Just a quick one today. I had planned to take the JNCIS-Security this month but accidentally booked JNCIS-Enterprise. Not to worry in the slightest. The same great content will be served up, just with a focus on routing and switching. Remember back to an earlier post where I made a virtual lab? Well now it is going to come in very handy for Protocols. Before we get there it is time to brush up on some switching differences.
Now BPDU guard is a feature that is a must. Spanning-tree hasn’t died yet and you just never know when someone might do something silly like, oh, plug an older switch into the network. This innocent act could drop your network, suboptimally alter your L2 topology, or get a managerial foot knee-deep somewhere painful. Let’s protect against this with our Junos based switch/SRX. First, let us change the spanning-tree mode from the default of STP to RSTP.
set protocols rstp
commit and-quit comment "Change STP mode"
Just confirming my edge port. This port, along with fe-0/0/2 and fe-0/0/3, is an access port. I never plan on plugging a switch into these ports and expect only end users on them.
user@host> show spanning-tree interface fe-0/0/1
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated          Port    State  Role
                        port ID         bridge ID           Cost
fe-0/0/1.0   128:514    128:514         32768.b0a86e66e208  200000  FWD    DESG
Okay. Now that we have confirmed spanning-tree is running and my port is forwarding, let us add some RSTP enhancements. I want these ports to transition to forwarding immediately, skipping listening and learning, and to shut down if a BPDU is received. On IOS, the former is known as PortFast and the latter as BPDU Guard. I do not want to apply a global configuration in this example.
set protocols rstp interface fe-0/0/1.0 edge
set protocols rstp interface fe-0/0/2.0 edge
set protocols rstp interface fe-0/0/3.0 edge
set ethernet-switching-options bpdu-block interface fe-0/0/1.0
set ethernet-switching-options bpdu-block interface fe-0/0/2.0
set ethernet-switching-options bpdu-block interface fe-0/0/3.0
RSTP edge ports transition to forwarding automatically, and bpdu-block puts a port into a violation state and shuts it down if a BPDU is detected on it. A quick verification of what we configured is important.
user@host> show ethernet-switching interfaces fe-0/0/1.0
Interface    State  VLAN members  Tag  Tagging   Blocking
fe-0/0/1.0   up     vlan-trust    3    untagged  unblocked

user@host> show spanning-tree interface fe-0/0/1 detail
Spanning tree interface parameters for instance 0

Interface name                : fe-0/0/1.0
Port identifier               : 128.514
Designated port ID            : 128.514
Port cost                     : 200000
Port state                    : Forwarding
Designated bridge ID          : 32768.b0:a8:6e:66:e2:08
Port role                     : Designated
Link type                     : Pt-Pt/EDGE
Boundary port                 : NA
Edge delay while expiry count : 10
Rcvd info while expiry count  : 0
To confirm EDGE status, look under the link type: EDGE is listed. Now, what happens if I plug in a switch with a lower bridge priority?
user@host> show ethernet-switching interfaces fe-0/0/1.0
Interface    State  VLAN members  Tag  Tagging   Blocking
fe-0/0/1.0   down   vlan-trust    3    untagged  Disabled by bpdu-control
The network is safe for now. Time to hunt down the culprit. Then we have to recover the port for further use. Use the following command to recover the port:
clear ethernet-switching bpdu-error
It would be a pain to recover ports by hand if this sort of issue occurs frequently. You can use Junos’ version of the IOS errdisable recovery feature.
user@host# set ethernet-switching-options bpdu-block disable-timeout ?
Possible completions:
  Disable timeout for BPDU Protect (10..3600 seconds)
user@host# set ethernet-switching-options bpdu-block disable-timeout 60
Good feature. Remember that shut and no shut won’t fix the port that is violated. It must be cleared of its error. I prefer automatic but you may not need the auto-clear feature. It has saved me many times in the past and now you know how to configure it for Junos. Thanks for reading!
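As an added example (not part of the original post), here is a small Python check an operator could run over the output of the two show commands above: it lists ports that bpdu-block has shut down and access ports that are not reported as RSTP edge ports. The sample outputs are constructed from the column layout shown in the post, and the interface names are assumed to match the lab.

```python
import re

# Constructed sample of "show ethernet-switching interfaces", modelled on the
# table in the post; fe-0/0/1.0 has just been shut by bpdu-block.
SWITCHING_OUTPUT = """\
Interface    State  VLAN members  Tag  Tagging   Blocking
fe-0/0/1.0   down   vlan-trust    3    untagged  Disabled by bpdu-control
fe-0/0/2.0   up     vlan-trust    3    untagged  unblocked
fe-0/0/3.0   up     vlan-trust    3    untagged  unblocked
"""

# Constructed sample of "show spanning-tree interface <port> detail" for each
# access port; fe-0/0/3.0 is missing the edge setting.
STP_DETAIL_OUTPUT = """\
Interface name                : fe-0/0/1.0
Link type                     : Pt-Pt/EDGE
Interface name                : fe-0/0/2.0
Link type                     : Pt-Pt/EDGE
Interface name                : fe-0/0/3.0
Link type                     : Pt-Pt
"""

# Six columns; the last one (Blocking) may contain spaces.
ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")

def bpdu_blocked_ports(output):
    """Interfaces whose Blocking column shows they were shut by bpdu-control."""
    blocked = []
    for line in output.splitlines()[1:]:          # skip the header row
        m = ROW_RE.match(line)
        if m and "bpdu-control" in m.group(6):
            blocked.append(m.group(1))
    return blocked

def ports_missing_edge(output, access_ports):
    """Access ports not reported with a Pt-Pt/EDGE link type."""
    types, current = {}, None
    for line in output.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Interface name":
            current = value
        elif key == "Link type" and current:
            types[current] = value
    return [p for p in access_ports if not types.get(p, "").endswith("/EDGE")]

if __name__ == "__main__":
    access = ["fe-0/0/1.0", "fe-0/0/2.0", "fe-0/0/3.0"]
    print("shut by bpdu-block:", bpdu_blocked_ports(SWITCHING_OUTPUT))
    print("access ports without edge:", ports_missing_edge(STP_DETAIL_OUTPUT, access))
```

Feed it the real command output (for example via a scheduled SSH job) and alert on a non-empty list, so a tripped bpdu-block is noticed before a user calls in.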