Example: Configuring BPDU Protection on Edge Interfaces to Prevent STP Miscalculations on EX Series Switches

Requirements

• Two EX Series switches in an RSTP topology
• Junos OS Release 9.1 or later for EX Series switches

• RSTP enabled on the switches.

Note: By default, RSTP is enabled on all EX Series switches.

Overview and Topology

The switches, being in an RSTP topology, support a loop-free network through the exchange of BPDUs. Receipt of outside BPDUs in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on STP interfaces that could receive outside BPDUs. If an outside BPDU is received on a BPDU-protected interface, the interface shuts down to prevent the outside BPDU from accessing the STP interface.

Figure 1 shows the topology for this example. In this example, Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The interfaces on Switch 2 are edge access ports—edge access ports frequently receive outside BPDUs generated by PC applications.

This example configures interface ge-0/0/5.0 and interface ge-0/0/6.0 as edge ports on Switch 2, and then configures BPDU protection on those ports. With BPDU protection enabled, these interfaces shut down when they encounter an outside BPDU sent by the PCs connected to Switch 2.

Figure 1: BPDU Protection Topology

Table 1 shows the components that will be configured for BPDU protection.

This configuration example uses RSTP topology. You also can configure BPDU protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.

Configuration

To configure BPDU protection on two access interfaces:

CLI Quick Configuration

Quickly configure RSTP on the two Switch 2 interfaces, and then configure BPDU protection on all edge ports on Switch 2 by copying the following commands and pasting them into the switch terminal window:

Step-by-Step Procedure

1. Configure RSTP on interface ge-0/0/5.0 and interface ge-0/0/6.0, and configure them as edge ports:
   [edit protocols rstp]
user@switch# set interface ge-0/0/5.0 edge
user@switch# set interface ge-0/0/6.0 edge
2. Configure BPDU protection on all edge ports on this switch:
   [edit protocols rstp]
user@switch# set bpdu-block-on-edge


Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly:

• Displaying the Interface State Before BPDU Protection Is Triggered
• Verifying That BPDU Protection Is Working Correctly

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before BPDUs can be received from PCs connected to interface ge-0/0/5.0 and interface ge-0/0/6.0, confirm the interface state.

Action

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00     20000  FWD    DESG 
[output truncated] 

Meaning

The output from the operational mode command show spanning-tree interface shows that ge-0/0/5.0 and interface ge-0/0/6.0 are ports in a forwarding state.

Verifying That BPDU Protection Is Working Correctly

Purpose

In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0 . Verify that BPDU protection is working on the interfaces.

Action

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/0.0     128:513      128:513  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/1.0     128:514      128:514  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/2.0     128:515      128:515  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/3.0     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/4.0     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/5.0     128:518      128:518  32768.0019e2503f00     20000  BLK    DIS (Bpdu—Incon)
ge-0/0/6.0     128:519      128:519  32768.0019e2503f00     20000  BLK    DIS (Bpdu—Incon)
ge-0/0/7.0     128:520        128:1  16384.00aabbcc0348     20000  FWD    ROOT 
ge-0/0/8.0     128:521      128:521  32768.0019e2503f00     20000  FWD    DESG 
[output truncated] 

Meaning

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state causes the interfaces to shut down.

Disabling the BPDU protection configuration on an interface does not automatically re-enable the interface. However, if the disable-timeout (Spanning Trees) statement has been included in the BPDU configuration, the interface does return to service after the timer expires. Otherwise, you must use the operational mode command clear ethernet-switching bpdu-error to unblock and re-enable the interface.

If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state, causing them to shut down. In such cases, you need to find and repair the misconfiguration on the PCs that is sending BPDUs to Switch 2.