BPDU filtering
Hello,
I have a switch EX3200-48T and I need to enable BPDU filtering on the interface. The only command that I see is the bpdu-block. Do you know any other commands?
Re: BPDU filtering
What would you want to do with BPDUs? If you give more detail, we can try to help you.
If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
Re: BPDU filtering
I want to enable BPDU filtering on my switch because it is connected with another switch that sends BPDUs and blocks our port. The only solution that I found is the bpdu-block.
Thanks!
Re: BPDU filtering
I need a command like bpdu-filter like Cisco.
Re: BPDU filtering
You can disable STP on the port for one link, like "set protocols rstp interface ge-0/0/0.0 disable",
or you can use a firewall filter for that:
http://forums.juniper.net/t5/Ethernet-Switching/spanning-tree-bpdufilter/td-p/113048
Re: BPDU filtering
Thank you!!
Re: BPDU filtering
Hi,
Since we also needed this feature, we also used the firewall filters workaround and still use it.
However, with some newer Junos release there should now also be a drop function for bpdu-block which should behave like Cisco's bpdufilter, although it is not that simple to configure.
user@switch# set protocols rstp interface ge-0/0/5.0 disable
user@switch# set protocols rstp interface ge-0/0/6.0 disable
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/5.0 drop
user@switch# set ethernet-switching-options bpdu-block interface ge-0/0/6.0 drop
Re: BPDU filtering
hi all,
koma_wu is right, the BPDU drop option is available from 12.2:
http://forums.juniper.net/t5/Ethernet-Switching/12-2-Filtering-BPDUs/m-p/161220
jtb
Re: BPDU filtering
Can someone explain to me why you would filter/drop BPDUs as opposed to just disabling stp on the interface which would have the same effect?
The only difference from the switch would be that with the filter configured the switchport would still *send* BPDUs, but I'm not sure the benefit of this if the far side is an "untrusted" switch?
If someone looped this port back to the same switch, you'd still end up with a broadcast storm.
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: BPDU filtering
I cannot explain why somebody would want bpdu filter on an untrusted switch port. Seems like a horrible idea to me. I would want to know if someone looped a port on me. Instead I would guard root and possibly add storm control.
Re: BPDU filtering
I don't believe that turning OFF STP will achieve the same effect as you claimed...
As a switch I will do one of two things upon receipt of an STP BPDU:
- If (x)STP is enabled, the switch will absorb the BPDU in the data-plane, punt it to the control-plane for processing and regenerate a new BPDU to forward upstream as a 'responsible xSTP citizen'
- If (x)STP is *disabled*, then BPDUs are simply seen as data-plane traffic that pass through the switch like any other frame.
So one way to address the 'rogue device' sending BPDUs is to turn xSTP *on* and then enable 'edge mode' on that port so that BPDUs will always be blocked, but the port will remain active. Another way would be to enable 'bpdu-guard' but this will block BPDUs and put the port into a 'bpdu error' state (refer to 'show interface <interface-name> extensive | match error' and/or 'show spanning-tree interface' and look for the port in question and it should be in a blocking state) and this error state will need to be cleared in order for the port to return to a forwarding state.
However, if you have no need for spanning-tree in your environment, but you have a device connected that is sending BPDUs (and you don't have the ability to stop the BPDUs from being generated from that device in the first place) then you might want to block BPDUs from traversing the network and the command 'set protocols layer2-control bpdu-block interface <interface-name>' gives you the ability to block BPDUs without having to create a firewall filter and apply it to an interface nor enable spanning-tree to achieve the same effect plus possibly incur other unwanted side-effects from adding STP to your environment just for the sake of BPDU blocking.
Hope this helps.
SC
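
Added example, not part of any post in this thread and not Juniper code: a Python sketch of how a capture-analysis script can recognise the frames a BPDU filter matches (bridge group MAC plus the STP LLC header) and tell a BPDU arriving on an edge port from one advertising a better root bridge, the condition the root-guard suggestion above is about. The function names, result labels, and sample bridge IDs are assumptions made for illustration.

```python
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")  # IEEE bridge group address used by STP/RSTP
LLC_STP = b"\x42\x42\x03"                     # DSAP 0x42, SSAP 0x42, UI control

def parse_bpdu(frame: bytes):
    """Return BPDU fields as a dict, or None when the frame is not an STP BPDU."""
    if len(frame) < 21 or frame[0:6] != STP_DST_MAC:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500 or frame[14:17] != LLC_STP:  # 802.3 length + LLC, not an EtherType
        return None
    proto, version, btype = struct.unpack("!HBB", frame[17:21])
    if proto != 0:
        return None
    info = {"src": frame[6:12].hex(":"), "version": version, "type": btype}
    if btype in (0x00, 0x02) and len(frame) >= 52:  # configuration or RST BPDU
        # skip the flags byte, then root ID, root path cost, sender bridge ID
        root_id, cost, bridge_id = struct.unpack("!x8sI8s", frame[21:42])
        info.update(root_id=root_id, root_cost=cost, bridge_id=bridge_id)
    return info

def classify(frame: bytes, current_root: bytes, edge_port: bool) -> str:
    """Label a received frame for a monitoring report (labels are hypothetical)."""
    bpdu = parse_bpdu(frame)
    if bpdu is None:
        return "data"
    if edge_port:
        return "bpdu-on-edge-port"      # unexpected: no bridge should sit behind this port
    if "root_id" in bpdu and bpdu["root_id"] < current_root:
        return "superior-root-claim"    # sender advertises a better (lower) root bridge ID
    return "bpdu-expected"

def sample_config_bpdu(src: bytes, root_id: bytes, bridge_id: bytes) -> bytes:
    """Constructed test input: a minimal 802.1D configuration BPDU frame."""
    bpdu = struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0x00, 0, root_id, 4, bridge_id,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)
    return STP_DST_MAC + src + struct.pack("!H", 3 + len(bpdu)) + LLC_STP + bpdu

# Constructed values: a bridge ID is a 2-byte priority followed by a 6-byte MAC
OUR_ROOT = bytes.fromhex("8000" "001122334455")
ROGUE = bytes.fromhex("0000" "02aabbccddee")

if __name__ == "__main__":
    frame = sample_config_bpdu(ROGUE[2:], ROGUE, ROGUE)
    print(classify(frame, OUR_ROOT, edge_port=False))
```

Bridge IDs compare as plain byte strings because the priority comes first, so a lower priority wins before the MAC address is considered.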