[EX] How to configure BPDU Protection on STP Interfaces to Prevent STP miscalculations

Article ID: KB16102 KB Last Updated: 30 Oct 2019 Version: 3.0
Summary:

EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). BPDU protection is configured on interfaces to prevent them from receiving BPDUs that could result in STP misconfigurations, which could lead to network outages.

Solution:

A loop-free network is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on those interfaces that should not receive BPDUs.

Enable BPDU protection on switch interfaces connected to user devices or on interfaces on which no BPDUs are expected, such as edge ports. If a BPDU is received on a BPDU-protected interface, the interface is disabled and stops forwarding frames.

To configure BPDU protection on two access interfaces, ge-0/0/5 and ge-0/0/6, execute the following commands in the CLI:

[edit protocols rstp]
user@switch# set interface ge-0/0/5 edge
user@switch# set interface ge-0/0/6 edge
user@switch# set bpdu-block-on-edge

 

The configuration can be verified using the show command:

user@switch> show configuration protocols rstp
interface ge-0/0/5.0 {
    edge;
}
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;


Let us consider that ge-0/0/5 and ge-0/0/6 access interfaces are connected to PCs (end hosts) which are not supposed to send STP BPDUs. These interfaces will be in forwarding state after the STP convergence.

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated    Designated            Port    State  Role
                        port ID       bridge ID             Cost
ge-0/0/0.0   128:513    128:513       32768.0019e2503f00    20000   BLK    DIS
ge-0/0/1.0   128:514    128:514       32768.0019e2503f00    20000   BLK    DIS
ge-0/0/2.0   128:515    128:515       32768.0019e2503f00    20000   BLK    DIS
ge-0/0/3.0   128:516    128:516       32768.0019e2503f00    20000   FWD    DESG
ge-0/0/4.0   128:517    128:517       32768.0019e2503f00    20000   FWD    DESG
ge-0/0/5.0   128:518    128:518       32768.0019e2503f00    20000   FWD    DESG
ge-0/0/6.0   128:519    128:519       32768.0019e2503f00    20000   FWD    DESG

[output truncated]

Now suppose the PCs start sending BPDUs to the switch on interfaces ge-0/0/5 and ge-0/0/6. Because BPDU protection is enabled on these interfaces, the ports transition to a BPDU inconsistent state and are placed into Blocking mode, and no traffic flows through them.

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID    Designated    Designated            Port    State  Role
                        port ID       bridge ID             Cost
ge-0/0/0.0   128:513    128:513       32768.0019e2503f00    20000   BLK    DIS
ge-0/0/1.0   128:514    128:514       32768.0019e2503f00    20000   BLK    DIS
ge-0/0/2.0   128:515    128:515       32768.0019e2503f00    20000   BLK    DIS
ge-0/0/3.0   128:516    128:516       32768.0019e2503f00    20000   FWD    DESG
ge-0/0/4.0   128:517    128:517       32768.0019e2503f00    20000   FWD    DESG
ge-0/0/5.0   128:518    128:518       32768.0019e2503f00    20000   BLK    DIS (Bpdu-Incon)
ge-0/0/6.0   128:519    128:519       32768.0019e2503f00    20000   BLK    DIS (Bpdu-Incon)
ge-0/0/7.0   128:520    128:1         16384.00aabbcc0348    20000   FWD    ROOT
ge-0/0/8.0   128:521    128:521       32768.0019e2503f00    20000   FWD    DESG
[output truncated]

 

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state makes the interfaces block and prevents them from forwarding traffic.

In this manner, BPDU protection helps protect user traffic by blocking access ports when a BPDU is received on them, since such BPDUs may result in spanning-tree misconfigurations.
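
One way to check this from collected CLI output, as an added example that is not Juniper code: the Python below parses text in the layout of the two show commands above, reports edge interfaces configured without bpdu-block-on-edge, and lists ports currently held in the BPDU inconsistent state. The sample strings are constructed, and the function names are assumptions of this example.

```python
import re

# Constructed samples, modelled on the command output shown in this article.
SAMPLE_CONFIG = """\
interface ge-0/0/5.0 {
    edge;
}
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;
"""
SAMPLE_STATUS = """\
Interface   Port ID  Designated  Designated          Port   State  Role
                     port ID     bridge ID           Cost
ge-0/0/5.0  128:518  128:518     32768.0019e2503f00  20000  BLK    DIS (Bpdu-Incon)
ge-0/0/6.0  128:519  128:519     32768.0019e2503f00  20000  BLK    DIS (Bpdu-Incon)
ge-0/0/7.0  128:520  128:1       16384.00aabbcc0348  20000  FWD    ROOT
"""
# Row: ifname, port ID, designated port ID, bridge ID, cost, state, role, (flag)
ROW = re.compile(r"^(\S+-\d+/\d+/\d+\.\d+)\s+\S+\s+\S+\s+\S+\s+\d+\s+(\S+)\s+(\S+)"
                 r"(?:\s+\(([^)]+)\))?$")

def parse_rstp_config(text):
    """Return (set of edge interfaces, True if bpdu-block-on-edge is set)."""
    edge = {m.group(1) for m in re.finditer(r"interface\s+(\S+)\s*\{([^}]*)\}", text)
            if re.search(r"\bedge\s*;", m.group(2))}
    return edge, re.search(r"^\s*bpdu-block-on-edge\s*;", text, re.M) is not None

def parse_status(text):
    """Map interface name -> (state, role, flag) for each table row."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group(1)] = (m.group(2), m.group(3), m.group(4) or "")
    return rows

def audit(config_text, status_text):
    """Summarise BPDU protection coverage and ports currently blocked by it."""
    edge, blocking = parse_rstp_config(config_text)
    tripped = sorted(i for i, r in parse_status(status_text).items()
                     if r[2].lower() == "bpdu-incon")
    return {"bpdu_block_on_edge": blocking,
            # Edge ports are only protected when bpdu-block-on-edge is also set.
            "unprotected_edge": [] if blocking else sorted(edge),
            "tripped": tripped,
            "tripped_not_edge": [i for i in tripped if i not in edge]}
```

Calling audit(SAMPLE_CONFIG, SAMPLE_STATUS) returns a dictionary suitable for alerting; a non-empty "tripped" list means a host-facing port received a BPDU and is now blocked.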

Recovery:

BPDU error recovery can be performed manually or dynamically by using a pre-defined configuration.

The command used to manually recover the BPDU error is as follows:

{master:0}[edit]
user@switch# run clear ethernet-switching bpdu-error 
OR

This error can also be dynamically recovered by using the following configuration:

{master:0}[edit]
user@switch# show ethernet-switching-options
bpdu-block {
   disable-timeout 10;
}
Modification History:
2019-10-30: Added recovery steps.
