Example: Configuring BPDU Protection on Edge Interfaces to Prevent STP Miscalculations
MX Series routers provide Layer 2 loop prevention through the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate. Other devices (PC bridging applications, for example) also use BPDUs and generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if routers within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of STP miscalculations.
This example configures BPDU protection on MX Series routers that use RSTP. The upstream configuration is done on the edge interfaces, where outside BPDUs are often received from other devices.
Requirements
This example uses the following hardware and software components:
- Two MX Series routers in an RSTP topology
- Junos OS Release 13.1 or later
Before you configure the interfaces on Router 2 for BPDU protection, be sure you have:
- RSTP enabled on the routers.
Overview
The MX Series routers, being in an RSTP topology, support a loop-free network through the exchange of BPDUs. Receipt of outside BPDUs in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on STP interfaces that could receive outside BPDUs. If an outside BPDU is received on a BPDU-protected interface, the interface shuts down to prevent the outside BPDU from accessing the STP interface.
Figure 1 shows the topology for this example. In this example, Router 1 and Router 2 are configured for RSTP and create a loop-free topology. The interfaces on Router 2 are edge access ports which frequently receive outside BPDUs generated by PC applications.
This example configures interface ge-0/0/5.0 and interface ge-0/0/6.0 as edge ports on Router 2, and then configures BPDU protection on those ports. With BPDU protection enabled, these interfaces shut down when they encounter an outside BPDU sent by the PCs connected to Router 2.
Topology
Figure 1: BPDU Protection Topology

Table 1 describes the components that are configured for BPDU protection.
Table 1: Components of the Topology for Configuring BPDU Protection on MX Series Routers
Property | Settings |
---|---|
Router 1 (Distribution Layer) | Router 1 is connected to Router 2 on a trunk interface. |
Router 2 (Access Layer) | Router 2 has these access ports that require BPDU protection: ge-0/0/5.0 and ge-0/0/6.0. |
This configuration example uses an RSTP topology. You can also configure BPDU protection for STP or MSTP topologies at the [edit protocols (mstp|rstp|vstp)] hierarchy level.
Configuration
CLI Quick Configuration
To quickly configure RSTP on the two Router 2 interfaces and configure BPDU protection on all edge ports on Router 2, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:
Router 2
Configuring Router 2
Step-by-Step Procedure
To configure RSTP on the two Router 2 interfaces, and then configure BPDU protection:
- Configure RSTP on interface ge-0/0/5.0 and interface ge-0/0/6.0, and configure them as edge ports.

    [edit protocols rstp]
    user@Router2# set interface ge-0/0/5.0 edge
    user@Router2# set interface ge-0/0/6.0 edge

- Configure BPDU protection on all edge ports on this router.

    [edit protocols rstp]
    user@Router2# set bpdu-block-on-edge
Results
From configuration mode, confirm your configuration by entering the show configuration protocols rstp command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
Verification
Verify that the configuration is working properly.
- Displaying the Interface State Before BPDU Protection Is Triggered
- Verifying That BPDU Protection Is Working Correctly
Displaying the Interface State Before BPDU Protection Is Triggered
Purpose
Before BPDUs can be received from PCs connected to interface ge-0/0/5.0 and interface ge-0/0/6.0, confirm the interface state.
Action
Use the operational mode command show spanning-tree interface.
    user@Router2> show spanning-tree interface
    Spanning tree interface parameters for instance 0

    Interface    Port ID    Designated      Designated         Port    State  Role
                             port ID        bridge ID          Cost
    ge-0/0/0.0     128:513      128:513  32768.0019e2503f00     20000  BLK    DIS
    ge-0/0/1.0     128:514      128:514  32768.0019e2503f00     20000  BLK    DIS
    ge-0/0/2.0     128:515      128:515  32768.0019e2503f00     20000  BLK    DIS
    ge-0/0/3.0     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG
    ge-0/0/4.0     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG
    ge-0/0/5.0     128:518      128:518  32768.0019e2503f00     20000  FWD    DESG
    ge-0/0/6.0     128:519      128:519  32768.0019e2503f00     20000  FWD    DESG
    [output truncated]
Meaning
The output from the show spanning-tree interface command shows that interface ge-0/0/5.0 and interface ge-0/0/6.0 are ports in a forwarding state.
Verifying That BPDU Protection Is Working Correctly
Purpose
In this example, the PCs connected to Router 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is working on the interfaces.
Action
Use the operational mode command show spanning-tree interface.
    user@Router2> show spanning-tree interface
    Spanning tree interface parameters for instance 0

    Interface    Port ID    Designated      Designated         Port    State  Role
                             port ID        bridge ID          Cost
    ge-0/0/0.0     128:513      128:513  32768.0019e2503f00     20000  BLK    DIS
    ge-0/0/1.0     128:514      128:514  32768.0019e2503f00     20000  BLK    DIS
    ge-0/0/2.0     128:515      128:515  32768.0019e2503f00     20000  BLK    DIS
    ge-0/0/3.0     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG
    ge-0/0/4.0     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG
    ge-0/0/5.0     128:518      128:518  32768.0019e2503f00     20000  BLK    DIS (Bpdu-Incon)
    ge-0/0/6.0     128:519      128:519  32768.0019e2503f00     20000  BLK    DIS (Bpdu-Incon)
    ge-0/0/7.0     128:520        128:1  16384.00aabbcc0348     20000  FWD    ROOT
    ge-0/0/8.0     128:521      128:521  32768.0019e2503f00     20000  FWD    DESG
    [output truncated]
Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Router 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state causes the interfaces to shut down.
Disabling the BPDU protection configuration on an interface does not automatically re-enable the interface. However, if the disable-timeout statement has been included in the BPDU configuration, the interface does return to service after the timer expires. Otherwise, you must use the operational mode command clear error bpdu interface interface-name to unblock and re-enable the interface.
If the PCs connected to Router 2 send BPDUs to the interfaces again, BPDU protection is triggered once more, and the interfaces transition back to the BPDU inconsistent state, causing them to shut down. In such cases, you need to find and repair the misconfiguration on the PCs that are sending BPDUs to Router 2.
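The before-and-after comparison from the Verification section can be automated. The following is an added example, not part of the original Juniper procedure: it parses two captures of show spanning-tree interface and reports edge ports that moved from forwarding to the BPDU inconsistent state. The function names (parse, bpdu_blocked, report) are hypothetical, and the column layout is assumed to match the rows shown on this page.

```python
import re

# Constructed sample: rows taken from the page's two outputs of
# "show spanning-tree interface" (before and after the PCs send BPDUs).
BEFORE = """\
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00     20000  FWD    DESG
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00     20000  FWD    DESG
"""
AFTER = """\
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00     20000  BLK    DIS (Bpdu-Incon)
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00     20000  BLK    DIS (Bpdu\u2014Incon)
ge-0/0/7.0     128:520        128:1  16384.00aabbcc0348     20000  FWD    ROOT
"""

# Assumed row layout: interface, port ID, designated port ID,
# designated bridge ID, port cost, state, role, optional "(flag)".
ROW = re.compile(
    r"^(?P<ifname>\S+-\d+/\d+/\d+\.\d+)\s+(?P<port_id>\d+:\d+)\s+"
    r"(?P<desg_port>\d+:\d+)\s+(?P<desg_bridge>\d+\.[0-9a-f]{12})\s+"
    r"(?P<cost>\d+)\s+(?P<state>\S+)\s+(?P<role>\S+)(?:\s+\((?P<flag>[^)]+)\))?\s*$"
)

def parse(output):
    """Return {interface: row dict}; header and truncation lines are skipped."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            # Copied output may carry a typographic dash in "Bpdu-Incon"; normalize it.
            flag = re.sub(r"[\u2013\u2014]", "-", row["flag"] or "")
            row["bpdu_incon"] = flag.lower() == "bpdu-incon"
            rows[row["ifname"]] = row
    return rows

def bpdu_blocked(before, after):
    """Interfaces that were forwarding and are now BPDU inconsistent."""
    old, new = parse(before), parse(after)
    return [n for n, r in sorted(new.items())
            if r["bpdu_incon"] and r["state"] == "BLK"
            and old.get(n, {}).get("state") == "FWD"]

def report(before, after):
    """One line per tripped port, with the page's manual recovery command."""
    return [f"{n}: FWD -> BLK (Bpdu-Incon); after fixing the attached host: "
            f"clear error bpdu interface {n}" for n in bpdu_blocked(before, after)]

if __name__ == "__main__":
    print("\n".join(report(BEFORE, AFTER)))
```

A port that trips again after being cleared points at a host that is still sending BPDUs, which is the condition the last paragraph says to find and repair.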