Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  spanning-tree bpdufilter

    Posted 10-10-2011 00:00

    Hi

     

    We have Juniper EX4200 virtual chassis installed in the network with MSTP configured. 

    Everything works fine, but I do need the following feature: I need some ports to neither send nor receive BPDUs, but still participate in traffic forwarding.

    On Cisco switches I would do the following configuration on the interface: 

     

    spanning-tree portfast
    spanning-tree bpdufilter enable

    Of course, I must be aware that that port doesn't cause a loop. It transitions to the forwarding state quickly, doesn't send BPDUs, and filters BPDUs coming to it while still forwarding other traffic. In contrast, bpduguard sends the port to the err-disabled state when it receives BPDUs, thus stopping traffic forwarding.

     

    As far as I know, Juniper's analogue of Cisco's 'spanning-tree portfast' is setting the 'edge' option on the port, and the 'bpduguard' analogue is BPDU protection. But the first option is designed for fast port state transition, while the second option locks down the port on receiving BPDUs. Without the BPDU protection feature enabled and with STP disabled on the port, the port still transparently forwards BPDUs to the network, which may cause port inconsistency and some instability in the network. But I haven't found any option in Junos which is similar to Cisco's bpdufilter option. Googling and searching through the forum and documentation didn't give me results except creating a MAC filter as follows:

    family ethernet-switching {
        filter BPDU_FILTER {
            term discard-bpdu {
                from {
                    destination-mac-address {
                        01:80:c2:00:00:00;
                        01:00:0c:cc:cc:cd;
                    }
                }
                then {
                    discard;
                    count BPDU_FILTER;
                }
            }
            term allow-other {
                then accept;
            }
        }
    }

    and applying it to the interface. STP should be disabled on the interface as well.

    So, it seems to be a simple workaround, but is there any better option for performing the task I need?


    #ex4200
    #bpdufilter
    #spanning-tree
    #mstp


  • 2.  RE: spanning-tree bpdufilter

     
    Posted 10-10-2011 04:03

    Hi Jadmin,

     

    AFAIK, your workaround is the only solution to implement bpdufilter-like functionality on EX now. Yes, it would make sense to see a Junos enhancement here.

    jtb



  • 3.  RE: spanning-tree bpdufilter
    Best Answer

    Posted 10-13-2011 23:39

    Well then. For lack of other options, I am using the following filter from my previous message:

    set firewall family ethernet-switching filter bpdufilter term discard-bpdu from destination-mac-address 01:80:c2:00:00:00/48
    set firewall family ethernet-switching filter bpdufilter term discard-bpdu from destination-mac-address 01:00:0c:cc:cc:cd/48
    set firewall family ethernet-switching filter bpdufilter term discard-bpdu then discard
    set firewall family ethernet-switching filter bpdufilter term discard-bpdu then count BPDU_FILTER
    set firewall family ethernet-switching filter bpdufilter term allow-other then accept
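
The match logic of the filter above, modelled in Python as an added example (not code from any poster, and not Junos itself). It shows that the two /48 matches drop only frames addressed to the IEEE bridge group address and the Cisco PVST+ address, while other reserved multicast such as LLDP still passes through `allow-other`. The helper names and the sample frames are constructed for illustration.

```python
# Added illustration: a Python model of the thread's two-term filter.
# All frames below are constructed sample data, not captured traffic.

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def prefix_match(dst: int, spec: str) -> bool:
    """Match a 48-bit destination against 'aa:bb:cc:dd:ee:ff/len' (default /48)."""
    addr, _, plen = spec.partition("/")
    bits = int(plen) if plen else 48
    mask = ((1 << bits) - 1) << (48 - bits)
    return (dst & mask) == (mac_to_int(addr) & mask)

# Terms in evaluation order, mirroring the set commands in the thread.
TERMS = [
    {"name": "discard-bpdu",
     "dst": ["01:80:c2:00:00:00/48", "01:00:0c:cc:cc:cd/48"],
     "action": "discard", "count": "BPDU_FILTER"},
    {"name": "allow-other", "dst": None, "action": "accept", "count": None},
]

def evaluate(frame: bytes, counters: dict) -> str:
    """Return the action of the first matching term and bump its counter."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = int.from_bytes(frame[:6], "big")
    for term in TERMS:
        if term["dst"] is None or any(prefix_match(dst, s) for s in term["dst"]):
            if term["count"]:
                counters[term["count"]] = counters.get(term["count"], 0) + 1
            return term["action"]
    return "discard"  # Junos filters end with an implicit discard

def make_frame(dst: str, type_len: int) -> bytes:
    """Constructed frame: dst, fixed src, type/length (not inspected), padding."""
    src = bytes.fromhex("020000000001")
    return bytes.fromhex(dst.replace(":", "")) + src + type_len.to_bytes(2, "big") + bytes(46)

SAMPLES = {
    "ieee-stp-bpdu": make_frame("01:80:c2:00:00:00", 0x0026),
    "cisco-pvst+":   make_frame("01:00:0c:cc:cc:cd", 0x0032),
    "lldp":          make_frame("01:80:c2:00:00:0e", 0x88CC),
    "unicast-ipv4":  make_frame("02:00:00:00:00:02", 0x0800),
}

def run_samples():
    counters = {}
    results = {name: evaluate(f, counters) for name, f in SAMPLES.items()}
    return results, counters

if __name__ == "__main__":
    print(run_samples())
```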