Training and Certification

  • 1.  Junos Vswitch and protection options

    Posted 15 days ago

    Hello,

    Currently working on my JNCIS-ENT and labbing with the Junos vswitch and vrouters images.

    I'm having issues with my labs and BPDU protection, where a port that is protected doesn't shut down when BPDUs are received on it.

    Need verification that this is a shortcoming with the KVM images themselves.



    ------------------------------
    Terry Williams
    ------------------------------


  • 2.  RE: Junos Vswitch and protection options

    Posted 12 days ago

    Terry,

    I don't have a definite answer for you on this query but I am looking into it to see if I can dig anything up. I have not tested this functionality using the vJunos switch or router images. I have engaged a couple colleagues on the team to see if anyone has tested this within the curriculum team. Our switching courses are using hardware platforms because there are/were some limitations with the virtual images in the past with this type of feature. 

    I am not super familiar with the official feature support of the vJunos-switch these days and you may need to engage JTAC regarding the feature not working if it is supposed to be supported.

    It may also be that the BPDU messages are being absorbed by the KVM virtual switch connection between your VMs. I will update once I have heard from the folks I have reached out to, but this may end up being something that you will have to investigate further with TAC.



    ------------------------------
    Josh Verhaal
    Certification and Courseware developer @ HPE Juniper Networking
    ------------------------------



  • 3.  RE: Junos Vswitch and protection options

    Posted 11 days ago

    Terry,

    One of my colleagues did some testing in our environment and the test results revealed that, contrary to what was specified in Pathfinder, BPDU protection is not working on vJunos-Switch. After configuring BPDU protection and receiving BPDU packets, the interface does not shut down, and BPDUs are continuously being received and sent. This appears to be a software issue. The same issue was found on both vEX and vJunos-Switch.

    /* BPDU protection config and status */
    [edit]
    user@access2# show configuration protocols layer2-control
    bpdu-block {
        interface ge-0/0/4;
        interface ge-0/0/3;
        disable-timeout 600;
    }

    [edit]
    user@access2# run show layer2-control bpdu-block

    Recovery Timeout for Port Shutdown: 600 seconds

    Interface name     Action Configured     BPDUs dropped
    ge-0/0/3*          shutdown              0
    ge-0/0/4*          shutdown              0

    /* BPDU Error was detected, but the interface is still up */
    [edit]
    user@access2# run show interfaces ge-0/0/3 | match BPDU
      Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Speed: 1000mbps, BPDU Error: Detected, Loop Detect PDU Error: None,

    [edit]
    user@access2# run show spanning-tree statistics interface ge-0/0/3
    Interface     BPDUs       BPDUs        Next BPDU       TCs        Proposal    Agreement
                  Sent        Received     Transmission    Tx/Rx      Tx/Rx       Tx/Rx    
    ge-0/0/3       106         108             0           0/5         0/0       0/108

    [edit]
    user@access2# run show log messages| match BPDU
    May 28 10:03:42  access2 l2cpd[6798]: L2CPD_RECEIVE_BPDU_BLOCK_ENABLED: BPDU_PROTECT: Interface ge-0/0/3 is DOWN: BPDU error detected
    May 28 10:13:44  access2 l2cpd[6798]: L2CPD_RECEIVE_BPDU_BLOCK_ENABLED: BPDU_PROTECT: Interface ge-0/0/3 is DOWN: BPDU error detected

    [edit]
    user@access2# run show interfaces terse ge-0/0/3
    Interface               Admin Link Proto    Local                 Remote
    ge-0/0/3                up    up
    ge-0/0/3.0              up    up   eth-switch

    I am not sure exactly why the interface is not disabled after the L2CPD detects the error. This seems to be an issue with the virtual platform. If you need answers, I would recommend that you reach out to JTAC and pursue it further through the support side.



    ------------------------------
    Josh Verhaal
    Certification and Courseware developer @ HPE Juniper Networking
    ------------------------------
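The mismatch shown in the post above (l2cpd logs the port as DOWN while `show interfaces terse` still reports it up) can be checked mechanically. The following is an added example, not part of the original thread or any Juniper tooling: it parses the three outputs quoted in the post and flags ports where BPDU protection was logged but not enforced. The function name and regular expressions are hypothetical, and it assumes the outputs were captured together, before the disable-timeout would have re-enabled the port.

```python
import re

# Outputs copied from the post above (host access2).
SYSLOG = """\
May 28 10:03:42  access2 l2cpd[6798]: L2CPD_RECEIVE_BPDU_BLOCK_ENABLED: BPDU_PROTECT: Interface ge-0/0/3 is DOWN: BPDU error detected
May 28 10:13:44  access2 l2cpd[6798]: L2CPD_RECEIVE_BPDU_BLOCK_ENABLED: BPDU_PROTECT: Interface ge-0/0/3 is DOWN: BPDU error detected
"""
TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/3                up    up
ge-0/0/3.0              up    up   eth-switch
"""
BPDU_BLOCK = """\
Interface name     Action Configured     BPDUs dropped
ge-0/0/3*          shutdown              0
ge-0/0/4*          shutdown              0
"""

LOG_RE = re.compile(r"L2CPD_RECEIVE_BPDU_BLOCK_ENABLED: BPDU_PROTECT: "
                    r"Interface (\S+) is DOWN: BPDU error detected")
# Physical interfaces only: logical units such as ge-0/0/3.0 do not match.
IFD_RE = re.compile(r"^(\S+-\d+/\d+/\d+)\s+(up|down)\s+(up|down)\b", re.M)
BLOCK_RE = re.compile(r"^(\S+-\d+/\d+/\d+)\*?\s+(\S+)\s+(\d+)\s*$", re.M)


def unenforced_bpdu_block(syslog, terse, bpdu_block):
    """Return ports where l2cpd logged a BPDU-protect shutdown but the
    physical interface still shows link up, i.e. the guard had no effect."""
    tripped = {}
    for m in LOG_RE.finditer(syslog):
        tripped[m.group(1)] = tripped.get(m.group(1), 0) + 1
    link = {m.group(1): m.group(3) for m in IFD_RE.finditer(terse)}
    action = {m.group(1): (m.group(2), int(m.group(3))) for m in BLOCK_RE.finditer(bpdu_block)}
    findings = []
    for ifname, events in sorted(tripped.items()):
        configured, dropped = action.get(ifname, (None, 0))
        if configured == "shutdown" and link.get(ifname) == "up":
            findings.append({"interface": ifname, "log_events": events,
                             "link": "up", "bpdus_dropped": dropped})
    return findings


if __name__ == "__main__":
    for f in unenforced_bpdu_block(SYSLOG, TERSE, BPDU_BLOCK):
        print("BPDU protection not enforced:", f)
```

A finding here means the lab image cannot be relied on to demonstrate or validate BPDU protection behaviour; hardware or another platform is needed for that test.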



  • 4.  RE: Junos Vswitch and protection options

    Posted 10 days ago

    Terry,

    After a bit of additional investigation I also found that while vJunos is distributed for free, unfortunately, technical support via JTAC is not available. You may be able to find some answers in the vJunos-switch community.



    ------------------------------
    Josh Verhaal
    Certification and Courseware developer @ HPE Juniper Networking
    ------------------------------