Example: Configuring BPDU Protection on non-STP Interfaces to Prevent STP Miscalculations on EX Series Switches

EX Series switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Configure BPDU protection on non-STP interfaces that are connected to switches with spanning trees to prevent the non-STP interfaces from receiving BPDUs. BPDUs received on non-STP interfaces can result in an STP misconfiguration, which could lead to network outages.

This example describes how to configure BPDU protection on non-STP interfaces on an EX Series switch.

Requirements

This example uses the following hardware and software components:

  • JUNOS Release 9.1 or later for EX Series switches
  • One EX Series switch in an RSTP topology
  • One EX Series switch that is not in a spanning-tree topology

Before you configure the interface for BPDU protection, be sure you have:

  • RSTP operating on Switch 1.
  • Disabled RSTP on Switch 2.

Note: By default, RSTP is enabled on all EX Series switches.

Overview and Topology

A loop-free network is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Receipt of BPDUs on certain interfaces can lead to network outages by triggering an STP miscalculation. Enable BPDU protection on those interfaces that should not receive BPDUs to prevent network outages.

BPDU protection for non-STP interfaces can be enabled on interfaces on a non-STP switch connected to an STP switch through a trunk interface. Enable BPDU protection on interfaces on which no BPDUs are expected, such as access ports connected to user devices. If BPDUs are received on a BPDU-protected interface, the interface transitions to a blocking state and stops forwarding frames.

Two EX Series switches are displayed in Figure 1. In this example, Switch 1 and Switch 2 are connected through a trunk interface. Switch 1 is configured for RSTP, but Switch 2 has no spanning tree. Switch 2 has two access ports: interface ge-0/0/5 and interface ge-0/0/6.

This example shows you how to configure BPDU protection on interface ge-0/0/5 and interface ge-0/0/6. When BPDU protection is enabled, the interfaces will transition to a blocking state if BPDUs are received.

Figure 1: BPDU Protection Topology

Table 1 shows the components that will be configured for BPDU protection.

Table 1: Components of the Topology for Configuring BPDU Protection on EX Series Switches

Property                        Settings

Switch 1 (Distribution Layer)   Switch 1 is connected to Switch 2 through a trunk interface. Switch 1 is configured for RSTP.

Switch 2 (Access Layer)         Switch 2 has RSTP disabled and has these access ports that require BPDU protection:
                                  • ge-0/0/5
                                  • ge-0/0/6

Caution: When configuring BPDU protection on a non-STP configured switch connected to an STP-configured switch, be careful that you do not configure BPDU protection on all interfaces. Doing so could prevent BPDUs being received on interfaces (such as a trunk interface) that should be receiving BPDUs from an STP-configured switch.

Configuration

To configure BPDU protection on the interfaces:

CLI Quick Configuration

To quickly configure BPDU protection on Switch 2, copy the following commands and paste them into the switch terminal window:


    [edit]
    set ethernet-switching-options bpdu-block interface ge-0/0/5
    set ethernet-switching-options bpdu-block interface ge-0/0/6

Step-by-Step Procedure

To configure BPDU protection:

1. Configure interface ge-0/0/5 and interface ge-0/0/6 on Switch 2:

      [edit ethernet-switching-options]
      user@switch# set bpdu-block interface ge-0/0/5
      user@switch# set bpdu-block interface ge-0/0/6

Results

Check the results of the configuration:

    user@switch> show ethernet-switching-options
    bpdu-block {
        interface ge-0/0/5.0;
        interface ge-0/0/6.0;
    }
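
The Caution above can be checked mechanically. The following Python is an added example, not Juniper code: it parses the bpdu-block stanza as displayed in Results and compares it with the intended port roles. The trunk name ge-0/0/23 and the function names are assumptions; the page does not name the trunk interface.

```python
import re

# Constructed input: the bpdu-block stanza as displayed in Results.
SAMPLE_CONFIG = """\
bpdu-block {
    interface ge-0/0/5.0;
    interface ge-0/0/6.0;
}
"""

def bpdu_block_interfaces(config_text):
    """Return interface names (logical unit stripped) listed in bpdu-block."""
    names, depth = set(), 0
    for line in config_text.splitlines():
        line = line.strip()
        if depth == 0:
            if re.match(r"bpdu-block\s*\{$", line):
                depth = 1
            continue
        m = re.match(r"interface\s+([\w/:-]+?)(?:\.\d+)?\s*;$", line)
        if m and depth == 1:
            names.add(m.group(1))
        depth += line.count("{") - line.count("}")
    return names

def audit(config_text, access_ports, stp_facing_ports):
    """Compare the bpdu-block list with the intended role of each port."""
    blocked = bpdu_block_interfaces(config_text)
    # Assumption: "interface all" in the stanza protects every interface.
    everything = "all" in blocked
    return {
        # Access ports that would still accept BPDUs from a user device.
        "unprotected_access": sorted(
            p for p in access_ports if not everything and p not in blocked),
        # Ports that must keep receiving BPDUs from the STP switch but would
        # be blocked by the first BPDU that arrives (the Caution above).
        "protected_stp_facing": sorted(
            p for p in stp_facing_ports if everything or p in blocked),
    }

if __name__ == "__main__":
    # ge-0/0/23 is a hypothetical name for the trunk to Switch 1.
    print(audit(SAMPLE_CONFIG, ["ge-0/0/5", "ge-0/0/6"], ["ge-0/0/23"]))
```

Both lists are empty for the configuration in this example; a non-empty list is a finding to fix before committing.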

Verification

To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before BPDU Protection Is Triggered

Purpose

Before any BPDUs are received from the PCs connected to interface ge-0/0/5 and interface ge-0/0/6, confirm the interface state.

Action

Use the operational mode command:


     
    Interface   State    VLAN members           Blocking 
    ge-0/0/0.0  down     default                unblocked
    ge-0/0/1.0  down     default                unblocked
    ge-0/0/2.0  down     default                unblocked
    ge-0/0/3.0  up       default                unblocked
    ge-0/0/4.0  up       v1                     unblocked
    ge-0/0/5.0  up       v1                     unblocked
    ge-0/0/6.0  up       default                unblocked
    [output truncated]
    

Meaning

The output from the operational mode command show ethernet-switching interfaces shows that interface ge-0/0/5.0 and interface ge-0/0/6.0 are up and unblocked.

Verifying That BPDU Protection Is Working Correctly

Purpose

In this example, the PCs connected to Switch 2 start sending BPDUs to interface ge-0/0/5.0 and interface ge-0/0/6.0. Verify that BPDU protection is configured on the interfaces.

Action

Use the operational mode command:


    Interface   State    VLAN members           Blocking 
    ge-0/0/0.0  up       default                unblocked
    ge-0/0/1.0  up       default                unblocked
    ge-0/0/2.0  up       default                unblocked
    ge-0/0/3.0  up       default                unblocked
    ge-0/0/4.0  up       v1                     unblocked
    ge-0/0/5.0  down     v1                     blocked - blocked by bpdu-control
    ge-0/0/6.0  down     default                blocked - blocked by bpdu-control
    [output truncated]
    

Meaning

When BPDUs are sent from the PCs to interface ge-0/0/5.0 and interface ge-0/0/6.0 on Switch 2, the output from the operational mode command show spanning-tree interface shows that the interfaces have transitioned to a BPDU inconsistent state. The BPDU inconsistent state makes the interfaces shut down and prevents them from forwarding traffic.

Disabling the BPDU protection configuration on an interface does not unblock the interface. If the disable-timeout statement has been included in the BPDU configuration, the interface automatically returns to service after the timer expires. Otherwise, use the operational mode command clear ethernet-switching bpdu-error to recover from the error condition and restore the interface to service.

If the PCs connected to Switch 2 send BPDUs to the interfaces again, BPDU protection is triggered once more and the interfaces transition back to the BPDU inconsistent state. In such cases, you need to find and repair the misconfiguration on the PCs that is triggering BPDUs being sent to Switch 2.
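
For monitoring, the Blocking column is the signal to watch: a port blocked by bpdu-control means a device on an access port sent BPDUs. The Python below is an added example, not Juniper tooling; it parses constructed excerpts of the two tables above and reports ports that became blocked between snapshots. The function names are assumptions.

```python
import re

# Constructed input: excerpts of the two tables shown under Verification.
BEFORE = """\
Interface   State    VLAN members           Blocking
ge-0/0/4.0  up       v1                     unblocked
ge-0/0/5.0  up       v1                     unblocked
ge-0/0/6.0  up       default                unblocked
[output truncated]
"""
AFTER = """\
Interface   State    VLAN members           Blocking
ge-0/0/4.0  up       v1                     unblocked
ge-0/0/5.0  down     v1                     blocked - blocked by bpdu-control
ge-0/0/6.0  down     default                blocked - blocked by bpdu-control
[output truncated]
"""

# One table row: interface, state, first VLAN name, free-text blocking reason.
ROW = re.compile(r"^(\S+)\s+(up|down)\s+(\S+)\s+(.+?)\s*$")

def parse_rows(text):
    """Map interface name -> (state, vlan, blocking); skip header and notes."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group(1)] = m.groups()[1:]
    return rows

def bpdu_blocked(text):
    """Interfaces whose Blocking column names bpdu-control as the reason."""
    return sorted(i for i, (_, _, why) in parse_rows(text).items()
                  if "bpdu-control" in why)

def newly_blocked(before, after):
    """Interfaces that BPDU protection shut down between two snapshots."""
    return sorted(set(bpdu_blocked(after)) - set(bpdu_blocked(before)))

if __name__ == "__main__":
    for ifname in newly_blocked(BEFORE, AFTER):
        state, vlan, why = parse_rows(AFTER)[ifname]
        print(f"ALERT {ifname} vlan={vlan} state={state}: {why}")
```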


Published: 2009-10-08
