Configuring BPDU Protection on Individual Interfaces
On MX Series routers and EX Series switches, you can configure BPDU protection to ignore BPDU received on interfaces where none should be expected. If a BPDU is received on a blocked interface, the interface is disabled and stops forwarding frames. By default, all BPDUs are accepted and processed on all interfaces.
To configure BPDU protection for individual spanning-tree instance interfaces:
- Enable BPDU protection on a specific spanning-tree instance
interface:
[edit]
user@host# edit protocols layer2-control bpdu-block
user@host# set interface interface (aex | (ge-fpc/pic/port | xe-fpc/pic/port)If a BPDU is received on the interface, the system will disable the interface and stop forwarding frames out the interface until the bridging process is restarted.
- (Optional) Configure the amount of time the system waits
before automatically unblocking this interface
after it has received a BPDU.
[edit protocols layer2-contorl bpdu-block interface interface-name]
user@host# set disable-timeout secondsThe range of the seconds option value is from 10 through 3600 seconds (one hour). A seconds option value of 0 is allowed, but this results in the default behavior (the interface is blocked until the interface is cleared).
Verify the configuration of BPDU blocking for individual interfaces:
[edit]interfaces {ge-fpc/pic/port { # VLAN encapsulation on Gigabit Ethernet.encapsulation (ethernet-bridge | extended-vlan-bridge | extended-vlan-vpls | vlan-vpls);}xe-fpc/pic/port { # VLAN encapsulation on 10-Gigabit Ethernet.encapsulation (ethernet-bridge | extended-vlan-bridge | extended-vlan-vpls | vlan-vpls);}ae-X { # VLAN encapsulation encapsulation (ethernet-vpls vlan-vpls); # on Aggregated Ethernet....}ae-X { # Extended VLAN encapsulationvlan-tagging; # on Aggregated Ethernet.encapsulation extended-vlan-vpls;unit logical-unit-number {vlan-id number;......}......}}protocols layer2-control {bpdu-block interface interface-name;disable-timeout seconds;}}
