Guard the edge with Junos


Just a quick one today. I had planned to take the JNCIS-Security this month but accidentally booked JNCIS-Enterprise. Not to worry in the slightest. The same great content will be served up, just with a focus on routing and switching. Remember back to an earlier post where I made a virtual lab? Well now it is going to come in very handy for Protocols. Before we get there it is time to brush up on some switching differences.

Now BPDU guard is a feature that is a must. Spanning-tree hasn’t died yet and you just never know when someone might do something silly like, oh, plug an older switch into the network. This innocent act could drop your network, suboptimally optimally  alter your L2 topology, or get a managerial foot knee-deep somewhere painful. Let’s protect this with our Junos based switch/SRX. Let us change firstly the spanning-tree mode from the default of STP to RSTP.

set protocols rstp
commit and-quit comment "Change STP mode"

Just confirming my edge port. This port, along with fe-0/0/2 and 3 are access ports. I will never plan on plugging a switch into this device and expect only end users.

[email protected]> show spanning-tree interface fe-0/0/1    

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
fe-0/0/1.0     128:514      128:514  32768.b0a86e66e208    200000  FWD    DESG

Okay. Now we confirm that Spanning-tree is running and my port is forwarding let us add some RSTP enhancements. I want to enable these ports to transition to forwarding immediately, avoiding listening and learning, and to shut down if a BPDU is received. On IOS, the prior is known as Portfast. I do not want to apply a global configuration in this example.

set protocols rstp interface fe-0/0/1.0 edge  
set protocols rstp interface fe-0/0/2.0 edge 
set protocols rstp interface fe-0/0/3.0 edge  
set ethernet-switching-options bpdu-block interface fe-0/0/1.0
set ethernet-switching-options bpdu-block interface fe-0/0/2.0
set ethernet-switching-options bpdu-block interface fe-0/0/3.0

RSTP edge ports allow an automatic transition to forwarding and bpdu-block will violate and shutdown a port if a BPDU is detected. A quick verification of what we configured is important.

[email protected]> show ethernet-switching interfaces fe-0/0/1.0    
Interface    State  VLAN members        Tag   Tagging  Blocking 
fe-0/0/1.0   up     vlan-trust          3     untagged unblocked

[email protected]> show spanning-tree interface fe-0/0/1 detail

Spanning tree interface parameters for instance 0

Interface name : fe-0/0/1.0
Port identifier : 128.514
Designated port ID : 128.514
Port cost : 200000
Port state : Forwarding
Designated bridge ID : 32768.b0:a8:6e:66:e2:08
Port role : Designated
Link type : Pt-Pt/EDGE
Boundary port : NA
Edge delay while expiry count : 10
Rcvd info while expiry count : 0

Spanning-tree commands show To confirm EDGE status you can see under the link type that EDGE is listed. Now if I plug a switch with a lower priority what happens?

[email protected]> show ethernet-switching interfaces fe-0/0/1.0    
Interface    State  VLAN members        Tag   Tagging  Blocking 
fe-0/0/1.0   down   vlan-trust          3     untagged Disabled by bpdu-control

Network safe for now. Time to hunt down the culprit. Now we have to recover the port for further use. Use the following command to recover the port

clear ethernet-switching bpdu-error

It would be a pain to recover ports if you have this sort of issue occurring frequently. You can use JUNOS’ version of the IOS command err-disable recovery.

[email protected]# set ethernet-switching-options bpdu-block disable-timeout ?
Possible completions:
      Disable timeout for BPDU Protect (10..3600 seconds)

set ethernet-switching-options bpdu-block disable-timeout 60

Good feature. Remember that shut and no shut won’t fix the port that is violated. It must be cleared of its error. I prefer automatic but you may not need the auto-clear feature. It has saved me many times in the past and now you know how to configure it for Junos. Thanks for reading!

2 thoughts on “Guard the edge with Junos”

  1. Another good article, mate 🙂 It is
    good to see that SRX platform can be used for learning both routing and
    switching. Do you know if there are significant differences in switching between
    SRX and EX platforms ?

    1. Yes. I believe there are some hardware differences including some configuration options. It doesn’t have all the fancy STP enhancements (bpdu filter doesn’t exist at all, only guard does per interface, not global) like the EX does. It is missing some features but nothing that cripples switching too much. I have been told I can quite comfortably complete most JNCIS ENT topics on a single SRX. That being said, I think it is time to buy an EX2220-C switch. 8 ports of GigE, 2 SFP ports, fanless, for 300ish AUD. Not bad.

Leave a Reply

Your email address will not be published. Required fields are marked *