How to configure BPDU Protection on STP Interfaces to Prevent STP miscalculations on EX Series Switches

Knowledge Base ID: KB16102
Last Updated: 25 Apr 2012
Version: 2.0

Summary:
EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). BPDU protection is configured on interfaces to prevent them from receiving BPDUs that could result in STP misconfigurations, which could lead to network outages.

Problem or Goal:

Solution:
A loop-free network is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on those interfaces that should not receive BPDUs.

Enable BPDU protection on switch interfaces connected to user devices or on interfaces on which no BPDUs are expected, such as edge ports. If a BPDU is received on a BPDU-protected interface, the interface is disabled and stops forwarding frames.

To configure BPDU protection on the two access interfaces ge-0/0/5 and ge-0/0/6, execute the following commands in the CLI:

[edit protocols rstp]
user@switch# set interface ge-0/0/5 edge
user@switch# set interface ge-0/0/6 edge
user@switch# set bpdu-block-on-edge

The configuration can be verified using the show command:

user@switch> show configuration protocols rstp
interface ge-0/0/5.0 {
    edge;
}
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;

Consider that access interfaces ge-0/0/5 and ge-0/0/6 are connected to PCs (end hosts) that are not supposed to send STP BPDUs. These interfaces will be in the forwarding state after STP convergence.

user@switch> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID    Designated   Designated           Port    State  Role
                         port ID      bridge ID            Cost
ge-0/0/0.0    128:513    128:513      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/1.0    128:514    128:514      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/2.0    128:515    128:515      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/3.0    128:516    128:516      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/4.0    128:517    128:517      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/5.0    128:518    128:518      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/6.0    128:519    128:519      32768.0019e2503f00   20000   FWD    DESG

[output truncated]

Now suppose the PCs start sending BPDUs to the switch on interfaces ge-0/0/5 and ge-0/0/6. Because BPDU protection is enabled on these interfaces, the ports transition to the BPDU inconsistent state and are placed into blocking mode, so no traffic flows through them.

user@switch> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface     Port ID    Designated   Designated           Port    State  Role
                         port ID      bridge ID            Cost
ge-0/0/0.0    128:513    128:513      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/1.0    128:514    128:514      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/2.0    128:515    128:515      32768.0019e2503f00   20000   BLK    DIS
ge-0/0/3.0    128:516    128:516      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/4.0    128:517    128:517      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/5.0    128:518    128:518      32768.0019e2503f00   20000   BLK    DIS (Bpdu-Incon)
ge-0/0/6.0    128:519    128:519      32768.0019e2503f00   20000   BLK    DIS (Bpdu-Incon)
ge-0/0/7.0    128:520    128:1        16384.00aabbcc0348   20000   FWD    ROOT
ge-0/0/8.0    128:521    128:521      32768.0019e2503f00   20000   FWD    DESG
[output truncated]

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state makes the interfaces block and prevents them from forwarding traffic.

In this manner, BPDU protection helps protect user traffic by blocking access ports when they receive a BPDU that could result in Spanning Tree misconfigurations.
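For monitoring, the two outputs shown above can be checked together by a script. The following Python is an added example, not Juniper code: it reads the text of show configuration protocols rstp and show spanning-tree interface and reports which edge ports BPDU protection has blocked. The function names are hypothetical and the sample inputs are abridged from the outputs in this article.

```python
import re
# Constructed sample inputs, abridged from the outputs shown in this article.
CONFIG = """\
interface ge-0/0/5.0 {
    edge;
}
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;
"""
STATUS = """\
Interface     Port ID    Designated   Designated           Port    State  Role
                         port ID      bridge ID            Cost
ge-0/0/4.0    128:517    128:517      32768.0019e2503f00   20000   FWD    DESG
ge-0/0/5.0    128:518    128:518      32768.0019e2503f00   20000   BLK    DIS (Bpdu-Incon)
ge-0/0/6.0    128:519    128:519      32768.0019e2503f00   20000   BLK    DIS (Bpdu-Incon)
ge-0/0/7.0    128:520    128:1        16384.00aabbcc0348   20000   FWD    ROOT
"""

ROW = re.compile(  # one data row: name, two port IDs, bridge ID, cost, state, role, flag
    r"^(?P<ifname>[a-z]+-\d+/\d+/\d+\.\d+)\s+\d+:\d+\s+\d+:\d+\s+"
    r"\d+\.[0-9a-f]{12}\s+\d+\s+(?P<state>\S+)\s+(?P<role>\S+)"
    r"(?:\s+\((?P<flag>[^)]+)\))?\s*$"
)

def edge_ports(config):
    """Interfaces whose rstp stanza contains the 'edge' statement."""
    stanzas = re.findall(r"interface\s+(\S+)\s*\{([^}]*)\}", config)
    return [name for name, body in stanzas if re.search(r"^\s*edge;", body, re.M)]

def tripped_ports(status):
    """Interfaces the switch reports as BPDU inconsistent."""
    rows = (ROW.match(line.strip()) for line in status.splitlines())
    # Accept the em-dash (U+2014) that web copies of this output sometimes carry.
    return [m["ifname"] for m in rows
            if m and (m["flag"] or "").replace("\u2014", "-") == "Bpdu-Incon"]

def audit(config, status):
    """Summarize whether protection is on and which ports it has blocked."""
    edges, tripped = edge_ports(config), tripped_ports(status)
    return {
        "bpdu_block_on_edge": bool(re.search(r"^\s*bpdu-block-on-edge;", config, re.M)),
        "edge_ports": edges,
        "blocked_edge_ports": [p for p in tripped if p in edges],
        "blocked_non_edge": [p for p in tripped if p not in edges],
    }

print(audit(CONFIG, STATUS))
```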

Purpose:
Implementation

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.