Support Support Downloads Knowledge Base Service Request Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX] How to configure BPDU Protection on NON-STP Interfaces to Prevent STP Miscalculations

0

0

Article ID: KB16103 KB Last Updated: 30 Oct 2019Version: 2.0
Summary:

EX Switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). BPDU protection is configured on non-STP interfaces that are connected to switches with spanning tree to prevent the non-STP interfaces from receiving BPDUs. When non-STP interfaces receive BPDUs, it can result in an STP misconfiguration, which could lead to network outages.

Solution:

A loop-free network is supported through the exchange of a special type of frame called "bridge protocol data unit"(BPDU). Receipt of BPDUs on certain interfaces can lead to network outages by triggering an STP miscalculation. Enable BPDU protection on those interfaces that should not receive BPDUs.

Enable BPDU protection on interfaces on which BPDUs are NOT expected, such as access ports connected to user devices. If BPDUs are received on a BPDU-protected interface, the interface transitions to a blocking state and stops forwarding frames.

Caution: When configuring BPDU protection on a non-STP configured switch connected to an STP-configured switch, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on interfaces (such as a trunk interface) that should be receiving BPDUs from an STP-configured switch.

Let's consider that two ports ge-0/0/5 and ge-0/0/6 are not running any spanning tree protocol and these ports are connected to PCs (end hosts). The PCs are not supposed to send spanning tree BPDUs. The BPDU protection can be configured on these non-STP ports by executing the following commands in CLI

[edit ethernet-switching-options]
user@switch# set bpdu-block interface ge-0/0/5
user@switch#
set bpdu-block interface ge-0/0/6

To check the results of the configuration:

user@switch> show ethernet-switching-options
bpdu-block {

interface ge-0/0/5.0;
interface ge-0/0/6.0;
}

Before the BPDUs are recieved on these interfaces these interfaces will not be blocked and will forward user traffic:

user@switch> show ethernet-switching interfaces

Interface State VLAN members Blocking
ge-0/0/0.0 down default unblocked
ge-0/0/1.0 down default unblocked
ge-0/0/2.0 down default unblocked
ge-0/0/3.0 up default unblocked
ge-0/0/4.0 up v1 unblocked
ge-0/0/5.0 up v1 unblocked
ge-0/0/6.0 up default unblocked

[output truncated]

Now, lets assume that the PCs connected to ge-0/0/5 and ge-0/0/6 start sending STP BPDUs. Since the bpdu block is enabled on these interfaces, the reception of BPDUs on these interfaces triggers the BPDU protection feature and puts these ports into blocking mode:

user@switch> show ethernet-switching interfaces

Interface State VLAN members Blocking
ge-0/0/0.0 up default unblocked
ge-0/0/1.0 up default unblocked
ge-0/0/2.0 up default unblocked
ge-0/0/3.0 up default unblocked
ge-0/0/4.0 up v1 unblocked
ge-0/0/5.0 down v1 blocked - blocked by bpdu-control
ge-0/0/6.0 down default blocked - blocked by bpdu-control
[output truncated]
 

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on the Switch, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state makes the interfaces shut down and prevents them from forwarding traffic.

 

Thus BPDU protection can be configured on non STP interfaces of a switch to protect the switch from causing unwanted spanning tree misconfiguration when it recieves a BPDU on access ports.

Recovery:

BPDU error recovery can be performed manually or dynamically by using a pre-defined configuration.

The command used to manually recover the BPDU error is as follows:

{master:0}[edit]
user@switch# run clear ethernet-switching bpdu-error 

OR

This error can also be dynamically recovered by using the following configuration:

{master:0}[edit]
user@switch # show ethernet-switching-options 
bpdu-block {
   disable-timeout 10;
}
Modification History:
2019-10-30: Added recovery steps.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Security Alerts and Vulnerabilities

Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search