Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Example: Configuring BPDU Protection on Edge Interfaces to Prevent STP Miscalculations


SRX Series devices provide Layer 2 loop prevention through Rapid Spanning Tree protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate. Other devices—PC bridging applications, for example, also use BPDUs and generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if devices within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of STP miscalculations.

This example configures BPDU protection on a SRX Series device that uses RSTP. The upstream configuration is done on the edge interfaces, where outside BPDUs are often received from other devices:


This example uses the following software and hardware components:

  • Two SRX Series devices in an RSTP topology

  • Junos OS Release 15.1X49-D70 or later

Before you configure the interfaces on device 2 for BPDU protection, be sure you have:

  • RSTP enabled on the devices.


The devices, being in an RSTP, support a loop-free network through the exchange of BPDUs. Receipt of outside BPDUs in an RSTP or MSTP, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on spanning tree interfaces that could receive outside BPDUs. If an outside BPDU is received on a BPDU-protected interface, the interface shuts down to prevent the outside BPDU from accessing the spanning tree interface.

In this example, device 1 and device 2 are configured for RSTP. The interfaces on device 2 are edge access ports—edge access ports frequently receive outside BPDUs generated by PC applications.

This example configures interface ge-0/0/5 and interface ge-0/0/6 as edge ports on device 2, and then configures BPDU protection on those ports. With BPDU protection enabled, these interfaces shut down when they encounter an outside BPDU sent by the PCs connected to device 2.


To configure BPDU protection on two access interfaces:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.


This example configures BPDU protection on specific interfaces. SRX Series devices with support for the Enhanced Layer 2 Software (ELS) configuration style, you can also configure BPDU protection globally on all spanning tree interfaces. See Configuring BPDU Protection on Spanning Tree Interfaces for additional information.

Step-by-Step Procedure

To configure RSTP on the two device 2 interfaces, and then configure BPDU protection:

  1. Configure RSTP on interface ge-0/0/5 and interface ge-0/0/6, and configure them as edge ports:
    [edit protocols rstp]

    user@host# set interface ge-0/0/5 edge

    user@host# set interface ge-0/0/6 edge
  2. Configure BPDU protection on all edge ports on this device:
    [edit protocols rstp]

    user@host# set bpdu-block-on-edge


Check the results of the configuration:


To confirm that the configuration is working properly:

Displaying the Interface State Before BPDU Protection Is Triggered


Before BPDUs can be received from PCs connected to interface ge-0/0/5 and interface ge-0/0/6, confirm the interface state.


Use the operational mode command:

user@host> show spanning-tree interface


The output from the operational mode command show spanning-tree interface shows that ge-0/0/5 and interface ge-0/0/6 are ports in a forwarding state.

Verifying That BPDU Protection Is Working Correctly


In this example, the PCs connected to device 2 start sending BPDUs to interface ge-0/0/5 and interface ge-0/0/6. Verify that BPDU protection is working on the interfaces.


Use the operational mode command:

user@host> show spanning-tree interface


When BPDUs are sent from the PCs to interface ge-0/0/5 and interface ge-0/0/6 on device 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state causes the interfaces to shut down.

Disabling the BPDU protection configuration on an interface does not automatically reenable the interface. However, if the disable-timeout (Spanning Trees) statement has been included in the BPDU configuration, the interface does return to service after the timer expires. Otherwise, you must use the operational mode command clear error bpdu to unblock and reenable the interface.

If the PCs connected to device 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state, causing them to shut down. In such cases, you need to find and repair the misconfiguration on the PCs that is sending BPDUs to device 2.