BPDU Protection for Spanning-Tree Protocols

 

Understanding BPDU Protection for Spanning-Tree Instance Interfaces

MX Series routers, ACX Series routers, and EX Series switches support spanning-tree protocols that prevent loops in a network by creating a tree topology (spanning-tree) of the entire bridged network. All spanning-tree protocols use a special type of frame called bridge protocol data units (BPDUs) to communicate with each other. Other devices in the network, such as PCs, generate their own BPDUs that are not compatible with the spanning-tree BPDUs. When BPDUs generated by other devices are transmitted to switches on which spanning-tree protocols are configured, a misconfiguration can occur in the spanning tree and a network outage can occur. Therefore, it is necessary to protect an interface in a spanning-tree topology from BPDUs generated from other devices.

By default, if a bridge protocol data unit (BPDU) data frame is received on a blocked interface, the system will disable the interface and stop forwarding frames out the interface until the interface is explicitly cleared.

The Spanning Tree Protocol (STP) family is designed to break possible loops in a Layer 2 bridged network. Loop prevention avoids damaging broadcast storms that can potentially render the network useless. STP processes on bridges exchange BPDUs to determine the LAN topology, decide the root bridge, stop forwarding on some ports, and so on. However, a misbehaving user application or device can interfere with the operation of the STP protocols and cause network problems.

On the ACX Series routers, MX Series routers, and EX Series switches only, you can configure BPDU protection to ignore BPDUs received on interfaces where none should be expected (for example, a LAN interface on a network edge with no other bridges present). If a BPDU is received on a blocked interface, the interface is disabled and stops forwarding frames. By default, all BPDUs are accepted and processed on all interfaces.

You can configure BPDU protection on interfaces with the following encapsulation types:

  • ethernet-bridge

  • ethernet-vpls

  • extended-vlan-bridge

  • vlan-vpls

  • vlan-bridge

  • extended-vlan-vpls

You can configure BPDU protection on individual interfaces or on all the edge ports of the bridge.

Enable BPDU protection on interfaces that are configured as edge ports by using the bpdu-block-on-edge command. If you have not configured a port as an edge port, you can still configure BPDU protection on the interface by using the bpdu-block command under the set ethernet-switching-options hierarchy. You can also use the bpdu-block command to configure BPDU protection on interfaces configured for a spanning-tree.

Understanding BPDU Protection for STP, RSTP, and MSTP

Networks frequently use multiple protocols simultaneously to achieve different goals and in some cases those protocols might conflict with each other. One such case is when spanning-tree protocols are active on the network, where a special type of switching frame called a bridge protocol data unit (BPDU) can conflict with BPDUs generated on other devices such as PCs. The different kinds of BPDUs are not compatible, but they can still be recognized by other devices that use BPDUs and cause network outages. You need to protect any device that recognizes BPDUs from picking up incompatible BPDUs.

Different Kinds of BPDUs

Spanning-tree protocols such as Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), VLAN Spanning Tree Protocol (VSTP), and Multiple Spanning Tree Protocol (MSTP) generate their own BPDUs. These peer STP applications use their BPDUs to communicate, and ultimately, the exchange of BPDUs determines which interfaces block traffic and which interfaces become root ports and forward traffic.

User bridge applications running on a PC can also generate BPDUs. If these BPDUs are picked up by STP applications running on the switch, they can trigger STP miscalculations, and those miscalculations can lead to network outages. Similarly, BPDUs generated by STP protocols can cause problems if they are picked up by devices such as PCs that are not using STP. Some mechanism for BPDU protection must be implemented in these cases.

Protecting Switches from Incompatible BPDUs

To protect the state of spanning-tree protocols on switches from outside BPDUs, enable BPDU protection on the interfaces of a switch on which spanning-tree protocols are configured and are connected to user devices (such as PCs)—for example, on edge ports connected to PCs. Use the same strategy when a device on which STP is not configured is connected to a switch through a trunk interface that forwards BPDUs generated by spanning-tree protocols. In this case, you protect the device from BPDUs generated by the STP on the switch.

To prevent a switch from forwarding BPDUs generated by spanning-tree protocols to a device, you can enable bpdu-block on an interface.

  • On Juniper Networks EX Series Ethernet Switches that run Juniper Networks Junos operating system (Junos OS) that supports the Enhanced Layer 2 Software (ELS) configuration style, enable bpdu-block at the [edit protocols layer2-control] hierarchy level. To clear the BPDU error, use clear error bpdu interface.

  • On EX Series switches that run Junos OS that does not support the ELS configuration style, enable bpdu-block at the [edit ethernet-switching-options] hierarchy level. To clear the BPDU error, use clear ethernet-switching bpdu-error interface.

When an interface configured with BPDU protection encounters an incompatible BPDU, it drops that BPDU and then either shuts down or continues to receive packets other than spanning-tree protocol BPDUs, depending on the configuration defined in the bpdu-block statement. If the interface remains open after dropping all incompatible BPDUs, all packets except incompatible BPDUs continue to ingress and egress through the interface.

If the interface shuts down after dropping all BPDUs, you can re-enable the interface as follows:

  • On Juniper Networks EX Series and QFX Series switches running Juniper Networks Junos operating system (Junos OS) that supports the Enhanced Layer 2 Software (ELS) configuration style:

    • Include the disable-timeout statement at the [edit protocols layer2-control bpdu-block] hierarchy level to enable the interfaces to automatically return to service when the specified timer expires.

    • Issue the operational mode command clear error bpdu interface on the switch.

  • On EX Series switches running Junos OS that does not support the ELS configuration style:

    • Include the disable-timeout statement at the [edit ethernet-switching-options bpdu-block] hierarchy level to enable the interfaces to automatically return to service when the specified timer expires.

    • Issue the operational mode command clear ethernet-switching bpdu-error interface on the switch.

Maximum Age for Awaiting Arrival of Hello BPDUs

The maximum age timer specifies the maximum expected arrival time of hello BPDUs. If the maximum age timer expires, the bridge detects that the link to the root bridge has failed and initiates a topology reconvergence.

Tip

The maximum age timer should be longer than the configured hello timer.

Hello Time for Root Bridge to Transmit Hello BPDUs

The hello timer specifies the time interval at which the root bridge transmits configuration BPDUs.

Configuring BPDU Protection for Individual Spanning-Tree Instance Interfaces

To configure BPDU protection on one or more spanning-tree instance interfaces, include the bpdu-block statement:

Note

If you also include the optional disable-timeout seconds statement, blocked interfaces are automatically cleared after the specified time interval unless the interval is 0.

Understanding BPDUs Used for Exchanging Information Among Bridges

In a Layer 2 bridge environment, spanning-tree protocols use data frames called Bridge Protocol Data Units (BPDUs) to exchange information among bridges.

Spanning-tree protocols on peer systems exchange BPDUs, which contain information about port roles, bridge IDs, and root path costs. On each MX Series router or EX Series switch, the spanning-tree protocol uses this information to elect a root bridge, identify root ports for each switch, identify designated ports for each physical LAN segment, and prune specific redundant links to create a loop-free tree topology. The resulting tree topology provides a single active Layer 2 data path between any two end stations.

Note

In discussions of spanning-tree protocols, the terms bridge and switch are often used interchangeably.
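The fields described above (bridge IDs, root path cost, and the maximum age and hello timers) can be read directly from a captured frame when you investigate why a protected port tripped. The following is an added example, not code from Juniper: it assumes an untagged 802.3/LLC frame sent to the IEEE bridge group address 01:80:C2:00:00:00 with the IEEE 802.1D configuration BPDU layout, and the function names and the sample frame are constructed for illustration.

```python
import struct

STP_GROUP_MAC = bytes.fromhex("0180c2000000")  # IEEE bridge group address
LLC_STP = b"\x42\x42\x03"                      # DSAP 0x42, SSAP 0x42, UI control
BPDU_TYPES = {0x00: "config", 0x02: "rst/mst", 0x80: "tcn"}


def _bridge_id(raw):
    """Split an 8-byte bridge ID into (priority, MAC string)."""
    return struct.unpack("!H", raw[:2])[0], ":".join(f"{b:02x}" for b in raw[2:])


def parse_bpdu(frame):
    """Parse an untagged 802.3/LLC frame; return a dict for a BPDU, else None."""
    if len(frame) < 21:
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if frame[0:6] != STP_GROUP_MAC or length > 1500 or frame[14:17] != LLC_STP:
        return None
    body = frame[17:14 + length]          # length covers the LLC header + BPDU
    if len(body) < 4:
        return None
    proto, version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        return None
    info = {
        "src": ":".join(f"{b:02x}" for b in frame[6:12]),
        "version": version,
        "type": BPDU_TYPES.get(btype, f"unknown(0x{btype:02x})"),
    }
    if btype == 0x80:                     # TCN BPDUs carry no further fields
        return info
    if len(body) < 35:
        raise ValueError("truncated configuration BPDU")
    flags, root, cost, bridge, port, age, max_age, hello, fwd = struct.unpack(
        "!B8sI8sHHHHH", body[4:35])
    info.update(
        flags=flags, root=_bridge_id(root), root_path_cost=cost,
        bridge=_bridge_id(bridge), port_id=port,
        # Timers are carried in units of 1/256 second.
        message_age=age / 256, max_age=max_age / 256,
        hello_time=hello / 256, forward_delay=fwd / 256,
    )
    return info


def triage(info, expected_root):
    """List reasons a BPDU seen on an edge port deserves attention.

    expected_root is the (priority, mac) of the bridge the operator expects
    to be root; a numerically lower bridge ID wins the root election.
    """
    findings = ["BPDU received on a port where none is expected"]
    if "root" not in info:
        return findings
    if info["root"] < expected_root:
        findings.append("advertised root is superior to the expected root bridge")
    if info["max_age"] <= info["hello_time"]:
        findings.append("maximum age is not longer than the hello time")
    return findings


def sample_frame(priority=32768, max_age=20, hello=2):
    """Build a constructed configuration BPDU frame (sample data, not a capture)."""
    mac = bytes.fromhex("020000000001")   # locally administered, made up
    bid = struct.pack("!H", priority) + mac
    bpdu = struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0x00, 0, bid, 0, bid, 0x8001,
                       0, max_age * 256, hello * 256, 15 * 256)
    frame = STP_GROUP_MAC + mac + struct.pack("!H", 3 + len(bpdu)) + LLC_STP + bpdu
    return frame.ljust(60, b"\x00")       # pad to the minimum Ethernet size


if __name__ == "__main__":
    seen = parse_bpdu(sample_frame(priority=0, max_age=2, hello=2))
    print(seen)
    for reason in triage(seen, (4096, "02:00:00:00:00:aa")):
        print("-", reason)
```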

The transmission of BPDUs is controlled by the Layer 2 Control Protocol process (l2cpd) on MX Series 5G Universal Routing Platforms.

The transmission of periodic packets on behalf of the l2cpd process is carried out by periodic packet management (PPM), which, by default, is configured to run on the Packet Forwarding Engine. The ppmd process on the Packet Forwarding Engine ensures that the BPDUs are transmitted even when the l2cpd process control plane is unavailable, and keeps the remote adjacencies alive during a unified in-service software upgrade (unified ISSU). However, if you want the distributed PPM (ppmd) process to run on the Routing Engine instead of the Packet Forwarding Engine, you can disable the ppmd process on the Packet Forwarding Engine.

On MX Series routers or EX Series switches with redundant Routing Engines (two Routing Engines that are installed in the same router), you can configure nonstop bridging. Nonstop bridging enables the router to switch from a primary Routing Engine to a backup Routing Engine without losing Layer 2 Control Protocol (L2CP) information. Nonstop bridging uses the same infrastructure as graceful Routing Engine switchover (GRES) to preserve interface and kernel information. However, nonstop bridging also saves L2CP information by running the l2cpd process on the backup Routing Engine.

Note

To use nonstop bridging, you must first enable GRES.

Nonstop bridging is supported for the following Layer 2 control protocols:

  • Spanning-Tree Protocol (STP)

  • Rapid Spanning-Tree Protocol (RSTP)

  • Multiple Spanning-Tree Protocol (MSTP)

BPDU Protection on All Edge Ports of the Bridge

To configure edge port blocking for a particular STP family member, include the bpdu-block-on-edge statement for mstp, rstp, or vstp:

In contrast to BPDU protection configured on individual spanning-tree instance interfaces, BPDU protection configured on all edge ports of an entire spanning-tree protocol disables designated edge ports and does not enable them again.

Understanding BPDU Protection for EVPN-VXLAN

EVPN-VXLAN data center fabrics have a number of built-in Ethernet loop prevention mechanisms, such as split-horizon and designated forwarder and non-designated forwarder election. In some existing data center environments where a new IP EVPN fabric is being deployed, you might need to configure BPDU protection at the leaf-to-server interface in order to avoid network outages due to xSTP miscalculations. Incorrect cabling between the server and leaf interfaces, or any back-door Layer 2 link between two or more ESI-LAG interfaces, might cause miscalculations and then result in Ethernet loops. Without BPDU protection, BPDUs might not be recognized and will be flooded as unknown Layer 2 packets on the VXLAN interfaces. With BPDU protection, when a BPDU is received on an edge port in an EVPN-VXLAN environment, the edge port is disabled and stops forwarding all traffic. You can also configure BPDU protection to drop BPDU traffic but have all other traffic forwarded on the interfaces without having to configure a spanning-tree protocol.

Enabling BPDU Protection on Edge Ports on Access and Leaf Devices with STP, MSTP, and RSTP Configured

In this procedure, RSTP is being configured, but it works the same way for STP and MSTP.

  1. To enable edge port blocking for RSTP:
    [edit]

    user@host# set protocols rstp bpdu-block-on-edge
  2. Configure RSTP on edge ports that are either access or trunk interfaces.

    Note

    Edge ports can be access or trunk ports.

    To configure RSTP on edge ports:

    [edit]

    user@host# set protocols rstp interface interface-name edge

    For example:

    [edit]

    user@host# set protocols rstp interface ae0 edge

    In this example, ae0 is an ESI-LAG interface.

Enabling BPDU Protection on Access and Leaf Devices without STP, MSTP, or RSTP Configured

  1. To enable BPDU protection on access and leaf devices without STP, MSTP, or RSTP configured:
    [edit]

    user@host# set protocols layer2-control bpdu-block interface interface-name

    For example:

    [edit]

    user@host# set protocols layer2-control bpdu-block interface xe-0/0/5.0

Enabling BPDU Protection on Access and Leaf Devices without STP, MSTP, or RSTP Configured and Forwarding Other Traffic

  1. To enable BPDU protection on access and leaf devices without STP, MSTP, or RSTP:
    [edit]

    user@host# set protocols layer2-control bpdu-block interface interface-name drop

    For example:

    [edit]

    user@host# set protocols layer2-control bpdu-block interface xe-0/0/5.0 drop

Automatically Unblocking an Interface Using an Expiry Timer on Access and Leaf Devices

  1. To automatically unblock an interface using an expiry timer on access and leaf devices:

    Note

    The range of seconds is between 10 and 3600.

    [edit]

    user@host# set protocols layer2-control bpdu-block disable-timeout seconds

    For example:

    [edit]

    user@host# set protocols layer2-control bpdu-block disable-timeout seconds

Manually Unblocking an Interface on Access and Leaf Devices

  1. To manually unblock an interface on access and leaf devices:
    [edit]

    user@host# run clear error bpdu interface all
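The statements used in the procedures above can be checked offline against a saved configuration. The following is an added example, not Juniper tooling: it assumes the input is set-style output (as produced by show configuration | display set), treats ge-0/0/5.0 and ge-0/0/5 as the same port (an assumption), and uses a constructed sample configuration and hypothetical function names.

```python
import re

XSTP = {"stp", "rstp", "mstp", "vstp"}
BLOCK_PREFIXES = (
    ["set", "protocols", "layer2-control", "bpdu-block"],   # ELS style
    ["set", "ethernet-switching-options", "bpdu-block"],    # non-ELS style
)


def _ifd(name):
    """Drop a trailing logical unit so ge-0/0/5.0 and ge-0/0/5 compare equal."""
    return re.sub(r"\.\d+$", "", name)


def audit(config_text):
    """Return a sorted list of BPDU-protection findings for set-style config."""
    xstp, edge, blocked, timeouts = {}, {}, {}, {}
    block_on_edge = set()
    for raw in config_text.splitlines():
        tok = raw.split()
        if tok[:2] == ["set", "protocols"] and len(tok) > 3 and tok[2] in XSTP:
            proto = tok[2]
            if tok[3:] == ["bpdu-block-on-edge"]:
                block_on_edge.add(proto)
            elif tok[3] == "interface" and len(tok) >= 5 and tok[5:] != ["disable"]:
                xstp[_ifd(tok[4])] = proto
                if tok[5:] == ["edge"]:
                    edge[_ifd(tok[4])] = proto
            continue
        for prefix in BLOCK_PREFIXES:
            if tok[:len(prefix)] != prefix:
                continue
            rest, scope = tok[len(prefix):], "*"      # "*" = all protected ports
            if len(rest) >= 2 and rest[0] == "interface":
                scope, rest = _ifd(rest[1]), rest[2:]
                blocked.setdefault(scope, "shutdown")
            if rest == ["drop"] and scope != "*":
                blocked[scope] = "drop"
            elif len(rest) == 2 and rest[0] == "disable-timeout" and rest[1].isdigit():
                timeouts[scope] = int(rest[1])

    findings = []
    for ifname, proto in edge.items():
        if proto not in block_on_edge and ifname not in blocked:
            findings.append(f"{ifname}: {proto} edge port has no BPDU protection")
    for ifname, proto in xstp.items():
        if blocked.get(ifname) == "drop":
            findings.append(f"{ifname}: drop mode configured but {proto} still runs on it")
    for scope, secs in timeouts.items():
        # 0 is accepted and means "stay blocked until cleared".
        if secs != 0 and not 10 <= secs <= 3600:
            findings.append(f"{scope}: disable-timeout {secs} outside 10-3600 seconds")
    shutdown_mode = bool(block_on_edge) or "shutdown" in blocked.values()
    if shutdown_mode and not any(timeouts.values()):
        findings.append("*: no disable-timeout, tripped ports stay down until cleared")
    return sorted(findings)


# Constructed sample configurations (interface names taken from the examples above).
WEAK = """
set protocols rstp interface ae0 edge
set protocols rstp interface ge-0/0/0.0 priority 16
set protocols rstp interface ge-0/0/0.0 edge
set protocols layer2-control bpdu-block interface xe-0/0/5.0 drop
set protocols layer2-control bpdu-block interface ge-0/0/0.0 drop
set protocols layer2-control bpdu-block disable-timeout 5
"""

CORRECTED = """
set protocols rstp bpdu-block-on-edge
set protocols rstp interface ae0 edge
set protocols rstp interface ge-0/0/0.0 edge
set protocols layer2-control bpdu-block interface xe-0/0/5.0 drop
set protocols layer2-control bpdu-block disable-timeout 300
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("CORRECTED", CORRECTED)):
        print(name, audit(text) or "no findings")
```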

Configuring BPDU Protection on Switch Spanning Tree Interfaces

All spanning-tree protocols use a special type of frame called bridge protocol data units (BPDUs) to communicate with each other. Other devices in the network, such as PCs, generate their own BPDUs that are not compatible with the spanning-tree BPDUs. When BPDUs generated by other devices are transmitted to switches on which spanning-tree protocols are configured, a misconfiguration can occur in the spanning tree and a network outage can occur. Therefore, it is necessary to protect an interface in a spanning-tree topology from BPDUs generated from other devices.

On the ACX Series routers, MX Series routers, QFX Series switches, and EX Series switches, you can configure BPDU protection to ignore BPDUs received on interfaces where none are expected. If a BPDU is received on a blocked interface, the interface is disabled and stops forwarding frames. By default, all BPDUs are accepted and processed on all interfaces.

Note

This topic applies to Junos OS for EX Series and QFX switches with support for the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Using the Enhanced Layer 2 Software CLI.

To configure BPDU protection for spanning-tree instance interfaces:

  • On a specific spanning-tree interface:

    1. Enable BPDU protection on a specified spanning-tree interface:
      [edit protocols layer2-control bpdu-block]

      user@switch# set interface (aex | ge-fpc/pic/port | xe-fpc/pic/port)

      If a BPDU is received on the interface, the system will disable the interface and stop forwarding frames out the interface until the bridging process is restarted.

    2. (Optional) Configure the amount of time the system waits before automatically unblocking this interface after it has received a BPDU.
      [edit protocols layer2-control bpdu-block interface interface-name]

      user@switch# set disable-timeout seconds

      The range of the seconds option value is from 10 through 3600 seconds (one hour). A seconds option value of 0 is allowed, but this results in the default behavior (the interface is blocked until the interface is cleared).

    3. Verify the configuration of BPDU blocking for individual interfaces:

  • To disable BPDU protection for a specific spanning-tree interface

    [edit protocols layer2-control bpdu-block interface interface-name]

    user@switch# set disable-timeout seconds

Configuring BPDU Protection on ACX Router, EX Switch and MX Router Edge Ports

On ACX Series routers, MX Series routers, and EX Series switches, you can configure BPDU protection to ignore BPDU received on interfaces where none should be expected. If a BPDU is received on a blocked interface, the interface is disabled and stops forwarding frames. By default, all BPDUs are accepted and processed on all interfaces.

Tip

You can configure BPDU protection for RSTP, STP or MSTP topologies at the [edit protocols (mstp|rstp|vstp)] hierarchy level.

To configure BPDU protection for all edge ports for a particular spanning-tree protocol:

  1. Enable edge port blocking for a particular spanning-tree protocol:
  2. Verify BPDU protection for edge ports:

Configuring BPDU Protection for Edge Interfaces

In a spanning-tree topology, if a switch is an access switch then interfaces on that switch will be connected to end devices such as PCs, servers, routers, or hubs, that are not connected to other switches. You configure these interfaces as edge interfaces because they directly connect to end devices.

Interfaces that are configured as edge interfaces can transition to a forwarding state immediately because they cannot create network loops. A switch detects edge ports by noting the absence of communication from the end stations. As edge ports are connected to end devices, it is imperative that you configure BPDU protection on edge ports to protect the switch from outside BPDUs. If BPDU protection is enabled on an edge interface, the interface shuts down on encountering an outside BPDU thereby preventing any traffic from passing through the interface. You can re-enable the interface either by using the disable-timeout command while configuring BPDU protection, or by issuing the clear ethernet-switching bpdu-error operational mode command. The clear ethernet-switching bpdu-error command will only re-enable an interface but the BPDU configuration for the interface will continue to exist unless you explicitly remove the BPDU configuration.

To configure BPDU protection on an edge interface of a switch:

Note

Ensure that the switch is connected to an end device.

  1. Configure any spanning-tree protocol on the switch if not configured already. RSTP is configured in this procedure.

    Note

    The Rapid Spanning Tree Protocol (RSTP) is configured by default on a switch.

    [edit protocols]

    user@switch# set rstp
  2. Enable RSTP on a specific interface and set a priority for the interface—for example, ge-0/0/0.0:
    [edit protocols]

    user@switch# set rstp interface ge-0/0/0.0 priority 16
  3. Configure the ge-0/0/0.0 interface as an edge interface and enable BPDU protection on that interface:
    [edit protocols]

    user@switch# set rstp bpdu-block-on-edge interface ge-0/0/0.0 edge
  4. Commit the configuration:
    [edit]

    user@switch# commit
  5. Verify that BPDU protection is configured properly on the edge interface (ge-0/0/0.0):
    • Run the show ethernet-switching interfaces operational mode command to ensure that BPDU protection is configured on the edge interface:

      user@switch> show ethernet-switching interfaces

      In this output, you note that the ge-0/0/0.0 interface is down because it has received BPDUs from the end device. Also, note that the state of the Blocking field is Disabled by bpdu-control, which indicates that the port is disabled because of BPDU protection.

    • Run the show spanning-tree interfaces operational mode command to ensure that the ge-0/0/0.0 interface is not displayed in the output.

Configuring BPDU for Interface Protection With Port Shutdown Mode

In a spanning-tree topology, if a switch is an access switch then interfaces on that switch will be connected to end devices such as PCs, servers, routers, or hubs, that are not connected to other switches. You configure these interfaces as edge interfaces because they directly connect to end devices. Interfaces that are configured as edge interfaces can transition to a forwarding state immediately because they cannot create network loops. A switch detects edge ports by noting the absence of communication from the end stations. As edge ports are connected to end devices, it is imperative that you configure BPDU protection on edge ports to protect the switch from outside BPDUs. If BPDU protection is enabled on an edge interface, the interface shuts down on encountering an outside BPDU thereby preventing any traffic from passing through the interface. You can re-enable the interface either by using the disable-timeout command while configuring BPDU protection, or by issuing the clear ethernet-switching bpdu-error operational mode command. The clear ethernet-switching bpdu-error command will only re-enable an interface but the BPDU configuration for the interface will continue to exist unless you explicitly remove the BPDU configuration.

To configure BPDU protection on an edge interface of a switch:

Note

Ensure that the switch is connected to an end device.

  1. Configure any spanning-tree protocol on the switch if not configured already. RSTP is configured in this procedure.

    Note

    The Rapid Spanning Tree Protocol (RSTP) is configured by default on a switch.

    [edit protocols]

    user@switch# set rstp
  2. Enable RSTP on a specific interface and set a priority for the interface—for example, ge-0/0/0.0:
    [edit protocols]

    user@switch# set rstp interface ge-0/0/0.0 priority 16
  3. Configure the ge-0/0/0.0 interface as an edge interface and enable BPDU protection on that interface:
    [edit protocols]

    user@switch# set rstp bpdu-block-on-edge interface ge-0/0/0.0 edge
  4. Commit the configuration:
    [edit]

    user@switch# commit
  5. Verify that BPDU protection is configured properly on the edge interface (ge-0/0/0.0):
    • Run the show ethernet-switching interfaces operational mode command to ensure that BPDU protection is configured on the edge interface:

      user@switch> show ethernet-switching interfaces

      In this output, you note that the ge-0/0/0.0 interface is down because it has received BPDUs from the end device. Also, note that the state of the Blocking field is Disabled by bpdu-control, which indicates that the port is disabled because of BPDU protection.

    • Run the show spanning-tree interfaces operational mode command to ensure that the ge-0/0/0.0 interface is not displayed in the output.

Configuring BPDU for Interface Protection With BPDU Drop Mode

For certain access switches, you might want interfaces on the switch not to shut down on encountering incompatible BPDU packets; instead, only drop incompatible BPDU packets while allowing the remaining traffic to pass through. Such an interface must not have a spanning-tree protocol configured on it, so that packets that pass through the interface will not cause STP misconfiguration and consequent network outages.

To configure BPDU protection for an interface to only drop incompatible BPDU packets and to allow the remaining traffic to pass through, while retaining the interface status as up:

Note

Ensure that the switch on which you are configuring BPDU protection is connected to a peer device.

  1. Delete or disable any spanning-tree protocol (for instance, RSTP as in this procedure) configured on the switch or on any interface.
    • To delete a spanning-tree protocol on the entire switch:

      [edit]

      user@switch# delete protocols rstp

      Or,

      [edit]

      user@switch# set protocols rstp disable
    • To delete a spanning-tree protocol on a specific interface (for example, ge-0/0/0.0) on the switch:

      [edit]

      user@switch# set protocols rstp interface ge-0/0/0.0 disable
    Note

    As RSTP is configured on a switch by default, ensure that you delete or disable RSTP even though you had not configured it explicitly.

  2. Ensure that the interface on which you want to enable BPDU protection is up and unblocked. For example, if you want to configure BPDU protection on the ge-0/0/0.0 interface, the following is the output of the show ethernet-switching interfaces command if the interface is up and unblocked:
    user@switch> show ethernet-switching interfaces

    In this output, note that the state of the ge-0/0/0.0 interface is up and the value for the Blocking field is unblocked.

  3. Enable the BPDU protection on the interface (ge-0/0/0.0 in this procedure) to drop BPDU packets:
    [edit]

    user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/0.0 drop
  4. Commit the configuration:
    [edit]

    user@switch# commit
  5. Verify that the BPDU protection is configured on the interface:
    • Run the show ethernet-switching interfaces operational mode command to ensure that the BPDU protection is configured on the interface:

      user@switch> show ethernet-switching interfaces

      In this output, note that the ge-0/0/0.0 interface is up even though it has received incompatible BPDU packets because the drop feature is configured for this interface. Also, note that the state of the Blocking field is unblocked-xSTP bpdu filter enabled, which indicates that the BPDU drop feature is enabled on this interface.

    • Run the show spanning-tree interfaces operational mode command to ensure that the ge-0/0/0.0 interface is displayed in the output and that the State of the interface is DIS, which indicates that the interface discards all incompatible BPDUs:

      user@switch> show spanning-tree interface

Example: Configuring BPDU Protection on MX Edge Interfaces to Prevent STP Miscalculations

MX Series routers provide Layer 2 loop prevention through the Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate. Other devices (PC bridging applications, for example) also use BPDUs and generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if routers within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of STP miscalculations.

This example configures BPDU protection on MX Series routers that use RSTP. The upstream configuration is done on the edge interfaces, where outside BPDUs are often received from other devices.

Requirements

This example uses the following hardware and software components:

  • Two MX Series routers in an RSTP topology

  • Junos OS Release 13.1 or later

Before you configure the interfaces on Router 2 for BPDU protection, be sure you have:

  • RSTP enabled on the routers.

Overview

The MX Series routers, being in an RSTP topology, support a loop-free network through the exchange of BPDUs. Receipt of outside BPDUs in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on STP interfaces that could receive outside BPDUs. If an outside BPDU is received on a BPDU-protected interface, the interface shuts down to prevent the outside BPDU from accessing the STP interface.

Figure 1 shows the topology for this example. In this example, Router 1 and Router 2 are configured for RSTP and create a loop-free topology. The interfaces on Router 2 are edge access ports which frequently receive outside BPDUs generated by PC applications.

This example configures interface ge-0/0/5.0 and interface ge-0/0/6.0 as edge ports on Router 2, and then configures BPDU protection on those ports. With BPDU protection enabled, these interfaces shut down when they encounter an outside BPDU sent by the PCs connected to Router 2.

Topology

Figure 1: BPDU Protection Topology

Table 1 describes the components that are configured for BPDU protection.

Table 1: Components of the Topology for Configuring BPDU Protection on MX Series Routers

Property | Settings
Router 1 (Distribution Layer) | Router 1 is connected to Router 2 on a trunk interface.
Router 2 (Access Layer) | Router 2 has these access ports that require BPDU protection: ge-0/0/5.0 and ge-0/0/6.0

This configuration example uses RSTP topology. You also can configure BPDU protection for STP or MSTP topologies at the [edit protocols (mstp | rstp | vstp)] hierarchy level.

Configuration

CLI Quick Configuration

To quickly configure RSTP on the two Router 2 interfaces and configure BPDU protection on all edge ports on Router 2, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level:

Router 2

Configuring Router 2

Step-by-Step Procedure

To configure RSTP on the two Router 2 interfaces, and then configure BPDU protection:

  1. Configure RSTP on interface ge-0/0/5.0 and interface ge-0/0/6.0, and configure them as edge ports.
  2. Configure BPDU protection on all edge ports on this router.

Results

From configuration mode, confirm your configuration by entering the show configuration protocols rstp command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Verify that the configuration is working properly.

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before BPDUs can be received from PCs connected to interface ge-0/0/5.0 and interface ge-0/0/6.0, confirm the interface state.

Action

Use the operational mode command show spanning-tree interface.

user@Router2> show spanning-tree interface

Meaning

The output from the show spanning-tree interface command shows that interface ge-0/0/5.0 and interface ge-0/0/6.0 are ports in a forwarding state.

Verifying That BPDU Protection Is Working Correctly

Purpose

In this example, the PCs connected to Router 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is working on the interfaces.

Action

Use the operational mode command show spanning-tree interface.

user@Router2> show spanning-tree interface

Meaning

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Router 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state causes the interfaces to shut down.

Disabling the BPDU protection configuration on an interface does not automatically re-enable the interface. However, if the disable-timeout statement has been included in the BPDU configuration, the interface does return to service after the timer expires. Otherwise, you must use the operational mode command clear error bpdu interface interface-name to unblock and re-enable the interface.

If the PCs connected to Router 2 send BPDUs to the interfaces again, BPDU protection is triggered once more, and the interfaces transition back to the BPDU inconsistent state, causing them to shut down. In such cases, you need to find and repair the misconfiguration on the PCs that are sending BPDUs to Router 2.

Example: Configuring BPDU Protection on Switch Edge Interfaces With ELS to Prevent STP Miscalculations

EX Series and QFX Series switches provide Layer 2 loop prevention through Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate. Other devices (PC bridging applications, for example) also use BPDUs and generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if switches within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of STP miscalculations.

This example configures BPDU protection on an EX Series switch that uses RSTP. The upstream configuration is done on the edge interfaces, where outside BPDUs are often received from other devices.

Requirements

This example uses the following software and hardware components:

  • Two EX Series switches in an RSTP topology

  • Junos OS Release 13.2X50-D10 or later for EX Series or QFX Series switches

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have:

  • RSTP enabled on the switches.

Note

By default, RSTP is enabled on all EX Series switches.

Overview and Topology

The switches, being in an RSTP topology, support a loop-free network through the exchange of BPDUs. Receipt of outside BPDUs in an RSTP or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on spanning tree interfaces that could receive outside BPDUs. If an outside BPDU is received on a BPDU-protected interface, the interface shuts down to prevent the outside BPDU from accessing the spanning tree interface.

Figure 2 shows the topology for this example. In this example, Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The interfaces on Switch 2 are edge access ports—edge access ports frequently receive outside BPDUs generated by PC applications.

This example configures interface ge-0/0/5 and interface ge-0/0/6 as edge ports on Switch 2, and then configures BPDU protection on those ports. With BPDU protection enabled, these interfaces shut down when they encounter an outside BPDU sent by the PCs connected to Switch 2.

Figure 2: BPDU Protection Topology

Table 2 shows the components that will be configured for BPDU protection.

Table 2: Components of the Topology for Configuring BPDU Protection on EX Series Switches

| Property | Settings |
|---|---|
| Switch 1 (Distribution Layer) | Switch 1 is connected to Switch 2 on a trunk interface. |
| Switch 2 (Access Layer) | Switch 2 has these access ports that require BPDU protection: ge-0/0/5, ge-0/0/6 |

This configuration example uses RSTP topology. You also can configure BPDU protection for MSTP topologies at the [edit protocols mstp] hierarchy level.

Configuration

To configure BPDU protection on two access interfaces:

CLI Quick Configuration

Quickly configure RSTP on the two Switch 2 interfaces, and then configure BPDU protection on all edge ports on Switch 2 by copying the following commands and pasting them into the switch terminal window:

Note

This example configures BPDU protection on specific interfaces. Starting with Junos OS Release 15.1 for EX Series and QFX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style, you can also configure BPDU protection globally on all spanning tree interfaces. See Configuring BPDU Protection on Switch Spanning Tree Interfaces for additional information.

[edit]
set protocols rstp interface ge-0/0/5 edge
set protocols rstp interface ge-0/0/6 edge
set protocols rstp bpdu-block-on-edge

Step-by-Step Procedure

To configure RSTP on the two Switch 2 interfaces, and then configure BPDU protection:

  1. Configure RSTP on interface ge-0/0/5 and interface ge-0/0/6, and configure them as edge ports:
    [edit protocols rstp]

    user@switch# set interface ge-0/0/5 edge

    user@switch# set interface ge-0/0/6 edge
  2. Configure BPDU protection on all edge ports on this switch:
    [edit protocols rstp]

    user@switch# set bpdu-block-on-edge

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly:

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before BPDUs can be received from PCs connected to interface ge-0/0/5 and interface ge-0/0/6, confirm the interface state.

Action

Use the operational mode command show spanning-tree interface.

Meaning

The output from the operational mode command show spanning-tree interface shows that interface ge-0/0/5 and interface ge-0/0/6 are ports in a forwarding state.

Verifying That BPDU Protection Is Working Correctly

Purpose

In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5 and interface ge-0/0/6. Verify that BPDU protection is working on the interfaces.

Action

Use the operational mode command show spanning-tree interface.

Meaning

When BPDUs are sent from the PCs to interface ge-0/0/5 and interface ge-0/0/6 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state causes the interfaces to shut down.

Disabling the BPDU protection configuration on an interface does not automatically reenable the interface. However, if the disable-timeout statement has been included in the BPDU configuration, the interface does return to service after the timer expires. Otherwise, you must use the operational mode command clear error bpdu to unblock and reenable the interface.

If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state, causing them to shut down. In such cases, you need to find and repair the misconfiguration on the PCs that are sending BPDUs to Switch 2.

Example: Configuring BPDU Protection on Edge Interfaces to Prevent STP Miscalculations on non-ELS EX Series Switches

EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate. Other devices (PC bridging applications, for example) also use BPDUs and generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if switches within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of STP miscalculations.

This example configures BPDU protection on an EX Series switch that uses RSTP. The upstream configuration is done on the edge interfaces, where outside BPDUs are often received from other devices.

Requirements

This example uses the following hardware and software components:

  • Two EX Series switches in an RSTP topology

  • Junos OS Release 9.1 or later for EX Series switches

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have:

  • RSTP enabled on the switches.

Note

By default, RSTP is enabled on all EX Series switches.

Overview and Topology

The switches, being in an RSTP topology, support a loop-free network through the exchange of BPDUs. Receipt of outside BPDUs in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on STP interfaces that could receive outside BPDUs. If an outside BPDU is received on a BPDU-protected interface, the interface shuts down to prevent the outside BPDU from accessing the STP interface.

Figure 3 shows the topology for this example. In this example, Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The interfaces on Switch 2 are edge access ports—edge access ports frequently receive outside BPDUs generated by PC applications.

This example configures interface ge-0/0/5.0 and interface ge-0/0/6.0 as edge ports on Switch 2, and then configures BPDU protection on those ports. With BPDU protection enabled, these interfaces shut down when they encounter an outside BPDU sent by the PCs connected to Switch 2.

Figure 3: BPDU Protection Topology

Table 3 shows the components that will be configured for BPDU protection.

Table 3: Components of the Topology for Configuring BPDU Protection on EX Series Switches

| Property | Settings |
|---|---|
| Switch 1 (Distribution Layer) | Switch 1 is connected to Switch 2 on a trunk interface. |
| Switch 2 (Access Layer) | Switch 2 has these access ports that require BPDU protection: ge-0/0/5.0, ge-0/0/6.0 |

This configuration example uses RSTP topology. You also can configure BPDU protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.

Configuration

To configure BPDU protection on two access interfaces:

CLI Quick Configuration

Quickly configure RSTP on the two Switch 2 interfaces, and then configure BPDU protection on all edge ports on Switch 2 by copying the following commands and pasting them into the switch terminal window:

[edit]
set protocols rstp interface ge-0/0/5.0 edge
set protocols rstp interface ge-0/0/6.0 edge
set protocols rstp bpdu-block-on-edge

Step-by-Step Procedure

To configure RSTP on the two Switch 2 interfaces, and then configure BPDU protection:

  1. Configure RSTP on interface ge-0/0/5.0 and interface ge-0/0/6.0, and configure them as edge ports:
    [edit protocols rstp]

    user@switch# set interface ge-0/0/5.0 edge

    user@switch# set interface ge-0/0/6.0 edge
  2. Configure BPDU protection on all edge ports on this switch:
    [edit protocols rstp]

    user@switch# set bpdu-block-on-edge

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly:

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before BPDUs can be received from PCs connected to interface ge-0/0/5.0 and interface ge-0/0/6.0, confirm the interface state.

Action

Use the operational mode command show spanning-tree interface.

Meaning

The output from the operational mode command show spanning-tree interface shows that interface ge-0/0/5.0 and interface ge-0/0/6.0 are ports in a forwarding state.

Verifying That BPDU Protection Is Working Correctly

Purpose

In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is working on the interfaces.

Action

Use the operational mode command show spanning-tree interface.

Meaning

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state causes the interfaces to shut down.

Disabling the BPDU protection configuration on an interface does not automatically re-enable the interface. However, if the disable-timeout statement has been included in the BPDU configuration, the interface does return to service after the timer expires. Otherwise, you must use the operational mode command clear ethernet-switching bpdu-error interface to unblock and re-enable the interface.

If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state, causing them to shut down. In such cases, you need to find and repair the misconfiguration on the PCs that are sending BPDUs to Switch 2.

Example: Configuring BPDU Protection on Interfaces to Prevent STP Miscalculations on EX Series Switches

Note

This example uses Junos OS for EX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that does not support ELS, see Example: Configuring BPDU Protection on Interfaces to Prevent STP Miscalculations on EX Series Switches. For ELS details, see Using the Enhanced Layer 2 Software CLI.

Spanning-tree protocols support loop-free network communication through the exchange of a special type of frame called a bridge protocol data unit (BPDU). However, when BPDUs generated by spanning-tree protocols are communicated to devices on which spanning-tree protocols are not configured, these devices recognize the BPDUs, which can lead to network outages. You can, however, enable BPDU protection on switch interfaces to prevent BPDUs generated by spanning-tree protocols from passing through those interfaces. When BPDU protection is enabled, an interface shuts down when any incompatible BPDU is encountered, thereby preventing the BPDUs generated by spanning-tree protocols from reaching the switch.

This example configures BPDU protection on STP switch downstream interfaces that connect to two PCs.

Requirements

This example uses the following software and hardware components:

  • One EX Series switch in an RSTP topology

  • One EX Series switch that is not in any spanning-tree topology

  • Junos OS Release 13.2X50-D10 or later for EX Series switches

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have:

  • Ensured that RSTP is operating on Switch 1.

  • Disabled RSTP on Switch 2.

Note

By default, RSTP is enabled on all EX Series switches.

Overview and Topology

EX Series switches provide Layer 2 loop prevention through Rapid Spanning Tree Protocol (RSTP) and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a BPDU to communicate. Other devices also use BPDUs; PC bridging applications, for example, generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if switches within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of the miscalculations caused by the outside BPDUs. Therefore, you must configure BPDU protection on interfaces in a spanning-tree topology to avoid network outages.

This example explains how to block outside BPDUs from reaching a switch interface connected to devices that are not part of the STP topology. In this scenario, an interface is shut down when it encounters an outside BPDU.

Figure 4 shows the topology for this example. Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured for RSTP and Switch 2 does not have a spanning-tree protocol configured on it.

This example configures downstream BPDU protection on Switch 2 interfaces ge-0/0/5 and ge-0/0/6. When BPDU protection is enabled, the switch interfaces will shut down if BPDUs generated by the laptops attempt to access Switch 2.

Caution

When configuring BPDU protection on an interface without spanning trees connected to a switch with spanning trees, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on switch interfaces (such as a trunk interface) that you intended to have receive BPDUs from a switch with spanning trees.

Figure 4: BPDU Protection Topology

Table 4 shows the components that will be configured for BPDU protection.

Table 4: Components of the Topology for Configuring BPDU Protection on EX Series Switches

| Property | Settings |
|---|---|
| Switch 1 (Distribution Layer) | Switch 1 is connected to Switch 2 through a trunk interface. Switch 1 is configured for RSTP. |
| Switch 2 (Access Layer) | Switch 2 has two downstream access ports connected to laptops: ge-0/0/5, ge-0/0/6 |

Configuration

To configure BPDU protection on the interfaces:

CLI Quick Configuration

This configuration causes the interface to automatically shut down if it receives BPDUs. To quickly configure BPDU protection on Switch 2, copy the following commands and paste them into the switch terminal window:

Note

This example configures BPDU protection on specific interfaces. However, starting with Junos OS Release 15.1 for EX Series and QFX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style, you can configure BPDU protection globally on all spanning tree interfaces. See Configuring BPDU Protection on Switch Spanning Tree Interfaces for additional information.

[edit]
user@switch# set protocols layer2-control bpdu-block interface ge-0/0/5
user@switch# set protocols layer2-control bpdu-block interface ge-0/0/6

Step-by-Step Procedure

To configure BPDU protection for automatic shutdown:

  1. Configure BPDU protection to shut down the downstream interface ge-0/0/5 on Switch 2:
    [edit protocols layer2-control]
    user@switch# set bpdu-block interface ge-0/0/5
  2. Configure BPDU protection to shut down the downstream interface ge-0/0/6 on Switch 2:
    [edit protocols layer2-control]
    user@switch# set bpdu-block interface ge-0/0/6

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before any BPDUs can be received on Switch 2 on either interface ge-0/0/5 or interface ge-0/0/6, confirm the state of those interfaces.

Action

Use the operational mode command show interfaces extensive <interface name>:

user@switch> show interfaces extensive ge-0/0/5

Meaning

The output from the operational mode command show interfaces extensive shows that ge-0/0/5 is enabled.

Verifying That BPDU Shutdown Protection Is Working Correctly

Purpose

Verify that BPDU protection is working correctly in the network by checking to see whether BPDUs have been blocked appropriately.

Action

Issue show interfaces extensive <interface name> to see what happened when the BPDUs reached the two interfaces configured for BPDU protection on Switch 2:

user@switch> show interfaces extensive ge-0/0/5

Meaning

When the BPDUs sent from laptops reached interface ge-0/0/5 on Switch 2, the interface transitioned to a BPDU inconsistent state, shutting down the interface to prevent BPDUs from reaching the laptops.

You need to reenable the blocked interface. There are two ways to do this. If you included the statement disable-timeout in the BPDU configuration, the interface returns to service after the timer expires. Otherwise, use the operational mode command clear error bpdu interface interface-name to unblock and reenable ge-0/0/5. This command only reenables the interface; the BPDU configuration for the interface continues to exist unless you remove it explicitly.

If BPDUs reach the downstream interface on Switch 2 again, BPDU protection is triggered again and the interface shuts down. In such cases, you must find and repair the misconfiguration that is sending BPDUs to interface ge-0/0/5.

Example: Blocking BPDUs on Aggregated Ethernet Interface for 600 Seconds

The following example, when used with a full bridge configuration with aggregated Ethernet, blocks BPDUs on aggregated interface ae0 for 10 minutes (600 seconds) before enabling the interface again:

Example: Configuring BPDU Protection on Interfaces to Prevent STP Miscalculations on EX Series Switches

Note

This example uses Junos OS for EX Series switches without support for the Enhanced Layer 2 Software (ELS) configuration style. If your switch runs software that supports ELS, see Example: Configuring BPDU Protection on Interfaces to Prevent STP Miscalculations on EX Series Switches. For ELS details, see Using the Enhanced Layer 2 Software CLI.

Spanning-tree protocols support loop-free network communication through the exchange of a special type of frame called a bridge protocol data unit (BPDU). However, when BPDUs generated by spanning-tree protocols are communicated to devices on which spanning-tree protocols are not configured, these devices recognize the BPDUs, which can lead to network outages. You can, however, enable BPDU protection on switch interfaces to prevent BPDUs generated by spanning-tree protocols from passing through those interfaces. When BPDU protection is enabled, an interface shuts down or drops BPDU packets when any incompatible BPDU is encountered, thereby preventing the BPDUs generated by spanning-tree protocols from reaching the switch. When an interface is configured to drop BPDU packets, all traffic except the incompatible BPDUs can pass through the interface.

Note

The BPDU drop feature can be specified only on interfaces on which no spanning-tree protocol is configured.

This example configures BPDU protection on STP switch downstream interfaces that connect to two PCs:

Requirements

This example uses the following hardware and software components:

  • One EX Series switch in an RSTP topology

  • One EX Series switch that is not in any spanning-tree topology

  • Junos OS Release 9.1 or later for EX Series switches

Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have:

  • Ensured that RSTP is operating on Switch 1.

  • Disabled or enabled RSTP on Switch 2 (depending on the configuration that you plan to implement).

    If you want to enable the BPDU shutdown feature, then it is optional to disable spanning-tree protocols on the interface.

Note

By default, RSTP is enabled on all EX Series switches.

Overview and Topology

EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). All spanning-tree protocols use a special type of frame called a BPDU to communicate. Other devices also use BPDUs; PC bridging applications, for example, generate their own BPDUs. These different BPDUs are not compatible. When BPDUs generated by spanning-tree protocols are transmitted to a device that uses another type of BPDU, they can cause problems on the device. Similarly, if switches within a spanning-tree topology receive BPDUs from other devices, network outages can occur because of the miscalculations caused by the outside BPDUs. Therefore, you must configure BPDU protection on interfaces in a spanning-tree topology to avoid network outages.

This example explains how to block outside BPDUs from reaching a switch interface connected to devices that are not part of the STP topology. This example addresses two scenarios. In the first scenario, an interface is shut down when it encounters an outside BPDU. In the second scenario, an interface drops only BPDU packets while retaining the status of the interface as up and allowing all other traffic to pass through the interface.

Figure 5 shows the topology for this example. Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured for RSTP while Switch 2 has a spanning-tree protocol configured on it for the first scenario, and does not have a spanning-tree protocol configured on it for the second scenario.

In the first scenario, this example configures downstream BPDU protection on Switch 2 interfaces ge-0/0/5.0 and ge-0/0/6.0 when the default spanning-tree protocol (RSTP) is not disabled on these interfaces. When BPDU protection is enabled with the shutdown statement, the switch interfaces will shut down if BPDUs generated by the laptops attempt to access Switch 2.

In the second scenario, this example configures downstream BPDU protection on Switch 2 interfaces ge-0/0/5.0 and ge-0/0/6.0 when the default spanning-tree protocol (RSTP) is disabled on these interfaces. When BPDU protection is enabled with the drop statement, the switch interfaces drop only the BPDUs while allowing remaining traffic to pass through and retaining their status as up if BPDUs generated by the laptops attempt to access Switch 2.

Caution

When configuring BPDU protection on an interface without spanning trees connected to a switch with spanning trees, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on switch interfaces (such as a trunk interface) that you intended to have receive BPDUs from a switch with spanning trees.

Figure 5: BPDU Protection Topology

Table 5 shows the components that will be configured for BPDU protection.

Table 5: Components of the Topology for Configuring BPDU Protection on EX Series Switches

| Property | Settings |
|---|---|
| Switch 1 (Distribution Layer) | Switch 1 is connected to Switch 2 through a trunk interface. Switch 1 is configured for RSTP. |
| Switch 2 (Access Layer) | Switch 2 has two downstream access ports connected to laptops: ge-0/0/5.0, ge-0/0/6.0 |

Configuration

To configure BPDU protection on the interfaces:

CLI Quick Configuration

This is the first scenario that explains configuration for the shutdown statement. To quickly configure BPDU protection on Switch 2 for the shutdown statement, copy the following commands and paste them into the switch terminal window:

[edit]
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/5.0 shutdown
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/6.0 shutdown

Step-by-Step Procedure

To configure BPDU protection for the shutdown statement:

  1. Configure the BPDU shutdown statement on the downstream interface ge-0/0/5.0 on Switch 2:
    [edit ethernet-switching-options]
    user@switch# set bpdu-block interface ge-0/0/5.0 shutdown
  2. Configure the BPDU shutdown statement on the downstream interface ge-0/0/6.0 on Switch 2:
    [edit ethernet-switching-options]
    user@switch# set bpdu-block interface ge-0/0/6.0 shutdown

Results

Check the results of the configuration:

CLI Quick Configuration

This is the second scenario that explains configuration for the drop statement. To quickly configure BPDU protection on Switch 2 for the drop statement, copy the following commands and paste them into the switch terminal window:

[edit]
user@switch# set protocols rstp interface ge-0/0/5.0 disable
user@switch# set protocols rstp interface ge-0/0/6.0 disable
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/5.0 drop
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/6.0 drop

Note

You can also disable RSTP globally using the delete protocols rstp, the set protocols rstp disable, or the set protocols rstp interface all disable command.

Step-by-Step Procedure

To configure BPDU protection for the drop statement:

  1. Disable RSTP on both interfaces, ge-0/0/5.0 and ge-0/0/6.0:
    [edit]

    user@switch# set protocols rstp interface ge-0/0/5.0 disable

    user@switch# set protocols rstp interface ge-0/0/6.0 disable
  2. Configure the BPDU drop statement on the downstream interface ge-0/0/5.0 on Switch 2:
    [edit ethernet-switching-options]
    user@switch# set bpdu-block interface ge-0/0/5.0 drop
  3. Configure the BPDU drop statement on the downstream interface ge-0/0/6.0 on Switch 2:
    [edit ethernet-switching-options]
    user@switch# set bpdu-block interface ge-0/0/6.0 drop

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before any BPDUs can be received on Switch 2 on either interface ge-0/0/5.0 or interface ge-0/0/6.0, confirm the state of those interfaces.

Action

Use the operational mode command show ethernet-switching interfaces:

Meaning

The output from the operational mode command show ethernet-switching interfaces shows that interface ge-0/0/5.0 and interface ge-0/0/6.0 are up and unblocked.

Verifying That BPDU Shutdown Protection Is Working Correctly

Purpose

Verify that BPDU protection is working correctly in the network by checking to see whether BPDUs have been blocked appropriately.

Action

Issue show ethernet-switching interfaces to see what happened when the BPDUs reached the two interfaces configured for BPDU protection on Switch 2:

Meaning

When the BPDUs sent from laptops reached interfaces ge-0/0/5.0 and ge-0/0/6.0 on Switch 2, the interfaces transitioned to a BPDU inconsistent state, shutting down the two interfaces to prevent BPDUs from reaching the laptops.

You need to re-enable the blocked interfaces. There are two ways to do this. If you included the statement disable-timeout in the BPDU configuration, the interface returns to service after the timer expires. Otherwise, use the operational mode command clear ethernet-switching bpdu-error interface to unblock and re-enable ge-0/0/5.0 and ge-0/0/6.0. This command only re-enables an interface; the BPDU configuration for the interface continues to exist unless you remove it explicitly.

If BPDUs reach the downstream interfaces on Switch 2 again, BPDU protection is triggered again and the interfaces shut down. In such cases, you must find and repair the misconfiguration that is sending BPDUs to interfaces ge-0/0/5.0 and ge-0/0/6.0.

Verifying That BPDU Drop Protection Is Working Correctly

Purpose

Verify that BPDU drop protection is working correctly in the network by checking to see whether BPDUs have been blocked appropriately.

Action

Issue show ethernet-switching interfaces to see what happened when the BPDUs reached the two interfaces configured for BPDU protection on Switch 2:

Meaning

When the BPDUs sent from laptops reached interfaces ge-0/0/5.0 and ge-0/0/6.0 on Switch 2, the interfaces dropped those BPDUs to prevent them from reaching Switch 2, and the state of both the interfaces is up.
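The shutdown and drop behaviors verified above, together with disable-timeout and the manual clear, can be followed in a small Python model. This is an added example, not Juniper code or Junos output: the frame bytes, the PC MAC address, and the class and function names are constructed for illustration, and only untagged 802.3/LLC BPDUs are recognized.

```python
import struct
from dataclasses import dataclass
from typing import Optional

STP_DST_MAC = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                    # LLC DSAP/SSAP 0x42, control 0x03
BPDU_TYPES = {0x00: "config", 0x80: "tcn", 0x02: "rst/mst"}


def parse_bpdu(frame: bytes) -> Optional[dict]:
    """Return BPDU fields from an untagged 802.3/LLC frame, or None if not a BPDU."""
    if len(frame) < 21 or frame[0:6] != STP_DST_MAC:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:   # EtherType frame or other LLC user
        return None
    proto_id, version, bpdu_type = struct.unpack("!HBB", frame[17:21])
    if proto_id != 0 or bpdu_type not in BPDU_TYPES:
        return None
    info = {"src": frame[6:12].hex(":"), "version": version,
            "type": BPDU_TYPES[bpdu_type]}
    if bpdu_type != 0x80 and len(frame) >= 30:     # TCN BPDUs carry no root ID
        prio, mac = struct.unpack("!H6s", frame[22:30])
        info["root_id"] = f"{prio}.{mac.hex(':')}"
    return info


@dataclass
class Port:
    """Hypothetical model of one switch port with BPDU protection."""
    name: str
    mode: str = "none"                     # "shutdown", "drop" or "none"
    disable_timeout: Optional[int] = None  # seconds; None = wait for manual clear
    state: str = "forwarding"
    down_since: Optional[float] = None
    bpdus_dropped: int = 0

    def tick(self, now: float) -> None:
        """Return the port to service once disable-timeout has expired."""
        if (self.state == "bpdu-inconsistent" and self.disable_timeout is not None
                and now - self.down_since >= self.disable_timeout):
            self.clear_error()

    def clear_error(self) -> None:
        """Manual clear: re-enables the port, the protection config remains."""
        self.state, self.down_since = "forwarding", None

    def remove_protection(self) -> None:
        """Deleting the configuration does not re-enable a blocked port."""
        self.mode = "none"

    def receive(self, frame: bytes, now: float) -> str:
        """Apply the configured BPDU protection to one frame received at `now`."""
        self.tick(now)
        if self.state == "bpdu-inconsistent":
            return "discarded: port down"
        if parse_bpdu(frame) is None:
            return "forwarded"
        if self.mode == "shutdown":
            self.state, self.down_since = "bpdu-inconsistent", now
            return "bpdu received: port shut down"
        if self.mode == "drop":
            self.bpdus_dropped += 1
            return "bpdu dropped: port stays up"
        return "bpdu accepted"             # default: BPDUs are accepted and processed


# --- Constructed sample frames (not captured traffic) ---
PC_MAC = bytes.fromhex("020000000005")     # made-up locally administered address
CONFIG_BPDU = (STP_DST_MAC + PC_MAC + struct.pack("!H", 38) + LLC_STP +
               struct.pack("!HBBBH6sIH6sHHHHH", 0, 0, 0, 0, 32768, PC_MAC, 0,
                           32768, PC_MAC, 0x8001, 0, 20 * 256, 2 * 256, 15 * 256))
DATA_FRAME = (bytes.fromhex("001122334455") + PC_MAC + b"\x08\x00" +
              b"\x45" + bytes(45))         # Ethernet II / IPv4 stub


def run_scenario() -> list:
    """Replay both scenarios side by side; returns (time, port, result) tuples."""
    shut = Port("ge-0/0/5.0", mode="shutdown", disable_timeout=600)
    drop = Port("ge-0/0/6.0", mode="drop")
    events = [(0, shut, DATA_FRAME), (10, shut, CONFIG_BPDU),
              (20, shut, DATA_FRAME), (610, shut, DATA_FRAME),
              (620, shut, CONFIG_BPDU),
              (10, drop, CONFIG_BPDU), (20, drop, DATA_FRAME)]
    return [(t, p.name, p.receive(f, t)) for t, p, f in events]


if __name__ == "__main__":
    print(parse_bpdu(CONFIG_BPDU))
    for row in run_scenario():
        print(*row)
```

The second BPDU at t=620 shuts the port down again, which is why the sender has to be fixed rather than the port repeatedly cleared.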

Release History Table
Release
Description
Starting with Junos OS Release 15.1 for EX Series and QFX Series switches with support for the Enhanced Layer 2 Software (ELS) configuration style, you can also configure BPDU protection globally on all spanning tree interfaces.