Ethernet Switching
Visitor
GridBug
Posts: 1
Registered: ‎10-14-2009
Accepted Solution

splitting Spanning-tree domains; how to block BPDU packets

Hi,

 

Excuse me, this is my first post. Skip to ------fast question------ for a quick question; read on for the long explanation.

 

I have an existing (other-vendor) network with spanning tree running and multiple VLANs, so I placed new Juniper EX4200 switches and made a new RSTP domain.

This existing network has a spanning tree running, and I would like it to keep running (no downtime) if one of my switches reboots.

I want to make some of the VLANs in the existing network available on my switches without the spanning-tree hassle, so I create access ports in the existing network and access ports on the Juniper and connect them per VLAN.

 

If I were to configure BPDU guard, my access port would be disabled every time a BPDU came through, and connectivity to the stretched VLAN would be interrupted.

So I chose "protocol rstp interface ge-x/x/x disable", but this does not prevent BPDUs from coming into my RSTP domain.

So now my new RSTP domain thinks the root bridge is in the existing network (because of priorities).

 

OS version 9.5R2.7, by the way.

I am hoping for an answer that includes an ethernet firewall rule type filter.

 ------fast question------

Is it possible on a Juniper EX4200 switch to make a filter that prevents BPDUs from entering on an access port without disabling the port completely? If so, how?

 

Trusted Contributor
wsanders
Posts: 88
Registered: ‎08-10-2009

Re: splitting Spanning-tree domains; how to block BPDU packets


"A bridge sends a BPDU frame using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00." (Wikipedia)

 

So,

 

firewall {
    family ethernet-switching {
        filter foo {
            term 1 {
                from {
                    destination-mac-address {
                        01:80:c2:00:00:00;
                    }
                }
                then discard;
            }
            /* Junos filters end in an implicit discard, so everything else must be accepted explicitly */
            term 2 {
                then accept;
            }
        }
    }
}

ought to work *if* the interface does not have a layer 3 family configured on it. And if you have layer 3 configured on it, you don't have to worry about STP (mostly).

 

We're combining a large old Cisco PVST+ STP domain ("empire" is a better word) with a new large Juniper RSTP (for now) domain. The native VLANs are separated by Layer 3 links, so the old and new native VLAN STP domains simply can't see each other. Sooner or later, we will have to link the old and new domains with some Layer 2 trunks, but we will have to be careful to not loop the Juniper network or it will block a port. That should be easy, our new core is routed, and runs OSPF; the old core was all-switched "router-on-a-stick", which was very prone to meltdowns caused by STP problems.

W Sanders
System and Network Administrator
St Marys College of California
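To see exactly what the filter above matches and what it lets through, here is an added example (not code from the thread or from Juniper) that builds a few constructed Ethernet frames and runs them through a small model of the ethernet-switching filter. It goes beyond the posted config in two places, both protocol facts rather than anything the thread states: a Junos firewall filter ends with an implicit discard, so a terminating accept term is needed or the access port drops all other traffic; and Cisco PVST+ BPDUs are sent to 01:00:0c:cc:cc:cd with a SNAP header, so a term matching only 01:80:c2:00:00:00 does not catch them. The frame builders, sample frames, source MAC and the filter model are assumptions made for illustration.

```python
"""Model of the thread's ethernet-switching filter, run over constructed frames.

Added example, not from the original post. The frame builders, SRC_MAC and the
filter model are illustrative assumptions; the destination MAC, LLC and SNAP
constants are the real IEEE 802.1D and Cisco PVST+ values.
"""
import struct

STP_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D Bridge Group Address (STP/RSTP/MSTP)
PVST_DST = bytes.fromhex("01000ccccccd")  # Cisco PVST+/SSTP address, not matched by the posted filter
SRC_MAC = bytes.fromhex("001122334455")   # constructed source address


def bpdu_body(version: int, bpdu_type: int) -> bytes:
    """Constructed BPDU body: protocol ID 0, version, type, then zeroed fields."""
    return struct.pack("!HBB", 0, version, bpdu_type) + bytes(32)


def ieee_frame(dst: bytes, src: bytes, llc_and_payload: bytes) -> bytes:
    """802.3 frame: a length field instead of an EtherType, followed by LLC."""
    return dst + src + struct.pack("!H", len(llc_and_payload)) + llc_and_payload


# Constructed sample frames.
RSTP_BPDU = ieee_frame(STP_DST, SRC_MAC, b"\x42\x42\x03" + bpdu_body(2, 2))
PVST_BPDU = ieee_frame(
    PVST_DST, SRC_MAC,
    b"\xaa\xaa\x03" + b"\x00\x00\x0c" + struct.pack("!H", 0x010B) + bpdu_body(0, 0),
)
ARP_REQUEST = bytes.fromhex("ffffffffffff") + SRC_MAC + struct.pack("!H", 0x0806) + bytes(28)


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and decide whether the frame carries a BPDU."""
    if len(frame) < 14:
        raise ValueError("short frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst": dst, "src": src, "ethertype": ethertype, "bpdu": False}
    # Values <= 0x05DC are an 802.3 length field; an LLC header follows.
    if ethertype <= 0x05DC and len(frame) >= 17:
        llc = frame[14:17]
        info["llc"] = llc
        if llc == b"\x42\x42\x03" and len(frame) >= 21:
            # IEEE STP: DSAP/SSAP 0x42, then protocol ID 0, version, BPDU type.
            proto_id, version, bpdu_type = struct.unpack("!HBB", frame[17:21])
            info["bpdu"] = proto_id == 0
            info["stp_version"] = version
            info["bpdu_type"] = bpdu_type
        elif llc == b"\xaa\xaa\x03" and len(frame) >= 22:
            # SNAP: OUI + PID. Cisco SSTP (PVST+) uses OUI 00:00:0c, PID 0x010b.
            oui, pid = frame[17:20], struct.unpack("!H", frame[20:22])[0]
            info["snap"] = (oui, pid)
            info["bpdu"] = oui == b"\x00\x00\x0c" and pid == 0x010B
    return info


# A term is (name, destination MACs to match or None for "match anything", action).
POSTED_FILTER = [
    ("1", {STP_DST}, "discard"),
    ("2", None, "accept"),  # required: without it the implicit discard drops everything else
]
EXTENDED_FILTER = [
    ("1", {STP_DST, PVST_DST}, "discard"),  # also catches Cisco PVST+ BPDUs
    ("2", None, "accept"),
]


def apply_filter(terms, frame: bytes):
    """Evaluate terms in order; fall through to the Junos implicit discard."""
    dst = frame[:6]
    for name, dsts, action in terms:
        if dsts is None or dst in dsts:
            return action, name
    return "discard", "implicit"


if __name__ == "__main__":
    for label, frame in (("RSTP BPDU", RSTP_BPDU), ("PVST+ BPDU", PVST_BPDU), ("ARP", ARP_REQUEST)):
        parsed = parse_frame(frame)
        print(label, "bpdu=%s" % parsed["bpdu"],
              "posted=%s/%s" % apply_filter(POSTED_FILTER, frame),
              "extended=%s/%s" % apply_filter(EXTENDED_FILTER, frame))
```

Running it shows the RSTP BPDU discarded by term 1 under both filters, the ARP request accepted by the terminating term, and the PVST+ BPDU accepted by the posted filter but discarded once its address is added. Dropping the accept term (`POSTED_FILTER[:1]`) sends every non-BPDU frame to the implicit discard, which is the failure mode to check for before applying such a filter to a production access port.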
Trusted Contributor
wsanders
Posts: 88
Registered: ‎08-10-2009

Re: splitting Spanning-tree domains; how to block BPDU packets

Just a follow-up: We have now configured MSTP instead of RSTP as the default on all of our EXs, simply with no options in most cases:

 

protocols {
    ...
    mstp;
    ...
}

 

In the case where we want to run a Cisco-legacy VLAN "through" the EXs, we break out the VLAN into its own MSTP instance:

 

mstp {
    msti 148 {
        vlan 148;
    }
}

 

We still have PVST+ running on the Ciscos, but as long as we don't make a loop that goes Cisco - Juniper - Juniper - Cisco or Juniper - Cisco - Cisco - Juniper, we're OK.
