SRX STP

In smaller sites, when rolling out low-end SRXs, it's not uncommon for them to be connected to Cisco switches that may be running multiple VLANs.

How can we connect our SRXs to Cisco switches without stuffing up spanning tree on the core Cisco switch and still prevent loops? Let's see what happens when we work through that situation from a spanning tree (STP) perspective.


1) CISCO SWITCH STP BASELINE

Our Cisco switch (C2960-LANBASEK9-M) has 3 VLANs. Let's see what STP looks like on them before we connect up our SRX.

AUHOSW071#sh spanning-tree vlan 2

VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8194   (priority 8192 sys-id-ext 2)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec


AUHOSW071#sh spanning-tree vlan 3

VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    8195
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8195   (priority 8192 sys-id-ext 3)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec


AUHOSW071#sh spanning-tree vlan 7

VLAN0007
  Spanning tree enabled protocol rstp
  Root ID    Priority    8199
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8199   (priority 8192 sys-id-ext 7)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec


Clearly we can see that for the 3 VLANs the switch AUHOSW071 is the root, which is what we want as per our config below.

Here is the Cisco switch STP config:


spanning-tree mode rapid-pvst
spanning-tree extend system-id
spanning-tree vlan 2-3,7 priority 8192


Another way to see the above STP situation:
AUHOSW071#sh spanning-tree vlan 2 detail

 VLAN0002 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 8192, sysid 2, address 108c.cf54.4700
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree

AUHOSW071#sh spanning-tree vlan 3 detail

 VLAN0003 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 8192, sysid 3, address 108c.cf54.4700
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree

AUHOSW071#sh spanning-tree vlan 7 detail          

 VLAN0007 is executing the rstp compatible Spanning Tree protocol
  Bridge Identifier has priority 8192, sysid 7, address 108c.cf54.4700
  Configured hello time 2, max age 20, forward delay 15, transmit hold-count 6
  We are the root of the spanning tree


All good so far.

Now we want to connect those 3 VLANs to our SRX to, for example, provide local Internet access with UTM features.
So we will make 3 connections between the SRX and the switch, one for each VLAN, and see what happens.



2) SRX AND CISCO SETUP

Before we connect, let's set the STP mode to RSTP to match the Cisco and see what STP looks like on the SRX before we plug anything in.

[edit]
root# delete protocols stp

[edit]
root# set protocols rstp

[edit]
root# commit
commit complete

[edit]
root# exit

Exiting configuration mode

root> show spanning-tree bridge

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.40:b4:f0:8f:2d:48
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 0
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0

root>


For the SRX we also have 3 VLANs, each assigned to one port. Here are the parts of the config that matter:

:
set interfaces fe-0/0/2 unit 0 family ethernet-switching vlan members vlan-trust
set interfaces fe-0/0/3 unit 0 family ethernet-switching vlan members trust-vl3
:
set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members trust-vl7
set interfaces vlan unit 2 family inet address 10.61.254.22/27
set interfaces vlan unit 3 family inet address 192.168.0.2/24
set interfaces vlan unit 7 family inet address 192.168.7.2/24
:
set protocols rstp
:
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces vlan.2
:
set security zones security-zone trust-l3 host-inbound-traffic system-services all
set security zones security-zone trust-l3 host-inbound-traffic protocols all
set security zones security-zone trust-l3 interfaces vlan.3
set security zones security-zone trust-l7 host-inbound-traffic system-services all
set security zones security-zone trust-l7 host-inbound-traffic protocols all
set security zones security-zone trust-l7 interfaces vlan.7
set vlans trust-vl3 vlan-id 3
set vlans trust-vl3 l3-interface vlan.3
set vlans trust-vl7 vlan-id 7
set vlans trust-vl7 l3-interface vlan.7
set vlans vlan-trust vlan-id 2
set vlans vlan-trust l3-interface vlan.2


On the Cisco side the config for the switchports that connect to the SRX is:

!
interface GigabitEthernet0/2
 switchport access vlan 2
!        
interface GigabitEthernet0/3
 switchport access vlan 3
!
interface GigabitEthernet0/7
 switchport access vlan 7
!


Access ports all around. No fancy features.


3) CONNECTING THE SRX TO THE CISCO SWITCH

First we connect VLAN 2 up: Cisco port g0/2 to SRX fe-0/0/2.

Cisco side spanning tree

AUHOSW071#sh spanning-tree

VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8194   (priority 8192 sys-id-ext 2)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 19        128.2    P2p


SRX side spanning tree

root> show spanning-tree bridge vlan-id 2

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 8194.10:8c:cf:54:47:00
  Root cost                         : 200000
  Root port                         : fe-0/0/2.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 4
  Time since last topology change   : 122 seconds
  Topology change initiator         : fe-0/0/2.0
  Topology change last recvd. from  : 10:8c:cf:54:47:02
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0


All good. The Cisco is still the root, as we expect.

Now let's connect up the other 2 ports: Cisco port g0/3 to SRX fe-0/0/3 and Cisco port g0/7 to SRX fe-0/0/7.

Cisco side spanning tree output after connecting all 3 ports:

AUHOSW071#sh spanning-tree

VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8194   (priority 8192 sys-id-ext 2)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 19        128.2    P2p

         
VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             Cost        200019
             Port        3 (GigabitEthernet0/3)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8195   (priority 8192 sys-id-ext 3)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3               Root FWD 19        128.3    P2p

         
VLAN0007
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             Cost        200019
             Port        7 (GigabitEthernet0/7)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8199   (priority 8192 sys-id-ext 7)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/7               Root FWD 19        128.7    P2p


WHAT THE...!

The Cisco is saying that the root bridge for VLANs 3 and 7 is the Cisco VLAN 2 bridge!
We can tell that because even though each Cisco bridge on our switch has the same address, each bridge also has a different priority.
So the root bridge in question for VLANs 3 and 7 on the Cisco switch is priority 8194 (8192 + 2) and address 108c.cf54.4700, i.e. VLAN 2 on the Cisco switch.

Why is this a problem?
Because it changed the network topology we designed, in which that Cisco switch is always the root bridge for its VLANs, as it was before we connected the SRX.
We now have an unexpected STP topology, and the unexpected should generally be avoided in networking.
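One way to catch this kind of topology drift automatically: the Python check below (an added example, not code from the post) parses the Cisco show spanning-tree output format above and flags any VLAN whose root is one of this same switch's other VLAN bridges. The sample text is the VLAN0002/0003/0007 output from this section, trimmed to the lines the check reads.

```python
"""Check a Cisco 'show spanning-tree' dump for VLANs that lost root.

Added example, not from the post: it parses the rapid-pvst output format
shown above and reports, per VLAN, whether the local switch is root and,
if not, whether the winning root is one of this same switch's other VLAN
bridges (the cross-VLAN BPDU leak the post observes) or a different
switch.  SAMPLE is copied from the post's output after all 3 ports were
connected, trimmed to the lines the parser needs.
"""
import re

SAMPLE = """\
VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             This bridge is the root

  Bridge ID  Priority    8194   (priority 8192 sys-id-ext 2)
             Address     108c.cf54.4700

VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             Cost        200019
             Port        3 (GigabitEthernet0/3)

  Bridge ID  Priority    8195   (priority 8192 sys-id-ext 3)
             Address     108c.cf54.4700

VLAN0007
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             Cost        200019
             Port        7 (GigabitEthernet0/7)

  Bridge ID  Priority    8199   (priority 8192 sys-id-ext 7)
             Address     108c.cf54.4700
"""

VLAN_RE = re.compile(r"^VLAN(\d{4})\s*$")
PRIO_RE = re.compile(r"^\s*(Root|Bridge) ID\s+Priority\s+(\d+)")
ADDR_RE = re.compile(r"^\s*Address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})")


def parse_vlans(text):
    """Return {vlan: {'root': (prio, addr), 'bridge': (prio, addr)}}."""
    vlans, current, section = {}, None, None
    for line in text.splitlines():
        m = VLAN_RE.match(line)
        if m:
            current = int(m.group(1))
            vlans[current] = {}
            section = None
            continue
        if current is None:
            continue
        m = PRIO_RE.match(line)
        if m:
            section = m.group(1).lower()          # 'root' or 'bridge'
            vlans[current][section] = [int(m.group(2)), None]
            continue
        m = ADDR_RE.match(line)
        # The first Address line after each "... ID  Priority" belongs to it.
        if m and section and vlans[current][section][1] is None:
            vlans[current][section][1] = m.group(1)
    return {v: {k: tuple(val) for k, val in d.items()} for v, d in vlans.items()}


def classify(vlans):
    """Per VLAN: 'local-root', 'leaked-from-vlan-N' or 'remote-root'.

    With extended system IDs the priority is 4096 * n + sys-id-ext, so
    priority % 4096 recovers the VLAN of the bridge that won.  A root
    whose address is our own MAC but whose sys-id-ext is a different
    VLAN can only have arrived via a neighbour that carried BPDUs across
    VLANs, which is exactly the symptom seen above."""
    result = {}
    for vlan, ids in vlans.items():
        root_prio, root_addr = ids["root"]
        br_prio, br_addr = ids["bridge"]
        if (root_prio, root_addr) == (br_prio, br_addr):
            result[vlan] = "local-root"
        elif root_addr == br_addr:
            result[vlan] = f"leaked-from-vlan-{root_prio % 4096}"
        else:
            result[vlan] = "remote-root"
    return result


if __name__ == "__main__":
    for vlan, verdict in classify(parse_vlans(SAMPLE)).items():
        print(f"VLAN{vlan}: {verdict}")
```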

SRX side spanning tree output after connecting all 3 ports:

root> show spanning-tree bridge vlan-id 2

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 8194.10:8c:cf:54:47:00
  Root cost                         : 200000
  Root port                         : fe-0/0/2.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 10
  Time since last topology change   : 180 seconds
  Topology change initiator         : fe-0/0/3.0
  Topology change last recvd. from  : 10:8c:cf:54:47:03
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0

root> show spanning-tree bridge vlan-id 3   

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 8194.10:8c:cf:54:47:00
  Root cost                         : 200000
  Root port                         : fe-0/0/2.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 10
  Time since last topology change   : 184 seconds
  Topology change initiator         : fe-0/0/3.0
  Topology change last recvd. from  : 10:8c:cf:54:47:03
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0

root> show spanning-tree bridge vlan-id 7   

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 8194.10:8c:cf:54:47:00
  Root cost                         : 200000
  Root port                         : fe-0/0/2.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 1
  Number of topology changes        : 10
  Time since last topology change   : 187 seconds
  Topology change initiator         : fe-0/0/3.0
  Topology change last recvd. from  : 10:8c:cf:54:47:03
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0

root> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
fe-0/0/2.0     128:515        128:2   8194.108ccf544700    200000  FWD    ROOT
fe-0/0/3.0     128:516      128:516  32768.40b4f08f2d48    200000  FWD    DESG
fe-0/0/7.0     128:520      128:520  32768.40b4f08f2d48    200000  FWD    DESG


Do you see it? All 3 VLANs on the SRX report the same bridge ID. That can only mean there is a single bridge running on the SRX for all VLANs.
Or to say it another way, it looks like a single instance of spanning tree on the SRX, and BPDUs are being flooded across VLAN domains.
If anyone would like to correct me on the above statement then please do. But that's what it looks like to me.

That is why, on the Cisco, VLANs 3 and 7 hear the best BPDU from the Cisco VLAN 2 bridge via the SRX and consider it the root of their spanning trees.

At least none of the ports are blocking (all ports on both the Cisco and the SRX are in the FWD state).
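To make the election concrete, here is an added Python model (not code from the post, Juniper or Cisco) of the root election over these three links. It runs the SRX as the single bridge observed above, then with STP disabled on its Cisco-facing ports, and, going beyond the page, as an assumed per-VLAN bridge of the kind VSTP would provide; the port costs are the 19 and 200000 seen in the outputs above.

```python
"""Root-bridge election model for the SRX/Cisco topology in this post.

Added example (not from the post or from Juniper/Cisco): a minimal
RSTP-style root election over the three links described above, run
with the SRX as a single bridge that floods BPDUs across VLANs (what
the post observes), with STP disabled on the SRX ports (the working
fix), and as an assumed per-VLAN SRX bridge (what a VSTP-style bridge
would do; the post could not enable VSTP on srx210he).
"""

CISCO_MAC = "108c.cf54.4700"
SRX_MAC = "40b4.f08f.2d48"
VLANS = (2, 3, 7)

# Path costs seen in the post's output: Cisco uses the short method
# (100 Mb/s link = 19); Junos uses the long method (100 Mb/s = 200000).
CISCO_PORT_COST = 19
SRX_PORT_COST = 200000


def bridge_id(priority, mac):
    """Bridge IDs compare as (priority incl. sys-id-ext, MAC); lower wins."""
    return (priority, mac)


def elect_roots(bridges, links):
    """Exchange root information until no bridge changes its mind.

    bridges: {name: bridge_id}
    links:   [(name_a, cost_a, name_b, cost_b)] where cost_x is the path
             cost of the port on x that faces the link.
    Returns {name: (root_id, root_cost)}.  A bridge accepts an offer when
    (root_id, advertised_cost + own_port_cost) beats what it holds.
    """
    state = {n: (bid, 0) for n, bid in bridges.items()}
    changed = True
    while changed:
        changed = False
        for a, cost_a, b, cost_b in links:
            for rx, rx_cost, tx in ((a, cost_a, b), (b, cost_b, a)):
                root, cost = state[tx]
                offer = (root, cost + rx_cost)
                if offer < state[rx]:          # lower (root, cost) wins
                    state[rx] = offer
                    changed = True
    return state


def cisco_bridges():
    """rapid-pvst: one bridge per VLAN, priority 8192 + sys-id-ext (the VLAN)."""
    return {f"cisco-vlan{v}": bridge_id(8192 + v, CISCO_MAC) for v in VLANS}


def topology(srx_mode):
    """Build bridges and links for one of three SRX behaviours."""
    bridges = cisco_bridges()
    links = []
    if srx_mode == "single-bridge":
        # One RSTP instance on the SRX: BPDUs from all three ports land in
        # the same bridge, which is what the post's output shows.
        bridges["srx"] = bridge_id(32768, SRX_MAC)
        for v in VLANS:
            links.append((f"cisco-vlan{v}", CISCO_PORT_COST, "srx", SRX_PORT_COST))
    elif srx_mode == "per-vlan":
        # Assumed VSTP-like behaviour: a separate SRX bridge per VLAN.
        for v in VLANS:
            bridges[f"srx-vlan{v}"] = bridge_id(32768, SRX_MAC)
            links.append((f"cisco-vlan{v}", CISCO_PORT_COST,
                          f"srx-vlan{v}", SRX_PORT_COST))
    elif srx_mode == "disabled":
        # STP disabled on the SRX ports facing the Cisco: no BPDU exchange.
        pass
    else:
        raise ValueError(srx_mode)
    return bridges, links


def cisco_root_report(srx_mode):
    """Return {vlan: (is_local_root, root_priority, root_cost)} per Cisco VLAN."""
    bridges, links = topology(srx_mode)
    state = elect_roots(bridges, links)
    report = {}
    for v in VLANS:
        name = f"cisco-vlan{v}"
        root, cost = state[name]
        report[v] = (root == bridges[name], root[0], cost)
    return report


if __name__ == "__main__":
    for mode in ("single-bridge", "per-vlan", "disabled"):
        print(mode)
        for v, (is_root, prio, cost) in cisco_root_report(mode).items():
            print(f"  VLAN{v}: root={'self' if is_root else 'remote'} "
                  f"priority={prio} cost={cost}")
```

In single-bridge mode VLANs 3 and 7 end up with root priority 8194 at cost 200019, the figures in the Cisco output above.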

Now a little research shows this is not an unknown issue, or at least it seems similar:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB22965


We need to find a way to stop this happening: a way to keep the Cisco the root bridge of all VLANs and still prevent loops.


4) SOLUTIONS THAT DON'T WORK.

The above KB offers a possible solution.

root# set security flow bridge ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  block-non-ip-all     Block all non-IP and non-ARP traffic including broadcast/multicast
  bpdu-vlan-flooding   Set 802.1D BPDU flooding based on VLAN
  bypass-non-ip-unicast  Allow all non-IP (including unicast) traffic
> no-packet-flooding   Stop IP flooding, send ARP/ICMP to trigger MAC learning
[edit]
root# set security flow bridge bpdu-vlan-flooding

[edit]
root# commit
commit complete


Sadly I report that this doesn't make a difference in my case (srx210he / 12.1R6.5).
Neither does adding block-non-ip-all.
And that's even after a reboot...

What about MSTP?

root# set protocols m      
                     ^
'm' is ambiguous.
Possible completions:
> mld                  MLD options
> mld-snooping         MLD Snooping configuration
> mpls                 Multiprotocol Label Switching options
> msdp                 MSDP configuration

[edit]
root#


Not even an option on this platform.

Neither is this something we can control from the security zone itself: there are no STP options under host-inbound-traffic system-services or protocols.

Now Juniper does have a protocol similar to Cisco's PVST. It's called VSTP, and from comments on J-Net they do appear to be interoperable.
Could we run it?

root# set protocols vstp ? 
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
  disable              Disable VSTP
  force-version        Force protocol version
> vlan                 VLAN spanning tree options
> vlan-group           Spanning tree options for group of VLANs
[edit]


Looks positive!

root# set protocols vstp vlan ?
Possible completions:
  <id-name>            VLAN id or name
  all                  All VLANs
  trust-vl3            tag(3)
  trust-vl7            tag(7)
  vlan-trust           tag(2)
[edit]

root# set protocols vstp vlan all   

[edit]
root# commit
commit complete

[edit]
root#


YES!

[edit]

root# run show configuration protocols
rstp;
##
## Warning: configuration block ignored: unsupported platform (srx210he)
##

vstp {
    vlan all;
}

[edit]
root#


ARGH! Oh well. Come on Juniper! The branch SRXs have switching features, so why can't we have VSTP as well? It would solve our issue here perfectly, I believe.


5) SOLUTIONS THAT DO WORK or SORT OF WORK...

A) The Trunk (Sorta works..)

Instead of making 3 separate connections, what about making a single connection with a trunk between Cisco port g0/2 and SRX fe-0/0/2?

SRX side changes for trunk connectivity:

root> show configuration interfaces fe-0/0/2 
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ vlan-trust trust-vl3 trust-vl7 ];
        }
    }
}

Cisco side changes for trunk connectivity:

AUHOSW071#sh run int g 0/2
Building configuration...

Current configuration : 96 bytes
!
interface GigabitEthernet0/2
 switchport trunk allowed vlan 2,3,7
 switchport mode trunk
end


Check the trunk is up on the Cisco side:

AUHOSW071#sh interfaces g0/2 trunk

Port        Mode             Encapsulation  Status        Native vlan
Gi0/2       on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/2       2-3,7

Port        Vlans allowed and active in management domain
Gi0/2       2-3,7

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/2       2-3,7
AUHOSW071#

 
Check the trunk is up on the SRX side:

root> show ethernet-switching interfaces fe-0/0/2 
Interface    State  VLAN members        Tag   Tagging  Blocking
fe-0/0/2.0   up     trust-vl3           3     tagged   unblocked
                    trust-vl7           7     tagged   unblocked
                    vlan-trust          2     tagged   unblocked


Now let's check the STP situation.

Cisco side:

AUHOSW071#sh spanning-tree 

VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8194   (priority 8192 sys-id-ext 2)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 19        128.2    P2p

         
VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    8195
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8195   (priority 8192 sys-id-ext 3)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 19        128.2    P2p

         
VLAN0007
  Spanning tree enabled protocol rstp
  Root ID    Priority    8199
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8199   (priority 8192 sys-id-ext 7)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 19        128.2    P2p


Great! We have full connectivity over all VLANs and the Cisco is the root of each of the STP instances.

SRX side:

root> show spanning-tree bridge vlan-id 2

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.40:b4:f0:8f:2d:48
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 2895 seconds
  Topology change initiator         : fe-0/0/2.0
  Topology change last recvd. from  : 10:8c:cf:54:47:02
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0

root>

root> show spanning-tree bridge vlan-id 3   

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.40:b4:f0:8f:2d:48
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 2898 seconds
  Topology change initiator         : fe-0/0/2.0
  Topology change last recvd. from  : 10:8c:cf:54:47:02
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0

root> show spanning-tree bridge vlan-id 7   

STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 32768.40:b4:f0:8f:2d:48
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 0
  Number of topology changes        : 1
  Time since last topology change   : 2935 seconds
  Topology change initiator         : fe-0/0/2.0
  Topology change last recvd. from  : 10:8c:cf:54:47:02
  Local parameters
    Bridge ID                       : 32768.40:b4:f0:8f:2d:48
    Extended system ID              : 0
    Internal instance ID            : 0


Not so great. The SRX bridge is also saying it's the root (Bridge ID matches Root ID).

Note: In reality, as there is only one bridge on the SRX, you don't really need to run the above 3 commands; just run show spanning-tree bridge.

root> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
fe-0/0/2.0     128:515      128:515  32768.40b4f08f2d48    200000  FWD    DESG


Again I reiterate that connectivity is good between the Cisco and SRX over all VLANs, but it is a little unusual/uncomfortable to see both sides claiming to be root. It just looks wrong. So while it is a solution I wouldn't recommend it, and am really just showing it to show what happens.

B) TURN OFF SPANNING TREE (Works)

I am afraid it has come to this. You knew this was where we were heading, didn't you? Sacrilege, you say! The network will be vulnerable to loops, you say!
Well, maybe or maybe not.

What if you turned off STP on just the port or ports on the SRX that connect to the Cisco switch?


You're installing the SRX (or whoever is, is under your control/direction, right?). You know exactly which port(s) on the SRX will connect to the switch on which VLAN(s), and you know that once it's all connected up there will be no loops, because that's the way you, Mr Network Engineer, designed it.


So STP is not needed on the ports that connect the SRX and Cisco, because you KNOW that connectivity will be loop free.

What of the other ports on the SRX? Well, if they are not needed then shut them down so no one can connect a switch to a couple of ports on it and cause a loop. If, on the other hand, you do need those ports to be available for end user connectivity in the branch, then DO run STP on just those ports.


That way, if Mr Branch Worker connects a switch to 2 or more of the unused ports on the SRX, the network will be protected and the port(s) will be blocked on the SRX. You know that certain cheap low-end unmanaged switches don't actually run STP, right? The exact kind of switch that Mr Branch Worker will buy himself at his local computer/electronics store...

Look, I know this no-STP solution may not be perfect or may be giving some of you shivers up the spine, but it's well worth considering whether it's a practicable solution for your environment. It can work if carefully planned. For one of my clients it works perfectly.

Let's test it.

So we are now back to the 3 separate connections between the SRX and Cisco. The trunk is gone and we turn off STP on the SRX.

root> edit
Entering configuration mode

[edit]
root# run show configuration protocols
rstp;
##
## Warning: configuration block ignored: unsupported platform (srx210he)
##
vstp {
    vlan all;
}

[edit]

root# delete protocols rstp

[edit]
root# delete protocols vstp  

[edit]
root# commit
commit complete


STP status:
The Cisco says it's root of each spanning tree instance and is not blocking any ports. The SRX says...

root> show spanning-tree interface
Spanning-tree is not enabled at global level.

 
Connectivity confirmed over all VLANs.

Let's now turn on STP on all unused ports on the SRX, i.e. SRX ports for end users or devices that don't connect to the Cisco switch.

If you do go down this path (as opposed to completely turning off STP and disabling unused ports) you must also specifically disable STP on the SRX ports that connect to the Cisco, as otherwise STP will run on those ports by default and we have our root bridge problem again.

root# run show configuration protocols                  
rstp {
    interface ge-0/0/0.0 {
        edge;
    }
    interface ge-0/0/1.0 {
        edge;
    }
    interface fe-0/0/2.0 {
        disable;
    }
    interface fe-0/0/3.0 {
        disable;
    }
    interface fe-0/0/4.0 {
        edge;
    }
    interface fe-0/0/5.0 {
        edge;
    }
    interface fe-0/0/6.0 {
        edge;
    }
    interface fe-0/0/7.0 {
        disable;                       
    }
}


With only the ports between the SRX and Cisco connected, what does STP look like?
The Cisco switch is still the root of all spanning tree instances and no ports are being blocked.

AUHOSW071#sh spanning-tree

VLAN0002
  Spanning tree enabled protocol rstp
  Root ID    Priority    8194
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8194   (priority 8192 sys-id-ext 2)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/2               Desg FWD 19        128.2    P2p

         
VLAN0003
  Spanning tree enabled protocol rstp
  Root ID    Priority    8195
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8195   (priority 8192 sys-id-ext 3)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/3               Desg FWD 19        128.3    P2p

         
VLAN0007
  Spanning tree enabled protocol rstp
  Root ID    Priority    8199
             Address     108c.cf54.4700
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8199   (priority 8192 sys-id-ext 7)
             Address     108c.cf54.4700
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/7               Desg FWD 19        128.7    P2p 

 
On the SRX:

root> show spanning-tree interface   

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
fe-0/0/2.0     128:515        128:2   8194.108ccf544700    200000  DIS    DIS 
fe-0/0/3.0     128:516      128:516  32768.40b4f08f2d48    200000  DIS    DIS 
fe-0/0/7.0     128:520      128:520  32768.40b4f08f2d48    200000  DIS    DIS


OK, the ports we want are in an STP-disabled state. What this means is that the SRX will never send any BPDUs to the Cisco.

I.e. the Cisco is isolated from topology changes on the SRX and will always be the root bridge for our VLANs.

A quick debug on the Cisco shows that it's not getting any BPDUs at all from the SRX, though it is still sending its own BPDUs to the SRX, which the SRX just ignores.

AUHOSW071#debug spanning-tree bpdu
AUHOSW071#
*May 22 00:49:42.858: RSTP(2): sending BPDU out Gi0/2
*May 22 00:49:43.286: RSTP(7): sending BPDU out Gi0/7
*May 22 00:49:43.286: RSTP(3): sending BPDU out Gi0/3
AUHOSW071#
*May 22 00:49:44.872: RSTP(2): sending BPDU out Gi0/2
*May 22 00:49:45.300: RSTP(7): sending BPDU out Gi0/7
*May 22 00:49:45.300: RSTP(3): sending BPDU out Gi0/3
AUHOSW071#
*May 22 00:49:46.885: RSTP(2): sending BPDU out Gi0/2
*May 22 00:49:47.313: RSTP(7): sending BPDU out Gi0/7
*May 22 00:49:47.313: RSTP(3): sending BPDU out Gi0/3
AUHOSW071#
*May 22 00:49:48.898: RSTP(2): sending BPDU out Gi0/2
*May 22 00:49:49.326: RSTP(7): sending BPDU out Gi0/7
*May 22 00:49:49.326: RSTP(3): sending BPDU out Gi0/3


Let's now try to intentionally create loops.

Mr Branch Worker wants a few more ports near his desk and goes out and buys an unmanaged Netgear switch without telling IT. Naturally.
For some reason he connects 2 unused ports on the SRX to this Netgear.

First, port 4 is connected to the Netgear...

root> show spanning-tree interface          

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
fe-0/0/2.0     128:515        128:2   8194.108ccf544700    200000  DIS    DIS 
fe-0/0/3.0     128:516      128:516  32768.40b4f08f2d48    200000  DIS    DIS 
fe-0/0/4.0     128:517      128:517  32768.40b4f08f2d48    200000  FWD    DESG
fe-0/0/7.0     128:520      128:520  32768.40b4f08f2d48    200000  DIS    DIS 


Port 4 on the SRX is forwarding. Looks good.

Then port 5 is connected to the Netgear...

root> show spanning-tree interface   

Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
fe-0/0/2.0     128:515        128:2   8194.108ccf544700    200000  DIS    DIS 
fe-0/0/3.0     128:516      128:516  32768.40b4f08f2d48    200000  DIS    DIS 
fe-0/0/4.0     128:517      128:517  32768.40b4f08f2d48    200000  FWD    DESG
fe-0/0/5.0     128:518      128:517  32768.40b4f08f2d48    200000  BLK    BKUP
fe-0/0/7.0     128:520      128:520  32768.40b4f08f2d48    200000  DIS    DIS 


Port 5 is blocked and assigned the RSTP backup role, i.e. a backup to the designated port 4.

What's perhaps interesting is that it doesn't matter whether the 2 SRX ports that connect to the Netgear are in the same VLAN or not.
You get the same result: the port with the higher Port ID always gets blocked. Reason: SRX = 1 bridge.


Through all this Netgear plugging in and out, STP on the Cisco had no events and the Cisco was always the root, as expected, since it is isolated from the SRX at the STP level.

Note: As the SRX ports running RSTP are edge ports they wouldn't generate BPDUs with the TC bit set anyway.

6) SUMMARY

We disabled STP on the SRX ports that connect to the Cisco switch to maintain the root bridge integrity of the Cisco.
We enabled STP on all the other switch ports on the SRX to prevent loops (and therefore broadcast storms) being caused by other devices that might be unintelligently or unintentionally connected to the SRX.

So to me this is a good, workable solution for STP interconnectivity between the SRX and Cisco. Hopefully this has given you some ideas about what might happen when you connect your SRXs to the real world.


Of course there are ways for the Cisco to protect itself from losing root, or even from seeing BPDUs, that I haven't explored here. But they will result in the Cisco err-disabling or blocking ports and therefore an ultimate loss of some connectivity between the Cisco and the SRX.
The above solution keeps connectivity between the core Cisco switch and the SRX, and blocks end user ports on the SRX if needed, where the impact will be much lower.

So that's it folks. SRX and STP. An interesting story.

1 comment:

  1. Awesome post. Just ran into this problem. Fixed it the same way you suggested... by disabling STP on the SRX.