Ethernet Switching

spanning-tree bpdufilter

‎10-10-2011 12:00 AM

Hi

 

We have Juniper EX4200 virtual chassis installed in the network with MSTP configured. 

Everything works fine. But I do need the following feature: I need some ports to neither send nor receive BPDUs, but still participate in traffic forwarding.

On Cisco switches I would do the following configuration on the interface: 

 

spanning-tree portfast
spanning-tree bpdufilter enable

Of course, I must be aware that the port doesn't cause a loop. It transitions to the forwarding state quickly, doesn't send BPDUs, and filters BPDUs coming to it while still forwarding other traffic. In contrast, bpduguard sends the port to the err-disabled state when it receives BPDUs, thus stopping traffic forwarding.

As far as I know, Juniper's analogue of Cisco's 'spanning-tree portfast' is setting the 'edge' option on the port, and the 'bpduguard' analogue is BPDU protection. But the first option is intended for fast port state transition, while the second locks down the port on receiving BPDUs. Without the BPDU protection feature enabled and with STP disabled on the port, the port still transparently forwards BPDUs to the network, which may cause port inconsistency and some instability in the network. But I haven't found any option in Junos that is similar to Cisco's bpdufilter option. Googling and searching through the forum and documentation didn't give me results, except creating a MAC filter as follows:

family ethernet-switching {
    filter BPDU_FILTER {
        term discard-bpdu {
            from {
                destination-mac-address {
                    01:80:c2:00:00:00;
                    01:00:0c:cc:cc:cd;
                }
            }
            then {
                discard;
                count BPDU_FILTER;
            }
        }
        term allow-other {
            then accept;
        }
    }
}

and applying it to the interface. STP should be disabled on the interface as well.

So, it seems to be a simple workaround, but is there any better option for performing the task I need?

2 REPLIES 2

Re: spanning-tree bpdufilter

‎10-10-2011 04:02 AM

Hi Jadmin,

 

AFAIK, your workaround is the only solution to implement bpdufilter-like functionality on EX now. Yes, it would make sense to see a Junos enhancement here.

jtb

Solution
Accepted by topic author Jadmin
‎08-26-2015 01:27 AM

Re: spanning-tree bpdufilter

‎10-13-2011 11:39 PM

Well then. For lack of other options, I am using the following filter from my previous message:

set firewall family ethernet-switching filter bpdufilter term discard-bpdu from destination-mac-address 01:80:c2:00:00:00/48
set firewall family ethernet-switching filter bpdufilter term discard-bpdu from destination-mac-address 01:00:0c:cc:cc:cd/48
set firewall family ethernet-switching filter bpdufilter term discard-bpdu then discard
set firewall family ethernet-switching filter bpdufilter term discard-bpdu then count BPDU_FILTER
set firewall family ethernet-switching filter bpdufilter term allow-other then accept
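
The filter's match logic modelled in Python, as an added example that is not part of the original posts: it evaluates constructed frames against the two destination MACs and shows that other link-local protocols such as LACP and LLDP still pass. Helper names and the sample frames are assumptions made for illustration.

```python
# Added illustration: a software model of the two-term filter from the thread.
# Helper names and all sample frames are constructed for this example.
from collections import Counter

# Destination MACs matched exactly (/48) by term discard-bpdu.
DISCARD_DST = {
    bytes.fromhex("0180c2000000"),  # IEEE bridge group address (STP/RSTP/MSTP)
    bytes.fromhex("01000ccccccd"),  # Cisco PVST+ address
}

def evaluate(frame: bytes, counters: Counter) -> str:
    """Return the action the filter takes on one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    if frame[0:6] in DISCARD_DST:      # term discard-bpdu
        counters["BPDU_FILTER"] += 1   # then count BPDU_FILTER
        return "discard"               # then discard
    return "accept"                    # term allow-other

def make_frame(dst_hex: str, type_or_len: int) -> bytes:
    """Constructed frame: destination, made-up source, type/length, zero payload."""
    src = bytes.fromhex("020000000001")
    return bytes.fromhex(dst_hex) + src + type_or_len.to_bytes(2, "big") + bytes(46)

SAMPLES = {
    "ieee_bpdu": make_frame("0180c2000000", 0x0026),  # 802.3 length field
    "pvst_bpdu": make_frame("01000ccccccd", 0x0032),
    "lacp":      make_frame("0180c2000002", 0x8809),  # slow protocols
    "lldp":      make_frame("0180c200000e", 0x88CC),
    "arp_bcast": make_frame("ffffffffffff", 0x0806),
    "unicast":   make_frame("020000000002", 0x0800),
}

def run_samples():
    """Evaluate every sample; return per-frame actions and the counter value."""
    counters = Counter()
    actions = {name: evaluate(f, counters) for name, f in SAMPLES.items()}
    return actions, counters["BPDU_FILTER"]

if __name__ == "__main__":
    actions, hits = run_samples()
    for name, action in actions.items():
        print(f"{name:10s} {action}")
    print("BPDU_FILTER counter:", hits)
```

On the switch, the BPDU_FILTER counter defined in the filter plays the role of `hits` here: a value that keeps rising on a port shows that something on that port is sending BPDUs.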