STP Edge Port / BPDU Guard

Switches support spanning-tree protocols that prevent loops in a network by creating a tree topology (spanning tree) of the entire bridged network. All spanning-tree protocols use a special type of frame called a bridge protocol data unit (BPDU) to communicate with each other. Other devices in the network, such as PCs, generate their own BPDUs that are not compatible with the spanning-tree BPDUs. When BPDUs generated by such devices reach switches on which spanning-tree protocols are configured, the spanning tree can be misconfigured and a network outage can result. Therefore, an interface in a spanning-tree topology needs to be protected from BPDUs generated by other devices.

By default, if a bridge protocol data unit (BPDU) frame is received on a blocked interface, the system disables the interface and stops forwarding frames out of it until the interface is explicitly cleared.

This page explains how to configure a switch port as an STP edge port (which enables BPDU guard), how detection takes place, and how to mitigate the resulting error.

Configuration

BPDU guard can be configured at the switch level or at the template level. For the test below, we set up BPDU Guard on port ge-0/0/5 of the switch.

Switch level configuration

Navigate to Switches > Switch Configuration > Port Profile and define a port profile with ‘STP Edge’ enabled.

In the example below, we have configured a new profile named bpdu_test with STP Edge enabled. This enables BPDU guard on any interface to which the profile is mapped.

Once the profile has been created, map it to the port under Port Configuration on the same page; in this case, ge-0/0/5, as follows:

Template level configuration

Navigate to Organization > Switch Templates > Template config > Shared Elements > Port Profiles and create a port profile as shown in the screenshot above.

Once the profile has been created, it can be mapped to the respective interface. To map the profile to a port under the template:

Within the template, navigate to Select Switches Configuration > default (or any other rule, if one exists) > Port Config > Add Port Range, then select the port and map the profile.

Once the configuration is in place, save it.

After the configuration has been pushed successfully, port ge-0/0/5 is mapped to profile bpdu_test, as the following output shows:

root@cipher-ex2300> show configuration | display set | match 0/0/5
set interfaces interface-range bpdu_test member ge-0/0/5

BPDU Detection

Now that the STP Edge/BPDU guard configuration is in place on port ge-0/0/5, the port should go into an err_disabled state if we plug a non-edge device into it, i.e., if we connect any device that generates BPDUs or participates in the STP topology, the port is blocked.

For this test, let’s try connecting another EX2300 switch to port ge-0/0/5, where BPDU guard is enabled:

Once we plug the uplink into ge-0/0/5, we see the port going into the DIS (Bpdu-Incon) state, as shown below:

root@cipher-ex2300> show spanning-tree interface ge-0/0/5

We also see BPDU Error: Detected on the interface:

{master:0}
root@cipher-ex2300> show interfaces ge-0/0/5
Physical interface: ge-0/0/5, Enabled, Physical link is Down
Interface index: 653, SNMP ifIndex: 519
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Half-duplex, Speed: Auto, BPDU Error: Detected, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled, Remote fault: Online, Media type: Copper, IEEE 802.3az Energy Efficient Ethernet: Disabled, Auto-MDIX: Enabled
Device flags : Present Running Down
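As an added example (not part of the original page), the following Python script parses `show interfaces` text of the form shown above and flags a port whose BPDU guard has tripped, which is the check you would automate to catch the condition before users report an outage; the sample text is constructed from the output on this page.

```python
import re

# Constructed sample in the shape of the `show interfaces ge-0/0/5` output
# shown on this page: BPDU guard has blocked the port.
SAMPLE_BLOCKED = """\
Physical interface: ge-0/0/5, Enabled, Physical link is Down
Interface index: 653, SNMP ifIndex: 519
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Half-duplex, Speed: Auto, BPDU Error: Detected, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled, Remote fault: Online, Media type: Copper, IEEE 802.3az Energy Efficient Ethernet: Disabled, Auto-MDIX: Enabled
Device flags : Present Running Down
"""

# The error counters Junos prints on the third line of the block.
ERROR_FIELDS = ("BPDU Error", "Loop Detect PDU Error",
                "Ethernet-Switching Error", "MAC-REWRITE Error")

def parse_show_interfaces(text):
    """Return {interface: {field: value}} for each physical interface block."""
    result, current = {}, None
    for line in text.splitlines():
        head = re.match(r"Physical interface:\s*(\S+?),.*Physical link is (\w+)", line)
        if head:
            current = head.group(1)
            result[current] = {"Physical link": head.group(2)}
            continue
        if current is None:
            continue
        # Remaining lines are "Name: value" pairs separated by commas.
        for field, value in re.findall(r"([A-Za-z0-9 .\-]+?):\s*([^,]+)", line):
            result[current][field.strip()] = value.strip()
    return result

def bpdu_guard_status(parsed, interface):
    """'blocked' when BPDU guard has tripped, 'clear' when no BPDU error is
    recorded, 'unknown' when the interface is not in the output."""
    fields = parsed.get(interface)
    if fields is None:
        return "unknown"
    return "blocked" if fields.get("BPDU Error") == "Detected" else "clear"

def interfaces_with_errors(parsed):
    """List (interface, counter, value) for every error counter not 'None',
    which is what a monitoring job would raise an alert on."""
    return [(ifc, f, v) for ifc, fields in parsed.items()
            for f, v in fields.items() if f in ERROR_FIELDS and v != "None"]

if __name__ == "__main__":
    parsed = parse_show_interfaces(SAMPLE_BLOCKED)
    print(bpdu_guard_status(parsed, "ge-0/0/5"), interfaces_with_errors(parsed))
```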

We also see the subsequent ‘Port BPDU Blocked’ event under Switch Insights.

On navigating to Switches > Switch Configuration, we see ‘BPDU Error’ reported on the front panel for port ge-0/0/5:

Mitigation

NOTE: To clear the BPDU error, first ensure that the uplink has been unplugged from the switch port.

Once the uplink that caused the BPDU error has been removed, the port can be recovered from the UI as follows:

Navigate to Switches > Switch Configuration > Front Panel, click the switch port marked in red with the BPDU error and select ‘Clear BPDU Errors’.

Once the errors have been cleared from the UI, we can see that the error has been cleared on the interface as well:

root@cipher-ex2300> show interfaces ge-0/0/5
Physical interface: ge-0/0/5, Enabled, Physical link is Down
Interface index: 653, SNMP ifIndex: 519
Link-level type: Ethernet, MTU: 1514, LAN-PHY mode, Link-mode: Half-duplex, Speed: Auto, BPDU Error: None, Loop Detect PDU Error: None, Ethernet-Switching Error: None, MAC-REWRITE Error: None, Loopback: Disabled,
Source filtering: Disabled, Flow control: Disabled, Auto-negotiation: Enabled, Remote fault: Online, Media type: Copper, IEEE 802.3az Energy Efficient Ethernet: Disabled, Auto-MDIX: Enabled
Device flags : Present Running Down