Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring BPDU Protection on Interfaces to Prevent STP Miscalculations on EX Series Switches

Spanning-tree protocols support loop-free network communication through the exchange of a special type of frame called a bridge protocol data unit (BPDU). However, when BPDUs generated by spanning-tree protocols are communicated to devices on which spanning-tree protocols are not configured, these devices recognize the BPDUs, which can lead to network outages. You can, however, enable BPDU protection on switch interfaces to prevent BPDUs generated by spanning-tree protocols from passing through those interfaces. When BPDU protection is enabled, an interface shuts down or drops BPDU packets when any incompatible BPDU is encountered, thereby preventing the BPDUs generated by spanning-tree protocols from reaching the switch. When an interface is configured to drop BPDU packets, all traffic except the incompatible BPDUs can pass through the interface.

Note: The BPDU drop feature can be specified only on interfaces on which no spanning-tree protocol is configured.

This example configures BPDU protection on STP switch downstream interfaces that connect to two PCs:

Requirements

• One EX Series switch in an RSTP topology
• One EX Series switch that is not in any spanning-tree topology
• Junos OS Release 9.1 or later for EX Series switches

• Ensured that RSTP is operating on Switch 1.
• Disabled or enabled RSTP on Switch 2 (depending on the configuration that you plan to implement.)

  If you want to enable the BPDU shutdown feature, then it is optional to disable spanning-tree protocols on the interface.

Note: By default, RSTP is enabled on all EX Series switches.

Overview and Topology

EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a BPDU to communicate. Other devices also use BPDUs—PC bridging applications, for example, generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if switches within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of the miscalculations caused by the outside BPDUs. Therefore, you must configure BPDU protection on interfaces in a spanning-tree topology to avoid network outages.

This example explains how to block outside BPDUs from reaching a switch interface connected to devices that are not part of the STP topology. This example addresses two scenarios. In the first scenario, an interface is shutdown when it encounters an outside BPDU. In the second scenario, an interface drops only BPDU packets while retaining the status of the interface as up and allowing all other traffic to pass through the interface.

Figure 1 shows the topology for this example. Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured for RSTP while Switch 2 has a spanning-tree protocol configured on it for the first scenario, and does not have a spanning-tree protocol configured on it for the second scenario.

In the first scenario, this example configures downstream BPDU protection on Switch 2 interfaces ge-0/0/5.0 and ge-0/0/6.0 when the default spanning-tree protocol (RSTP) is not disabled on these interfaces. When BPDU protection is enabled with the shutdown statement, the switch interfaces will shut down if BPDUs generated by the laptops attempt to access Switch 2.

In the second scenario, this example configures downstream BPDU protection on Switch 2 interfaces ge-0/0/5.0 and ge-0/0/6.0 when the default spanning-tree protocol (RSTP) is disabled on these interfaces. When BPDU protection is enabled with the drop statement, the switch interfaces drop only the BPDUs while allowing remaining traffic to pass through and retaining their status as up if BPDUs generated by the laptops attempt to access Switch 2.

Caution: When configuring BPDU protection on an interface without spanning trees connected to a switch with spanning trees, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on switch interfaces (such as a trunk interface) that you intended to have receive BPDUs from a switch with spanning trees.

Figure 1: BPDU Protection Topology

Table 1 shows the components that will be configured for BPDU protection.

Configuration

To configure BPDU protection on the interfaces:

CLI Quick Configuration

This is the first scenario that explains configuration for the shutdown statement. To quickly configure BPDU protection on Switch 2 for the shutdown statement, copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

1. Configure the BPDU shutdown statement on the downstream interface ge-0/0/5.0 on Switch 2:
   [edit ethernet-switching-options]

   user@switch# set bpdu-block interface ge-0/0/5.0 shutdown
2. Configure the BPDU shutdown statement on the downstream interface ge-0/0/6.0 on Switch 2:
   [edit ethernet-switching-options]

   user@switch# set bpdu-block interface ge-0/0/6.0 shutdown

Results

Check the results of the configuration:

CLI Quick Configuration

This is the second scenario that explains configuration for the drop statement. To quickly configure BPDU protection on Switch 2 for the drop statement, copy the following commands and paste them into the switch terminal window:

Note: You can also disable RSTP globally using the delete protocols rstp, the set protocols rstp disable, or the set protocols rstp interface all disable command.

Step-by-Step Procedure

1. Disable RSTP on both the interfaces ge-0/0/5.0 and ge-0/0/6.0 interfaces:
   [edit]
user@switch# set protocols rstp interface ge-0/0/5.0 disable
user@switch# set protocols rstp interface ge-0/0/6.0 disable
2. Configure the BPDU drop statement on the downstream interface ge-0/0/5.0 on Switch 2:
   [edit ethernet-switching-options]

   user@switch# set bpdu-block interface ge-0/0/5.0 drop
3. Configure the BPDU drop statement on the downstream interface ge-0/0/6.0 on Switch 2:
   [edit ethernet-switching-options]

   user@switch# set bpdu-block interface ge-0/0/6.0 drop

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

• Displaying the Interface State Before BPDU Protection Is Triggered
• Verifying That BPDU Shutdown Protection Is Working Correctly
• Verifying That BPDU Drop Protection Is Working Correctly

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before any BPDUs can be received on Switch 2 on either interface ge-0/0/5.0 or interface ge-0/0/6.0, confirm the state of those interfaces.

Action

Interface    State  VLAN members     Tag   Tagging    Blocking
ge-0/0/5.0   up     default               untagged   unblocked
ge-0/0/6.0   up     default               untagged   unblocked

Meaning

The output from the operational mode command show ethernet-switching interfaces shows that ge-0/0/5.0 and interface ge-0/0/6.0 are up and unblocked.

Verifying That BPDU Shutdown Protection Is Working Correctly

Purpose

Verify that BPDU protection is working correctly in the network by checking to see whether BPDUs have been blocked appropriately.

Action

Interface    State  VLAN members     Tag   Tagging     Blocking
ge-0/0/5.0   down   default                untagged    Disabled by bpdu-control
ge-0/0/6.0   down   default                untagged    Disabled by bpdu-control

Meaning

When the BPDUs sent from laptops reached interfaces ge-0/0/5.0 and ge-0/0/6.0 on Switch 2, the interfaces transitioned to a BPDU inconsistent state, shutting down the two interfaces to prevent BPDUs from reaching the laptops.

You need to re-enable the blocked interfaces. There are two ways to do this. If you included the statement disable-timeout (Spanning Trees) in the BPDU configuration, the interface returns to service after the timer expires. Otherwise, use the operational mode command clear ethernet-switching bpdu-error to unblock and re-enable ge-0/0/5.0 and ge-0/0/5.0. This command will only re-enable an interface but the BPDU configuration for the interface will continue to exist unless you remove the BPDU configuration explicitly.

If BPDUs reach the downstream interfaces on Switch 2 again, BPDU protection is triggered again and the interfaces shut down. In such cases, you must find and repair the misconfiguration that is sending BPDUs to interfaces ge-0/0/5.0 and ge-0/0/6.0.

Verifying That BPDU Drop Protection Is Working Correctly

Purpose

Verify that BPDU drop protection is working correctly in the network by checking to see whether BPDUs have been blocked appropriately.

Action

Interface    State  VLAN members     Tag   Tagging  Blocking
ge-0/0/5.0   up     default               untagged unblocked-xSTP bpdu 
                                                   filter enabled
ge-0/0/6.0   up     default               untagged unblocked-xSTP bpdu 
                                                   filter enabled

Meaning

When the BPDUs sent from laptops reached interfaces ge-0/0/5.0 and ge-0/0/6.0 on Switch 2, the interfaces dropped those BPDUs to prevent them from reaching Switch 2, and the state of both the interfaces is up.