
EX Switches - How to configure root protection to enforce root bridge placement in Spanning Tree


Article ID: KB15640 KB Last Updated: 26 Nov 2009 Version: 1.0
Summary:
EX Switches provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Root protection increases the efficiency of STP, RSTP, and MSTP by allowing network administrators to manually enforce the root bridge placement in the network. This article explains the steps to configure this feature on EX Switches.
Symptoms:

Solution:
Peer STP applications running on switch interfaces exchange a special type of frame called a bridge protocol data unit (BPDU). Switches communicate interface information using BPDUs to create a loop-free topology that ultimately determines the root bridge and which interfaces block or forward traffic in the spanning tree.

However, a root port can be elected wrongly through this process. A user bridge application running on a PC can also generate BPDUs and interfere with root port election.

To prevent this from happening, enable root protection on interfaces that should not receive superior BPDUs from the root bridge and should not be elected as the root port. These interfaces are typically located on an administrative boundary and are designated ports.

When root protection is enabled on an interface:
  •   The interface is blocked from becoming the root port.
  •   Root protection is enabled for all STP instances on that interface.
  •   The interface is blocked only for instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology.

For example, in an existing network running spanning tree, the root port on a switch is supposed to be ge-0/0/0. Instead, the addition of a new switch on ge-0/0/47 triggers the STP root election process, because the new switch has a lower priority value than the current root bridge. The original switch is receiving superior BPDUs (bridge protocol data units) from the new switch on ge-0/0/47, which causes a topology change in the spanning tree.

Switch> show spanning-tree interface
Interface    Port ID  Designated  Designated          Port    State  Role
                      port ID     bridge ID           Cost
ge-0/0/0.0   128:513  128:513     32768.0019e253b3c0  200000  FWD    DESG
ge-0/0/45.0  128:558  128:558     32768.0019e253b3c0  20000   FWD    DESG
ge-0/0/46.0  128:559  128:559     32768.0019e253b3c0  20000   FWD    DESG
ge-0/0/47.0  128:560  128:1008    8192.002283685400   20000   FWD    ROOT

With root protection enabled on ge-0/0/47, the switch ignores the superior BPDUs on the interface by placing it in the root-inconsistent state. The root-inconsistent state blocks the interface and prevents it from becoming a candidate for the root port. When the root bridge no longer receives superior STP BPDUs from the interface, the interface recovers and transitions back to a forwarding state. Recovery is automatic.

Switch# set protocols mstp interface ge-0/0/47.0 no-root-port

Switch# show protocols mstp
interface ge-0/0/47.0 {
    no-root-port;
}

Switch> show spanning-tree interface
Interface    Port ID  Designated  Designated          Port    State  Role
                      port ID     bridge ID           Cost
ge-0/0/0.0   128:513  128:2       24576.0014a99fb280  200000  FWD    ROOT
ge-0/0/45.0  128:558  128:558     32768.0019e253b3c0  20000   FWD    DESG
ge-0/0/46.0  128:559  128:559     32768.0019e253b3c0  20000   FWD    DESG
ge-0/0/47.0  128:560  128:1008    8192.002283685400   20000   BLK    ALT (Root-Incon)
ge-1/0/0.0   128:625  128:625     32768.0019e253b3c0  200000  FWD    DESG


Switch> show spanning-tree interface ge-0/0/47.0 detail

Spanning tree interface parameters for instance 0

Interface name : ge-0/0/47.0
Port identifier : 128.560
Designated port ID : 128.1008
Port cost : 20000
Port state : Blocking
Designated bridge ID : 8192.00:22:83:68:54:00
Port role : Alternate (Root-Inconsistent)
Link type : Pt-Pt/NONEDGE
Boundary port : Yes
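
The following is an added example, not part of the original article or Juniper's tooling: a small monitoring check that parses `show spanning-tree interface` output and reports a root port outside an expected uplink list, as well as any port that root protection has placed in the Root-Incon state. The allow-list `expected_root_ports`, the function names, and the finding labels are assumptions made for illustration; the sample input is constructed from the two outputs shown in this article.

```python
import re

# Constructed sample input: the two "show spanning-tree interface" outputs from
# this article, including the row whose ROOT role wrapped onto its own line.
BEFORE = """\
Interface Port ID Designated Designated Port State Role
port ID bridge ID Cost
ge-0/0/0.0 128:513 128:513 32768.0019e253b3c0 200000 FWD DESG
ge-0/0/45.0 128:558 128:558 32768.0019e253b3c0 20000 FWD DESG
ge-0/0/46.0 128:559 128:559 32768.0019e253b3c0 20000 FWD DESG
ge-0/0/47.0 128:560 128:1008 8192.002283685400 20000 FWD
ROOT
"""
AFTER = """\
Interface Port ID Designated Designated Port State Role
port ID bridge ID Cost
ge-0/0/0.0 128:513 128:2 24576.0014a99fb280 200000 FWD ROOT
ge-0/0/45.0 128:558 128:558 32768.0019e253b3c0 20000 FWD DESG
ge-0/0/46.0 128:559 128:559 32768.0019e253b3c0 20000 FWD DESG
ge-0/0/47.0 128:560 128:1008 8192.002283685400 20000 BLK ALT (Root-Incon)
ge-1/0/0.0 128:625 128:625 32768.0019e253b3c0 200000 FWD DESG
"""

# One data row: interface, port ID, designated port ID, designated bridge ID,
# port cost, state, role, and an optional "(flag)". \s+ also spans a wrapped line.
ROW = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<port_id>\d+:\d+)\s+(?P<desg_port>\d+:\d+)\s+"
    r"(?P<bridge>\d+\.[0-9a-fA-F]{12})\s+(?P<cost>\d+)\s+(?P<state>\w+)\s+"
    r"(?P<role>\w+)(?:\s+\((?P<flag>[^)]+)\))?\s*$",
    re.MULTILINE,
)

def parse(output):
    """Return one dict per interface row; header lines do not match ROW."""
    return [m.groupdict() for m in ROW.finditer(output)]

def audit(output, expected_root_ports):
    """Flag root ports outside the allow-list and ports blocked by root protection."""
    findings = []
    for row in parse(output):
        if row["role"] == "ROOT" and row["ifname"] not in expected_root_ports:
            findings.append(("unexpected-root-port", row["ifname"], row["bridge"]))
        if row["flag"] == "Root-Incon":
            findings.append(("root-protect-blocking", row["ifname"], row["bridge"]))
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text, {"ge-0/0/0.0"}))
```

The third field of each finding is the designated bridge ID seen on that port, which identifies the device sending the superior BPDUs.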

NOTE: An interface can be configured for either root protection or loop protection, but not for both.