AP-303H using Spanning Tree and Loop Protect

The Aruba hospitality line of access points are great for both hotel and dorm installations.  They provide RF close to their clients as well as offer wired ports for devices that need to be plugged in.  One of the common problems with this deployment is that end users loop up the network by either plugging in a small hub with two ports uplinked to the AP or just plugging two of the AP ports into each other.  In the later versions of AOS 8 Aruba has added the ability to configure loop protect which will mitigate this issue.  Here are the profiles that need to be created and modified:

AP System Profile:

Spanning Tree needs to be enabled on the AP System Profile.

h_series_ap_system_profile

 

AP Wired Port Profile:

There are a few nerd knobs inside the AP wired port profile that need to be enabled: Spanning Tree, Portfast, and Loop Protect Enable. If you are plugging in game consoles make sure you enable Portfast or they will stop trying the DHCP process before the port transitions to STP forwarding.  Storm Control Broadcast is another knob that enables the AP to shut down an ethernet port when a loop is detected. I haven’t enabled this knob in production yet so I didn’t enable it in this scenario.

h_series_ap_wired_port_profile

 

Wired AP Profile:

The Wired AP profile controls what the end user experience will be when a device is plugged into one of the AP ethernet ports.  In my scenario I have the ports configured as trusted (no authentication) and Access VLAN 111 (untagged).

h_series_wired_ap_profile

 

That is all of the configuration required.  The rest of this post will be validation that the system is configured and working as expected.

When troubleshooting I usually work in the CLI.  When working with AOS 8 and clustering, the first step when troubleshooting AP issues is to determine which controller in the cluster is the AP Anchor Controller for the AP that you are working with.  The easiest way to get that is by running “show ap radio-database” from the Mobility Master:

show_ap_radio-database

The output gives you a list of all of the active APs in the system as well as Group, type, and Switch IP (AP Anchor Controller).

In this example I’m using AP-303H-1 as my test AP. In the output for that AP it shows the switch IP address is 10.10.11.123.  If you don’t know which controller that is “show switches debug” will provide a list of all of the controllers managed by this Mobility Master:

show_switches_debug.png

The anchor controller for AP-303H-1 is 7008_03.  An easy way to gain access to the console of that controller is to use the “mdconnect” command from the node path of that controller.  Here is an example:

mdc_to_7008_03

A quick way to verify that you are on the console of the correct MD is to issue the “show ap active” command and verify that your AP is in the list:

show_ap_active

To verify your AP group configuration use the “show ap group” command:

show_ap_group

This output will show the profiles that are associated to the AP group.  Next we need to validate our configuration settings for the system profile, Wired AP profile, and AP Port Profiles:

“show ap system-profile”show_ap_system_profile

output continued:

show_ap_system_profile_output

“show ap wired-port-profile”

show_ap_wired-port-profile

“show ap wired-ap-profile”

show_ap_wired-ap-profile

The two debug commands used to troubleshot the interface status are “show ap debug spanning-tree ap-name” and “show ap debug port status ap-name”. 

 

Here are examples of these commands with nothing plugged into eth1 or eth2:

(7008_03) [MDC] #show ap debug spanning-tree ap-name AP-303H-1

show_ap_debug_spanning_no_clients

(7008_03) [MDC] #show ap debug port status ap-name AP-303H-1

show_ap_debug_port_status_no_clients

The next step is to plug in a single laptop into eth1.

Here is the output of these commands with a single device plugged into eth1:

(7008_03) [MDC] #show ap debug spanning-tree ap-name AP-303H-1

show_ap_debug_spanning_one_client

(7008_03) [MDC] #show ap debug port status ap-name AP-303H-1

show_ap_debug_port_status_one_clients

As you can see in the output, port 1 is in Forwarding mode.

Finally, let’s try to blow things up by plugging in a cable directly between eth1 and eth2 causing a loop.

Here is the output when we plug eth1 directly into eth2:

(7008_03) [MDC] #show ap debug spanning-tree ap-name AP-303H-1

show_ap_debug_spanning_loop

(7008_03) [MDC] #show ap debug port status ap-name AP-303H-1

show_ap_debug_port_status_loop

Ports 1 and 2 are STP disabled once the loop is detected.  The Loop-Protect flag is triggered on eth2.

To see the AP debug output issue “show ap debug log ap-name” command:

show_ap_debug_log

show_ap_debug_log_output

To clear the loop protect status on a port issue the “clear ap port” command:

clear_ap_port.png

I hope this post will help prevent users from looping up your network!

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: