[j-nsp] Tricks for killing L2 loops in VPLS and STP "BPDU-less" situations?

Clarke Morledge chmorl at wm.edu
Fri Aug 17 11:08:53 EDT 2012


We have had the unfortunate experience of having users plug in small 
mini-switches into our network that have the capability of filtering out 
(by default) BPDUs while allowing other traffic through.  The nightmare 
situation is when a user plugs in such a switch accidentally into two of 
our EX switches.  Traffic will loop through the miscreant switch between 
the two EXs and without BPDUs it just looks like MAC addresses keep moving 
between the real source and the two EXs.

In an MX environment running VPLS, this problem can happen easily as there 
are no BPDUs even to protect against loops in VPLS, particularly when your 
VPLS domain ties into a Spanning Tree domain downstream where your 
potential miscreant switch may appear.

I am curious to know if anyone has come up with strategies to kill these 
loops for EXs running Spanning Tree and/or MXs running VPLS. 
Rate-limiting may help, but it doesn't kill loops completely.  I am 
looking for ways to detect lots of MAC address moves (without polling for 
them) and blocking those interfaces involved when those MAC moves exceed a 
certain threshold via some trigger mechanism.

Assume Junos 10.4R10 or more recent.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
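
The threshold trigger asked about above, sketched as an added example that is not part of the original post: an event-driven counter that tracks MAC moves per interface pair in a sliding window and reports the pair once the threshold is crossed. The event line format, the class and function names, and the default threshold and window are all assumptions made for illustration; this is not Junos output or a Junos feature.

```python
import re
from collections import defaultdict, deque

# Hypothetical event format (an assumption, not real Junos syslog output):
#   "<epoch-seconds> MAC_LEARN mac=<mac> ifd=<interface>"
EVENT_RE = re.compile(r"^(\d+(?:\.\d+)?) MAC_LEARN mac=([0-9a-f:]{17}) ifd=(\S+)$")

class MacMoveDetector:
    """Counts MAC moves per interface pair (across all MACs) in a time window."""
    def __init__(self, threshold=5, window=10.0):
        self.threshold = threshold        # moves within the window that trigger
        self.window = window              # sliding window length, seconds
        self.last_port = {}               # mac -> interface it was last learned on
        self.moves = defaultdict(deque)   # {ifA, ifB} -> timestamps of recent moves
        self.blocked = set()              # pairs already reported

    def feed(self, line):
        """Consume one event; return the interface pair to act on, or None."""
        m = EVENT_RE.match(line.strip())
        if not m:
            return None
        ts, mac, ifd = float(m.group(1)), m.group(2), m.group(3)
        prev = self.last_port.get(mac)
        self.last_port[mac] = ifd
        if prev is None or prev == ifd:   # first sighting or no move
            return None
        pair = frozenset((prev, ifd))
        q = self.moves[pair]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire moves outside the window
            q.popleft()
        if len(q) >= self.threshold and pair not in self.blocked:
            self.blocked.add(pair)        # report each pair once
            return tuple(sorted(pair))    # which member to disable is a policy choice
        return None

def constructed_events():
    """Constructed sample: one host roaming once, one MAC flapping in a loop."""
    lines = ["100 MAC_LEARN mac=00:11:22:33:44:55 ifd=ge-0/0/5",
             "101 MAC_LEARN mac=00:11:22:33:44:55 ifd=ge-0/0/6"]
    for i in range(8):
        port = "ge-0/0/1" if i % 2 == 0 else "ge-0/0/2"
        lines.append(f"{110 + i} MAC_LEARN mac=aa:bb:cc:dd:ee:01 ifd={port}")
    return lines

def run(lines, **kw):
    det = MacMoveDetector(**kw)
    return [hit for hit in map(det.feed, lines) if hit]
```

A single roam between two ports stays below the threshold, while the flapping MAC reports its interface pair on the fifth move inside the window.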

