[j-nsp] RSTP best practices on ELS switching (EX2300/3400/4300)

Chuck Anderson cra at WPI.EDU
Thu Sep 28 10:38:40 EDT 2017 

Yes, I'm using bpdu-block-on-edge with disable-timeout 3600 (1 hour).
I'm also using mac-limits with port shutdown.

Until a location is ready for IPv6:

set interfaces interface-range EDGE member-range ge-0/0/0 to ge-0/0/47
set interfaces interface-range EDGE unit 0 family ethernet-switching filter input DROP-IPv6
set interfaces interface-range EDGE unit 0 family ethernet-switching filter output DROP-IPv6
set firewall family ethernet-switching filter DROP-IPv6 term DROP-IPv6 from ether-type 0x86dd
set firewall family ethernet-switching filter DROP-IPv6 term DROP-IPv6 then discard
set firewall family ethernet-switching filter DROP-IPv6 term DROP-IPv6 then count DROP-IPv6
set firewall family ethernet-switching filter DROP-IPv6 term ACCEPT then accept

Storm-Control set to 100 Mbps (this needs to be adjusted according to normal baseline):

set interfaces interface-range EDGE unit 0 family ethernet-switching storm-control SC-EDGE
set forwarding-options storm-control-profiles SC-EDGE all bandwidth-level 100000

BPDU block:

set protocols layer2-control bpdu-block disable-timeout 3600
set protocols rstp interface EDGE edge
set protocols rstp bpdu-block-on-edge

MAC-limit (adjust for normal baseline of # of MACs per port):

set switch-options interface EDGE interface-mac-limit 16
set switch-options interface EDGE interface-mac-limit packet-action shutdown

On Thu, Sep 28, 2017 at 09:43:26PM +1000, Chris Lee via juniper-nsp wrote:
> Hi All,
> 
> Interested to know what others have as their RSTP best practice setups for
> access-layer switches in the ELS platform, specifically EX2300/3400/4300's
> 
> Until today I had thought that having defined my access interfaces (to end
> devices like PC's/printers etc) with "edge" and "no-root-port" was offering
> protection from people plugging in random stuff like other switches.
> 
> After some more research it looks like I should probably be defining
> bpdu-block-on-edge,so interested to know if others are defining this along
> with a disable-timeout setting like 5 minutes, or do you not generally
> bother with a disable-timeout and manually clear these if they occur ?
> 
> Options I'm looking at defining :-
> 
> [edit protocols]
> +   layer2-control {
> +       bpdu-block {
> +           disable-timeout 300;
> +       }
> +   }
> [edit protocols rstp]
> +   bpdu-block-on-edge;
> 
> Thanks,
> Chris

More information about the juniper-nsp mailing list