LWAPP and BPDUGuard

Answered Question
Feb 26th, 2009

Does anyone know if LWAPP/CAPWAP access points send out BPDUs? I can't think of any reason why they would, but wanted to see if anyone has direct experience.

Correct Answer
Johannes Luther Thu, 02/26/2009 - 07:20
They don't.

My default LWAPP access-port configuration is with BPDUGuard enabled. Never had ERR-DISABLED problems on these ports.

MARK BAKER Thu, 08/22/2013 - 14:14

I know this is an old post, but it most closely discusses the topic of my question. Is it possible for a wireless client to send a BPDU and for it to be forwarded by the LWAP to the switch port causing the port to err-disable and a DoS for other wireless clients? Or, does an LWAP not forward BPDUs between wired and wireless interfaces?


Thank you,

Mark

Leo Laohoo Thu, 08/22/2013 - 15:45
Is it possible for a wireless client to send a BPDU and for it to be forwarded by the LWAP to the switch port causing the port to err-disable and a DoS for other wireless clients?

BPDUs are sent by switches. So the answer to your question is YES if your AP is a WGB and you've got a switch at the end. The switch will send a BPDU up to the local AP, and the local AP will forward the BPDU to the other remote AP. The remote AP will decode and send the BPDU down to the remote switch. The remote switch sees the incoming BPDU and the rest is history.

MARK BAKER Thu, 08/22/2013 - 17:28

Leo,


After I thought about it some more, wouldn't any traffic from a client connected to an LWAP that is centrally switched to the WLC not be seen by the switch itself? I could see this being an issue with HREAP or FlexConnect, but I'm thinking centrally switched LWAPs should be fine. What do you think?


Thank you,

Mark

Leo Laohoo Thu, 08/22/2013 - 17:43
Mark,


As long as it's not a switch, then I believe BPDU guard won't be triggered.

George Stefanick Thu, 08/22/2013 - 17:48
This could be a factor for mesh and Ethernet switching. That traffic gets dumped on the RAP's wired port.

Sent from Cisco Technical Support iPad App
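The thread's concern is that a BPDU reaching a BPDU Guard port with an AP on it err-disables the port and drops every client of that AP. As an added example (not part of the original thread), the script below finds such events in switch syslog and marks ports that trip again after an automatic recovery attempt. The hostnames, ports, AP inventory and log lines are constructed, and the message layout is assumed to follow the usual IOS `%PM-4-ERR_DISABLE` / `%PM-4-ERR_RECOVER` format.

```python
import re
from collections import Counter

# Constructed sample syslog (not from the thread); names, ports and times are made up.
SAMPLE_LOG = """\
Aug 22 14:01:07 sw-access-1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
Aug 22 14:01:07 sw-access-1 %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
Aug 22 14:03:40 sw-access-1 %PM-4-ERR_DISABLE: link-flap error detected on Gi1/0/3, putting Gi1/0/3 in err-disable state
Aug 22 14:06:07 sw-access-1 %PM-4-ERR_RECOVER: Attempting to recover from bpduguard err-disable state on Gi1/0/12
Aug 22 14:06:09 sw-access-1 %SPANTREE-2-BLOCK_BPDUGUARD: Received BPDU on port GigabitEthernet1/0/12 with BPDU Guard enabled. Disabling port.
Aug 22 14:06:09 sw-access-1 %PM-4-ERR_DISABLE: bpduguard error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
"""

# Hypothetical inventory: switch ports known to carry lightweight APs.
AP_PORTS = {("sw-access-1", "Gi1/0/12"): "ap-floor2-07"}

# Matches the err-disable and err-disable-recovery messages (assumed layout).
LINE = re.compile(
    r"(?P<host>\S+) %PM-4-ERR_(?P<kind>DISABLE|RECOVER): "
    r"(?:(?P<cause>\S+) error detected on (?P<dport>\S+),"
    r"|Attempting to recover from (?P<rcause>\S+) err-disable state on (?P<rport>\S+))"
)

def bpduguard_trips(log_text, ap_ports=AP_PORTS):
    """Return one record per port that BPDU Guard err-disabled."""
    trips = Counter()
    recovering = set()   # ports where a bpduguard recovery was attempted
    recurring = set()    # ports that tripped again after such an attempt
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        host = m["host"]
        if m["kind"] == "RECOVER" and m["rcause"] == "bpduguard":
            recovering.add((host, m["rport"]))
        elif m["kind"] == "DISABLE" and m["cause"] == "bpduguard":
            key = (host, m["dport"])
            trips[key] += 1
            if key in recovering:
                recurring.add(key)
    return [
        {"switch": h, "port": p, "trips": n,
         "ap": ap_ports.get((h, p)), "recurring": (h, p) in recurring}
        for (h, p), n in sorted(trips.items())
    ]

if __name__ == "__main__":
    for finding in bpduguard_trips(SAMPLE_LOG):
        print(finding)
```

A record with `recurring` set means the BPDU source was still present when the port came back, so the AP's clients lose service again on each recovery cycle until the source is removed.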
