View Only


This community is currently under full moderation, meaning  all posts will be reviewed before appearing in the community. Please expect a brief delay—there is no need to post multiple times. If your post is rejected, you'll receive an email outlining the reason(s). We've implemented full moderation to control spam. Thank you for your patience and participation.

  • 1.  splitting Spanning-tree domains; how to block BPDU packets

    Posted 10-14-2009 05:03



    excuse me, this is my first post.skip to  ------fast question------ for a quick question, read on for long explanation


    I have an existing (other-vendor) network with spanning tree running and multiple vlans, so I place new juniper switches ex4200 and make a new rstp domain.

     This existing network has a spanning tree running, and I would like my to keep it running (no-downtime) if one of my switches reboots.

    I want to make some of the vlans in the existing network available on my switches without the spanning tree hassle so I create access-ports in the existing network and access ports in the juniper and connect themper vlan.


    If I was to make a BPDU guard, my accessport would be disabled every time a BPDU came through. and connectivity to the streched vlan would be interrupted.

    So I choose "protocol rstp interface ge-x/x/x disable" but this does not prevent BPDU coming into my RSTP domain.

    So now my new RSTP domain thinks the root-bridge is in the existing network (because of priorities) 


    OS version 9.5R2.7 by the way

    I am hoping for an answer that includes an ethernet firewall rule type filter.

     ------fast question------

    Is it possible on a juniper ex 4200 switch to make a filter to prevent BPDU from entering on a access-port without disabling the port completely? if so, how?


  • 2.  RE: splitting Spanning-tree domains; how to block BPDU packets
    Best Answer

    Posted 10-14-2009 10:06

    "A bridge sends a BPDU frame using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00." (Wikipedia)




    firewall  {

    family ethernet-switching {
        filter foo {
            term 1 {
                from {
                    destination-mac-address {
                then discard;

    ought to work *if* the interface does not have a layer 3 family configured on it. And if you have layer 3 configured on it, you don't have to worry about STP (mostly).


    We're combining a large old Cisco PVST+ STP domain ("empire" is a better word) with a new large Juniper RSTP (for now) domain. The native VLANs are separated by Layer 3 links, so the old and new native VLAN STP domains simply can't see each other. Sooner or later, we will have to link the old and new domains with some Layer 2 trunks, but we will have to be careful to not loop the Juniper network or it will block a port. That should be easy, our new core is routed, and runs OSPF; the old core was all-switched "router-on-a-stick", which was very prone to meltdowns caused by STP problems.

    Message Edited by wsanders on 10-14-2009 10:15 AM
    Message Edited by wsanders on 10-14-2009 10:16 AM


  • 3.  RE: splitting Spanning-tree domains; how to block BPDU packets

    Posted 12-18-2009 10:31

    Just a followup: We have now configured mstp instead of rstp as the default on all of our EX's, simply with no options in most cases:


    protocols {






    In the case where we want to run a Cisco-legacy  VLAN "through" the EX's, we break out the VLAN into its own MSTP domain:


    mstp {
        msti 148 {
            vlan 148;


    We still have PVST+ running on the Ciscos, but as long as we don't make a loop that goes Cisco - Juniper - Juniper - Cisco  or Juniper - Cisco -Cisco - Juniper we're OK.