  • 1.  splitting Spanning-tree domains; how to block BPDU packets

    Posted 10-14-2009 05:03



    Excuse me, this is my first post. Skip to ------fast question------ for a quick question; read on for the long explanation.


    I have an existing (other-vendor) network with spanning tree running and multiple VLANs, so I placed new Juniper EX4200 switches and made a new RSTP domain.

    This existing network has a spanning tree running, and I would like it to keep running (no downtime) if one of my switches reboots.

    I want to make some of the VLANs in the existing network available on my switches without the spanning tree hassle, so I create access ports in the existing network and access ports on the Juniper and connect them per VLAN.


    If I were to configure BPDU guard, my access port would be disabled every time a BPDU came through, and connectivity to the stretched VLAN would be interrupted.

    So I choose "protocol rstp interface ge-x/x/x disable" but this does not prevent BPDU coming into my RSTP domain.

    So now my new RSTP domain thinks the root-bridge is in the existing network (because of priorities) 


    OS version 9.5R2.7 by the way

    I am hoping for an answer that includes an ethernet firewall rule type filter.

     ------fast question------

    Is it possible on a Juniper EX4200 switch to make a filter that prevents BPDUs from entering on an access port without disabling the port completely? If so, how?


  • 2.  RE: splitting Spanning-tree domains; how to block BPDU packets
    Best Answer

    Posted 10-14-2009 10:06

    "A bridge sends a BPDU frame using the unique MAC address of the port itself as a source address, and a destination address of the STP multicast address 01:80:C2:00:00:00." (Wikipedia)




    firewall {
        family ethernet-switching {
            filter foo {
                term 1 {
                    from {
                        /* STP/RSTP group address quoted above */
                        destination-mac-address 01:80:c2:00:00:00/48;
                    }
                    then discard;
                }
                /* a filter ends in an implicit discard, so accept everything else */
                term 2 {
                    then accept;
                }
            }
        }
    }

    ought to work *if* the interface does not have a layer 3 family configured on it. And if you have layer 3 configured on it, you don't have to worry about STP (mostly).


    We're combining a large old Cisco PVST+ STP domain ("empire" is a better word) with a new large Juniper RSTP (for now) domain. The native VLANs are separated by Layer 3 links, so the old and new native VLAN STP domains simply can't see each other. Sooner or later, we will have to link the old and new domains with some Layer 2 trunks, but we will have to be careful to not loop the Juniper network or it will block a port. That should be easy, our new core is routed, and runs OSPF; the old core was all-switched "router-on-a-stick", which was very prone to meltdowns caused by STP problems.

    Message Edited by wsanders on 10-14-2009 10:15 AM
    Message Edited by wsanders on 10-14-2009 10:16 AM
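An added illustration in Python (not from this thread or from Juniper): it decodes a constructed 802.1D Configuration BPDU, shows that the filter decision in the reply above rests on nothing but the 01:80:c2:00:00:00 destination MAC, and shows why the new RSTP domain adopts the legacy network's root when the advertised priority is lower, which is the symptom in the question. All MAC addresses and priorities are constructed sample values.

```python
import struct

# Group address every STP/RSTP BPDU is sent to; the reply's filter matches on it.
STP_GROUP_MAC = bytes.fromhex("0180c2000000")  # 01:80:c2:00:00:00
LLC_STP = b"\x42\x42\x03"  # DSAP/SSAP 0x42 (bridge STP), UI control field

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def bridge_id(raw: bytes) -> tuple:
    """Split an 8-byte bridge ID into its 16-bit priority field and MAC string."""
    return struct.unpack("!H", raw[:2])[0], mac_str(raw[2:8])

def parse_bpdu(frame: bytes):
    """Decode a Configuration (STP) or RSTP BPDU; return None for anything else."""
    if len(frame) < 52 or frame[:6] != STP_GROUP_MAC or frame[14:17] != LLC_STP:
        return None
    proto, version, btype = struct.unpack("!HBB", frame[17:21])
    if proto != 0 or btype not in (0x00, 0x02):  # 0x80 = TCN, carries no IDs
        return None
    root_raw, cost, sender_raw = struct.unpack("!8sI8s", frame[22:42])
    return {"src": mac_str(frame[6:12]), "version": version, "cost": cost,
            "root": bridge_id(root_raw), "sender": bridge_id(sender_raw)}

def filter_discards(frame: bytes) -> bool:
    """The ethernet-switching filter's decision: discard on the group destination MAC."""
    return frame[:6] == STP_GROUP_MAC

def foreign_root_wins(local_id: tuple, advertised_root: tuple) -> bool:
    """STP elects the numerically lowest bridge ID (priority first, then MAC)."""
    key = lambda b: (b[0], bytes.fromhex(b[1].replace(":", "")))
    return key(advertised_root) < key(local_id)

def build_config_bpdu(src: bytes, root: tuple, sender: tuple, cost: int = 0) -> bytes:
    """Constructed 802.1D Configuration BPDU (test input, not a real capture)."""
    rid = struct.pack("!H6s", root[0], bytes.fromhex(root[1].replace(":", "")))
    sid = struct.pack("!H6s", sender[0], bytes.fromhex(sender[1].replace(":", "")))
    bpdu = struct.pack("!HBBB8sI8sH4H", 0, 0, 0, 0, rid, cost, sid, 0x8001,
                       0, 20 << 8, 2 << 8, 15 << 8)  # port id, timers in 1/256 s
    return STP_GROUP_MAC + src + struct.pack("!H", len(LLC_STP) + len(bpdu)) + LLC_STP + bpdu

# Constructed sample: the legacy network advertises itself as root with priority 4096,
# lower than the Juniper default of 32768, so the EX domain would adopt it.
FOREIGN = build_config_bpdu(bytes.fromhex("00aabbcc0001"), (4096, "00:aa:bb:cc:00:01"),
                            (4096, "00:aa:bb:cc:00:01"))
LOCAL_EX = (32768, "00:11:22:33:44:55")
```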


  • 3.  RE: splitting Spanning-tree domains; how to block BPDU packets

    Posted 12-18-2009 10:31

    Just a followup: We have now configured mstp instead of rstp as the default on all of our EX's, simply with no options in most cases:


    protocols {
        mstp;
    }

    In the case where we want to run a Cisco-legacy VLAN "through" the EX's, we break out the VLAN into its own MSTP domain:


    mstp {
        msti 148 {
            vlan 148;
        }
    }


    We still have PVST+ running on the Ciscos, but as long as we don't make a loop that goes Cisco - Juniper - Juniper - Cisco or Juniper - Cisco - Cisco - Juniper we're OK.