Guard the edge with Junos


Just a quick one today. I had planned to take the JNCIS-Security this month but accidentally booked JNCIS-Enterprise. Not to worry in the slightest. The same great content will be served up, just with a focus on routing and switching. Remember back to an earlier post where I made a virtual lab? Well now it is going to come in very handy for Protocols. Before we get there it is time to brush up on some switching differences.

Now BPDU guard is a feature that is a must. Spanning-tree hasn’t died yet and you just never know when someone might do something silly like, oh, plug an older switch into the network. This innocent act could drop your network, suboptimally alter your L2 topology, or get a managerial foot knee-deep somewhere painful. Let’s protect against this with our Junos based switch/SRX. First, let us change the spanning-tree mode from the default of STP to RSTP.

set protocols rstp
commit and-quit comment "Change STP mode"

Just confirming my edge port. This port, along with fe-0/0/2 and fe-0/0/3, is an access port. I never plan on plugging a switch into these ports and expect only end users on them.

[email protected]> show spanning-tree interface fe-0/0/1    

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
fe-0/0/1.0     128:514      128:514  32768.b0a86e66e208    200000  FWD    DESG

Okay. Now that we have confirmed spanning-tree is running and my port is forwarding, let us add some RSTP enhancements. I want these ports to transition to forwarding immediately, skipping listening and learning, and to shut down if a BPDU is received. On IOS, the former is known as PortFast. I do not want to apply a global configuration in this example.

set protocols rstp interface fe-0/0/1.0 edge  
set protocols rstp interface fe-0/0/2.0 edge 
set protocols rstp interface fe-0/0/3.0 edge  
set ethernet-switching-options bpdu-block interface fe-0/0/1.0
set ethernet-switching-options bpdu-block interface fe-0/0/2.0
set ethernet-switching-options bpdu-block interface fe-0/0/3.0

RSTP edge ports transition to forwarding automatically, and bpdu-block will record a violation and shut the port down if a BPDU is detected. A quick verification of what we configured is important.

[email protected]> show ethernet-switching interfaces fe-0/0/1.0    
Interface    State  VLAN members        Tag   Tagging  Blocking 
fe-0/0/1.0   up     vlan-trust          3     untagged unblocked

[email protected]> show spanning-tree interface fe-0/0/1 detail

Spanning tree interface parameters for instance 0

Interface name : fe-0/0/1.0
Port identifier : 128.514
Designated port ID : 128.514
Port cost : 200000
Port state : Forwarding
Designated bridge ID : 32768.b0:a8:6e:66:e2:08
Port role : Designated
Link type : Pt-Pt/EDGE
Boundary port : NA
Edge delay while expiry count : 10
Rcvd info while expiry count : 0

To confirm EDGE status, look at the link type: EDGE is listed. Now, if I plug in a switch with a lower priority, what happens?

[email protected]> show ethernet-switching interfaces fe-0/0/1.0    
Interface    State  VLAN members        Tag   Tagging  Blocking 
fe-0/0/1.0   down   vlan-trust          3     untagged Disabled by bpdu-control

Network safe for now. Time to hunt down the culprit. Now we have to recover the port for further use. Use the following command to recover the port:

clear ethernet-switching bpdu-error

It would be a pain to recover ports by hand if this sort of issue occurs frequently. You can use Junos’ version of the IOS errdisable recovery feature.

[email protected]# set ethernet-switching-options bpdu-block disable-timeout ?
Possible completions:
      Disable timeout for BPDU Protect (10..3600 seconds)

set ethernet-switching-options bpdu-block disable-timeout 60

Good feature. Remember that shut and no shut won’t fix a port that has been violated; it must be cleared of its error. I prefer automatic recovery, but you may not need the auto-clear feature. It has saved me many times in the past and now you know how to configure it for Junos. Thanks for reading!
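As an added example (not from the post), here is a small Python audit that reads the edge and bpdu-block configuration in "set" form and the "show ethernet-switching interfaces" output shown above, reporting any edge port without bpdu-block and any port currently shut by bpdu-control. The configuration and show output are constructed to match the post's format; fe-0/0/3.0 is deliberately left without bpdu-block so the audit has something to catch.

```python
import re

# Constructed configuration in "set" form, following the interfaces in the post.
# fe-0/0/3.0 is an edge port with no bpdu-block: the gap the audit should report.
CONFIG = """\
set protocols rstp interface fe-0/0/1.0 edge
set protocols rstp interface fe-0/0/2.0 edge
set protocols rstp interface fe-0/0/3.0 edge
set ethernet-switching-options bpdu-block interface fe-0/0/1.0
set ethernet-switching-options bpdu-block interface fe-0/0/2.0
set ethernet-switching-options bpdu-block disable-timeout 60
"""

# Constructed "show ethernet-switching interfaces" output in the page's format.
SHOW = """\
Interface    State  VLAN members        Tag   Tagging  Blocking
fe-0/0/1.0   down   vlan-trust          3     untagged Disabled by bpdu-control
fe-0/0/2.0   up     vlan-trust          3     untagged unblocked
fe-0/0/3.0   up     vlan-trust          3     untagged unblocked
"""

EDGE = re.compile(r"^set protocols rstp interface (\S+) edge\s*$")
BLOCK = re.compile(r"^set ethernet-switching-options bpdu-block interface (\S+)\s*$")
TIMEOUT = re.compile(r"^set ethernet-switching-options bpdu-block disable-timeout (\d+)\s*$")
ROW = re.compile(r"^(\S+)\s+(up|down)\s+\S+\s+\d+\s+(?:un)?tagged\s+(.+?)\s*$")

def audit_edge_ports(config):
    """Return (edge ports lacking bpdu-block, disable-timeout in seconds or None)."""
    edge, blocked, timeout = set(), set(), None
    for line in config.splitlines():
        if m := EDGE.match(line):
            edge.add(m.group(1))
        elif m := BLOCK.match(line):
            blocked.add(m.group(1))
        elif m := TIMEOUT.match(line):
            timeout = int(m.group(1))
    return sorted(edge - blocked), timeout

def bpdu_violations(show):
    """Interfaces the show command reports as 'Disabled by bpdu-control'."""
    hits = []
    for line in show.splitlines():
        m = ROW.match(line)
        if m and m.group(3).lower().startswith("disabled by bpdu"):
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    missing, timeout = audit_edge_ports(CONFIG)
    print("edge ports without bpdu-block:", missing)
    print("recovery:", f"automatic after {timeout}s" if timeout else "manual clear required")
    print("ports currently shut by bpdu-block:", bpdu_violations(SHOW))
```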

Clarity : BPDU Guard vs BPDU Filter

In a stunning moment of clarity I figured out the two. It took far longer than it should have, but I now feel I can tick these two technologies off as understood: why you would use them and when you would use them.

Bridge Protocol Data Units, also known as BPDUs, play a fundamental part in a spanning-tree topology. No matter your flavour, you will have BPDUs.

BPDU – A quick breakdown

BPDUs are sent out by a switch to exchange information about bridge IDs and root path costs. A switch uses its own MAC address as the source and sends them to the STP multicast address 01:80:c2:00:00:00. There are Configuration BPDUs, Topology Change Notification BPDUs and Topology Change Notification Acknowledgement BPDUs. Exchanged every 2 seconds by default, BPDUs allow switches to keep track of network changes and to decide when to block or forward ports to ensure a loop-free topology.
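To make the breakdown concrete, here is an added Python decoder (not from the post) for the IEEE 802.1D Configuration BPDU: it unpacks the root ID, path cost, bridge ID, port ID and timers, renders bridge IDs in the "priority.mac" form the Junos output above uses, and then checks whether the advertised root would beat our own bridge, which is exactly what happens when the lower-priority switch from the first post is plugged in. The rogue switch's MAC and priority are constructed values; the local bridge ID is the one from the show output above.

```python
import struct

STP_MULTICAST = "01:80:c2:00:00:00"          # destination MAC of every BPDU
LOCAL_BRIDGE = "32768.b0:a8:6e:66:e2:08"    # our bridge ID, as Junos displayed it above
BPDU_FMT = "!HBBB8sI8sHHHHH"                 # 802.1D Configuration BPDU, 35 bytes

def bridge_id(raw):
    """8-byte bridge ID -> 'priority.mac', the form the Junos show output uses."""
    prio = struct.unpack("!H", raw[:2])[0]
    return f"{prio}." + ":".join(f"{b:02x}" for b in raw[2:])

def decode_config_bpdu(payload):
    """Decode the 35-byte Configuration BPDU that follows the 802.2 LLC header."""
    (proto, version, btype, flags, root, cost, bridge, port,
     msg_age, max_age, hello, fwd_delay) = struct.unpack(BPDU_FMT, payload[:35])
    if proto != 0 or btype != 0x00:
        raise ValueError("not a Configuration BPDU")
    return {
        "version": version, "flags": flags,
        "root_id": bridge_id(root), "root_path_cost": cost,
        "bridge_id": bridge_id(bridge),
        # 802.1t port ID: 4-bit priority (units of 16) + 12-bit port number
        "port_id": f"{(port >> 12) << 4}:{port & 0xFFF}",
        # timer fields are carried in units of 1/256 second
        "message_age": msg_age / 256, "max_age": max_age / 256,
        "hello_time": hello / 256, "forward_delay": fwd_delay / 256,
    }

def better_root(advertised, local):
    """True if the advertised root beats ours: lower priority, then lower MAC."""
    def key(bid):
        prio, mac = bid.split(".")
        return (int(prio), mac)
    return key(advertised) < key(local)

# Constructed BPDU from a hypothetical switch (priority 4096, made-up MAC)
# claiming to be root with path cost 0; the timers are the 802.1D defaults.
ROGUE_MAC = bytes.fromhex("001122334455")
ROGUE_BPDU = struct.pack(BPDU_FMT, 0, 0, 0x00, 0,
                         b"\x10\x00" + ROGUE_MAC, 0,
                         b"\x10\x00" + ROGUE_MAC, 0x8001,
                         0, 20 * 256, 2 * 256, 15 * 256)

if __name__ == "__main__":
    info = decode_config_bpdu(ROGUE_BPDU)
    print(info)
    if better_root(info["root_id"], LOCAL_BRIDGE):
        print("this BPDU would take over as root; bpdu-block on an edge port stops it")
```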

BPDU Guard

BPDU Guard is designed to protect your switching network. Remember that a PortFast port is designed to be connected to a device where BPDUs aren’t expected. This could be an end-user device, server or access point. When an unexpected BPDU is detected (an end user plugs a switch in at his cubicle) the port will shut down and enter an errdisable state.

When enabled globally this is a fantastic solution for protecting portfast ports on access switches where you don’t expect a switch to be plugged in. BPDU guard enabled globally is conditional: it applies only to ports that are portfast enabled. If you require BPDU guard to be enabled unconditionally then you must do that on the port itself.


SW1(config)# spanning-tree portfast bpduguard default


SW1(config)# int gi0/10
SW1(config-if)# spanning-tree bpduguard enable

BPDU Filter

Initially I was stumped as to why you would use this. Why on earth would you want to stop BPDUs from being sent or received on a port? I immediately thought it was ludicrous. It wasn’t until I had a discussion with the man of infinite wisdom @networkjanitor (Kurt Bales) that I understood its use. The point of demarcation is a fantastic place to use BPDU filter. When an ISP hands off a tail in the DC from their switch infrastructure, neither party wants anything to do with the other’s STP topology. This is one of the uses of this feature, and probably the best one I have found.

First of all, BPDU filter disables spanning-tree on a port, period. It does this by stopping BPDUs from being sent and received. Simple enough. When enabled globally, BPDU filter applies to all portfast ports. When a port links up it will transmit some BPDUs before the port starts to filter them.

Remember that if a BPDU is received on a portfast interface, the interface will lose portfast status, and because global BPDU filtering relies on portfast, filtering on that port will be disabled.


SW1(config)# spanning-tree portfast default
SW1(config)# spanning-tree portfast bpdufilter default


SW1(config)# int gi0/24
SW1(config-if)# spanning-tree bpdufilter enable


Anthony’s Wrap

I’ve used BPDU guard a whole lot. After learning at college that you could bring down an entire block of labs with a switch configured a certain way, I made sure that no network under my jurisdiction would suffer the same fate. Couple BPDU guard with errdisable recovery and you have protection. BPDU filter could also be placed on access layer ports too. Another way to negate pesky attacks from inquisitive minds.