Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Best practice for AP port configuration

Turimo
New here
‎Feb 8 2023 6:14 AM
‎Feb 8 2023 6:14 AM

Best practice for AP port configuration

Hello,

My wireless data is managed by Meraki AP. On the port that connect the switches to the AP, I've configured my port as trunk,  STP guard as BPDU Guard since from what i understand Meraki AP don't send BPDU but i was wondering if it was wise to setup storm control on AP ports or if it should not be done.

 

Hope you can advice.

Thank you.

 

 

Turimo

0 Kudos
Subscribe
5 Replies 5
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 8 2023 6:26 AM
‎Feb 8 2023 6:26 AM

I never configured the STP BPDU guard on the AP ports,Best Practices to enable BPDU Guard only on access ports (access ports lead to end user devices), but I always configured the storm control, some think like this:

 

 

storm-control broadcast level 20.00 10.00
storm-control multicast level 20.00 10.00
storm-control action shutdown
spanning-tree portfast trunk

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 8 2023 11:08 AM
‎Feb 8 2023 11:08 AM

BPDU Guard is safe on trunks leading to Meraki APs. It is indeed wise to configure it since these APs do not participate to the STP topology.

Storm control is fine but setting high values defeats the purpose.

0 Kudos
Subscribe
In response to RaphaelL
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 8 2023 11:21 AM
‎Feb 8 2023 11:21 AM

@RaphaelL 

 

BPDU guard is enabled globally on all STP portfast ports with the command spanning-tree portfast bpduguard default.

BPDU guard is typically configured with all host-facing ports that are enabled with portfast, but it is not very common to see configured on AP ports.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
In response to alemabrahao
RaphaelL
Kind of a big deal
Kind of a big deal
‎Feb 8 2023 11:34 AM
‎Feb 8 2023 11:34 AM

I'm not sure why you provided IOS commands , but the only downside of enabling bpdu guard on AP ports is that someone could send a bpdu and the port would go into 'err disable' state which would 'DOS' that AP.

 

It also prevents someone from unplugging the AP and plug a switch since Meraki do not support 802.1X auth on trunks so you don't have any other way to protect your network from that behavior. 

Some enterprise prefer 'security' over user experience.   I have mixed feelings over bpdu guard on AP but it can be done.

 

Also if you use SecurePort ( RIP SecureConnect ) it will not override STP settings , so It would keep the bpdu guard from an access port.

 

EDIT :

TLDR : There is no good or bad answer to configure bpdu guard on Meraki AP ports. That's my opinion. Some may agree / disagree

0 Kudos
Subscribe
In response to RaphaelL
alemabrahao
Kind of a big deal
Kind of a big deal
‎Feb 8 2023 11:45 AM
‎Feb 8 2023 11:45 AM

It doesn't matter if is Meraki Switch or Catalyst Switch.

 

 

BPDU guard

BPDUs - Bridge Protocol Data Units - are informational messages communicated between all switches in a Spanning Tree instance to maintain STP consistency. BPDU Guard is used to protect the Spanning Tree topology of a network by enforcing STP domain borders. If a port with BPDU Guard enabled on it receives a BPDU, the port will transition to a disabled state. It is recommended that BPDU Guard be applied to all access ports or client-facing ports that are not intended to be connected to a neighboring switch.

 

 

 

In general, in all the projects I've followed over the years, I've never seen anyone use BPDU guard on AP ports. But it's up to each individual what they want to configure on their network. 🙂

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.