Switching


Filtering RSTP BPDUs

  • 1.  Filtering RSTP BPDUs

     
    Posted 02-06-2021 14:26
    Hi.

    I'm trying to test RSTP's 6-second reaction to having stopped receiving BPDUs.

    I have two switches with 2 links between them and running RSTP. Switch 1 is the root switch.

    I have configured an input firewall filter on switch 2's root port to drop received BPDUs.

    set firewall family ethernet-switching filter block-bpdus term 1 from source-mac-address c0:bf:a7:ee:b7:00/48
    set firewall family ethernet-switching filter block-bpdus term 1 from destination-mac-address 01:80:c2:00:00:00/48
    set firewall family ethernet-switching filter block-bpdus term 1 then discard
    set firewall family ethernet-switching filter block-bpdus term 1 then count dj-drop
    set firewall family ethernet-switching filter block-bpdus term 2 then accept

    I see drop counter increasing, but the root port never goes blocking.

    lab@ex2# run show firewall

    Filter: block-bpdus
    Counters:
    Name          Bytes    Packets
    accepted          0          0
    dj-drop       14336        224

    {master:0}[edit]
    lab@ex2# run show spanning-tree interface ge-0/0/1

    Spanning tree interface parameters for instance 0

    Interface  Port ID  Designated  Designated         Port   State  Role
                        port ID     bridge ID          Cost
    ge-0/0/1   128:490  128:490     4096.c0bfa7eeb700  20000  FWD    ROOT


    Why is this port refusing to go down?


    Thanks,
    Deepak
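    Added here as a worked example (not part of Deepak's or Randall's posts, and not Junos code): a small Python model of what the filter is meant to achieve. It identifies a BPDU on the wire (STP multicast destination 01:80:c2:00:00:00 plus the LLC header 42 42 03), builds a sample RST BPDU as the root bridge shown above would send it (source MAC c0:bf:a7:ee:b7:00, bridge ID 4096.c0bfa7eeb700), and replays a timeline of those BPDUs through a stand-in for the input filter to show the 3 x Hello Time aging of the root port's received information (6 s at the default 2 s hello). The timestamps, the flags value 0x3c, the filter switch-on time and the drop rule are constructed assumptions; the code models 802.1w aging on a host and says nothing about why the switch did or did not drop the frames.

```python
import struct
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Values taken from the thread: STP multicast destination and the root bridge (switch 1).
STP_MULTICAST = bytes.fromhex("0180c2000000")        # 01:80:c2:00:00:00
ROOT_MAC = bytes.fromhex("c0bfa7eeb700")             # c0:bf:a7:ee:b7:00
ROOT_BRIDGE_ID = bytes.fromhex("1000c0bfa7eeb700")   # priority 4096 + MAC, as switch 2 displays it
LLC_STP = bytes([0x42, 0x42, 0x03])                  # DSAP/SSAP 0x42, UI control field


@dataclass
class Bpdu:
    version: int       # 0 = STP, 2 = RSTP
    bpdu_type: int     # 0x00 config, 0x02 RST, 0x80 TCN
    root_id: bytes
    hello_time: float  # seconds
    max_age: float     # seconds


def parse_bpdu(frame: bytes) -> Optional[Bpdu]:
    """Decode an 802.1D/802.1w BPDU from a raw Ethernet frame, or return None.

    The destination MAC is all the filter in the thread matches on; the 802.3
    length field and the LLC header 42 42 03 confirm the payload is STP.
    """
    if len(frame) < 14 + 3 + 35:                     # Ethernet header + LLC + config BPDU
        return None
    dst, length = frame[:6], struct.unpack("!H", frame[12:14])[0]
    if dst != STP_MULTICAST or length > 1500:        # not STP multicast / not an 802.3 length
        return None
    if frame[14:17] != LLC_STP:
        return None
    body = frame[17:]
    proto, version, bpdu_type = struct.unpack("!HBB", body[:4])
    if proto != 0:
        return None
    (_flags, root_id, _cost, _bridge_id, _port_id,
     _msg_age, max_age, hello, _fwd) = struct.unpack("!B8sI8sHHHHH", body[4:35])
    return Bpdu(version, bpdu_type, root_id, hello / 256, max_age / 256)  # timers are 1/256 s units


def build_rst_bpdu(src_mac: bytes, bridge_id: bytes, port_id: int = 0x8000 | 490,
                   hello_time: float = 2.0, max_age: float = 20.0,
                   fwd_delay: float = 15.0) -> bytes:
    """Construct an RST BPDU as a root bridge sends it on a designated port.

    Flags 0x3c (assumed) mark the sending port designated, learning and forwarding.
    """
    body = struct.pack("!HBB", 0, 2, 2)              # protocol 0, version 2 (RSTP), RST BPDU type
    body += struct.pack("!B8sI8sHHHHH", 0x3c, bridge_id, 0, bridge_id, port_id,
                        0, int(max_age * 256), int(hello_time * 256), int(fwd_delay * 256))
    body += b"\x00"                                  # version 1 length
    llc = LLC_STP + body
    return STP_MULTICAST + src_mac + struct.pack("!H", len(llc)) + llc


def received_info_expiry(last_bpdu_time: float, hello_time: float) -> float:
    """802.1D-2004 sets rcvdInfoWhile on a root port to 3 x the Hello Time carried in
    the BPDU: the received information ages out 6 s after the last BPDU at a 2 s hello."""
    return last_bpdu_time + 3 * hello_time


DropRule = Callable[[float, bytes], bool]


def simulate_root_port(frames: List[Tuple[float, bytes]], drop_rule: DropRule,
                       hello_time: float = 2.0) -> Tuple[Optional[float], int]:
    """Run timestamped frames through a drop rule standing in for the input filter.

    Returns (time the root port's received info ages out, number of BPDUs dropped).
    Only BPDUs that pass the rule refresh the port's information; a rule that never
    drops keeps pushing the expiry forward, so the port stays ROOT / FWD.
    """
    last_seen: Optional[float] = None
    dropped = 0
    for t, frame in frames:
        bpdu = parse_bpdu(frame)
        if bpdu is None:
            continue
        if drop_rule(t, frame):
            dropped += 1
            continue
        last_seen = t
        hello_time = bpdu.hello_time
    if last_seen is None:
        return None, dropped
    return received_info_expiry(last_seen, hello_time), dropped


# Constructed timeline: the root bridge sends an RST BPDU every 2 s from t=0 to t=20.
FRAMES = [(float(t), build_rst_bpdu(ROOT_MAC, ROOT_BRIDGE_ID)) for t in range(0, 22, 2)]


def filter_from_12s(t: float, frame: bytes) -> bool:
    """Stand-in for the filter's match terms (STP multicast dst, root's src MAC),
    assumed to be applied from t=12 so the run has a before and an after."""
    return t >= 12.0 and frame[:6] == STP_MULTICAST and frame[6:12] == ROOT_MAC


if __name__ == "__main__":
    expiry, dropped = simulate_root_port(FRAMES, filter_from_12s)
    print(f"dropped {dropped} BPDUs; root port info ages out at t={expiry}s")
```

    Run as-is: the last BPDU accepted before the rule takes effect is at t=10, so the model has the root port's information age out at t=16, five drops later. Passing a rule that never drops anything shows the opposite case, the expiry simply keeps advancing with every hello.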


  • 2.  RE: Filtering RSTP BPDUs

     
    Posted 02-08-2021 10:20
    Hello Deepak,

    The action of the firewall filter is dropping BPDUs, not blocking the interface.

    If you want to disable the interface you will need to add root protection on the root bridge.

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-spanning-trees-root-protection-understanding.html


    Regards,

    Randall


  • 3.  RE: Filtering RSTP BPDUs

     
    Posted 02-10-2021 06:58
    Hi Randall.

    I am not trying to disable an interface. I am trying to bring an interface up from the blocking state to the forwarding state by dropping its received BPDUs. However, the firewall filter is not dropping the BPDUs, which is evidenced by the port staying in the blocking STP state.

    I think it's odd that a firewall filter can drop OSPF Hello packets but not STP BPDUs.

    --Deepak


  • 4.  RE: Filtering RSTP BPDUs

     
    Posted 02-10-2021 10:58
    Hello Deepak,

    Try it this way, removing the source-mac-address, as explained in KB30304.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB30304&cat=SWITCHING&actp=LIST


    Regards,

    Randall