Using admin-edge-port and bpdu-filter

Occasional Contributor

On an Aruba switch I've 4 ESXi switches connected to A3-A6. According to this VMware article, the admin-edge-port should be applied to these ports. Now I'm using the following command:

spanning-tree A3-A6 admin-edge-port

I also applied bpdu-filter on these ports so that the ports will always remain in their 'forwarding' state.

spanning-tree A3-A6 admin-edge-port bpdu-filter

Is the last one recommended? Does the 'admin-edge-port' include the 'bpdu-filter' or should I use 'bpdu-protection' on these ports? What is the best practice?

Honored Contributor

Re: Using admin-edge-port and bpdu-filter

That is an article written by non-network people. For starters, they are referring to a very old implementation of STP that is no longer current. Secondly, the outage caused by STP that they are referring to should never happen anyway in a properly designed and maintained network. In other words, if these issues occur, then you need to fix them in the network, not by applying a network bodge dreamed up by a server guy.

When I first had ESXi servers running VMware being added to my networks it didn't take me long to realise that I could not rely on the VMware administrator to not break my network as he was playing with vswitches and messing with Layer2 and Layer3 functionality that he did not even remotely understand.

So I established that the best thing was to *route* not *switch* between the VMware environment and my network. He still needed a couple of VLANs spanned between datacentres, but nothing else was on those so he couldn't break anything that I was responsible for. So I had no STP passing between VMware and my network.
Several months after I came to this conclusion and forced its implementation, a VMware guy working on a nearby very large client site (10,000 employees) did exactly what I had predicted could happen and knocked out that organisation's network for half a day.

Frequent Advisor

Re: Using admin-edge-port and bpdu-filter

I fully agree with Vince here. But I have to say that I know one (1) server guy who is also really good at networking. Due to that, he configures his switches himself most of the time.

But back to your question if admin-edge is the same as or includes bpdu-filter:
admin-edge sets the port to forwarding.
bpdu-filter stops the port from sending BPDUs over this port.
bpdu-protection shuts down the port the moment a BPDU is received on this port. The port needs to be manually activated again.


Richard Litchfield
Respected Contributor

Re: Using admin-edge-port and bpdu-filter

Be very careful with bpdu-filter. Since it holds the port in the forwarding state, a loop condition would not be stopped at that port. I have seen building networks stop when bpdu-filter was incorrectly applied to multiple ports and a loop was later introduced.

I sometimes use bpdu-filter when connecting mismatched spanning tree domains (e.g. in the lab, at events, etc.). Layer 3 would be better, but it is not always possible.
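
An added example, not part of any post in this thread: a small Python audit that reads `spanning-tree <port-list> <option>` lines like the ones in the question and lists which ports carry bpdu-filter (the loop risk described in the last reply) and which admin-edge ports have no bpdu-protection. The sample config is constructed, the function names are hypothetical, and treating an edge port without bpdu-protection as a finding is this example's own assumption.

```python
import re

# Constructed sample of ProVision-style config lines (not from a real switch).
SAMPLE_CONFIG = """\
spanning-tree
spanning-tree A1-A2 admin-edge-port bpdu-protection
spanning-tree A3-A6 admin-edge-port
spanning-tree A3-A6 bpdu-filter
spanning-tree B1,B3-B4 bpdu-filter
spanning-tree priority 1
"""
OPTIONS = ("admin-edge-port", "bpdu-filter", "bpdu-protection")
PORT_RE = re.compile(r"^([A-Za-z]*)(\d+)$")

def expand_ports(port_list):
    """Expand 'A3-A6,B1' into ['A3', 'A4', 'A5', 'A6', 'B1']."""
    ports = []
    for item in port_list.split(","):
        first, _, last = item.partition("-")
        lo, hi = PORT_RE.match(first), PORT_RE.match(last or first)
        if not lo or not hi or lo.group(1) != hi.group(1):
            raise ValueError(f"unsupported port range: {item!r}")
        ports += [f"{lo.group(1)}{n}" for n in range(int(lo.group(2)), int(hi.group(2)) + 1)]
    return ports

def port_options(config):
    """Map each port to the spanning-tree options configured on it."""
    result = {}
    for line in config.splitlines():
        words = line.split()
        # Per-port lines: spanning-tree <port-list> <option> [<option> ...]
        if len(words) < 3 or words[0] != "spanning-tree":
            continue
        if not PORT_RE.match(re.split(r"[,-]", words[1])[0]):
            continue  # global setting such as "spanning-tree priority 1"
        for port in expand_ports(words[1]):
            result.setdefault(port, set()).update(w for w in words[2:] if w in OPTIONS)
    return result

def audit(config):
    """Return (ports with bpdu-filter, edge ports without bpdu-protection)."""
    opts = port_options(config)
    filtered = sorted(p for p, o in opts.items() if "bpdu-filter" in o)
    unguarded = sorted(p for p, o in opts.items()
                       if "admin-edge-port" in o and "bpdu-protection" not in o)
    return filtered, unguarded

if __name__ == "__main__":
    filtered, unguarded = audit(SAMPLE_CONFIG)
    print("bpdu-filter (loop not stopped at port):", filtered)
    print("edge port without bpdu-protection:", unguarded)
```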