    Understanding BPDU Protection for STP, RSTP, and MSTP

    Networks frequently use multiple protocols simultaneously to achieve different goals, and in some cases those protocols might conflict with each other. One such case is when spanning-tree protocols are active on the network: the special type of switching frame they use, called a bridge protocol data unit (BPDU), can conflict with BPDUs generated on other devices such as PCs. The different kinds of BPDUs are not compatible, but they can still be recognized by other devices that use BPDUs and cause network outages. You need to protect any device that recognizes BPDUs from picking up incompatible BPDUs.

    Different Kinds of BPDUs

    Spanning-tree protocols such as Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP) generate their own BPDUs. These peer STP applications use their BPDUs to communicate, and ultimately, the exchange of BPDUs determines which interfaces block traffic and which interfaces become root ports and forward traffic.

    User bridge applications running on a PC can also generate BPDUs. If these BPDUs are picked up by STP applications running on the device, they can trigger STP miscalculations, and those miscalculations can lead to network outages. Similarly, BPDUs generated by STP protocols can cause problems if they are picked up by devices such as PCs that are not using STP. Some mechanism for BPDU protection must be implemented in these cases.

    Protecting Devices from Incompatible BPDUs

    To protect the state of spanning-tree protocols on devices from outside BPDUs, enable BPDU protection on those interfaces of a device running spanning-tree protocols that are connected to user devices (such as PCs), for example, on edge ports connected to PCs. Use the same strategy when a device on which STP is not configured is connected to another device through a trunk interface that forwards BPDUs generated by spanning-tree protocols. In this case, you protect the device that is not running STP from BPDUs generated by STP on the connected device.

    To prevent a device from forwarding BPDUs generated by spanning-tree protocols to another device, you can enable bpdu-block on an interface.

    • On Juniper Networks SRX Series devices that run Juniper Networks Junos operating system (Junos OS) that supports the Enhanced Layer 2 Software (ELS) configuration style, enable bpdu-block at the [edit protocols layer2-control] hierarchy level. To clear the BPDU error, use clear error bpdu interface.

    When an interface configured with BPDU protection encounters an incompatible BPDU, it drops that BPDU and then either shuts down or continues to receive packets other than spanning-tree protocol BPDUs, depending on the configuration defined in the bpdu-block statement. If the interface remains open after dropping all incompatible BPDUs, all packets except incompatible BPDUs continue to ingress and egress through the interface.

    If the interface shuts down after dropping all BPDUs, you can re-enable the interface as follows:

    • On Juniper Networks SRX Series devices running Juniper Networks Junos operating system (Junos OS) that supports the Enhanced Layer 2 Software (ELS) configuration style:
      • Include the disable-timeout statement at the [edit protocols layer2-control bpdu-block] hierarchy level to enable the interfaces to automatically return to service when the specified timer expires.
      • Issue the operational mode command clear error bpdu interface on the device.
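
The drop, shutdown, and recovery behavior described above can be modeled offline. The following is an added example, not Junos code or part of the original guide: it recognizes spanning-tree BPDUs by their IEEE 802.1D framing and simulates a protected interface. The names `EdgePort`, `shutdown_on_bpdu`, `receive`, and `clear_error` are hypothetical, and the sample frames are constructed.

```python
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                      # DSAP, SSAP, control used by spanning tree
VERSIONS = {0: "STP", 2: "RSTP", 3: "MSTP"}    # protocol version identifier values

def classify_bpdu(frame):
    """Return 'STP', 'RSTP', 'MSTP' or 'unknown-bpdu' for a BPDU, else None."""
    if len(frame) < 21 or frame[0:6] != STP_MULTICAST:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:  # need 802.3 length + LLC, not an EtherType
        return None
    proto_id, version = struct.unpack("!HB", frame[17:20])
    return VERSIONS.get(version, "unknown-bpdu") if proto_id == 0 else None

class EdgePort:
    """Hypothetical model of an interface with BPDU protection enabled."""
    def __init__(self, shutdown_on_bpdu=True, disable_timeout=None):
        self.shutdown_on_bpdu = shutdown_on_bpdu  # assumption: selects shut down vs. drop only
        self.disable_timeout = disable_timeout    # seconds; None means manual clear only
        self.down_since = None

    def receive(self, frame, now):
        """Return 'forward', 'drop-bpdu' or 'drop-port-down' for one ingress frame."""
        if self.down_since is not None:
            expired = self.disable_timeout is not None and now - self.down_since >= self.disable_timeout
            if not expired:
                return "drop-port-down"
            self.down_since = None                # timer expired: interface returns to service
        if classify_bpdu(frame) is None:
            return "forward"                      # non-BPDU traffic is unaffected
        if self.shutdown_on_bpdu:
            self.down_since = now
        return "drop-bpdu"

    def clear_error(self):
        """Models the operator clearing the BPDU error by hand."""
        self.down_since = None

def make_bpdu(version, bpdu_type):
    """Build a constructed BPDU frame truncated to its header fields."""
    payload = LLC_STP + struct.pack("!HBB", 0, version, bpdu_type)
    return STP_MULTICAST + bytes.fromhex("020000000001") + struct.pack("!H", len(payload)) + payload

# Constructed sample frames: an RSTP BPDU header and a broadcast IPv4 frame.
RSTP_BPDU = make_bpdu(2, 0x02)
IPV4_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + bytes(19)
```
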

    Modified: 2017-02-08