BPDU filtering

what would you want to do with bpdus ? if you give  more detail, we can try to help to you

I want to enable BPDU filtering on my switch because it is connected with another switch that sends BPDU's and blocks our port. The only solution that i found is the bpdu-block.

Thnx!

I need a command like bpdu-filter like Cisco.

You can disable stp port for one link like "set protocols rstp interface ge-0/0/0.0 disable"
or you can use firewall filter for that 
http://forums.juniper.net/t5/Ethernet-Switching/spanning-tree-bpdufilter/td-p/113048

Thank you!!

Hi,

since we also needed this feature, we also used the firewall filters workaround and still use it.

However with some newer junos release there should now also be a drop function for bpdu-block which should behave the way like ciscos bpdufilter - although it is not that simple to configure..

---

user@switch# set protocols rstp interface ge-0/0/5.0 disable
user@switch# set protocols rstp interface ge-0/0/6.0 disable
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/5.0 drop
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/6.0 drop

---

https://www.juniper.net/techpubs/en_US/junos/topics/example/spanning-trees-bpdu-protection-no-stp-ex...

hi all,

koma_wu is right, the BPDU drop options is available from 12.2:

http://forums.juniper.net/t5/Ethernet-Switching/12-2-Filtering-BPDUs/m-p/161220

jtb

Can someone explain to me why you would filter/drop BPDUs as opposed to just disabling stp on the interface which would have the same effect?

The only difference from the switch would be that with the filter configured the switchport would still *send* BPDUs, but I'm not sure the benefit of this if the far side is an "untrusted" switch?

If someone looped this port back to the same switch, you'd still end up with a broadcast storm..

I cannot explain why somebody would want bpdu filter on an untrusted switch port. Seems like a horrible idea to me. I would want to know if someone looped a port on me. Instead I would guard root and possibly add storm control.

I don't believe that turning OFF STP will acheive the same affect as you claimed...

As a switch I will do one of two things upon receipt of an STP BPDU:

   -  If (x)STP is enabled, the switch will absorb the BPDU in the data-plane, punt it to the control-plane for processing and regenerate a new BPDU to forward upstream as a 'responsible xSTP citizen'

  -  If (x)STP is *disabled*, then BPDUs are simply seen as data-plane traffic that pass through the switch like any other frame.  

So one way to address the 'rogue device' sending BPDUs is to turn xSTP *on* and then enable 'edge mode' on that port so that BPDUs will always be blocked, but the port will remain active.  Another way would be to enable 'bpdu-guard' but this will block BPDUs and put the port into a 'bpdu error' state (refer to 'show interface <interface-name> extensive | match error' and/or 'show spanning-tree interface' and look for the port in question and it should be in a blocking state) and this error state will need to be cleared in order for the port to return to a forwarding state.

However, if you have no need for spanning-tree in your environment, but you have a device connected that is sending BPDUs (and you don't have the ability to stop the BPDUs from being generated from that device in the first-place) then you might want to block BPDUs from traversing the network and the command 'set protocols layer2-control bpdu-block interface <interface-name> gives you the ability to block BPDUs without having to create a firewall filter and apply it to an interface nor enable spanning-tree to achieve the same affect plus possibily incur other unwanted side-effects from adding STP to your enivronment just for the sake of BPDU blocking.  

Hope this helps.

SC