Example: Configuring BPDU Protection on STP Interfaces to Prevent STP Miscalculations on EX Series Switches
EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Configure BPDU protection on interfaces to prevent them from receiving BPDUs that could result in STP misconfigurations, which could lead to network outages.
This example describes how to configure BPDU protection on access interfaces on an EX Series switch in an RSTP topology:
Requirements
This example uses the following hardware and software components:
- Junos OS Release 9.1 or later for EX Series switches
- Two EX Series switches in an RSTP topology
Before you configure the interfaces on Switch 2 for BPDU protection, be sure you have:
- RSTP operating on the switches.
 | Note: By default, RSTP is enabled on all EX Series switches. |
Overview and Topology
A loop-free network is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces in an STP, RSTP, or MSTP topology, however, can lead to network outages by triggering an STP misconfiguration. To prevent such outages, enable BPDU protection on those interfaces that should not receive BPDUs.
Enable BPDU protection on switch interfaces connected to user devices or on interfaces on which no BPDUs are expected, such as edge ports. If a BPDU is received on a BPDU-protected interface, the interface is disabled and stops forwarding frames.
Two EX Series switches are displayed in Figure 1. In this example, Switch 1 and Switch 2 are configured for RSTP and create a loop-free topology. The interfaces on Switch 2 are access ports.
This example shows you how to configure interface ge-0/0/5 and interface ge-0/0/6 as edge ports and to configure BPDU protection. When BPDU protection is enabled, the interfaces will transition to a blocking state when BPDUs are received on them.
Figure 1: BPDU Protection Topology
Table 1 shows the components that will be configured for BPDU protection.
Table 1: Components of the Topology for Configuring BPDU Protection on EX Series Switches
Property | Settings |
|---|---|
Switch 1 (Distribution Layer) | Switch 1 is connected to Switch 2 on a trunk interface. |
Switch 2 (Access Layer) | Switch 2 has these access ports that require BPDU protection:
|
This configuration example is using an RSTP topology. You also can configure BPDU protection for STP or MSTP topologies at the [edit protocols (mstp | stp)] hierarchy level.
Configuration
To configure BPDU protection on two access interfaces:
CLI Quick Configuration
To quickly configure BPDU protection on Switch 2, copy the following commands and paste them into the switch terminal window:
[edit] set protocols rstp
interface ge-0/0/5 edge
set protocols rstp interface ge-0/0/6 edge
set protocols
rstp bpdu-block-on-edge Step-by-Step Procedure
To configure BPDU protection:
- Configure interface ge-0/0/5 and interface ge-0/0/6 on Switch 2 as edge ports:
[edit protocols rstp]
user@switch# set interface ge-0/0/5 edge
user@switch#set interface ge-0/0/6 edge - Configure BPDU protection on all edge ports:
[edit protocols rstp]
user@switch# set bpdu-block-on-edge
Results
Check the results of the configuration:
Verification
To confirm that the configuration is working properly:
- Displaying the Interface State Before BPDU Protection Is Triggered
- Verifying That BPDU Protection is Working Correctly
Displaying the Interface State Before BPDU Protection Is Triggered
Purpose
Before BPDUs are being received from the PCs connected to interface ge-0/0/5 and interface ge-0/0/6, confirm the interface state.
Action
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface Port ID Designated Designated Port State Role
port ID bridge ID Cost
ge-0/0/0.0 128:513 128:513 32768.0019e2503f00 20000 BLK DIS
ge-0/0/1.0 128:514 128:514 32768.0019e2503f00 20000 BLK DIS
ge-0/0/2.0 128:515 128:515 32768.0019e2503f00 20000 BLK DIS
ge-0/0/3.0 128:516 128:516 32768.0019e2503f00 20000 FWD DESG
ge-0/0/4.0 128:517 128:517 32768.0019e2503f00 20000 FWD DESG
ge-0/0/5.0 128:518 128:518 32768.0019e2503f00 20000 FWD DESG
ge-0/0/6.0 128:519 128:519 32768.0019e2503f00 20000 FWD DESG
[output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows that ge-0/0/5.0 and interface ge-0/0/6.0 are designated ports in a forwarding state.
Verifying That BPDU Protection is Working Correctly
Purpose
In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0 . Verify that BPDU protection is configured on the interfaces.
Action
Use the operational mode command:
user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface Port ID Designated Designated Port State Role
port ID bridge ID Cost
ge-0/0/0.0 128:513 128:513 32768.0019e2503f00 20000 BLK DIS
ge-0/0/1.0 128:514 128:514 32768.0019e2503f00 20000 BLK DIS
ge-0/0/2.0 128:515 128:515 32768.0019e2503f00 20000 BLK DIS
ge-0/0/3.0 128:516 128:516 32768.0019e2503f00 20000 FWD DESG
ge-0/0/4.0 128:517 128:517 32768.0019e2503f00 20000 FWD DESG
ge-0/0/5.0 128:518 128:518 32768.0019e2503f00 20000 BLK DIS (Bpdu—Incon)
ge-0/0/6.0 128:519 128:519 32768.0019e2503f00 20000 BLK DIS (Bpdu—Incon)
ge-0/0/7.0 128:520 128:1 16384.00aabbcc0348 20000 FWD ROOT
ge-0/0/8.0 128:521 128:521 32768.0019e2503f00 20000 FWD DESG
[output truncated]
Meaning
When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state makes the interfaces block and prevents them from forwarding traffic.
Disabling the BPDU protection configuration on an interface does not unblock the interface. If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires. Otherwise, use the operational mode command clear ethernet-switching bpdu-error to unblock the interface.
If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state. In such cases, you need to find and repair the misconfiguration on the PCs that is triggering BPDUs being sent to Switch 2.
Related Topics
- Example: Configuring Faster Convergence and Improving Network Stability with RSTP on EX Series Switches
- Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches
- Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree on EX Series Switches
- Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees on EX Series Switches
- Understanding BPDU Protection for STP, RSTP, and MSTP on EX Series Switches
