The Spanning Tree Protocol (STP) family is designed to break possible loops in a Layer 2 bridged network. Loop prevention avoids damaging broadcast storms that can potentially render the network useless. STP processes on bridges exchange bridge protocol data units (BPDUs) to determine the LAN topology, decide the root bridge, stop forwarding on some ports, and so on. However, a misbehaving user application or device can interfere with the operation of the STPs and cause network problems.
On the MX-series routers only, you can configure BPDU protection to ignore BPDUs received on interfaces where none should be expected (for example, a LAN interface on a network edge with no other bridges present). If a BPDU is received on a blocked interface, the interface is disabled and stops forwarding frames. By default, all BPDUs are accepted and processed on all interfaces.
You can enable BPDU protection on individual interfaces or on all the edge ports of the bridge.
You can configure BPDU protection on interfaces with the following encapsulation types:
To configure BPDU blocking on one or more interfaces, include the bpdu-block statement:
    [edit protocols layer2-control]
    bpdu-block {
        interface interface-name;
        disable-timeout seconds;
    }
You can configure these statements at the following hierarchy levels:
To configure the interfaces on which the system should not expect to receive BPDUs, include the interface interface-name statement at the [edit protocols layer2-control bpdu-block] hierarchy level. You can apply this statement to aggregated Ethernet interfaces. By default, the system accepts all BPDUs received on any interface unless you include this statement. If you configure this statement for an interface and a BPDU is received on that interface, the system disables the interface and stops forwarding frames out the interface until the bridging process is restarted. You can alter this behavior with the disable-timeout statement.
To configure the amount of time that the system waits before re-enabling a blocked interface that has received a BPDU, include the disable-timeout seconds statement at the [edit protocols layer2-control bpdu-block] hierarchy level. By default, if a BPDU is received on a blocked interface, the system disables the interface and stops forwarding frames out the interface until the interface is cleared. With the disable-timeout statement, you specify the time the system waits before unblocking the interface that has received the BPDU. The range is from 10 through 3600 seconds (one hour). A disable-timeout value of 0 is allowed, but this results in the default behavior (the interface is blocked until the interface is cleared).
The following example, when used with a full bridge configuration with aggregated Ethernet, blocks BPDUs on aggregated interface ae0 for ten minutes (600 seconds) before enabling the interface again:
    [edit protocols layer2-control]
    bpdu-block {
        interface ae0;
        disable-timeout 600;
    }
You check the status of the interface with the show interfaces command. If the value of the BPDU Error field is Detected and the link is down, the interface is blocked. If the interface is enabled, the value of the BPDU Error field should be none.
You clear the blocked status of an interface with the clear error bpdu interface interface-name command. (Note that the disable-timeout interval will automatically clear interfaces after the specified interval unless the interval is 0.)
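The status check described above can be scripted. The following is an added example, not Juniper code: it scans saved show interfaces text for interfaces whose BPDU Error field is Detected while the link is down, and builds the matching clear command for each. The sample output is constructed, and its exact line layout is an assumption; only the BPDU Error field and the clear command come from this page.

```python
import re

# Constructed sample resembling `show interfaces` text output; the exact
# layout is an assumption, only the "BPDU Error" field comes from the page.
SAMPLE_OUTPUT = """\
Physical interface: ae0, Enabled, Physical link is Down
  Link-level type: Ethernet, MTU: 1514, Speed: Unspecified, BPDU Error: Detected,
  MAC-REWRITE Error: None, Loopback: Disabled
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled
Physical interface: ge-0/0/2, Enabled, Physical link is Down
  Link-level type: Ethernet, MTU: 1514, Speed: 1000mbps, BPDU Error: None,
  MAC-REWRITE Error: None, Loopback: Disabled
"""

HEADER = re.compile(r"^Physical interface:\s*(\S+?),.*Physical link is (\w+)", re.I)
BPDU = re.compile(r"BPDU Error:\s*(\w+)", re.I)


def parse_interfaces(text):
    """Return {name: {"link": "up"/"down", "bpdu_error": str or None}}."""
    result, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:  # a new interface section starts here
            current = m.group(1)
            result[current] = {"link": m.group(2).lower(), "bpdu_error": None}
            continue
        m = BPDU.search(line)
        if m and current is not None:
            result[current]["bpdu_error"] = m.group(1).lower()
    return result


def bpdu_blocked(text):
    """Interfaces that are blocked: BPDU Error is Detected and link is down."""
    ifaces = parse_interfaces(text)
    return sorted(n for n, s in ifaces.items()
                  if s["bpdu_error"] == "detected" and s["link"] == "down")


def clear_commands(text):
    """Operational commands (from the page) to clear each blocked interface."""
    return [f"clear error bpdu interface {n}" for n in bpdu_blocked(text)]


if __name__ == "__main__":
    print("\n".join(clear_commands(SAMPLE_OUTPUT)))
```

An interface that is down without a BPDU error (ge-0/0/2 in the sample) is not reported, so ordinary link failures are not mistaken for BPDU blocks.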
In some cases, the topology determined by one STP bridge protocol might differ from the topology determined by another STP family member. In this case, edge ports to MSTP (for example) might not be edge ports to VSTP. You can block a particular STP family member by blocking BPDU reception on edge ports that should not be receiving BPDUs. In contrast to the bpdu-block statement, bpdu-block-on-edge disables designated edge ports and does not enable them again.
To configure edge port blocking for a particular STP family member, include the bpdu-block-on-edge statement for mstp, rstp, or vstp:
    [edit]
    protocols {
        ( mstp | rstp | vstp ) {
            bpdu-block-on-edge;
            interface interface-name;
        }
    }
You can configure this statement at the following hierarchy levels:
You must still fully configure the interfaces and STP protocol.