SpanningTree Juniper

This document provides an overview of Spanning Tree Protocol (STP) and how it works. STP is a Layer 2 protocol that prevents switching loops by calculating the best path through a network with redundant paths. It works by having switches exchange BPDU frames to elect a root bridge and determine the root port and designated ports on each switch. This establishes a loop-free tree topology for switching frames.


Junos Enterprise Switching

Chapter 4: Spanning Tree

Test Your Knowledge

This slide serves as a review of a previously covered concept. The slide illustrates the expected
behavior when a switch receives a broadcast frame or a frame destined to an unknown MAC
address. You can see in the example that both Switch-1 and Switch-2 flood the frame out all
interfaces except the interface on which the frame was received. This is an important concept to
understand going forward.
Chapter 4–2 www.juniper.net



What If ...?

As previously mentioned, switches flood broadcast frames and frames for unknown MAC addresses
out all ports except the port on which those frames were received. In Layer 2 networks with
redundant paths, such as the one illustrated on the slide, switches will continuously flood these
types of frames throughout the network. When a frame is continuously flooded throughout a Layer 2
network, a Layer 2 loop exists. Layer 2 loops can be extremely harmful to a network’s operation and
should be avoided. To avoid Layer 2 loops, you must implement a Layer 2 loop-prevention
mechanism such as the spanning tree protocol (STP). We cover STP on subsequent slides in this
material.


STP

STP is defined in the Institute of Electrical and Electronics Engineers (IEEE) 802.1D-1998
specification. STP is a simple Layer 2 protocol that prevents loops and calculates the best path
through a switched network that contains redundant paths. STP is highly recommended in any
Layer 2 network environment where redundant paths exist or might exist. When topology changes
occur, STP automatically rebuilds the tree.

Note that newer versions of STP exist, including Rapid Spanning Tree Protocol (RSTP), Multiple
Spanning Tree Protocol (MSTP), and VLAN Spanning Tree Protocol (VSTP). These newer versions of
STP include enhancements over the original STP. We cover RSTP in detail later in this material.
MSTP allows you to run a separate instance of spanning tree for a group of VLANs, while VSTP allows
you to run one or more spanning tree instances for each VLAN. MSTP and VSTP are outside the
scope of this material.


How Does it Work?

This slide highlights the basic steps for creating a spanning tree. We highlight each of these steps in
more detail on subsequent slides.


BPDU Ethernet Frame

The slide shows the Ethernet frame format of an STP BPDU. Notice that the Ethernet frame does not
contain any 802.1Q VLAN tagging. The source address of the frame is the MAC address of the
outgoing port of the sending switch. The destination address is the multicast MAC address that is
reserved for STP. The frame also contains an LLC header that uses a destination service access
point (DSAP) of 0x42, the value assigned to the bridge spanning tree protocol.

BPDU Types

STP uses BPDU packets to exchange information between switches. Two types of BPDUs exist:
configuration BPDUs and topology change notification (TCN) BPDUs. Configuration BPDUs determine
the tree topology of a LAN. STP uses the information that the BPDUs provide to elect a root bridge, to
identify root ports for each switch, to identify designated ports for each physical LAN segment, and to
prune specific redundant links to create a loop-free tree topology. TCN BPDUs report topology
changes within a switched network.


Configuration BPDU Format: Part 1

When an STP network is first turned up, all participating bridges send out configuration BPDUs to
advertise themselves as candidates for the root bridge. Each bridge uses the received BPDUs to help
build the spanning tree and elect the root bridge, root ports, and designated ports for the network.
Once the STP network converges and is stable, the root bridge sends a configuration BPDU once
every few seconds (the hello time default is 2 seconds).

The following list provides a brief explanation of each of the BPDU fields:
• Protocol ID: This value is always 0.
• Protocol Version: This value is always 0.
• BPDU Type: This field determines which of the two BPDU formats this frame contains—
configuration BPDU or TCN BPDU.
• Flags: This field is used to handle changes in the active topology; we discuss this field
later.
• Root ID: This field contains the bridge ID (BID) of the root bridge. After convergence, all
configuration BPDUs in the bridged network should contain the same value for this field
(for a single VLAN). Some network sniffers break out the two BID subfields: bridge
priority and bridge MAC address.
• Root Path Cost: This value is the cumulative cost of all links leading to the root bridge.


Configuration BPDU Format: Part 2

The following list is a continuation of the explanation of BPDU fields:
• Bridge ID (BID): This value is the identifier of the bridge that created the current BPDU.
This field is the same for all BPDUs sent by a single switch (for a single VLAN), but it
differs between switches. The BID is a combination of the sender bridge’s priority to
become root or designated bridge and the bridge address (a unique MAC address for
the bridge).
• Port ID: This field contains a unique value for every port. This value is a combination of
the outbound port’s priority and a unique value to represent the port. The default port
priority is 128 for every interface on an EX Series switch. The switch automatically
generates the port number and you cannot configure it. For example, ge-1/0/0 contains
the value 128:513, whereas ge-1/0/1 contains the value 128:514.


Configuration BPDU Format: Part 3

The following list is a continuation of the explanation of BPDU fields:
• Message Age: This field records the time since the root bridge originally generated the
information from which the current BPDU is derived.
• Max Age: This value is the maximum age that stored BPDU information may reach before
a bridge discards it. It also influences the bridge table aging timer during the topology
change notification process.
• Hello Time: This value is the time between periodic configuration BPDUs.
• Forward Delay: This value is the time a bridge spends in each of the listening and learning
states. It also influences timers during the topology change notification process.


TCN BPDU

The slide shows the format of the TCN BPDU. TCN BPDUs are used to announce changes in the
network topology. We describe their usage in more detail later in this material.


Exchange of BPDUs

Switches participating in a switched network running STP exchange BPDUs with each other. Through
the exchanged BPDUs, neighboring switches become familiar with each other and learn the
information necessary to select a root bridge. Each bridge creates its own configuration BPDUs
based upon the BPDUs that it receives from neighboring switches. Non-STP bridges simply flood
BPDUs as they would any multicast Ethernet frame.

Root Bridge Election

STP elects the root bridge device based on the BID, which actually consists of two distinct elements:
a configurable priority value and a unique device identifier, which is the system MAC address. Each
switch reviews the priority values first to determine the root bridge. If the priority value of one switch
is lower than the priority value of all other switches, that switch is elected as the root bridge. If the
priority values are equal for multiple switches, STP evaluates the system MAC addresses of the
remaining switches and elects the switch with the lowest MAC address as the root bridge.


Port Role and State Determination

Once the root bridge election occurs, all nonroot devices perform a least-cost path calculation to the
root bridge. The results of these calculations determine the role of the switch ports. The role of the
individual switch ports determines the port state.

All switch ports belonging to the root bridge assume the designated port role and forwarding state.
Each nonroot switch determines a root port, which is the port closest to the root bridge, based on its
least-cost path calculation to the root bridge. Each interface has an associated cost that is based on
the configured speed. An interface operating at 10 Mbps assumes a cost of 2,000,000, an interface
operating at 100 Mbps assumes a cost of 200,000, an interface operating at 1 Gbps assumes a
cost of 20,000, and an interface operating at 10 Gbps assumes a cost of 2000. If a switch has two
equal-cost paths to the root bridge, the switch port with the lower port ID is selected as the root port
(strictly, 802.1D breaks an equal-cost tie first on the bridge ID of the switch that sent the BPDU, then
on the sender’s port ID, and only then on the local port ID). The root port for each nonroot switch is
placed in the forwarding state.

STP selects a designated bridge on each LAN segment. This selection process is also based on the
least-cost path calculation from each switch to the root bridge. Once the designated bridge selection
occurs, its port, which connects to the LAN segment, is chosen as the designated port. If the
designated bridge has multiple ports connected to the LAN segment, the port with the lowest ID
participating on that LAN segment is selected as the designated port. All designated ports assume
the forwarding state. All ports not selected as a root port or as a designated port assume the
blocking state. While in the blocking state, the ports do not send any BPDUs. However, they listen for
BPDUs.
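The election and port-role rules above, worked through in code. This is an added example, not code from the course or from Junos: the four switches, their priorities, MAC addresses, port numbers and links are constructed, and the cost table is the one listed above. It applies the full 802.1D tie-break order for equal-cost paths (sender bridge ID, then sender port ID, then local port ID), which goes one step beyond the simplified port-ID rule stated above.

```python
"""Root bridge election and STP port-role determination on a constructed topology.
Added illustration, not code from the Juniper course: the switches, MAC addresses,
port numbers and links below are made up."""
import heapq
from dataclasses import dataclass

# Default port path cost per link speed in Mbps, as listed in the text above.
PORT_COST = {10: 2_000_000, 100: 200_000, 1_000: 20_000, 10_000: 2_000}


@dataclass(frozen=True)
class Port:
    bridge: str        # owning switch
    name: str          # interface name, e.g. "ge-0/0/1"
    number: int        # switch-assigned port number (ge-x/0/0 is 513, ge-x/0/1 is 514, ...)
    speed_mbps: int
    segment: str       # LAN segment the port attaches to
    priority: int = 128

    @property
    def port_id(self):
        return (self.priority, self.number)

    @property
    def cost(self):
        return PORT_COST[self.speed_mbps]


def bridge_id(priority, mac):
    """A BID orders as (priority, MAC address); the lowest value wins."""
    return (priority, bytes.fromhex(mac.replace(":", "")))


def elect_root(bridges):
    """bridges maps name -> (priority, mac). Lowest priority wins; MAC breaks ties."""
    return min(bridges, key=lambda name: bridge_id(*bridges[name]))


def root_path_costs(ports, root):
    """Least-cost path from every bridge to the root. As in STP, the cost of a hop is
    the path cost of the port on which the downstream bridge receives the BPDU."""
    by_segment = {}
    for p in ports:
        by_segment.setdefault(p.segment, []).append(p)
    rpc, heap = {root: 0}, [(0, root)]
    while heap:
        cost, bridge = heapq.heappop(heap)
        if cost > rpc[bridge]:
            continue
        for p in (p for p in ports if p.bridge == bridge):
            for q in by_segment[p.segment]:        # q: a neighbour's port on this segment
                if q.bridge != bridge and cost + q.cost < rpc.get(q.bridge, float("inf")):
                    rpc[q.bridge] = cost + q.cost
                    heapq.heappush(heap, (rpc[q.bridge], q.bridge))
    return rpc, by_segment


def port_roles(bridges, ports):
    """Return (root bridge, root path cost per bridge, role per (bridge, interface))."""
    root = elect_root(bridges)
    rpc, by_segment = root_path_costs(ports, root)
    bid = {name: bridge_id(*bridges[name]) for name in bridges}
    # Designated port of a segment: lowest (root path cost, BID, port ID) among the
    # attached ports. The root bridge (cost 0, lowest BID) wins on all its segments.
    designated = {seg: min(plist, key=lambda p: (rpc[p.bridge], bid[p.bridge], p.port_id))
                  for seg, plist in by_segment.items()}
    roles = {}
    for name in bridges:
        mine = [p for p in ports if p.bridge == name]
        root_port = None
        if name != root:
            # Root port: best BPDU received from another bridge's designated port, with
            # 802.1D tie-breaking: cost, then sender BID, sender port ID, own port ID.
            candidates = [((rpc[d.bridge] + p.cost, bid[d.bridge], d.port_id, p.port_id), p)
                          for p in mine for d in [designated[p.segment]] if d.bridge != name]
            root_port = min(candidates, key=lambda c: c[0])[1]
        for p in mine:
            if p == root_port:
                roles[(name, p.name)] = "ROOT"
            elif designated[p.segment] == p:
                roles[(name, p.name)] = "DESG"
            else:
                roles[(name, p.name)] = "ALT"     # blocking in STP, discarding in RSTP
    return root, rpc, roles


# Constructed topology: Switch-1 wins on priority; Switch-3 and Switch-4 share the
# default priority, and Switch-4 has two equal-cost paths (via Switch-2 or Switch-3).
BRIDGES = {
    "Switch-1": (4096, "02:00:00:00:00:01"),
    "Switch-2": (8192, "02:00:00:00:00:02"),
    "Switch-3": (32768, "02:00:00:00:00:03"),
    "Switch-4": (32768, "02:00:00:00:00:04"),
}
PORTS = [
    Port("Switch-1", "ge-0/0/1", 513, 1_000, "seg-A"), Port("Switch-2", "ge-0/0/1", 513, 1_000, "seg-A"),
    Port("Switch-1", "ge-0/0/2", 514, 1_000, "seg-B"), Port("Switch-3", "ge-0/0/1", 513, 1_000, "seg-B"),
    Port("Switch-2", "ge-0/0/2", 514, 1_000, "seg-C"), Port("Switch-3", "ge-0/0/2", 514, 1_000, "seg-C"),
    Port("Switch-3", "ge-0/0/3", 515, 100, "seg-D"),   Port("Switch-4", "ge-0/0/1", 513, 100, "seg-D"),
    Port("Switch-2", "ge-0/0/3", 515, 100, "seg-E"),   Port("Switch-4", "ge-0/0/2", 514, 100, "seg-E"),
]

if __name__ == "__main__":
    root, rpc, roles = port_roles(BRIDGES, PORTS)
    print(f"Root bridge: {root}")
    for (bridge, intf), role in sorted(roles.items()):
        print(f"{bridge:9} {intf:9} cost-to-root {rpc[bridge]:>7}  {role}")
```

Switch-4 is the interesting case: both of its 100 Mbps uplinks give a root path cost of 220,000, so the tie falls to the sender BID and the port facing Switch-2 (priority 8192) becomes the root port, while the port facing Switch-3 (priority 32768) is left as an alternate and blocked. On the Switch-2 to Switch-3 segment both bridges are 20,000 from the root, so the lower BID again decides who is designated.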


Full Tree Convergence

Once each switch determines the role and state for its ports, the tree is considered fully converged.
The convergence delay can take up to 50 seconds when the default forward delay (15 seconds)
and max age timer (20 seconds) values are in effect. The formula to calculate the convergence delay
for STP is 2 x the forward delay + the max age. In the example shown on the slide, all traffic
passing between Host A and Host B transits the root bridge (Switch-1).


Reconvergence Example: Part 1

The slide shows the first several steps during a failure and reconvergence scenario.


Reconvergence Example: Part 2

The slide shows the remainder of the steps involved in a failure and reconvergence scenario. Once
the nonroot bridges change their MAC address forwarding table aging timer to the shortened interval
and wait that period of time (15 seconds by default), they then delete all entries from the MAC table
that were not refreshed within that time frame. All deleted entries must then be learned once again
through the normal learning process.


RSTP Defined

Rapid Spanning Tree Protocol (RSTP) was originally defined in the IEEE 802.1w draft and was later
incorporated into the IEEE 802.1D-2004 specification. RSTP introduces a number of improvements
to STP while performing the same basic function.

RSTP Convergence Improvements

RSTP provides better reconvergence time than the original STP. RSTP identifies certain links as
point-to-point. When a point-to-point link fails, the alternate link can transition to the forwarding state
without waiting for any protocol timers to expire. RSTP provides fast network convergence when a
topology change occurs and it greatly decreases the state transition time compared to STP. To aid in
the improved convergence, RSTP uses additional features and functionality, such as edge port
definitions and rapid direct and indirect link failure detection and recovery. We examine these
features in more detail later in this material.


RSTP Introduces New Port Roles

RSTP introduces the alternate and backup port roles. An alternate port is a switch port that has an
alternate—generally higher-cost—path to the root bridge. In the event that the root port fails, the
alternate port assumes the role of the root port and is placed in the forwarding state. Alternate ports
are placed in the discarding state but receive superior BPDUs from neighboring switches. Alternate
ports are found on switches participating in a shared LAN segment for which they are not functioning
as the designated bridge.

When a designated bridge has multiple ports connected to a shared LAN segment, it selects one of
those ports as the designated port. The designated port is typically the port with the lower port ID.
RSTP considers all other ports on the designated switch that connect to that same shared LAN
segment as backup ports. In the event that the designated port is unable to perform its role, one of
the backup ports assumes the designated port role upon successful negotiation and it is placed in
the forwarding state.
Backup ports are placed in the discarding state. While in the discarding state, backup ports receive
superior BPDUs from the designated port.

Continued Use of Root and Designated Ports

RSTP continues to use the root and designated port roles. Only ports selected for the root port or
designated port role participate in the active topology. We described the purpose of the root port and
designated ports previously in this material.


STP and RSTP Port States

The slide highlights the STP and RSTP port states. In addition to the states listed on the slide, an
interface can have STP administratively disabled (default behavior). An administratively disabled port
does not participate in the spanning tree but does flood any BPDUs it receives to other ports
associated with the same VLAN. Administratively disabled ports continue to perform basic bridging
operations and forward data traffic based on the MAC address table. A brief description of the STP
port states follows:
• Blocking - The port drops all data packets and listens to BPDUs. The port is not used in
the active topology.
• Listening - The port drops all data packets and listens to BPDUs. The port is
transitioning and will be used in the active topology.
• Learning - The port drops all data packets and listens to BPDUs. The port is transitioning
and the switch is learning MAC addresses.
• Forwarding - The port receives and forwards data packets and sends and receives
BPDUs. The port has transitioned and the switch continues to learn MAC addresses.

RSTP uses fewer port states than STP. A port that is administratively disabled, excluded from the
active topology through configuration, or dynamically excluded from forwarding and learning is
placed in the discarding state. Ports that are actively learning but not currently forwarding are in the
learning state, whereas ports that are both learning and forwarding simultaneously are in the
forwarding state. As the slide indicates, only root and designated ports use the forwarding state.


RSTP BPDUs

As previously mentioned, STP uses BPDUs to elect a root bridge, identify root ports for each switch,
identify designated ports for each physical LAN segment, prune specific redundant links to create a
loop-free tree topology, and report and acknowledge topology changes. RSTP configuration BPDUs
also function as keepalives. All RSTP bridges send configuration BPDUs every 2 seconds by default.
You can alter this value, if necessary.

By monitoring neighboring switches through the use of BPDUs, RSTP can detect failures of network
components much more quickly than STP can. If a neighboring switch receives no BPDU within three
times the hello interval, it assumes connectivity is faulty and updates the tree. By default, RSTP
detects a failure within 6 seconds, whereas it might take up to 50 seconds when using STP.

Ethernet interfaces operating in full-duplex mode are considered point-to-point links. When a failure
occurs, a switch port operating as a point-to-point link can become a new root port or designated
port and transition to the forwarding state without waiting for the timer to expire. Switch ports
operating in half-duplex mode are considered to be shared (or LAN) links and must wait for the timer
to expire before transitioning to the forwarding state.


Configuration BPDU Differences

RSTP is backward compatible with STP. If a device configured for RSTP receives STP BPDUs, it reverts
to STP on that port. In a pure RSTP environment, a single type of BPDU exists, named the Rapid Spanning
Tree BPDU (RST BPDU). RST BPDUs use a similar format to the STP configuration BPDUs. RSTP devices
detect the type of BPDU by looking at the protocol version and BPDU type fields. The BPDUs contain
several new flags, as shown on the slide. The following is a brief description of the flags:
• TCN Acknowledgment: This flag is used when acknowledging STP TCNs;
• Agreement and Proposal: These flags are used to help quickly transition a new
designated port to the forwarding state;
• Forwarding and Learning: These flags are used to advertise the state of the sending
port;
• Port Role: This two-bit field specifies the role of the sending port: 0 = Unknown, 1 = Alternate or
Backup, 2 = Root, and 3 = Designated; and
• Topology Change: RSTP uses configuration BPDUs with this bit set to notify other
switches that the topology has changed.
RST BPDUs end with a one-octet Version 1 Length field that is always set to 0. This field allows for
future extensions to RSTP.
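The configuration BPDU fields described on the three Configuration BPDU Format slides and the RST BPDU flags listed above, built into raw Ethernet frames and decoded again. This is an added example, not code from the course or from Junos; the sample frames, MAC addresses and bridge values are constructed. It assumes the 802.1D-2004 port ID layout (4-bit priority, 12-bit port number, which is what makes a value such as 128:514 possible) and timers carried in units of 1/256 second.

```python
"""Build and decode STP/RSTP BPDU frames. Added example, not code from the Juniper
course; the sample frames are constructed here with made-up MAC addresses."""
import struct

STP_MULTICAST = bytes.fromhex("0180c2000000")   # destination reserved for STP
LLC_STP = bytes([0x42, 0x42, 0x03])              # DSAP 0x42, SSAP 0x42, UI control
BPDU_CONFIG, BPDU_RST, BPDU_TCN = 0x00, 0x02, 0x80
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}
BPDU_BODY = "!B8sI8sHHHHH"   # flags, root ID, root path cost, bridge ID, port ID, 4 timers


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _pack_id(priority, mac):
    return struct.pack("!H6s", priority, bytes.fromhex(mac.replace(":", "")))


def _unpack_id(raw):
    priority, mac = struct.unpack("!H6s", raw)
    return priority, _mac(mac)


def build_bpdu(src_mac, version, btype, flags=0, root=None, rpc=0, bridge=None,
               port=(128, 513), age=0.0, max_age=20.0, hello=2.0, fwd_delay=15.0):
    """Assemble an untagged Ethernet/LLC frame carrying one BPDU. Timers travel in
    units of 1/256 s; the port ID is a 4-bit priority plus a 12-bit port number
    (802.1D-2004), so priority 128 becomes the top nibble 0x8."""
    body = struct.pack("!HBB", 0, version, btype)      # protocol ID 0, version, type
    if btype != BPDU_TCN:
        body += struct.pack(BPDU_BODY, flags, _pack_id(*root), rpc, _pack_id(*bridge),
                            ((port[0] >> 4) << 12) | port[1], int(age * 256),
                            int(max_age * 256), int(hello * 256), int(fwd_delay * 256))
        if version >= 2:
            body += b"\x00"   # Version 1 Length, always 0 in an RST BPDU
    payload = LLC_STP + body
    frame = (STP_MULTICAST + bytes.fromhex(src_mac.replace(":", ""))
             + struct.pack("!H", len(payload)) + payload)
    return frame.ljust(60, b"\x00")   # pad to the minimum Ethernet frame size (no FCS)


def decode_flags(flags, version):
    """802.1D-2004 flag layout; STP (version 0) defines only the TC and TCA bits."""
    out = {"topology_change": bool(flags & 0x01), "tc_ack": bool(flags & 0x80)}
    if version >= 2:
        out.update(proposal=bool(flags & 0x02), port_role=PORT_ROLES[(flags >> 2) & 0x3],
                   learning=bool(flags & 0x10), forwarding=bool(flags & 0x20),
                   agreement=bool(flags & 0x40))
    return out


def parse_bpdu(frame):
    dst, src, length = struct.unpack("!6s6sH", frame[:14])
    if dst != STP_MULTICAST:
        raise ValueError("not addressed to the STP multicast MAC")
    if length > 1500:
        raise ValueError("BPDUs are untagged LLC frames; got an EtherType, not a length")
    if frame[14:17] != LLC_STP:
        raise ValueError("LLC header is not DSAP/SSAP 0x42")
    body = frame[17:14 + length]   # length covers LLC + BPDU, so padding is dropped
    proto, version, btype = struct.unpack("!HBB", body[:4])
    if proto != 0:
        raise ValueError("protocol identifier must be 0")
    msg = {"src": _mac(src), "version": version, "type": btype}
    if btype == BPDU_TCN:
        return msg                  # a TCN BPDU carries nothing beyond the header
    if btype not in (BPDU_CONFIG, BPDU_RST):
        raise ValueError(f"unknown BPDU type 0x{btype:02x}")
    flags, root, rpc, bridge, port, age, max_age, hello, fwd = struct.unpack(BPDU_BODY, body[4:35])
    msg.update(flags=decode_flags(flags, version), root_id=_unpack_id(root), root_path_cost=rpc,
               bridge_id=_unpack_id(bridge), port_id=((port >> 12) << 4, port & 0x0FFF),
               message_age=age / 256, max_age=max_age / 256, hello_time=hello / 256,
               forward_delay=fwd / 256)
    if btype == BPDU_RST:
        msg["version1_length"] = body[35]
    return msg


# Constructed samples: an STP configuration BPDU from a root announcing a topology
# change, an RST BPDU from a designated port that is learning and forwarding, and a TCN.
ROOT, SW2 = (4096, "02:00:00:00:00:01"), (8192, "02:00:00:00:00:02")
STP_CONFIG = build_bpdu(ROOT[1], 0, BPDU_CONFIG, flags=0x01, root=ROOT, bridge=ROOT)
RST_DESIGNATED = build_bpdu(SW2[1], 2, BPDU_RST, flags=0x7C, root=ROOT, rpc=20_000,
                            bridge=SW2, port=(128, 514), age=1.0)
TCN = build_bpdu(SW2[1], 0, BPDU_TCN)

if __name__ == "__main__":
    for f in (STP_CONFIG, RST_DESIGNATED, TCN):
        print(parse_bpdu(f))
```

The parser refuses a frame whose type/length field holds an EtherType (for example 0x8100, a VLAN tag), which matches the point made on the BPDU Ethernet Frame slide that BPDUs are untagged LLC frames; the flag value 0x7C in the RST sample decodes to Agreement, Forwarding and Learning set with a port role of 3 (designated).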


STP Forwarding State Transition

With the original STP, as defined in 802.1D-1998, a port can take more than 30 seconds before it
forwards user traffic. As a port is enabled, it must transition through the listening and learning states
before graduating to the forwarding state. STP allows two times the forward delay (15 seconds by
default) for this transition to occur.

RSTP Forwarding State Transition

RSTP offers considerable improvements when transitioning to the forwarding state. RSTP converges
faster because it uses a proposal-and-agreement handshake mechanism on point-to-point links
instead of the timer-based process used by STP. On EX Series devices, network ports operating in
full-duplex mode are considered point-to-point links, whereas network ports operating in half-duplex
mode are considered shared (LAN) links.
Root ports and edge ports transition to the forwarding state immediately without exchanging
messages with other switches. Edge ports are ports that have direct connections to end stations.
Because these connections cannot create loops, they are placed in the forwarding state without any
delay. If a switch port does not receive BPDUs from the connecting device, it automatically assumes
the role of an edge port. When a switch receives configuration messages on a switch port that is
configured to be an edge port, it immediately changes the port to a normal spanning-tree port
(nonedge port).
Nonedge designated ports transition to the forwarding state only after receipt of an explicit
agreement from the attached switch.


Topology Changes

When using STP, state transitions on any participating switch port cause a topology change to occur.
RSTP reduces the number of topology changes and improves overall stability within the network by
generating TCNs only when nonedge ports transition to the forwarding state. Nonedge ports are
typically defined as ports that interconnect switches. Edge ports are typically defined as ports that
connect a switch to end stations.

RSTP also provides improved network stability because it does not generate a TCN when a port
transitions to the discarding state. With RSTP, TCNs are not generated when a port is administratively
disabled, excluded from the active topology through configuration, or dynamically excluded from
forwarding and learning.

When a TCN is necessary and is generated, the initiating device floods all designated ports as well as
the root port. Unlike traditional STP, neighboring switches that are not in the path of the initiator to
the root bridge do not need to wait for this information from the root bridge. As the changes
propagate throughout the network, the switches flush the majority of the MAC addresses located in
their MAC address forwarding tables. The individual switches do not, however, flush MAC addresses
learned from their locally configured edge ports.


Indirect Link Failure

RSTP performs rapid recovery for link failures. The slide illustrates a typical scenario for an indirect
link failure.


Direct Link Failure

The slide illustrates a typical scenario in which a direct link failure occurs.


Interoperability Considerations

Switches configured for STP and RSTP will interoperate with one another. However, you should keep
a few basic considerations in mind. If a switch supports only STP and interconnects with a switch
running RSTP, it will discard the RSTP BPDUs. The RSTP-capable switch, upon receiving STP BPDUs,
reverts to STP mode, thus allowing interoperability between the two devices.


Configuring STP

This slide shows some STP configuration options along with a basic STP configuration. EX Series
switches use a version of STP based on IEEE 802.1D-2004, with a forced protocol version of 0,
running RSTP in STP mode. Because of this implementation, you can define RSTP configuration
options, such as hello-time, under the [edit protocols stp] configuration hierarchy.


Configuring RSTP

The slide illustrates a sample RSTP configuration along with several highlighted settings. Note that
the max age and forward delay values used by a switch always match the values defined on the
root bridge device.


Monitoring Spanning Tree Operation: Part 1

This slide and the next illustrate some common operational-mode commands used to monitor the
operation of STP and RSTP.


Monitoring Spanning Tree Operation: Part 2

This slide shows typical output for the show spanning-tree interface and show
spanning-tree statistics interface commands.


Test Your Knowledge: Part 1

This slide is designed to test your understanding of the various configuration options and how they
relate to the root bridge election process. As shown in the following output, you can use the show
spanning-tree bridge command to verify root bridge information:

user@Switch-1> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:26:88:02:74:90
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 2114 seconds
  Topology change initiator         : ge-0/0/1.0
  Topology change last recvd. from  : 00:26:88:02:6b:81
  Local parameters
    Bridge ID                       : 4096.00:26:88:02:74:90
    Extended system ID              : 0
    Internal instance ID            : 0


Test Your Knowledge: Part 2

This slide is designed to test your understanding of the various configuration options and how they
relate to port role and state determination. As shown in the following output, you can use the show
spanning-tree interface command to verify spanning tree interface information:

user@Switch-2> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/1.0   16:514     128:514      4096.002688027490   20000   BLK    ALT
ge-0/0/8.0   16:521     16:521       8192.002688026b90   20000   FWD    DESG
ge-0/0/10.0  128:523    16:523       32768.0019e2516580  1       FWD    ROOT

user@Switch-3> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/8.0   16:521     128:521      4096.002688027490   2000    FWD    ROOT
ge-0/0/10.0  16:523     16:523       32768.0019e2516580  2000    FWD    DESG
ge-0/0/12.0  16:525     16:525       32768.0019e2516580  2000    FWD    DESG


Test Your Knowledge: Part 3

This slide is designed to test your understanding of the various configuration options and how they
relate to port role and state determination. As shown in the following output, you can use the show
spanning-tree interface command to verify spanning tree interface information:

user@Switch-2> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/1.0   16:514     128:514      4096.002688027490   20000   FWD    ROOT
ge-0/0/8.0   16:521     16:521       8192.002688026b90   20000   FWD    DESG
ge-0/0/10.0  128:523    128:523      8192.002688026b90   1       FWD    DESG

user@Switch-3> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/10.0  16:523     128:523      8192.002688026b90   2000    FWD    ROOT
ge-0/0/12.0  16:525     16:525       32768.0019e2516580  2000    FWD    DESG


Test Your Knowledge: Part 4

This slide is designed to test your understanding of the various configuration options and how they
relate to port role and state determination. As shown in the following output, you can use the show
spanning-tree interface command to verify spanning tree interface information:

user@Switch-4> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/8.0   32:521     16:521       32768.002688026b90  20000   BLK    ALT
ge-0/0/12.0  16:525     16:525       32768.0019e2516580  20000   FWD    ROOT


What If...?

The slide illustrates a scenario where User A connects a rogue switch to the network so multiple
devices can participate on the network. Assuming the rogue switch has spanning tree running, it
would exchange BPDUs with Switch-2, causing a new spanning tree calculation to occur. Once the
spanning tree calculation is complete, the rogue switch would then become part of the spanning
tree. Having an unauthorized device become part of the spanning tree could have some negative
impact on the network and its performance. For example, a rogue device could trigger a
spanning-tree miscalculation and potentially cause a Layer 2 loop or even a complete network
outage.


BPDU Protection

You can enable BPDU protection on switch interfaces on which no BPDUs are expected. If a protected
interface receives BPDUs, the switch disables the interface and stops forwarding frames by
transitioning the interface to a blocking state.

You can configure BPDU protection on a switch with a spanning tree as well as on a switch that is not
running STP. We cover BPDU protection configuration next.


Configuring BPDU Protection

You can configure BPDU protection on edge ports to block incoming BPDUs. The slide illustrates two
configuration examples; the top configuration example is used when a spanning tree protocol is
enabled and the bottom configuration example is used when no spanning tree protocol is in use.
With this configuration enabled, if Switch-2 receives a BPDU from the rogue switch connected to
ge-0/0/6.0, Switch-2 would transition the ge-0/0/6.0 interface to the blocking state and stop
forwarding frames.


Monitoring BPDU Protection

To confirm that the configuration is working properly on the STP-running switch, use the show
spanning-tree interface operational mode command. To confirm that the configuration is
working properly on the switch that is not running STP, you should observe the interfaces using the
show ethernet-switching interfaces operational mode command.

These commands show the state and role changes on the protected interfaces. Specifically, once an
offending device sends BPDUs to a protected interface, the interface role changes to DIS and the
interface is marked BPDU-inconsistent. The BPDU-inconsistent condition places the interface in the
blocking (BLK) state, preventing it from forwarding traffic.

To unblock the interfaces, use the clear ethernet-switching bpdu-error operational
mode command. Alternatively, you can use the disable-timeout option to allow the interface to
return to service automatically after the timer expires. The following configuration example illustrates
the disable-timeout option:

{master:0}[edit ethernet-switching-options]
user@Switch-2# set bpdu-block disable-timeout ?
Possible completions:
  <disable-timeout>    Disable timeout for BPDU Protect (10..3600 seconds)

Disabling the BPDU protection configuration for an interface does not unblock the interface. You
must clear the violation using the clear ethernet-switching bpdu-error command or
wait for the configured timer to expire.
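A check that turns the rogue-switch scenario from the What If...? slide and the monitoring commands above into something an operator can run against saved show output. It flags a Root ID that differs from the expected root, a root port that has appeared on an interface that is not a known uplink, and interfaces that BPDU or loop protection has placed in the DIS role. This is an added example, not from the course or from Junos; the show output below is constructed in the format the course shows, with made-up MAC addresses, and the expected-root and trusted-uplink values are assumptions for the example.

```python
"""Audit Junos 'show spanning-tree bridge' and 'show spanning-tree interface' output
for an unexpected root bridge, a root port on an untrusted interface, and ports shut
by BPDU/loop protection. Added example; the sample output is constructed, not captured."""
import re

# Constructed output: a device with priority 0 has appeared behind ge-0/0/6.0 and
# claimed the root role, and ge-0/0/8.0 has been shut by BPDU protection.
BRIDGE_OUT = """\
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 0.02:00:00:00:00:99
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 2
  Time since last topology change   : 12 seconds
  Topology change initiator         : ge-0/0/6.0
  Topology change last recvd. from  : 02:00:00:00:00:99
  Local parameters
    Bridge ID                       : 8192.02:00:00:00:00:02
"""
INTERFACE_OUT = """\
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated   Designated          Port    State  Role
                        port ID      bridge ID           Cost
ge-0/0/1.0   128:514    128:514      4096.020000000001   20000   BLK    ALT
ge-0/0/6.0   128:519    128:519      0.020000000099      20000   FWD    ROOT
ge-0/0/8.0   128:521    128:521      8192.020000000002   20000   BLK    DIS
"""

# One table row: interface, port ID, designated port ID, designated bridge ID, cost, state, role.
ROW = re.compile(r"^(?P<intf>\S+)\s+\S+\s+\S+\s+(?P<dbid>\d+\.[0-9a-f]+)\s+\d+\s+"
                 r"(?P<state>\w+)\s+(?P<role>\w+)\s*$", re.M)


def parse_bridge(text):
    """Return the 'key : value' pairs of show spanning-tree bridge as a dict."""
    return {k.strip(): v.strip() for k, v in re.findall(r"^\s*(.+?)\s*:\s*(.+)$", text, re.M)}


def parse_interfaces(text):
    """Return one dict per data row of show spanning-tree interface (headers skipped)."""
    return [m.groupdict() for m in ROW.finditer(text)]


def audit(bridge_text, interface_text, expected_root, trusted_uplinks):
    """expected_root: 'priority.mac' the root bridge should have (assumed known);
    trusted_uplinks: interfaces on which a root port is acceptable (assumed known)."""
    findings = []
    params = parse_bridge(bridge_text)
    if params.get("Root ID") != expected_root:
        findings.append(f"root bridge changed: expected {expected_root}, seeing "
                        f"{params.get('Root ID')} (last TCN from "
                        f"{params.get('Topology change last recvd. from')})")
    for row in parse_interfaces(interface_text):
        if row["role"] == "ROOT" and row["intf"] not in trusted_uplinks:
            findings.append(f"{row['intf']} became the root port; designated bridge {row['dbid']}")
        if row["role"] == "DIS" and row["state"] == "BLK":
            findings.append(f"{row['intf']} is blocked by BPDU/loop protection (role DIS)")
    return findings


if __name__ == "__main__":
    for line in audit(BRIDGE_OUT, INTERFACE_OUT, "4096.02:00:00:00:00:01", {"ge-0/0/1.0"}):
        print(line)
```

The three checks correspond to what the slides describe: a Root ID that no longer matches the intended root means a bridge with a superior BID has joined the tree; a root port on an access interface means the superior BPDUs are arriving from that side; and a DIS/BLK pair is the signature of a protected interface that has received a BPDU and been shut, which stays shut until it is cleared or the disable-timeout expires.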


What If...?
N

Although the purpose of STP, RSTP, and MSTP is to provide Layer 2 loop prevention, switch hardware or software errors could result in an erroneous interface state transition from the blocking state to the forwarding state. Such behavior could lead to Layer 2 loops and consequent network outages. The slide illustrates this point.

Loop Protection

When loop protection is enabled, the spanning-tree topology detects root ports and blocked ports and ensures that both are receiving BPDUs. If an interface with loop protection enabled stops receiving BPDUs from its designated port, it reacts as it would to a problem with the physical connection on that interface: it does not transition the interface to the forwarding state. Instead, it transitions the interface to a loop-inconsistent state. The interface recovers and transitions back to the spanning-tree blocking state when it receives a BPDU again.

We recommend that if you enable loop protection, you enable it on all switch interfaces that have a chance of becoming root or designated ports. Loop protection is most effective when it is enabled on all switches within a network.


Configuring Loop Protection



The slide illustrates the required configuration for loop protection on Switch-3's root and alternate ports. The example configuration uses the block option: if a violation occurs, the affected interface immediately transitions to the DIS (Loop-Incon) role and remains in the blocking (BLK) state. The block option also writes related log entries to the messages log file.

You can alternatively use the alarm option, which does not force a change of the port's role but simply writes the related log entries to the messages log file. If the alarm option is used, the switch port assumes the designated port role and transitions to the forwarding (FWD) state once the max-age timer expires.

Note that an interface can be configured for either loop protection or root protection, but not both. We discuss root protection in the next section.


Monitoring Loop Protection



To confirm that the configuration is working properly on the STP-running switch, use the show spanning-tree interface operational mode command prior to configuring loop protection. This command provides information on the interface's spanning-tree state, which should be blocking (BLK).

Once BPDUs stop arriving at the protected interface, loop protection is triggered on that interface. You can use the show spanning-tree interface command to observe the state of the interface. This command now shows that the protected interface has transitioned to the DIS (Loop-Incon) role and remains in the blocking (BLK) state, which prevents the interface from transitioning to the forwarding state. The interface recovers and transitions back to its original state when it receives BPDUs again.

You can also monitor the interface role transitions using the show log messages command, as shown in the following capture:
{master:0}
user@Switch-3> show log messages | match "loop|protect"
Apr 27 20:04:49 Switch-3 eswd[40744]: Loop_Protect: Port ge-0/0/12.0: Received
information expired on Loop Protect enabled port
Apr 27 20:04:49 Switch-3 eswd[40744]: ESWD_STP_LOOP_PROTECT_IN_EFFECT: ge-0/0/12.0:
loop protect in effect for instance 0
Apr 27 20:05:27 Switch-3 eswd[40744]: ESWD_STP_LOOP_PROTECT_CLEARED: ge-0/0/12.0:
loop protect cleared for instance 0
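As an added example (not part of the course materials), the following Python script parses ESWD_STP_LOOP_PROTECT_IN_EFFECT and ESWD_STP_LOOP_PROTECT_CLEARED events in the syslog format shown in the capture above, pairs each trip with its recovery per interface and MSTP instance, and reports which protected interfaces are still in the loop-inconsistent state. The log lines are constructed samples, and the year is assumed because syslog timestamps do not carry one.

```python
import re
from datetime import datetime

# Constructed sample lines (not a real capture) in the syslog format shown above;
# ge-0/0/12.0 trips and later recovers, ge-0/0/13.0 trips and never recovers.
SAMPLE_LOG = """\
Apr 27 20:04:49 Switch-3 eswd[40744]: Loop_Protect: Port ge-0/0/12.0: Received information expired on Loop Protect enabled port
Apr 27 20:04:49 Switch-3 eswd[40744]: ESWD_STP_LOOP_PROTECT_IN_EFFECT: ge-0/0/12.0: loop protect in effect for instance 0
Apr 27 20:05:27 Switch-3 eswd[40744]: ESWD_STP_LOOP_PROTECT_CLEARED: ge-0/0/12.0: loop protect cleared for instance 0
Apr 27 20:09:02 Switch-3 eswd[40744]: ESWD_STP_LOOP_PROTECT_IN_EFFECT: ge-0/0/13.0: loop protect in effect for instance 0
"""

# Matches only the ESWD_STP_LOOP_PROTECT_* event lines; the Loop_Protect notice is ignored.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ eswd\[\d+\]: "
    r"ESWD_STP_LOOP_PROTECT_(?P<event>IN_EFFECT|CLEARED): (?P<ifname>\S+): "
    r".*\binstance (?P<inst>\d+)$"
)

def parse_events(log_text, year=1970):
    """Return [(datetime, event, ifname, instance)]; the year is an assumption."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["event"], m["ifname"], int(m["inst"])))
    return events

def summarize(log_text, year=1970):
    """Pair IN_EFFECT with the next CLEARED per (ifname, instance) -> in_effect/trips/blocked_seconds."""
    state, since = {}, {}
    for ts, event, ifname, inst in parse_events(log_text, year):
        key = (ifname, inst)
        rec = state.setdefault(key, {"in_effect": False, "trips": 0, "blocked_seconds": 0})
        if event == "IN_EFFECT" and not rec["in_effect"]:
            rec["in_effect"], rec["trips"], since[key] = True, rec["trips"] + 1, ts
        elif event == "CLEARED" and rec["in_effect"]:
            rec["in_effect"] = False
            rec["blocked_seconds"] += int((ts - since.pop(key)).total_seconds())
    return state

def still_blocked(log_text, year=1970):
    """(ifname, instance) pairs left in the DIS (Loop-Incon) / BLK state at the end of the log."""
    return sorted(k for k, r in summarize(log_text, year).items() if r["in_effect"])

if __name__ == "__main__":
    for key, rec in summarize(SAMPLE_LOG).items():
        print(key, rec)
    print("still blocked:", still_blocked(SAMPLE_LOG))
```

Feed it the output of show log messages | match "LOOP_PROTECT" from a real switch to spot interfaces that tripped but never cleared, which usually means the upstream link or its BPDU source needs attention.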


What If...?

The slide illustrates a scenario in which a rogue switch running a spanning tree protocol is connected to the network. Once connected, the rogue switch exchanges BPDUs with Switch-2, which in turn causes a new spanning tree calculation to occur. Once the calculation is complete, the rogue switch is the new root bridge for the spanning tree. Having an unauthorized device become part of the spanning tree, or worse, become the root bridge for the Layer 2 network, could have a negative impact on the network's overall performance or even cause a complete network outage.

Root Protection

Enable root protection on interfaces that should not receive superior BPDUs and should not be elected as the root port. These interfaces become designated ports. If the bridge receives superior BPDUs on a port that has root protection enabled, that port transitions to an inconsistency state, blocking the interface. This blocking prevents a switch that should not be the root bridge from being elected the root bridge.

After the switch stops receiving superior BPDUs on the interface with root protection, the interface returns to a listening state, followed by a learning state, and ultimately back to a forwarding state. Recovery back to the forwarding state is automatic.

When root protection is enabled on an interface, it is enabled for all the STP instances on that interface. The interface is blocked only for the instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology.


Configuring Root Protection



This slide illustrates a sample topology and configuration for the two aggregation switches (Switch-1 and Switch-2). In this example, you can see that root protection has been enabled on all ports that should not receive superior BPDUs or be elected as the root port. On Switch-1, all ports should be elected as designated ports. On Switch-2, ge-0/0/6.0, ge-0/0/7.0, and ge-0/0/8.0 should be designated ports.

As previously mentioned, you can configure an interface for either loop protection or root protection, but not both. If both features are configured, the configuration will not commit, as shown in the following output:

{master:0}[edit protocols rstp]
user@Switch-1# show interface ge-0/0/6.0
bpdu-timeout-action {
    block;
}
no-root-port;

{master:0}[edit protocols rstp]
user@Switch-1# commit
[edit protocols rstp]
  'interface ge-0/0/6.0'
    Loop Protect cannot be enabled on a Root Protect enabled port
error: configuration check-out failed


Monitoring Root Protection



To confirm that the configuration is working properly on the STP-running switch, use the show spanning-tree interface operational mode command prior to configuring root protection. This command provides information on the interface's spanning-tree state.

Once you configure root protection on an interface and that interface starts receiving superior BPDUs, root protection is triggered. You can use the show spanning-tree interface command again to observe the state of the impacted interface. This command displays the loop-inconsistent state for the protected interface, which prevents the interface from becoming a candidate for the root port. When the root bridge no longer receives superior BPDUs from the interface, the interface recovers and transitions back to a forwarding state. Recovery is automatic.
