running RPVST+. It also supports a timeout.

switch(config)# spanning-tree <port list> pvst-protection
switch(config)# spanning-tree bpdu-protection-timeout 120