Understanding BPDU Protection for EVPN-VXLAN

 

EVPN-VXLAN data center fabrics have a number of built-in Ethernet loop prevention mechanisms, such as split horizon and the election of designated and non-designated forwarders. In some existing data center environments where a new IP EVPN fabric is being deployed, you might need to configure BPDU protection at the leaf-to-server interface to avoid network outages caused by xSTP miscalculations. Incorrect cabling between the server and leaf interfaces, or any back-door Layer 2 link between two or more ESI-LAG interfaces, might cause miscalculations that result in Ethernet loops. Without BPDU protection, BPDUs might not be recognized and will be flooded as unknown Layer 2 packets on the VXLAN interfaces. With BPDU protection, when a BPDU is received on an edge port in an EVPN-VXLAN environment, the edge port is disabled and stops forwarding all traffic. You can also configure BPDU protection to drop only the BPDU traffic while all other traffic is still forwarded on the interfaces, without having to configure a spanning-tree protocol.

Enabling BPDU Protection on Edge Ports on Access and Leaf Devices with STP, MSTP, and RSTP Configured

In this procedure, RSTP is being configured, but it works the same way for STP and MSTP.

  1. To enable edge port blocking for RSTP:
    [edit]

    user@host# set protocols rstp bpdu-block-on-edge
  2. Configure RSTP on edge ports that are either access or trunk interfaces.

    Note: Edge ports can be access or trunk ports.

    To configure RSTP on edge ports:

    [edit]

    user@host# set protocols rstp interface interface-name edge

    For example:

    [edit]

    user@host# set protocols rstp interface ae0 edge

    In this example, ae0 is an ESI-LAG interface.

Enabling BPDU Protection on Access and Leaf Devices without STP, MSTP, or RSTP Configured

  1. To enable BPDU protection on access and leaf devices without STP, MSTP, or RSTP configured:
    [edit]

    user@host# set protocols layer2-control bpdu-block interface interface-name

    For example:

    [edit]

    user@host# set protocols layer2-control bpdu-block interface xe-0/0/5.0

Enabling BPDU Protection on Access and Leaf Devices without STP, MSTP, or RSTP Configured and Forwarding Other Traffic

  1. To enable BPDU protection on access and leaf devices without STP, MSTP, or RSTP:
    [edit]

    user@host# set protocols layer2-control bpdu-block interface interface-name drop

    For example:

    [edit]

    user@host# set protocols layer2-control bpdu-block interface xe-0/0/5.0 drop

Automatically Unblocking an Interface Using an Expiry Timer on Access and Leaf Devices

  1. To automatically unblock an interface using an expiry timer on access and leaf devices:

    Note: The range of seconds is between 10 and 3600.

    [edit]

    user@host# set protocols layer2-control bpdu-block disable-timeout seconds

    For example:

    [edit]

    user@host# set protocols layer2-control bpdu-block disable-timeout seconds

Manually Unblocking an Interface on Access and Leaf Devices

  1. To manually unblock an interface on access and leaf devices:
    [edit]

    user@host# run clear error bpdu interface all
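
An added example (not from the original page or from Juniper): a Python audit that reads a configuration in `set` format and reports which server-facing ports are covered by none of the BPDU protection forms configured above, and flags a `disable-timeout` outside the 10 to 3600 range. The function name, the sample configuration and the exact-name interface matching are assumptions.

```python
import re

# Constructed sample in "set" format; interface names and values are illustrative.
SAMPLE_CONFIG = """\
set protocols rstp bpdu-block-on-edge
set protocols rstp interface ae0 edge
set protocols rstp interface ae1
set protocols layer2-control bpdu-block interface xe-0/0/5.0
set protocols layer2-control bpdu-block interface xe-0/0/6.0 drop
set protocols layer2-control bpdu-block disable-timeout 5
"""

XSTP = r"(stp|rstp|mstp)"
L2C = r"set protocols layer2-control bpdu-block"

def audit_bpdu_protection(config_text, server_ports):
    """Hypothetical helper: return (status per port, list of findings)."""
    block_on_edge = set()  # xSTP protocols with bpdu-block-on-edge enabled
    edge_ports = {}        # port -> protocol that marks it as an edge port
    l2c_ports = {}         # port -> "block" (port disabled) or "drop" (BPDUs only)
    findings = []
    for line in config_text.splitlines():
        line = line.strip()
        if m := re.fullmatch(rf"set protocols {XSTP} bpdu-block-on-edge", line):
            block_on_edge.add(m.group(1))
        elif m := re.fullmatch(rf"set protocols {XSTP} interface (\S+) edge", line):
            edge_ports[m.group(2)] = m.group(1)
        elif m := re.fullmatch(rf"{L2C} interface (\S+)( drop)?", line):
            l2c_ports[m.group(1)] = "drop" if m.group(2) else "block"
        elif m := re.fullmatch(rf"{L2C} disable-timeout (\d+)", line):
            if not 10 <= int(m.group(1)) <= 3600:
                findings.append(f"disable-timeout {m.group(1)} outside 10-3600")
    status = {}
    for port in server_ports:  # names must match the config exactly (assumption)
        if port in l2c_ports:
            status[port] = f"layer2-control:{l2c_ports[port]}"
        elif edge_ports.get(port) in block_on_edge:
            # Edge port under a protocol that also has bpdu-block-on-edge set.
            status[port] = f"{edge_ports[port]}:edge-block"
        else:
            status[port] = "unprotected"
            findings.append(f"{port}: no BPDU protection")
    return status, findings

if __name__ == "__main__":
    ports = ["ae0", "ae1", "xe-0/0/5.0", "xe-0/0/6.0"]
    print(audit_bpdu_protection(SAMPLE_CONFIG, ports))
```

In the sample, ae1 runs RSTP but is not marked as an edge port, so `bpdu-block-on-edge` does not cover it and the audit reports it as unprotected.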