Yes, I'm using bpdu-block-on-edge with disable-timeout 3600 (1 hour). I'm also using mac-limits with port shutdown.
Until a location is ready for IPv6:

set interfaces interface-range EDGE member-range ge-0/0/0 to ge-0/0/47
set interfaces interface-range EDGE unit 0 family ethernet-switching filter input DROP-IPv6
set interfaces interface-range EDGE unit 0 family ethernet-switching filter output DROP-IPv6
set firewall family ethernet-switching filter DROP-IPv6 term DROP-IPv6 from ether-type 0x86dd
set firewall family ethernet-switching filter DROP-IPv6 term DROP-IPv6 then discard
set firewall family ethernet-switching filter DROP-IPv6 term DROP-IPv6 then count DROP-IPv6
set firewall family ethernet-switching filter DROP-IPv6 term ACCEPT then accept

Storm-Control set to 100 Mbps (this needs to be adjusted according to normal baseline):

set interfaces interface-range EDGE unit 0 family ethernet-switching storm-control SC-EDGE
set forwarding-options storm-control-profiles SC-EDGE all bandwidth-level 100000

BPDU block:

set protocols layer2-control bpdu-block disable-timeout 3600
set protocols rstp interface EDGE edge
set protocols rstp bpdu-block-on-edge

MAC-limit (adjust for normal baseline of # of MACs per port):

set switch-options interface EDGE interface-mac-limit 16
set switch-options interface EDGE interface-mac-limit packet-action shutdown

On Thu, Sep 28, 2017 at 09:43:26PM +1000, Chris Lee via juniper-nsp wrote:
> Hi All,
>
> Interested to know what others have as their RSTP best practice setups for
> access-layer switches in the ELS platform, specifically EX2300/3400/4300's
>
> Until today I had thought that having defined my access interfaces (to end
> devices like PC's/printers etc) with "edge" and "no-root-port" was offering
> protection from people plugging in random stuff like other switches.
>
> After some more research it looks like I should probably be defining
> bpdu-block-on-edge, so interested to know if others are defining this along
> with a disable-timeout setting like 5 minutes, or do you not generally
> bother with a disable-timeout and manually clear these if they occur?
>
> Options I'm looking at defining :-
>
> [edit protocols]
> +   layer2-control {
> +       bpdu-block {
> +           disable-timeout 300;
> +       }
> +   }
> [edit protocols rstp]
> +   bpdu-block-on-edge;
>
> Thanks,
> Chris
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
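The thread's point is that "edge" plus "no-root-port" on its own does not stop a foreign switch from being plugged in; the protections that do are bpdu-block-on-edge with a disable-timeout, storm control and a MAC limit with a shutdown action. The following audit script is an added example, not code from either poster or from Juniper: it reads a Junos configuration in "set" form (what `show configuration | display set` prints) and reports which of those protections are missing on each interface marked as an RSTP edge port. The two sample configurations embedded in it are constructed for the example; the hardened one mirrors the commands posted above, the weak one is the edge/no-root-port-only setup the original poster started from.

```python
"""Audit a Junos 'set'-format config for the edge-port protections discussed in the thread."""
import sys

# Constructed sample inputs (not taken from a live device).
HARDENED_CONFIG = """\
set interfaces interface-range EDGE member-range ge-0/0/0 to ge-0/0/47
set interfaces interface-range EDGE unit 0 family ethernet-switching filter input DROP-IPv6
set interfaces interface-range EDGE unit 0 family ethernet-switching filter output DROP-IPv6
set interfaces interface-range EDGE unit 0 family ethernet-switching storm-control SC-EDGE
set forwarding-options storm-control-profiles SC-EDGE all bandwidth-level 100000
set protocols layer2-control bpdu-block disable-timeout 3600
set protocols rstp interface EDGE edge
set protocols rstp bpdu-block-on-edge
set switch-options interface EDGE interface-mac-limit 16
set switch-options interface EDGE interface-mac-limit packet-action shutdown
"""

# Edge + no-root-port only: the setup the original poster assumed was sufficient.
WEAK_CONFIG = """\
set interfaces interface-range EDGE member-range ge-0/0/0 to ge-0/0/47
set protocols rstp interface EDGE edge
set protocols rstp interface EDGE no-root-port
"""


def parse_set_lines(text):
    """Return each 'set ...' statement as a tuple of tokens (the leading 'set' dropped)."""
    stmts = []
    for line in text.splitlines():
        tokens = tuple(line.split())
        if tokens and tokens[0] == "set":
            stmts.append(tokens[1:])
    return stmts


def _with_prefix(stmts, prefix):
    """Statements whose leading tokens equal prefix."""
    return [s for s in stmts if s[: len(prefix)] == prefix]


def _iface_stmts(stmts, iface):
    """Statements under 'interfaces <iface>' or 'interfaces interface-range <iface>'."""
    return [
        s for s in stmts
        if s and s[0] == "interfaces" and len(s) > 2
        and (s[1] == iface or (s[1] == "interface-range" and s[2] == iface))
    ]


def audit_edge_protection(text):
    """Return a list of findings; an empty list means every check passed."""
    stmts = parse_set_lines(text)
    findings = []

    # 1. Global: BPDUs received on edge ports must disable the port.
    if not _with_prefix(stmts, ("protocols", "rstp", "bpdu-block-on-edge")):
        findings.append("rstp: bpdu-block-on-edge missing; edge/no-root-port alone does not block a foreign switch")

    # 2. Global: a recovery timer, otherwise a blocked port stays down until cleared by hand.
    if not _with_prefix(stmts, ("protocols", "layer2-control", "bpdu-block", "disable-timeout")):
        findings.append("layer2-control: bpdu-block disable-timeout missing; blocked ports need a manual clear")

    # 3. Per edge interface (or interface-range): storm control bound to a real profile,
    #    and a MAC limit whose action shuts the port.
    edge_ifaces = sorted(
        s[3] for s in _with_prefix(stmts, ("protocols", "rstp", "interface"))
        if len(s) > 4 and s[4] == "edge"
    )
    if not edge_ifaces:
        findings.append("rstp: no interfaces are marked as edge")
    for iface in edge_ifaces:
        bound = [s[s.index("storm-control") + 1] for s in _iface_stmts(stmts, iface)
                 if "storm-control" in s and s.index("storm-control") + 1 < len(s)]
        profiles_ok = [p for p in bound if any(
            "bandwidth-level" in s
            for s in _with_prefix(stmts, ("forwarding-options", "storm-control-profiles", p)))]
        if not profiles_ok:
            findings.append(f"{iface}: no storm-control profile with a bandwidth-level bound")
        mac = _with_prefix(stmts, ("switch-options", "interface", iface, "interface-mac-limit"))
        if not any(len(s) == 5 and s[4].isdigit() for s in mac):
            findings.append(f"{iface}: no interface-mac-limit value set")
        if not any(s[4:] == ("packet-action", "shutdown") for s in mac):
            findings.append(f"{iface}: interface-mac-limit packet-action is not shutdown")
    return findings


if __name__ == "__main__":
    # Usage: python audit_edge.py [config.set]; without a file, audit the two samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print("\n".join(audit_edge_protection(fh.read())) or "OK")
    else:
        for name, cfg in (("hardened", HARDENED_CONFIG), ("weak", WEAK_CONFIG)):
            print(f"[{name}]", "\n".join(audit_edge_protection(cfg)) or "OK")
```

Run against the weak sample it reports the missing bpdu-block-on-edge and disable-timeout, and for the EDGE range the missing storm-control binding, MAC limit and shutdown action; against the hardened sample it reports nothing. The script only checks presence of the knobs, not their values: whether 3600 seconds, 100 Mbps and 16 MACs are right is a per-site baseline decision, as the reply itself notes.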