10-14-2009 05:03 AM
Hi,
excuse me, this is my first post. Skip to ------fast question------ for a quick question, read on for the long explanation.
I have an existing (other-vendor) network with spanning tree running and multiple vlans, so I place new juniper switches ex4200 and make a new rstp domain.
This existing network has a spanning tree running, and I would like it to keep running (no downtime) if one of my switches reboots.
I want to make some of the VLANs in the existing network available on my switches without the spanning tree hassle, so I create access ports in the existing network and access ports on the Juniper and connect them per VLAN.
If I were to use BPDU guard, my access port would be disabled every time a BPDU came through, and connectivity to the stretched VLAN would be interrupted.
So I choose "protocol rstp interface ge-x/x/x disable" but this does not prevent BPDU coming into my RSTP domain.
So now my new RSTP domain thinks the root-bridge is in the existing network (because of priorities)
OS version 9.5R2.7 by the way
I am hoping for an answer that includes an ethernet firewall rule type filter.
------fast question------
Is it possible on a Juniper EX4200 switch to make a filter to prevent BPDUs from entering on an access port without disabling the port completely? If so, how?
10-14-2009 10:05 AM - edited 10-14-2009 10:16 AM
"A bridge sends a BPDU frame using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00." (Wikipedia)
So,
firewall {
    family ethernet-switching {
        filter foo {
            term 1 {
                from {
                    destination-mac-address {
                        01:80:c2:00:00:00;
                    }
                }
                then discard;
            }
            /* a filter ends in an implicit discard, so everything else needs an explicit accept */
            term 2 {
                then accept;
            }
        }
    }
}
ought to work *if* the interface does not have a layer 3 family configured on it. And if you have layer 3 configured on it, you don't have to worry about STP (mostly).
We're combining a large old Cisco PVST+ STP domain ("empire" is a better word) with a new large Juniper RSTP (for now) domain. The native VLANs are separated by Layer 3 links, so the old and new native VLAN STP domains simply can't see each other. Sooner or later, we will have to link the old and new domains with some Layer 2 trunks, but we will have to be careful to not loop the Juniper network or it will block a port. That should be easy, our new core is routed, and runs OSPF; the old core was all-switched "router-on-a-stick", which was very prone to meltdowns caused by STP problems.
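The filter in the answer above, written out as a complete, committable configuration and applied to an access port. This is an added example, not the poster's configuration; the filter name `block-bpdu`, the counter name, the interface `ge-0/0/10` and VLAN `vlan148` are assumed. Because the thread's legacy side runs Cisco PVST+, a second term covers the Cisco per-VLAN (SSTP) BPDU group address 01:00:0c:cc:cc:cd, which the IEEE address alone does not match.

```junos
firewall {
    family ethernet-switching {
        filter block-bpdu {
            /* IEEE 802.1D/802.1w/802.1s BPDUs: reserved group address */
            term drop-ieee-bpdu {
                from {
                    destination-mac-address {
                        01:80:c2:00:00:00;
                    }
                }
                then {
                    count bpdu-ieee-dropped;   /* counter: shows whether the neighbour keeps sending BPDUs */
                    discard;
                }
            }
            /* Cisco PVST+ per-VLAN BPDUs use the SSTP group address */
            term drop-pvst-bpdu {
                from {
                    destination-mac-address {
                        01:00:0c:cc:cc:cd;
                    }
                }
                then {
                    count bpdu-pvst-dropped;
                    discard;
                }
            }
            /* without this term the implicit discard would drop all other traffic on the port */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/10 {                          /* assumed: access port facing the legacy network */
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members vlan148;     /* assumed VLAN name */
                }
                filter {
                    input block-bpdu;    /* ingress only: our own BPDUs are not sent, since RSTP is disabled here */
                }
            }
        }
    }
}
```

After the commit, `show firewall` displays the two counters; a non-zero value confirms that the far side is still sending BPDUs and that they are being discarded before reaching the local RSTP domain. Note the trade-off: once BPDUs are dropped on this port, neither side's spanning tree can detect a loop through it, so a mis-patched cable between the two networks is no longer self-healing. Keeping exactly one access link per stretched VLAN and enabling storm control on that port limits the damage if that happens.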
12-18-2009 10:30 AM
Just a followup: We have now configured mstp instead of rstp as the default on all of our EX's, simply with no options in most cases:
protocols {
...
mstp;
...
}
In the case where we want to run a Cisco-legacy VLAN "through" the EX's, we break out the VLAN into its own MSTP domain:
mstp {
msti 148 {
vlan 148;
}
}
We still have PVST+ running on the Ciscos, but as long as we don't make a loop that goes Cisco - Juniper - Juniper - Cisco or Juniper - Cisco - Cisco - Juniper we're OK.
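The MSTP arrangement from the follow-up, expanded into a full stanza as an added example (not the poster's configuration). The region name `EX-REGION-1`, the revision level, the bridge priority and the interface `ge-0/0/10` are assumed; the per-VLAN instance `msti 148` is the one the follow-up describes. The `no-root-port` setting on the legacy-facing port addresses the original poster's symptom of the root bridge ending up on the other vendor's side: a superior BPDU received there is ignored for root election instead of taking over the domain.

```junos
protocols {
    mstp {
        /* region parameters: every EX that should share this region must match all three exactly */
        configuration-name EX-REGION-1;
        revision-level 1;
        /* default instance (CIST) priority; lower wins the root election */
        bridge-priority 4k;
        /* the Cisco-legacy VLAN gets its own instance so its topology is computed separately */
        msti 148 {
            vlan 148;
            bridge-priority 16k;
        }
        /* port facing the legacy network: root protection */
        interface ge-0/0/10.0 {
            no-root-port;
        }
    }
}
```

`show spanning-tree interface` lists each port's role and state per instance, and a port held by root protection is reported as blocked for that instance rather than becoming a root port, which is the check to run after linking the two domains with a trunk.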