Spanning Tree

© 2010 Juniper Networks, Inc. All rights reserved. | www.juniper.net

Test Your Knowledge

 What will Switch-1 and Switch-2 do if they receive a broadcast frame or a frame destined to an unknown MAC address?
Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95 (an address neither switch has learned)

Figure: User A (MAC 00:26:88:02:74:86) and User B (MAC 00:26:88:02:74:87) attach to Switch-1; User C (MAC 00:26:88:02:74:88) and User D (MAC 00:26:88:02:74:89) attach to Switch-2; Switch-1 and Switch-2 are joined by a single link.

 Both switches would flood the frames out all ports except the port on which the frames arrived

Chapter 1: Course Introduction 1



What If …?

 What if a broadcast frame or a frame with an unknown destination MAC address were sent into a Layer 2 network with redundant paths?
Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95

Figure: the same hosts and switches as before, plus Switch-3 (with User E, MAC 00:26:88:02:74:90, and User F, MAC 00:26:88:02:74:91) connected to both Switch-1 and Switch-2, so the three switches form a triangle. Each switch floods the frame, the flooded copies reach the other switches over the redundant links and are flooded again: a Layer 2 loop.

 Because an Ethernet frame carries no hop count or TTL, nothing ages the looping copies out; the flooded frames keep circulating and multiplying until a link is removed or a switch is restarted

Spanning Tree

 Spanning Tree Protocol (STP)
•Defined in the IEEE 802.1D-1998 specification
•Builds loop-free paths in redundant Layer 2 networks
•Automatically rebuilds the tree when the topology changes

Figure: Switch-1 at the top connected to Switch-2 and Switch-3; Host A on Switch-2 and Host B on Switch-3. User traffic flows over the links to Switch-1 (a loop-free environment); the Switch-2 to Switch-3 link carries no user traffic.


How Does it Work?

 Steps for creating a spanning tree include:
1. Switches exchange bridge protocol data units (BPDUs)
2. Root bridge is elected
3. Port role and state are determined
4. Tree is fully converged

Figure: on the left, Switch-1, Switch-2, and Switch-3 exchange BPDUs over every link; on the right, after convergence, Switch-1 is the root bridge, user traffic flows through it, and the Switch-2 to Switch-3 link carries no user traffic (loop-free environment).

BPDU—Ethernet Frame Format

 Ethernet frame: DA | SA | Length | LLC | BPDU | FCS
•Destination Address: The bridge group address (01:80:C2:00:00:00), a reserved multicast address that 802.1D bridges never forward, so a BPDU only ever travels one hop
•Source Address—The MAC address of the outgoing port of the originating switch
•Length—The 802.3 length field (a BPDU frame is length-encapsulated, not an Ethernet II/EtherType frame)
•LLC Header
• DSAP and SSAP = 0x42 (Bridge Spanning Tree Protocol)
 BPDU types:
•Configuration BPDUs
• Used to build the spanning-tree topology
•Topology change notification (TCN) BPDUs
• Report topology changes
 Nothing in a BPDU authenticates its sender: any device on a segment can transmit one and every bridge on that segment acts on it. The BPDU protection, loop protection, and root protection features later in this chapter exist to limit that exposure


Configuration BPDU Format (1 of 3)

Field             Octets
Protocol ID       2
Protocol Version  1
BPDU Type         1
Flags             1
Root ID           8
Root Path Cost    4
Bridge ID         8
Port ID           2
Message Age       2
Max Age           2
Hello Time        2
Forward Delay     2
(35 octets in total)

 Configuration BPDU fields:
•Protocol ID—0 (STP)
•Protocol Version—0 (IEEE 802.1D-1998)
•BPDU Type—0 (Configuration BPDU)
•Flags
• Topology Change Acknowledgment Flag (Bit 8, value 0x80)
• Topology Change Flag (Bit 1, value 0x01)
•Root ID
• A unique ID of the bridge that the transmitting bridge believes to be the root
•Root Path Cost
• Local switch's calculated cost to the root bridge

Configuration BPDU Format (2 of 3)

 Configuration BPDU fields (contd.):
•Bridge ID (8 octets: a 2-octet Priority followed by the 6-octet Bridge Address)
• Bridge Priority—The priority of becoming the root bridge, the designated bridge, or both (lower is better)
• Bridge Address—The unique MAC address of the bridge itself
•Port ID (2 octets: a 1-octet Port Priority followed by a 1-octet Port Number)
• Port Priority—Used as the tiebreaker to determine the designated port, the root port, or both for a LAN (lower is better)
• Port Number—The ID of the transmitting port
 The layout above is the 802.1D-1998 one. Since IEEE 802.1t (carried into 802.1D-2004) the same octets are split differently: the Bridge Priority field is a 4-bit priority (multiples of 4096) plus a 12-bit system ID extension, and the Port ID is a 4-bit priority (multiples of 16) plus a 12-bit port number. That is why Junos prints port IDs such as 128:523 and reports an "Extended system ID" in the show spanning-tree bridge output later in this chapter


Configuration BPDU Format (3 of 3)

 Configuration BPDU fields (contd.):
•Message Age—Age of the configuration message
• Time since the root generated the configuration BPDU (incremented by each bridge that relays it)
• Enables a bridge to discard information that exceeds the Max Age
•Max Age—A timeout value to remove aging BPDU information (set by the root; default 20 seconds)
•Hello Time—Interval at which configuration BPDUs are sent by designated ports (set by the root; default 2 seconds)
•Forward Delay—The delay time before transferring the state of a port to forwarding (set by the root; default 15 seconds)
 All four timer fields are 2-octet values in units of 1/256 second, so the default Max Age of 20 seconds is carried on the wire as 0x1400

TCN BPDU Format

 TCN BPDU fields (a TCN BPDU consists of only these three fields, 4 octets in total; it carries none of the configuration BPDU fields):
•Protocol ID—0x0000 (STP)
•Protocol Version—0x00 (IEEE 802.1D-1998)
•BPDU Type—0x80 (TCN BPDU)


Building a Spanning Tree (1 of 3)

 Switches exchange configuration BPDUs:
•They are not flooded like data frames—instead each bridge uses the information in the received BPDUs to generate its own
 Root bridge is elected based on BPDU information:
•Criterion for election is the bridge ID
• The election process reviews priority first—lowest priority wins
• If the priority values are the same, bridge addresses (MAC) are compared—the lowest identifier wins

Figure: Switch-1, Switch-2, and Switch-3 (Host A on Switch-2, Host B on Switch-3) initially exchange configuration BPDUs, each claiming itself as the root bridge. Switch-1 is elected as the root bridge based on the received configuration BPDU information.

Building a Spanning Tree (2 of 3)

 Least-cost path calculation to the root bridge determines port role; port role determines port state:
Port Role and State Designations
•All ports on the root bridge assume the designated port role and forwarding state
•Root ports on switches are placed in the forwarding state; the root bridge has no root ports
•Designated ports on designated bridges are placed in the forwarding state
•All other ports are placed in the blocking state
 When two paths have the same cost, the tie is broken by the advertising bridge's ID, then its port ID, then the receiving port's ID (lower wins in each case)

Default path costs (the 32-bit scale introduced by IEEE 802.1t and used by Junos, as the cost 20000 default later in this chapter shows):
10Mbps -> Cost 2,000,000
100Mbps -> Cost 200,000
1000Mbps -> Cost 20,000
10Gbps -> Cost 2,000

Figure (F,R = Forwarding and root port; F,D = Forwarding and designated port; B = Blocking): Switch-1 (Root Bridge) has F,D ports toward Switch-2 and Switch-3. Switch-2 and Switch-3 each have an F,R port toward Switch-1 and an F,D port toward their host (Host A on Switch-2, Host B on Switch-3). On the Switch-2 to Switch-3 link, Switch-2's port is F,D and Switch-3's port is B.


Building a Spanning Tree (3 of 3)

 The tree is fully converged
•All traffic between Host A and Host B flows through the root bridge (Switch-1)
•Transition from Blocking to Forwarding: 50s = 20s (max age) + 15s (forward delay, listening) + 15s (forward delay, learning)
• The max-age wait applies when a blocked port must first age out the BPDU information it last received; a newly enabled port skips it and needs 30s

Figure: Switch-1 (Root Bridge) with both ports forwarding (F); Switch-2 and Switch-3 with their ports toward Switch-1 and toward Host A and Host B forwarding (F).
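The four steps above, carried out end to end by the following added example (written for this page; it is not Juniper code). It models the 802.1D election and the priority-vector comparison every bridge performs, then assigns port roles on the deck's Switch-1/2/3 triangle. The switch names, MAC addresses, link names and the rogue bridge are constructed; the MACs are borrowed from the show output later in this chapter. It goes beyond the slides by also plugging in the priority-4096 rogue bridge from the later "What If" slide, with and without root protection (modelled after Junos no-root-port) on the port it attaches to:

```python
"""Model of IEEE 802.1D root election, root path cost and port-role assignment.

Added example for this page, not Juniper code. Switch names, MAC addresses,
link names and the rogue bridge are constructed; the base topology follows the
deck's Switch-1/2/3 diagram and the rogue case its later "What If" slide.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BridgeId:
    priority: int   # lower wins; Junos "bridge-priority 32k" is 32768
    mac: str        # tiebreaker when priorities are equal: lowest MAC wins


@dataclass
class Port:
    bridge: str
    number: int
    link: str                    # point-to-point link (or host segment) the port is on
    cost: int = 20000            # path cost of this port (1 Gbps on the 802.1t scale)
    priority: int = 128          # port priority, first half of the 802.1D Port ID
    root_protect: bool = False   # models Junos "no-root-port" (root protection)

    @property
    def port_id(self):
        return (self.priority, self.number)


def compute_stp(bridges, ports):
    """bridges: {name: BridgeId}; ports: list of Port.

    Returns (belief, roles). belief[bridge] = (root ID it accepts, root path
    cost, root port or None); roles[(bridge, port number)] = (role, state).
    """
    by_link = {}
    for p in ports:
        by_link.setdefault(p.link, []).append(p)

    # Every bridge starts out claiming to be the root (802.1D initial state).
    belief = {n: (bridges[n], 0, None) for n in bridges}

    # Each round a bridge compares its own claim with the priority vectors it
    # hears from its neighbours; |bridges| rounds reach the same fixpoint the
    # real protocol converges to by exchanging BPDUs.
    for _ in range(len(bridges)):
        for name, own_id in bridges.items():
            best = ((own_id, 0, own_id, (0, 0), (0, 0)), None)
            for p in ports:
                if p.bridge != name or p.root_protect:
                    continue      # a root-protected port never accepts root information
                for q in by_link[p.link]:
                    if q.bridge == name:
                        continue
                    r_id, r_cost, _ = belief[q.bridge]
                    # Vector received on port p, lower is better: (root ID, root path
                    # cost, sender bridge ID, sender port ID, receiving port ID)
                    vec = (r_id, r_cost + p.cost, bridges[q.bridge], q.port_id, p.port_id)
                    if vec < best[0]:
                        best = (vec, p)
            vec, root_port = best
            belief[name] = (vec[0], vec[1], root_port)

    roles = {}
    for endpoints in by_link.values():
        # Designated port on a segment: the endpoint advertising the best
        # (root ID, root path cost, bridge ID, port ID).
        desg = min(endpoints, key=lambda e: (belief[e.bridge][0], belief[e.bridge][1],
                                             bridges[e.bridge], e.port_id))
        for e in endpoints:
            if e is desg:
                role = ("DESG", "FWD")
            elif belief[e.bridge][2] is e:
                role = ("ROOT", "FWD")
            elif e.root_protect:
                # A better root is being advertised into a protected port: Junos
                # reports the port as root-inconsistent and keeps it blocked.
                role = ("ALT", "BLK (Root-Incon)")
            else:
                role = ("ALT", "BLK")
            roles[(e.bridge, e.number)] = role
    return belief, roles


def deck_topology():
    """Switch-1/2/3 triangle with Host A on Switch-2 and Host B on Switch-3.
    The MACs follow the deck's show output and are constructed data."""
    bridges = {
        "Switch-1": BridgeId(32768, "00:19:e2:50:3f:e0"),
        "Switch-2": BridgeId(32768, "00:19:e2:50:7c:00"),
        "Switch-3": BridgeId(32768, "00:19:e2:55:1d:40"),
    }
    ports = [
        Port("Switch-1", 1, "s1-s2"), Port("Switch-2", 1, "s1-s2"),
        Port("Switch-1", 2, "s1-s3"), Port("Switch-3", 1, "s1-s3"),
        Port("Switch-2", 2, "s2-s3"), Port("Switch-3", 2, "s2-s3"),
        Port("Switch-2", 3, "host-a"), Port("Switch-3", 3, "host-b"),
    ]
    return bridges, ports


def rogue_scenario(protect=False):
    """Plug a rogue bridge with priority 4096 into Switch-2 port 4; with
    protect=True that port carries no-root-port (root protection)."""
    bridges, ports = deck_topology()
    bridges["Rogue"] = BridgeId(4096, "00:26:88:02:74:90")
    ports += [Port("Switch-2", 4, "s2-rogue", root_protect=protect),
              Port("Rogue", 1, "s2-rogue")]
    return compute_stp(bridges, ports)


if __name__ == "__main__":
    for label, (belief, roles) in [("deck", compute_stp(*deck_topology())),
                                   ("rogue", rogue_scenario()), ("protected", rogue_scenario(True))]:
        print(label, "root accepted by Switch-2:", belief["Switch-2"][0], sorted(roles.items()))
```

Without root protection the rogue wins the election outright, Switch-1's port toward Switch-2 becomes a root port and Switch-3 re-homes its root port toward Switch-2; with no-root-port on Switch-2's port, the rest of the tree never learns about the rogue and only that one port is reported root-inconsistent.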

Reconvergence Example (1 of 2)

 Steps:
1. Switch G fails
2. Switch E's port toward G leaves the forwarding state
3. Switch E sends TCNs out its root port every hello time (2 seconds) until that root port receives a TCN ACK (a configuration BPDU with the Topology Change Acknowledgment flag set) from Switch B
4. Switch B sends the TCN ACK
5. Switch B sends a TCN out its own root port
6. Switch A (the root) sends a TCN ACK

Figure: a tree rooted at Switch A. B and C are attached to A; D and E to B; F to C; G to E. G fails and E's port toward it leaves the forwarding state.


Reconvergence Example (2 of 2)

 Steps (contd.):
7. The root bridge sets the topology change flag and sends an updated configuration BPDU (it keeps the flag set for Max Age + Forward Delay, 35 seconds with default timers)
8. Switches B and C relay the topology change flag to downstream switches
9. All nonroot bridges change the MAC address forwarding table aging timer to equal the forwarding delay time (default: 15 seconds)

Figure: the same tree rooted at Switch A; B, C, D, E, and F each show "MAC Fwd Table Aging Time: 15 Sec".

 A TCN is accepted from whatever port it arrives on. A host that keeps sending TCN BPDUs keeps every bridge's aging timer at 15 seconds, so learned addresses expire early and more unicast traffic is flooded; BPDU protection on edge ports (covered later in this chapter) stops that at the access port

Rapid Spanning Tree Protocol (RSTP)

 RSTP was first defined in IEEE 802.1w and later incorporated into IEEE 802.1D-2004
 Convergence improvements:
•Point-to-point link designation
• Allows for rapid recovery from failures because a new root port or designated port can transition to forwarding without waiting for the protocol timers to expire
•Edge port designation
• A port that connects to a LAN with no other bridges attached
• It is always in the forwarding state; if a BPDU does arrive on it, the port loses its edge status and behaves as a normal spanning-tree port (unless BPDU protection shuts it down instead)
•Direct and indirect link failure and recovery


RSTP Port Roles

 RSTP introduces new port roles:
•Alternate port:
• Provides an alternate path to the root bridge (essentially a backup root port)
• Blocks traffic while receiving superior BPDUs from a neighboring switch
•Backup port:
• Provides a redundant path to a segment (on designated switches only)
• Blocks traffic while a more preferred port on the same switch functions as the designated port for that segment
 RSTP continues to use the root and designated port roles

Figure (Root Port = R, Designated Port = D, Alternate Port = A, Backup Port = B): Switch-1 (Root Bridge) has four designated ports, two toward Switch-2 and two toward Switch-3. Switch-2 and Switch-3 each have a root port (R) and an alternate port (A) on their two links to Switch-1. On the shared segment between Switch-2 and Switch-3, Switch-2 has a designated port (D) and a backup port (B), while Switch-3 has two alternate ports (A, A).

STP and RSTP Port States

 RSTP (802.1D-2004) uses fewer states than STP (802.1D-1998) but has the same functionality

802.1D-1998 STP    802.1D-2004 RSTP    Port roles in that state
Disabled           Discarding          Alternate, Backup, and Disabled Ports
Blocking           Discarding
Listening          Discarding
Learning           Learning            Root, Designated, and Edge Ports
Forwarding         Forwarding


RST BPDUs

 RST BPDUs:
•Act as keepalives
• RSTP designated ports send RST BPDUs every hello time (default of 2 seconds); unlike STP, every RSTP bridge originates its own BPDUs rather than relaying the root's
•Provide faster failure detection
• If a neighboring bridge receives no BPDU within 3 times the hello interval (3 x 2 = 6 seconds), connectivity to the neighbor is considered lost

Figure: the same topology and port roles as the previous slide (Switch-1 root with four designated ports; Switch-2 and Switch-3 each with a root and an alternate port toward Switch-1; Switch-2 with a designated and a backup port and Switch-3 with two alternate ports on the shared segment between them).

RST BPDU Format

Field             Octets
Protocol ID       2
Protocol Version  1
BPDU Type         1
Flags             1
Root ID           8
Root Path Cost    4
Bridge ID         8
Port ID           2
Message Age       2
Max Age           2
Hello Time        2
Forward Delay     2
Version 1 Length  1
(36 octets in total, one more than a configuration BPDU)

 RST BPDU fields that differ from STP:
•Protocol Version—0x02 (IEEE 802.1D-2004)
•BPDU Type—0x02 (RST BPDU)
•Flags
• Topology Change Acknowledgement Flag (Bit 8)
• Agreement Flag (Bit 7)
• Forwarding Flag (Bit 6)
• Learning Flag (Bit 5)
• Port Role (Bits 3 and 4): 00 = Unknown, 01 = Alternate or Backup, 10 = Root, 11 = Designated
• Proposal Flag (Bit 2)
• Topology Change Flag (Bit 1)
•Version 1 Length—0x00 (a single octet; the slide's two-octet "0x0000" is a typo)
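The layouts on this slide and on the configuration and TCN BPDU slides earlier, exercised by the following added example (written for this page; it is not Juniper code). It builds the three BPDU kinds into 802.3/LLC frames and parses them back using the field sizes, LLC values and flag bits given above. The bridge priorities and MACs are constructed (the MACs follow the deck's show output), the frames are built in-code rather than captured, and the is_superior_root check is the comparison that root protection acts on:

```python
"""Build and parse STP/RSTP BPDUs carried in 802.3 frames with an LLC header.

Added example for this page, not Juniper code. The sample frames are
constructed from the field layouts on the slides; the bridge MACs follow the
deck's show output and are constructed data.
"""
import struct

BRIDGE_GROUP_ADDRESS = bytes.fromhex("0180c2000000")   # 01:80:C2:00:00:00
LLC_STP = b"\x42\x42\x03"          # DSAP 0x42, SSAP 0x42, control 0x03 (UI frame)
PORT_ROLES = {0: "Unknown", 1: "Alternate/Backup", 2: "Root", 3: "Designated"}


def mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_bpdu_frame(src, root, root_cost, bridge, port_id, rstp=False, flags=0,
                     max_age=20, hello=2, forward_delay=15, tcn=False):
    """Assemble a frame (without FCS) carrying a configuration, TCN or RST BPDU.
    root and bridge are (priority, mac_bytes); timers are seconds, encoded in
    1/256 s units on the wire as 802.1D specifies."""
    if tcn:
        bpdu = struct.pack("!HBB", 0, 0, 0x80)             # TCN: 4-octet header only
    else:
        version = btype = 2 if rstp else 0
        bpdu = struct.pack("!HBBB8sI8sHHHHH", 0, version, btype, flags,
                           struct.pack("!H", root[0]) + root[1], root_cost,
                           struct.pack("!H", bridge[0]) + bridge[1], port_id,
                           0, max_age * 256, hello * 256, forward_delay * 256)
        if rstp:
            bpdu += b"\x00"                                 # Version 1 Length
    length = struct.pack("!H", len(LLC_STP) + len(bpdu))   # 802.3 length field
    return BRIDGE_GROUP_ADDRESS + src + length + LLC_STP + bpdu


def parse_flags(flags, rstp):
    out = {"tc": bool(flags & 0x01), "tca": bool(flags & 0x80)}
    if rstp:   # the middle six bits are only defined for RST BPDUs
        out.update(proposal=bool(flags & 0x02), role=PORT_ROLES[(flags >> 2) & 3],
                   learning=bool(flags & 0x10), forwarding=bool(flags & 0x20),
                   agreement=bool(flags & 0x40))
    return out


def parse_bpdu_frame(frame):
    """Decode the fields the slides describe; raise ValueError for anything else."""
    if frame[0:6] != BRIDGE_GROUP_ADDRESS:
        raise ValueError("destination is not the bridge group address")
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500 or frame[14:17] != LLC_STP:
        raise ValueError("not an 802.3/LLC frame with DSAP/SSAP 0x42")
    bpdu = frame[17:14 + length]          # use the length field: frames may be padded
    proto, version, btype = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto:#06x}")
    out = {"src": mac(frame[6:12]), "version": version, "type": btype}
    if btype == 0x80:
        out["kind"] = "TCN"
        return out
    if btype not in (0x00, 0x02) or len(bpdu) < 35:
        raise ValueError(f"unsupported or truncated BPDU type {btype:#04x}")
    (flags, root, rpc, bridge, port,
     age, max_age, hello, fwd) = struct.unpack("!B8sI8sHHHHH", bpdu[4:35])
    rstp = btype == 0x02
    out.update(kind="RST" if rstp else "Configuration", flags=parse_flags(flags, rstp),
               root_id=(struct.unpack("!H", root[:2])[0], mac(root[2:])),
               root_path_cost=rpc,
               bridge_id=(struct.unpack("!H", bridge[:2])[0], mac(bridge[2:])),
               # Port ID printed the way Junos does: 4-bit priority (x16) : 12-bit number
               port_id=f"{(port >> 12) * 16}:{port & 0x0fff}",
               message_age=age / 256, max_age=max_age / 256,
               hello_time=hello / 256, forward_delay=fwd / 256)
    if rstp:
        out["version1_length"] = bpdu[35] if len(bpdu) > 35 else None
    return out


def is_superior_root(bpdu, current_root):
    """True when the BPDU advertises a better root than the (priority, mac) the
    receiving bridge accepts today: the event root protection blocks."""
    return "root_id" in bpdu and bpdu["root_id"] < current_root


SWITCH1 = (32768, bytes.fromhex("0019e2503fe0"))   # constructed: deck's Switch-1 MAC
ROGUE = (4096, bytes.fromhex("002688027490"))      # constructed: priority-4096 rogue


def sample_frames():
    """Switch-1's configuration BPDU (padded to the 60-byte minimum, as on the wire),
    a TCN from Switch-1, and an RST BPDU from the rogue's designated port."""
    cfg = build_bpdu_frame(SWITCH1[1], SWITCH1, 0, SWITCH1, 0x8001).ljust(60, b"\x00")
    tcn = build_bpdu_frame(SWITCH1[1], SWITCH1, 0, SWITCH1, 0x8001, tcn=True)
    rst = build_bpdu_frame(ROGUE[1], ROGUE, 0, ROGUE, 0x8001, rstp=True,
                           flags=0x3c)   # forwarding + learning + role designated
    return cfg, tcn, rst
```

The parser trusts the 802.3 length field rather than the frame size because short BPDU frames are padded to 60 bytes on the wire; a capture-based tool that reads to the end of the frame would misread the padding as Version 1 Length and beyond.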


Transitioning to the Forwarding State

 Original STP (802.1D-1998)
•Takes 30 seconds before the ports start forwarding traffic after port enablement
• 2x forwarding delay (listening + learning)
 RSTP (802.1D-2004):
•Uses a proposal-and-agreement handshake on point-to-point links instead of timers
• Exceptions are alternate ports, which immediately transition to root, and edge ports, which immediately transition to the forwarding state
• Nonedge designated ports transition to the forwarding state once they receive an explicit agreement
• On shared (half-duplex) links no handshake takes place and RSTP falls back to the forward-delay timers, which is why the interface mode (point-to-point or shared) in the RSTP configuration later in this chapter matters for convergence time

Topology Change Reconvergence

 Topology changes occur only when nonedge ports transition to the forwarding state:
•Port transitions to the discarding state no longer trigger the STP TCN/TCN Acknowledgment sequence
•The initiator floods RSTP TCNs (RST BPDUs with the Topology Change flag set) out of all designated ports as well as out of the root port
•Because of the received RSTP TCN, switches flush the majority of MAC addresses in the bridge table
• Switches do not flush MAC addresses learned on edge ports
• Switches do not flush MAC addresses learned on the port receiving the TCN


Indirect Link Failure

 When an indirect link failure occurs:
•Switch-2's root port fails—it assumes it is the new root
•Switch-3 receives inferior BPDUs from Switch-2—it moves the alternate port to the designated port role
•Switch-2 receives superior BPDUs, knows it is not the root, and designates the port connecting to Switch-3 as the root port

Figure (Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A): before the failure, Switch-1 (Root Bridge) has forwarding designated ports toward Switch-2 and Switch-3; Switch-2 and Switch-3 have root ports (R, F) toward Switch-1; on the Switch-2 to Switch-3 link Switch-2 has D (F) and Switch-3 has A (B). After Switch-2's root port fails, Switch-2 sends an inferior BPDU toward Switch-3, Switch-3 replies with a superior BPDU and its port becomes D (F), and Switch-2's port toward Switch-3 becomes its root port R (F).

Direct Link Failure

 When a direct link failure occurs:
•The alternate port transitions to the forwarding state and assumes the root port role following the failure of the old root port
•Switch-3 signals upstream switches to flush their MAC tables by sending RSTP TCNs out the new root port
• Upstream switches only flush MAC entries that they learned on active ports that did not receive the RSTP TCNs (except edge ports)

Figure (Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A): before the failure, Switch-3's root port faces Switch-1 and its port toward Switch-2 is A (B). After the Switch-1 to Switch-3 link fails, Switch-3's port toward Switch-2 becomes R (F) and Switch-2's port toward Switch-3 remains D (F).


RSTP Interoperability with STP

 STP and RSTP interoperability considerations:
•If a switch supports only the 802.1D-1998 STP protocol, it discards any RSTP BPDUs it receives
•If an RSTP-capable switch receives 802.1D-1998 BPDUs, it reverts to 802.1D-1998 STP mode on the receiving interface only and sends STP BPDUs
•The fallback is triggered by the BPDU alone, so a device on an access segment that emits legacy STP BPDUs forces that interface back to 30 to 50 second timer-based convergence; BPDU protection on edge ports prevents this

Figure: Switch-1 (STP, Protocol Version 0, IEEE 802.1D-1998) connected to Switch-2 (RSTP, Protocol Version 0x02, IEEE 802.1D-2004) connected to Switch-3 (RSTP, Protocol Version 0x02). Switch-2 speaks STP on its interface toward Switch-1 and RSTP toward Switch-3.

Configuring STP

[edit protocols stp]
user@switch# set ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  bpdu-block-on-edge   Block BPDU on all interfaces configured as edge (BPDU Protect)
  bridge-priority      Priority of the bridge (in increments of 4k - 0,4k,8k,..60k)
  disable              Disable STP
  forward-delay        Time spent in listening or learning state (4..30 seconds)
  hello-time           Time interval between configuration BPDUs (1..10 seconds)
> interface
  max-age              Maximum age of received protocol bpdu (6..40 seconds)
> traceoptions         Tracing options for debugging protocol operation

Configuration example illustrating the default STP settings:
[edit protocols stp]
user@switch# show
bridge-priority 32k;
max-age 20;
hello-time 2;
forward-delay 15;


Configuring RSTP

[edit protocols rstp]
user@switch# show
bridge-priority 32k;
max-age 20;
hello-time 2;
forward-delay 15;
interface ge-0/0/10.0 {
    disable;
}
interface ge-0/0/13.0 {
    priority 128;
    mode point-to-point;
}
interface ge-0/0/14.0 {
    cost 20000;
    mode shared;
}
interface ge-0/0/2.0 {
    edge;
}

Notes on the example:
•bridge-priority 32k, max-age 20, hello-time 2, and forward-delay 15 are the default RSTP settings
•disable excludes the interface from participating in RSTP
•priority 128 is the default port priority, used to influence a downstream device's least-cost path calculation to the root bridge (lower is better)
•mode point-to-point is the default interface mode for interfaces operating in full-duplex mode
•cost 20000 is the default cost value for interfaces operating at 1 Gbps
•mode shared is the default interface mode for interfaces operating in half-duplex mode
•edge is the default value for interfaces that do not connect to STP-enabled devices

Monitoring STP and RSTP (1 of 2)

user@switch> show spanning-tree ?
Possible completions:
  bridge       Show STP bridge parameters
  interface    Show STP interface parameters
  mstp         Show Multiple Spanning Tree Protocol information
  statistics   Show STP statistics

user@switch> show spanning-tree bridge
STP bridge parameters
Context ID                        : 0
Enabled protocol                  : RSTP
  Root ID                         : 4096.00:19:e2:55:36:00
  Root cost                       : 40000
  Root port                       : ge-0/0/13.0
  Hello time                      : 2 seconds
  Maximum age                     : 20 seconds
  Forward delay                   : 15 seconds
  Message age                     : 2
  Number of topology changes      : 2
  Time since last topology change : 72 seconds
  Local parameters
    Bridge ID                     : 32768.00:19:e2:55:1d:40
    Extended system ID            : 0
    Internal instance ID          : 0

In this output, Root ID is the root bridge's ID (priority 4096 followed by its MAC address), Root cost is the cumulative cost from this switch to the root bridge, Root port is the local root port, and Bridge ID under Local parameters is the local device's own bridge ID. Compare Root ID with the bridge you intended to be root: a root with a priority lower than any you assigned, or a root MAC you do not recognize, is the symptom of the rogue-switch scenario treated later in this chapter.


Monitoring STP and RSTP (2 of 2)

user@switch> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated          Port    State  Role
                       port ID     bridge ID           Cost
ge-0/0/10.0  128:523   128:523     32768.0019e2507c00  20000   BLK    ALT
ge-0/0/11.0  128:524   128:524     32768.0019e2507c00  20000   BLK    ALT
ge-0/0/12.0  128:525   128:525     32768.0019e2507c00  20000   BLK    ALT
ge-0/0/13.0  128:526   128:526     32768.0019e2503fe0  20000   FWD    ROOT
ge-0/0/14.0  128:527   128:527     32768.0019e2503fe0  20000   BLK    ALT
ge-0/0/15.0  128:528   128:528     32768.0019e2503fe0  20000   BLK    ALT

user@switch> show spanning-tree statistics interface

Interface    BPDUs sent  BPDUs received  Next BPDU transmission
ge-0/0/10.0  7           5               0
ge-0/0/11.0  7           5               0
ge-0/0/12.0  7           5               0
ge-0/0/13.0  7           4               0
ge-0/0/14.0  7           5               0
ge-0/0/15.0  7           5               0

The Designated bridge ID column names the bridge that is designated on each segment: ge-0/0/13.0 is the root port, ge-0/0/14.0 and ge-0/0/15.0 are alternate ports toward the same upstream bridge (32768.0019e2503fe0), and ge-0/0/10.0 through ge-0/0/12.0 are alternate ports toward a second bridge (32768.0019e2507c00).

Test Your Knowledge (1 of 4)

 Which switch will be elected the root bridge?

{master:0}[edit protocols rstp]
user@Switch-1# show
bridge-priority 4k;
interface ge-0/0/8.0 {
    cost 1;
}
interface all {
    priority 128;
    cost 200000;
}

{master:0}[edit protocols rstp]
user@Switch-2# show
bridge-priority 8k;
interface ge-0/0/10.0 {
    cost 1;
}
interface all {
    priority 16;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-3# show
bridge-priority 32k;
interface all {
    priority 16;
    cost 2000;
}

{master:0}[edit protocols rstp]
user@Switch-4# show
bridge-priority 36k;
interface all {
    priority 128;
    cost 20000;
}

Figure: Switch-1 and Switch-2 above, Switch-3 and Switch-4 below, connected in a square; the diagram carries the link labels ge-0/0/1.0, ge-0/0/8.0 (twice), and ge-0/0/12.0 and marks Switch-1 as the Root Bridge.

 Switch-1 is elected: it has the lowest bridge priority (4k). Interface costs and port priorities play no part in the root election, which compares bridge IDs only


Test Your Knowledge (2 of 4)

 What role and state will be assigned to the various switch ports?

Configurations as on the previous slide (Switch-1 priority 4k, Switch-2 8k, Switch-3 32k, Switch-4 36k, with the interface costs and priorities shown there).

Figure (Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A): the same square topology with Switch-1 as Root Bridge and each port annotated with its role and state. Every port on Switch-1 is designated and forwarding; each other switch has exactly one root port; on the one link that would otherwise close the loop, the port with the worse priority vector is alternate and blocking.

Test Your Knowledge (3 of 4)

 Assume ge-0/0/8 on Switch-1 has failed; what role and state will be assigned to the remaining ports?

Configurations as on the previous two slides.

Figure (Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A): the square topology with Switch-1's ge-0/0/8.0 link removed. Switch-2's port toward Switch-1 on ge-0/0/1.0 is now a root port (R, F); the remaining ports are re-annotated in the diagram with their new roles and states.


Test Your Knowledge (4 of 4)

 Based on the modified configurations, what role and state will be assigned to Switch-4's ports?

{master:0}[edit protocols rstp]
user@Switch-1# show
bridge-priority 4k;
interface all {
    priority 128;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-2# show
bridge-priority 32k;
interface all {
    priority 16;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-3# show
bridge-priority 32k;
interface all {
    priority 16;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-4# show
bridge-priority 36k;
interface ge-0/0/8.0 {
    priority 32;
}
interface ge-0/0/12.0 {
    priority 16;
}

Figure (Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A): the same square topology with Switch-1 as Root Bridge; the diagram marks one of Switch-4's ports as R (F) and the other as A (B).

 With every cost now 20000 and Switch-4 reaching the root through either Switch-2 or Switch-3, Switch-4 sees the same root path cost on both of its ports, so the choice falls to the tiebreakers in order: the designated bridge ID on each link (Switch-2 versus Switch-3, both priority 32k, so their MAC addresses decide), then the designated port ID, and only then Switch-4's own port priorities (16 on ge-0/0/12.0 versus 32 on ge-0/0/8.0)

What If…?

 Given the topology below, what if User A connects a personal (unauthorized) switch running the spanning tree protocol to Switch-2?

Figure: Switch-1 (Root Bridge) connected to Switch-2 and Switch-3; on the right, User A's switch attached to Switch-2 exchanges BPDUs with it and has become part of the spanning tree.

 BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become part of the spanning tree, potentially leading to a network outage


BPDU Protection

 BPDU protection prevents rogue switches from connecting to the network and causing undesired Layer 2 topology changes and possible outages
•If a BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state

Figure: Switch-1 (Root Bridge) above Switch-2 and Switch-3; User A attaches to an edge port on Switch-2. The edge port is disabled if a BPDU is received on the protected interface.

Configuring BPDU Protection

 BPDU protection can be enabled on switches whether or not a spanning tree protocol is enabled:

Use the bpdu-block-on-edge option when a spanning tree protocol is enabled:
{master:0}[edit protocols rstp]
user@Switch-2# show
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;

Use the bpdu-block option when a spanning tree protocol is not enabled:
{master:0}[edit ethernet-switching-options]
user@Switch-2# show
bpdu-block {
    interface ge-0/0/6.0;
}

Figure: User A attaches to Switch-2 on ge-0/0/6.0.


Monitoring BPDU Protection

Before a BPDU is received on the protected interface (ge-0/0/6.0, where User A attaches to Switch-2):

{master:0}
user@Switch-2> show spanning-tree interface ge-0/0/6.0

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated          Port    State  Role
                       port ID     bridge ID           Cost
ge-0/0/6.0   128:519   128:519     32768.0019e2516580  20000   FWD    DESG

{master:0}
user@Switch-2> show ethernet-switching interfaces ge-0/0/6.0
Interface    State  VLAN members   Tag  Tagging    Blocking
ge-0/0/6.0   up     default             untagged   unblocked

After a BPDU is received on the protected interface (BPDU violation):

{master:0}
user@Switch-2> show spanning-tree interface ge-0/0/6.0
(no output: the interface is no longer part of the spanning tree)

{master:0}
user@Switch-2> show ethernet-switching interfaces ge-0/0/6.0
Interface    State  VLAN members   Tag  Tagging    Blocking
ge-0/0/6.0   down   default             untagged   Disabled by bpdu-control

The interface stays disabled until it is re-enabled by hand:

{master:0}
user@Switch-2> clear ethernet-switching bpdu-error interface ge-0/0/6.0

or until a disable timeout (10 to 3600 seconds) expires, configured with:

[edit ethernet-switching-options]
user@Switch-2# set bpdu-block disable-timeout <seconds>

What If…?

 Given the topology below, what if BPDUs sent by Switch-2 were not received by Switch-3?

Figure: Switch-1 (Root Bridge) with designated ports toward Switch-2 and Switch-3; both have root ports toward Switch-1; on the Switch-2 to Switch-3 link Switch-2 is designated and Switch-3 is alternate. BPDUs are not received because of a unidirectional link failure or a software configuration issue. In the right-hand diagram Switch-3's port has also become designated and a Layer 2 loop results.

 Switch-3 waits until the max-age timer expires, then transitions its alternate port to the designated port role and the forwarding state, thus removing the blocked port and causing a Layer 2 loop


Loop Protection

 The loop protection feature provides additional protection against Layer 2 loops by preventing non-designated ports from becoming designated ports
•Enable loop protection on all non-designated ports
• Ports that detect the loss of BPDUs transition to the "loop inconsistent" role, which maintains the blocking state
• The port automatically transitions back to its previous or a new role when it receives a BPDU again

Figure: Switch-1 (Root Bridge) with designated ports toward Switch-2 and Switch-3; root ports on Switch-2 and Switch-3; loop protection applied on Switch-3's alternate port toward Switch-2.

Configuring Loop Protection

 Configure loop protection on non-designated ports (root and alternate ports):
{master:0}[edit protocols rstp]
user@Switch-3# show
interface ge-0/0/10.0 {
    bpdu-timeout-action {
        block;
    }
}
interface ge-0/0/12.0 {
    bpdu-timeout-action {
        block;
    }
}

Use the block or alarm action in conjunction with the loop protection feature.

Figure: Switch-1 (Root Bridge) above Switch-2 and Switch-3; Switch-3's ge-0/0/10.0 is its root port toward Switch-1 and ge-0/0/12.0 its alternate port toward Switch-2; loop protection is applied on both.


Monitoring Loop Protection

When BPDUs are received on the protected interface:
{master:0}
user@Switch-3> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated          Port    State  Role
                       port ID     bridge ID           Cost
ge-0/0/10.0  128:523   128:523     4096.002688027490   20000   FWD    ROOT
ge-0/0/12.0  128:525   128:525     16384.0019e2516580  20000   BLK    ALT

When BPDUs are not received on the protected interface:
{master:0}
user@Switch-3> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated          Port    State  Role
                       port ID     bridge ID           Cost
ge-0/0/10.0  128:523   128:523     4096.002688027490   20000   FWD    ROOT
ge-0/0/12.0  128:525   128:525     32768.0019e2553600  20000   BLK    DIS (Loop-Incon)

Once the BPDUs stop, ge-0/0/12.0 is reported as DIS (Loop-Incon) and stays blocked instead of becoming designated and forwarding.

What If…?

 Given the topology and details below, what if a rogue switch with a bridge priority of 4096 was connected to the Layer 2 network?

Figure: aggregation switch Switch-1 (Root Bridge, Priority = 8k) above access switches Switch-2 and Switch-3 (Priority = 32k each). On the right, the rogue switch attached at the access layer exchanges BPDUs and has become the new root bridge; Switch-1 is no longer the root.

 BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become the new root bridge, potentially leading to a network outage
 The root bridge's BPDUs also carry the Max Age, Hello Time, and Forward Delay values every other bridge uses, so the rogue would control the tree's timers as well as its shape


Root Protection

 Enable root protection to avoid unwanted STP topology changes and root bridge placement
•If a superior BPDU is received on a protected interface, the interface is placed in the root-inconsistent state and transitions to blocking; it stays blocked for as long as superior BPDUs keep arriving and returns to its previous role once they stop

Figure: aggregation switches Switch-1 (Root Bridge, Priority = 4k) and Switch-2 (Priority = 8k) above access switches Switch-3, Switch-4, and Switch-5 (Priority = 32k each). Root protection is typically configured on the ports of aggregation switches that connect to access switches.

Configuring Root Protection

 Enable root protection on ports that should never receive superior BPDUs, that is, ports that must never become the root port:

{master:0}[edit protocols rstp]
user@Switch-1# show
bridge-priority 4k;
interface all {
    no-root-port;
}

{master:0}[edit protocols rstp]
user@Switch-2# show
bridge-priority 8k;
interface ge-0/0/6.0 {
    no-root-port;
}
interface ge-0/0/7.0 {
    no-root-port;
}
interface ge-0/0/8.0 {
    no-root-port;
}

Figure: aggregation switches Switch-1 (Root Bridge, Priority = 4k) and Switch-2 (Priority = 8k) above access switches Switch-3, Switch-4, and Switch-5 (Priority = 32k each); the diagram also labels Switch-1's ge-0/0/12.0 and ge-0/0/13.0.

 Switch-1 is the intended root, so every one of its ports can carry no-root-port (interface all). Switch-2 must keep its ports toward Switch-1 eligible to become its root port, so root protection is applied only to its access-facing ports ge-0/0/6.0, ge-0/0/7.0, and ge-0/0/8.0
 An interface cannot be configured with both loop protection and root protection


Monitoring Root Protection

Before a superior BPDU is received on the protected interface:
{master:0}
user@Switch-1> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated          Port    State  Role
                       port ID     bridge ID           Cost
ge-0/0/6.0   128:519   128:519     4096.0019e2516580   20000   FWD    DESG
ge-0/0/7.0   128:520   128:520     4096.0019e2516580   20000   FWD    DESG
ge-0/0/8.0   128:521   128:521     4096.0019e2516580   20000   FWD    DESG
ge-0/0/12.0  128:525   128:525     4096.0019e2516580   20000   FWD    DESG
ge-0/0/13.0  128:526   128:526     4096.0019e2516580   20000   FWD    DESG

After a superior BPDU is received on the protected interface (Switch-1 is the Root Bridge, Priority = 4k):
{master:0}
user@Switch-1> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated          Port    State  Role
                       port ID     bridge ID           Cost
ge-0/0/6.0   128:519   128:519     0.002688027490      20000   BLK    ALT (Root-Incon)
ge-0/0/7.0   128:520   128:520     4096.0019e2516580   20000   FWD    DESG
ge-0/0/8.0   128:521   128:521     4096.0019e2516580   20000   FWD    DESG
ge-0/0/12.0  128:525   128:525     4096.0019e2516580   20000   FWD    DESG
ge-0/0/13.0  128:526   128:526     4096.0019e2516580   20000   FWD    DESG

The Designated bridge ID on ge-0/0/6.0 now shows the intruder (priority 0, MAC 002688027490); the port is blocked as root-inconsistent and the rest of Switch-1's ports, and therefore the tree, are unaffected.
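A small audit over the show-command output on this slide and on the BPDU protection and loop protection monitoring slides, as an added example (written for this page; it is not a Juniper tool). It parses the spanning-tree interface table and the ethernet-switching interface table and reports every port a protection feature has acted on, plus any root port on a switch that is supposed to be the root. The sample outputs are constructed from the excerpts on the slides, and the column layout the regular expressions expect is the one those excerpts use:

```python
"""Audit Junos spanning-tree show output for protection-feature events.

Added example for this page, not a Juniper tool. The sample outputs below are
constructed from the show-command excerpts on the slides; the parsers assume
the column layout those excerpts use.
"""
import re

# One row of "show spanning-tree interface"; the optional trailing "(...)" carries
# the inconsistency Junos reports when root or loop protection has acted.
STP_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<port_id>\d+:\d+)\s+(?P<desg_port>\d+:\d+)\s+"
    r"(?P<desg_bridge>\d+\.[0-9a-fA-F]{12})\s+(?P<cost>\d+)\s+(?P<state>\S+)\s+"
    r"(?P<role>\S+)(?:\s+\((?P<incon>[^)]+)\))?\s*$")

# One row of "show ethernet-switching interfaces"; the Tag column may be empty.
SW_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<state>up|down)\s+(?P<vlan>\S+)\s+(?:(?P<tag>\d+)\s+)?"
    r"(?P<tagging>tagged|untagged)\s+(?P<blocking>.+?)\s*$")


def parse_stp_interfaces(text):
    rows = []
    for line in text.splitlines():
        m = STP_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["cost"] = int(row["cost"])
            rows.append(row)
    return rows


def parse_switching_interfaces(text):
    matches = [SW_ROW.match(line.strip()) for line in text.splitlines()]
    return [m.groupdict() for m in matches if m]


def audit(stp_text, switching_text="", expect_root=False):
    """Return one finding per port a protection feature has acted on. Pass
    expect_root=True for a bridge that is meant to be the root (an aggregation
    switch): any ROOT port there means a better root is advertised from below."""
    findings = []
    for r in parse_stp_interfaces(stp_text):
        if r["incon"] == "Root-Incon":
            findings.append(f"{r['iface']}: root protection blocked a superior BPDU "
                            f"from bridge {r['desg_bridge']}")
        elif r["incon"] == "Loop-Incon":
            findings.append(f"{r['iface']}: loop protection kept the port blocked "
                            f"after BPDUs stopped arriving")
        elif expect_root and r["role"] == "ROOT":
            findings.append(f"{r['iface']}: unexpected root port, upstream bridge "
                            f"{r['desg_bridge']} (root protection missing?)")
    for r in parse_switching_interfaces(switching_text):
        if "bpdu-control" in r["blocking"]:
            findings.append(f"{r['iface']}: BPDU protection disabled the interface "
                            f"({r['blocking']})")
    return findings


# Constructed samples, following the deck's monitoring slides.
SWITCH1_AFTER = """\
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated  Designated          Port    State  Role
                       port ID     bridge ID           Cost
ge-0/0/6.0   128:519   128:519     0.002688027490      20000   BLK    ALT (Root-Incon)
ge-0/0/7.0   128:520   128:520     4096.0019e2516580   20000   FWD    DESG
ge-0/0/8.0   128:521   128:521     4096.0019e2516580   20000   FWD    DESG
ge-0/0/12.0  128:525   128:525     4096.0019e2516580   20000   FWD    DESG
ge-0/0/13.0  128:526   128:526     4096.0019e2516580   20000   FWD    DESG
"""
SWITCH3_LOOP = """\
ge-0/0/10.0  128:523   128:523     4096.002688027490   20000   FWD    ROOT
ge-0/0/12.0  128:525   128:525     32768.0019e2553600  20000   BLK    DIS (Loop-Incon)
"""
SWITCH2_SWITCHING = """\
Interface    State  VLAN members   Tag  Tagging    Blocking
ge-0/0/6.0   down   default             untagged   Disabled by bpdu-control
ge-0/0/7.0   up     default             untagged   unblocked
"""

if __name__ == "__main__":
    for name, args in [("Switch-1", (SWITCH1_AFTER, "", True)),
                       ("Switch-3", (SWITCH3_LOOP,)),
                       ("Switch-2", ("", SWITCH2_SWITCHING))]:
        print(name, audit(*args))
```

Run periodically (or over the output of a configuration-management collector), the three findings correspond to the three events the slides show: a blocked superior BPDU on the root, a loop-inconsistent alternate port on Switch-3, and an access port shut by BPDU protection on Switch-2.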
