Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring BPDU Protection on Interfaces to Prevent STP Miscalculations on EX Series Switches

Spanning-tree protocols support loop-free network communication through the exchange of a special type of frame called a bridge protocol data unit (BPDU). However, when BPDUs generated by spanning-tree protocols are communicated to devices on which spanning-tree protocols are not configured, these devices recognize the BPDUs, which can lead to network outages. You can, however, enable BPDU protection on switch interfaces to prevent BPDUs generated by spanning-tree protocols from passing through those interfaces. When BPDU protection is enabled, an interface shuts down or drops BPDU packets when any incompatible BPDU is encountered, thereby preventing the BPDUs generated by spanning-tree protocols from reaching the switch. When an interface is configured to drop BPDU packets, all traffic except the incompatible BPDUs can pass through the interface.

Note: The BPDU drop feature can be specified only on interfaces on which no spanning-tree protocol is configured.

This example configures BPDU protection on STP switch downstream interfaces that connect to two PCs:

Requirements

• One EX Series switch in an RSTP topology
• One EX Series switch that is not in any spanning-tree topology
• Junos OS Release 9.1 or later for EX Series switches

• Ensured that RSTP is operating on Switch 1.
• Disabled or enabled RSTP on Switch 2 (depending on the configuration that you plan to implement.)

  If you want to enable the BPDU shutdown feature, then it is optional to disable spanning-tree protocols on the interface.

Note: By default, RSTP is enabled on all EX Series switches.

Overview and Topology

EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a BPDU to communicate. Other devices also use BPDUs—PC bridging applications, for example, generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if switches within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of the miscalculations caused by the outside BPDUs. Therefore, you must configure BPDU protection on interfaces in a spanning-tree topology to avoid network outages.

This example explains how to block outside BPDUs from reaching a switch interface connected to devices that are not part of the STP topology. This example addresses two scenarios. In the first scenario, an interface is shutdown when it encounters an outside BPDU. In the second scenario, an interface drops only BPDU packets while retaining the status of the interface as up and allowing all other traffic to pass through the interface.

Figure 1 shows the topology for this example. Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured for RSTP while Switch 2 has a spanning-tree protocol configured on it for the first scenario, and does not have a spanning-tree protocol configured on it for the second scenario.

In the first scenario, this example configures downstream BPDU protection on Switch 2 interfaces ge-0/0/5.0 and ge-0/0/6.0 when the default spanning-tree protocol (RSTP) is not disabled on these interfaces. When BPDU protection is enabled with the shutdown statement, the switch interfaces will shut down if BPDUs generated by the laptops attempt to access Switch 2.

Caution: When configuring BPDU protection on an interface without spanning trees connected to a switch with spanning trees, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on switch interfaces (such as a trunk interface) that you intended to have receive BPDUs from a switch with spanning trees.

Figure 1: BPDU Protection Topology

Table 1 shows the components that will be configured for BPDU protection.

Configuration

To configure BPDU protection on the interfaces:

CLI Quick Configuration

This is the first scenario that explains interface automatic shutdown. To quickly configure BPDU protection on Switch 2 , copy the following commands and paste them into the switch terminal window:

Step-by-Step Procedure

1. To shutdown the BPDU interface on the downstream interface ge-0/0/5.0 on Switch 2:
   [edit protocol layer 2]

   user@switch# set bpdu-block interface ge-0/0/5.0
2. To shutdown the BPDU interface on the downstream interface ge-0/0/6.0 on Switch 2:
   [edit protocol layer 2]

   user@switch# set bpdu-block interface ge-0/0/6.0

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

• Displaying the Interface State Before BPDU Protection Is Triggered
• Verifying That BPDU Shutdown Protection Is Working Correctly

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before any BPDUs can be received on Switch 2 on either interface ge-0/0/5.0 or interface ge-0/0/6.0, confirm the state of those interfaces.

Action

Physical interface: ge-0/0/5.0, Enabled, Physical link is Down
  Interface index: 659, SNMP ifIndex: 639, Generation: 161
  Link-level type: Ethernet, MTU: 1514, MRU: 0, Link-mode: Auto, Speed: Auto,
  BPDU Error: Detected, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
  Remote fault: Online, Media type: Copper,
  IEEE 802.3az Energy Efficient Ethernet: Disabled
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x4000
  Link flags     : None
  CoS queues     : 12 supported, 12 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms

Meaning

The output from the operational mode command show interfaces extensive shows that ge-0/0/5.0 a is enabled.

Verifying That BPDU Shutdown Protection Is Working Correctly

Purpose

Verify that BPDU protection is working correctly in the network by checking to see whether BPDUs have been blocked appropriately.

Action

Physical interface: ge-0/0/5.0, Enabled, Physical link is Down
  Interface index: 659, SNMP ifIndex: 639, Generation: 161
  Link-level type: Ethernet, MTU: 1514, MRU: 0, Link-mode: Auto, Speed: Auto,
  BPDU Error: Detected, MAC-REWRITE Error: None, Loopback: Disabled,
  Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled,
  Remote fault: Online, Media type: Copper,
  IEEE 802.3az Energy Efficient Ethernet: Disabled
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x4000
  Link flags     : None
  CoS queues     : 12 supported, 12 maximum usable queues
  Hold-times     : Up 0 ms, Down 0 ms

Meaning

When the BPDUs sent from laptops reached interface ge-0/0/5.0 on Switch 2, the interface transitioned to a BPDU inconsistent state, shutting down the interface to prevent BPDUs from reaching the laptops.

You need to re-enable the blocked interface. There are two ways to do this. If you included the statement disable-timeout(Spanning Trees) in the BPDU configuration, the interface returns to service after the timer expires. Otherwise, use the operational mode command clear error bpdu interface interface-name to unblock and re-enable ge-0/0/5.0. This command will only re-enable an interface but the BPDU configuration for the interface will continue to exist unless you remove the BPDU configuration explicitly.

If BPDUs reach the downstream interface on Switch 2 again, BPDU protection is triggered again and the interface shuts down. In such cases, you must find and repair the misconfiguration that is sending BPDUs to interface ge-0/0/5.0 .