
Junos Enterprise Switching

Chapter 4: Spanning Tree

2011 Juniper Networks, Inc. All rights reserved. | www.juniper.net | Worldwide Education Services

Chapter Objectives

After successfully completing this chapter, you will be able to:
- Explain when a spanning tree is required
- Describe STP and RSTP operations
- List some advantages of using RSTP over STP
- Configure and monitor RSTP
- Describe the BPDU, loop, and root protection features
- Configure and monitor the BPDU, loop, and root protection features

Agenda: Spanning Tree

- Spanning Tree Protocol
- Rapid Spanning Tree Protocol
- Configuring and Monitoring RSTP
- Protection Features
  - BPDU Protection
  - Loop Protection
  - Root Protection

Test Your Knowledge

What will Switch-1 and Switch-2 do if they receive a broadcast frame or a frame destined to an unknown MAC address?
Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95

[Figure: Switch-1 and Switch-2 with four attached hosts: User A (MAC 00:26:88:02:74:86), User B (MAC 00:26:88:02:74:87), User C (MAC 00:26:88:02:74:88) and User D (MAC 00:26:88:02:74:89)]

Answer: Both switches would flood the frames out all ports except the port on which the frames arrived.

What If?

What if a broadcast frame or a frame with an unknown destination MAC address were sent into a Layer 2 network with redundant paths?
Example: Source MAC: 00:26:88:02:74:86 / Destination MAC: 00:26:88:02:74:95

[Figure: Switch-1, Switch-2 and Switch-3 connected by redundant links, with User A (MAC 00:26:88:02:74:86), User B (00:26:88:02:74:87), User C (00:26:88:02:74:88), User D (00:26:88:02:74:89), User E (00:26:88:02:74:90) and User F (00:26:88:02:74:91); each switch floods the frame and a Layer 2 loop results]

Spanning Tree Protocol

STP:
- Defined in the IEEE 802.1D-1998 specification
- Builds loop-free paths in redundant Layer 2 networks
- Automatically rebuilds the tree when the topology changes

[Figure: Switch-1, Switch-2 and Switch-3 in a triangle with Host A and Host B; user traffic flows over two of the links (loop-free environment) and no user traffic flows over the third]

How Does it Work?

Steps for creating a spanning tree include:
1. Switches exchange bridge protocol data units (BPDUs)
2. Root bridge is elected
3. Port role and state are determined
4. Tree is fully converged

[Figure: left, Switch-1, Switch-2 and Switch-3 exchanging BPDUs; right, Switch-1 as root bridge in a loop-free environment with user traffic on two links and no user traffic on the third]

Terms and Concepts (1 of 2)

Key terms and concepts of STP:
- Bridge ID: Unique identifier for each switch
- Root bridge: Switch with the lowest bridge ID
- Root port: The port on each bridge closest to the root bridge
- Root path cost: A bridge's calculated cost to get from itself to the root bridge
  - Equal to the received root path cost from configuration BPDUs plus the port cost of the root port on the bridge
- Port cost: Every interface on a bridge has an assigned port cost value
  - Used in the calculation of the root path cost for the local bridge
  - Configurable value (1 to 200000000)
  - The default value is 20000 for 1 Gigabit Ethernet

Terms and Concepts (2 of 2)

Key terms and concepts of STP (contd.):
- Designated bridge: A switch representing the LAN segment
- Port ID: A unique identifier for each port on each switch
- Designated port: The designated bridge's forwarding port on a LAN segment
  - The port used by a designated bridge to send traffic from the direction of the root to the LAN or from the LAN toward the root
- Bridge protocol data unit: Packets used to exchange information between switches
  - Configuration BPDU
  - Topology change notification BPDU

Port States

Each individual port of each bridge can be in one of four states:
- Blocking
  - The port drops all data packets and listens to BPDUs
  - The port is not used in the active topology
- Listening
  - The port drops all data packets and listens to BPDUs
  - The port is transitioning and will be used in the active topology
- Learning
  - The port drops all data packets and listens to BPDUs
  - The port is transitioning and the switch is learning MAC addresses
- Forwarding
  - The port receives and forwards data packets and sends and receives BPDUs
  - The port has transitioned and the switch continues to learn MAC addresses

BPDU Ethernet Frame Format

Ethernet frame carrying a BPDU: DA | SA | Length | LLC | BPDU | FCS
- Destination Address: The bridge group address (01:80:C2:00:00:00)
- Source Address: MAC of the outgoing port of the originating switch
- LLC Header: DSAP and SSAP = 0x42 (Bridge Spanning Tree Protocol)

BPDU types:
- Configuration BPDUs: Used to build the spanning-tree topology
- Topology change notification (TCN) BPDUs: Report topology changes

BPDU Format

Field              Octets   Notes
Protocol ID        2
Protocol Version   1
BPDU Type          1        0x00 (Configuration BPDU), 0x80 (TCN BPDU)
Flags              1
Root ID            8        Priority (2) + Bridge Address (6)
Root Path Cost     4
Bridge ID          8        Priority (2) + Bridge Address (6)
Port ID            2        Priority + Port Number
Message Age        2
Max Age            2
Hello Time         2
Forward Delay      2

- Root ID: A unique ID of the bridge that the transmitting bridge believes to be the root
- Bridge Priority: The priority of becoming the root bridge, the designated bridge, or both (lower is better)
- Bridge Address: The unique MAC address of the bridge itself
- Port Priority: Used as the tiebreaker to determine the designated port, the root port, or both for a LAN (lower is better)
- Port Number: The ID of the transmitting port

Building a Spanning Tree (1 of 3)

Switches exchange configuration BPDUs:
- They do not flood; instead, each bridge uses information in the received BPDUs to generate its own

Root bridge is elected based on BPDU information:
- Criterion for election is the bridge ID
- The election process reviews priority first: lowest priority wins
- If the priority values are the same, bridge addresses (MAC) are compared: the lowest identifier wins

[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with Host A and Host B. Switches initially exchange configuration BPDUs, each claiming to be the root bridge; Switch-1 is elected as the root bridge based on the received configuration BPDU information.]

Building a Spanning Tree (2 of 3)

Least-cost path calculation to the root bridge determines port role; port role determines port state:

Port Role and State Designations
- All ports on the root bridge assume the designated port role and forwarding state
- Root ports on switches are placed in the forwarding state; the root bridge has no root ports
- Designated ports on designated bridges are placed in the forwarding state
- All other ports are placed in the blocking state

[Figure: Switch-1 (Root Bridge) with all ports F,D; Switch-2 and Switch-3 each with an F,R port toward Switch-1; on the Switch-2 to Switch-3 link, Switch-2's port is F,D and Switch-3's port is B. Legend: F,R = Forwarding and root port; F,D = Forwarding and designated port; B = Blocking]

Building a Spanning Tree (3 of 3)

The tree is fully converged:
- All traffic between Host A and Host B flows through the root bridge (Switch-1)

[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3; the two links to Switch-1 are forwarding (F) and carry the Host A to Host B traffic]
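As an added example (not part of the Juniper course material), the election and least-cost calculation described on the three slides above, implemented in Python over a constructed three-switch triangle. The MAC addresses are reused from this chapter's show output; the interface names, port numbers and the link layout are assumptions.

```python
import heapq
from collections import namedtuple

# Bridge ID compares priority first, then MAC (canonical lowercase "xx:xx:..." so string
# order equals numeric order): exactly the election order described in the chapter.
BridgeId = namedtuple("BridgeId", "priority mac")
# One end of a link: which bridge, the interface name, the port number and the port cost.
PortEnd = namedtuple("PortEnd", "bridge interface number cost")
PORT_PRIORITY = 128            # chapter default; port ID = (priority, port number)


def elect_root(bridges):
    """Root bridge = lowest bridge ID (lowest priority, then lowest MAC)."""
    return min(bridges, key=bridges.get)


def root_path_costs(bridges, links, root):
    """Dijkstra from the root, using the STP priority vector as the heap key:
    (root path cost, sender bridge ID, sender port ID, own port ID).
    Cost through a port = sender's root path cost + that receiving port's cost."""
    adj = {}
    for a, b in links:
        adj.setdefault(a.bridge, []).append((a, b))
        adj.setdefault(b.bridge, []).append((b, a))
    best = {}                  # bridge -> (cost, sender ID, sender port ID, own port ID, root PortEnd)
    heap = [(0, bridges[root], (0, 0), (0, 0), None, root)]
    while heap:
        *vector, own_end, name = heapq.heappop(heap)
        if name in best:       # the first pop for a bridge is its best vector
            continue
        best[name] = (*vector, own_end)
        for own, peer in adj.get(name, []):
            if peer.bridge in best:
                continue
            heapq.heappush(heap, (vector[0] + peer.cost, bridges[name],
                                  (PORT_PRIORITY, own.number), (PORT_PRIORITY, peer.number),
                                  peer, peer.bridge))
    return best


def port_roles(bridges, links, best):
    """Role and state per port, in the abbreviations 'show spanning-tree interface' prints."""
    roles = {}
    for a, b in links:
        if a.bridge == b.bridge:       # two ports of one bridge on the same segment
            desg, other = sorted((a, b), key=lambda e: e.number)
            roles[(desg.bridge, desg.interface)] = ("DESG", "FWD")
            roles[(other.bridge, other.interface)] = ("BACK", "BLK")
            continue
        # The segment's designated port is the end with the lowest
        # (root path cost of its bridge, bridge ID, port ID).
        desg, other = sorted((a, b), key=lambda e: (best[e.bridge][0], bridges[e.bridge],
                                                   (PORT_PRIORITY, e.number)))
        roles[(desg.bridge, desg.interface)] = ("DESG", "FWD")
        if best[other.bridge][4] == other:
            roles[(other.bridge, other.interface)] = ("ROOT", "FWD")
        else:
            roles[(other.bridge, other.interface)] = ("ALT", "BLK")
    return roles


def compute_spanning_tree(bridges, links):
    root = elect_root(bridges)
    best = root_path_costs(bridges, links, root)
    return {"root": root,
            "root_path_cost": {name: vec[0] for name, vec in best.items()},
            "root_port": {name: vec[4].interface for name, vec in best.items() if vec[4]},
            "roles": port_roles(bridges, links, best)}


# Constructed sample: the three-switch triangle from the chapter's figures. All priorities are
# the default 32768, so the MAC decides; the MACs are those in the chapter's show output.
SAMPLE_BRIDGES = {
    "Switch-1": BridgeId(32768, "00:19:e2:50:3f:e0"),
    "Switch-2": BridgeId(32768, "00:19:e2:50:7c:00"),
    "Switch-3": BridgeId(32768, "00:19:e2:55:1d:40"),
}
SAMPLE_LINKS = [   # every link is 1 GbE, so both ends use the default cost 20000
    (PortEnd("Switch-1", "ge-0/0/13.0", 526, 20000), PortEnd("Switch-2", "ge-0/0/13.0", 526, 20000)),
    (PortEnd("Switch-1", "ge-0/0/14.0", 527, 20000), PortEnd("Switch-3", "ge-0/0/13.0", 526, 20000)),
    (PortEnd("Switch-2", "ge-0/0/12.0", 525, 20000), PortEnd("Switch-3", "ge-0/0/12.0", 525, 20000)),
]

if __name__ == "__main__":
    result = compute_spanning_tree(SAMPLE_BRIDGES, SAMPLE_LINKS)
    print("root bridge:", result["root"])
    for (bridge, iface), (role, state) in sorted(result["roles"].items()):
        print(f"{bridge:9} {iface:12} {state:4} {role}")
```

Lowering one switch's bridge priority in SAMPLE_BRIDGES (as an unauthorised switch with priority 4k would) moves the root and changes every role, which is the failure the protection features later in this chapter guard against.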

Reconvergence Example (1 of 2)

Steps:
1. Switch G fails
2. Switch E's port leaves the forwarding state
3. Switch E sends TCNs out its root port every 2 seconds until E's root port receives a TCN ACK (configuration BPDU)
4. Switch B sends a TCN ACK
5. Switch B sends a TCN out its root port
6. Switch A sends a TCN ACK

[Figure: tree rooted at Switch A (Root); Switch G fails and the port on Switch E that faced it leaves the forwarding state]

Reconvergence Example (2 of 2)

Steps (contd.):
7. The root bridge sets the topology change flag and sends an updated configuration BPDU
8. Switches B and C relay the topology change flag to downstream switches
9. All nonroot bridges change the MAC address forwarding table aging timer to equal the forwarding delay time (default: 15 seconds)

[Figure: tree rooted at Switch A (Root) with Switches B, D and the others; every switch shows "MAC Fwd Table Aging Time: 15 Sec"]

Agenda: Spanning Tree (section: Rapid Spanning Tree Protocol)

STP Drawbacks

- Slow convergence time
  - STP uses timers to transition between port states
  - STP can take 30 to 50 seconds to respond to a topology change (20 seconds for a BPDU to age out, 15 seconds for the listening state, and 15 seconds for the learning state)
- Root bridge is responsible for communicating the current tree topology

Rapid Spanning Tree Protocol

- RSTP was first defined in IEEE 802.1w and later incorporated into IEEE 802.1D-2004
- Convergence improvements:
  - Point-to-point link designation
  - Edge port designation
    - A port that connects to a LAN with no other bridges attached
    - It is always in the forwarding state
- Allows for rapid recovery from failures
  - A new root port or designated port can transition to forwarding without waiting for the protocol timers to expire
  - Direct and indirect link failure and recovery

RSTP Port Roles

RSTP introduces new port roles:
- Alternate port:
  - Provides an alternate path to the root bridge (essentially a backup root port)
  - Blocks traffic while receiving superior BPDUs from a neighboring switch
- Backup port:
  - Provides a redundant path to a segment (on designated switches only)
  - Blocks traffic while a more preferred port functions as the designated port

RSTP continues to use the root and designated port roles.

[Figure: Switch-1 (Root Bridge) with designated ports (D) on every link; Switch-2 and Switch-3 each with a root port (R) toward Switch-1, alternate ports (A) on redundant paths, and on Switch-2 a designated (D) and backup (B) port on the same segment. Legend: Root Port = R, Designated Port = D, Alternate Port = A, Backup Port = B]

STP and RSTP Port States

RSTP uses fewer states than STP but has the same functionality:

802.1D-1998 STP   802.1D-2004 RSTP   RSTP port roles in this state
Blocking          Discarding         Alternate, backup, and disabled ports
Listening         Discarding
Learning          Learning           Root and designated ports
Forwarding        Forwarding

Rapid Spanning Tree BPDUs

Rapid Spanning Tree BPDUs:
- Act as keepalives
  - RSTP-designated ports send Configuration BPDUs every hello time (default of 2 seconds)
- Provide faster failure detection
  - If a neighboring bridge receives no BPDU within 3 times the hello interval (3 x 2 = 6 seconds), connectivity to the neighbor is faulty

[Figure: Switch-1 (Root Bridge) with designated ports (D) on all links; Switch-2 and Switch-3 with root (R), alternate (A), designated (D) and backup (B) ports]

RST BPDU Format

Field              Octets
Protocol ID        2
Protocol Version   1
BPDU Type          1
Flags              1
Root ID            8
Root Path Cost     4
Bridge ID          8
Port ID            2
Message Age        2
Max Age            2
Hello Time         2
Forward Delay      2
Version 1 Length

RST BPDU fields that differ from STP:
- Protocol Version: 0x02 (IEEE 802.1D-2004)
- BPDU Type: 0x02 (RST BPDU)
- Flags:
  - Topology Change Acknowledgement Flag (Bit 8)
  - Agreement Flag (Bit 7)
  - Forwarding Flag (Bit 6)
  - Learning Flag (Bit 5)
  - Port Role (Bits 3 and 4)
  - Proposal Flag (Bit 2)
  - Topology Change Flag (Bit 1)
- Version 1 Length: 0x0000
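To make the field layouts concrete, here is an added Python parser (not from the course material) that decodes the 802.1D-1998 configuration and TCN BPDUs of the earlier BPDU Format slide as well as the 802.1w RST BPDU, including the flag bits listed above. It assumes the frame layout of the BPDU Ethernet Frame Format slide and the 802.1D-2004 port ID encoding (4-bit priority, 12-bit port number); the sample frame is constructed, reusing the root bridge ID from this chapter's show output.

```python
import struct

BRIDGE_GROUP_ADDRESS = bytes.fromhex("0180c2000000")  # DA of every BPDU: 01:80:C2:00:00:00
LLC_STP = b"\x42\x42\x03"                               # DSAP 0x42, SSAP 0x42, UI control field
BPDU_CONFIG, BPDU_RST, BPDU_TCN = 0x00, 0x02, 0x80
PORT_ROLES = {0: "unknown", 1: "alternate/backup", 2: "root", 3: "designated"}  # flag bits 3-4


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def bridge_id_str(raw):
    """8-octet bridge ID (2-octet priority + 6-octet MAC) in the form Junos prints."""
    return f"{struct.unpack('!H', raw[:2])[0]}.{mac_str(raw[2:])}"


def parse_bpdu(frame):
    """Decode a BPDU from an 802.3 frame. Raises ValueError for anything that is not a BPDU."""
    if len(frame) < 14 + 3 + 4:
        raise ValueError("frame too short to carry a BPDU")
    da, sa = frame[:6], frame[6:12]
    length = struct.unpack("!H", frame[12:14])[0]
    if da != BRIDGE_GROUP_ADDRESS:
        raise ValueError(f"destination {mac_str(da)} is not the bridge group address")
    if frame[14:17] != LLC_STP:
        raise ValueError("LLC header is not DSAP/SSAP 0x42 (spanning tree)")
    bpdu = frame[17:14 + length]          # length covers LLC + BPDU; trailing frame padding is dropped
    proto_id, version, bpdu_type = struct.unpack("!HBB", bpdu[:4])
    if proto_id != 0x0000:
        raise ValueError(f"unexpected protocol ID 0x{proto_id:04x}")
    info = {"source_mac": mac_str(sa), "version": version, "type": bpdu_type}
    if bpdu_type == BPDU_TCN:             # TCN BPDUs carry nothing beyond the 4-octet header
        info["kind"] = "TCN"
        return info
    if bpdu_type not in (BPDU_CONFIG, BPDU_RST) or len(bpdu) < 35:
        raise ValueError(f"unsupported or truncated BPDU type 0x{bpdu_type:02x}")
    (flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = struct.unpack("!B8sI8sHHHHH", bpdu[4:35])
    info.update(
        kind="RST" if bpdu_type == BPDU_RST else "Configuration",
        root_id=bridge_id_str(root_id),
        root_path_cost=root_cost,
        bridge_id=bridge_id_str(bridge_id),
        # 802.1D-2004 port ID: 4-bit priority (steps of 16) + 12-bit port number, shown as 128:526
        port_id=f"{(port_id >> 12) << 4}:{port_id & 0x0FFF}",
        # timer fields are carried in units of 1/256 second
        message_age=msg_age / 256, max_age=max_age / 256,
        hello_time=hello / 256, forward_delay=fwd_delay / 256,
        flags={"topology_change": bool(flags & 0x01),        # bit 1
               "tc_ack": bool(flags & 0x80)},                # bit 8
    )
    if bpdu_type == BPDU_RST:             # 802.1w uses the six middle flag bits as well
        info["flags"].update(
            proposal=bool(flags & 0x02),                     # bit 2
            port_role=PORT_ROLES[(flags >> 2) & 0x03],       # bits 3 and 4
            learning=bool(flags & 0x10),                     # bit 5
            forwarding=bool(flags & 0x20),                   # bit 6
            agreement=bool(flags & 0x40),                    # bit 7
        )
        # 802.1D-2004 appends a one-octet Version 1 Length field, always 0x00
        info["version1_length"] = bpdu[35] if len(bpdu) > 35 else None
    return info


def build_frame(bpdu, src_mac):
    """Constructed test helper: wrap a BPDU in an 802.3 frame with the STP LLC header."""
    payload = LLC_STP + bpdu
    frame = BRIDGE_GROUP_ADDRESS + src_mac + struct.pack("!H", len(payload)) + payload
    return frame.ljust(60, b"\x00")       # pad to the minimum Ethernet frame size (without FCS)


# Constructed sample: an RST BPDU as the root bridge from the chapter's show output
# (Root ID 4096.00:19:e2:55:36:00) would send from its port 128:526.
ROOT_MAC = bytes.fromhex("0019e2553600")
SAMPLE_RST_BPDU = struct.pack(
    "!HBBB8sI8sHHHHHB",
    0x0000, 0x02, BPDU_RST,
    0x3C,                                  # learning + forwarding + port role 3 (designated)
    struct.pack("!H", 4096) + ROOT_MAC,    # Root ID
    0,                                     # root path cost: the root advertises 0
    struct.pack("!H", 4096) + ROOT_MAC,    # Bridge ID equals Root ID on the root bridge
    ((128 >> 4) << 12) | 526,              # Port ID 128:526
    0, 20 * 256, 2 * 256, 15 * 256,        # message age 0, max age 20 s, hello 2 s, forward delay 15 s
    0x00,                                  # Version 1 Length
)
SAMPLE_TCN_BPDU = struct.pack("!HBB", 0x0000, 0x00, BPDU_TCN)

if __name__ == "__main__":
    print(parse_bpdu(build_frame(SAMPLE_RST_BPDU, ROOT_MAC)))
    print(parse_bpdu(build_frame(SAMPLE_TCN_BPDU, ROOT_MAC)))
```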

Transitioning to the Forwarding State

STP:
- Takes 30 seconds before the ports start forwarding traffic after port enablement
  - 2x forwarding delay (listening + learning)

RSTP:
- Uses a proposal-and-agreement handshake on point-to-point links instead of timers
  - Exceptions are alternate ports, which immediately transition to root, and edge ports, which immediately transition to the forwarding state
  - Nonedge designated ports transition to the forwarding state once they receive explicit agreement

Topology Change Reconvergence

Topology changes occur only when nonedge ports transition to the forwarding state:
- Port transitions to the discarding state no longer trigger the STP TCN/TCN Acknowledgment sequence
- The initiator sends RSTP TCNs (RST BPDU with TCN flag set) out of all designated ports as well as out of the root port
- Because of the received RSTP TCN, switches flush the majority of MAC addresses in the bridge table
  - Switches do not flush MAC addresses learned from edge ports
  - Switches do not flush MAC addresses learned on the port receiving the TCN

Indirect Link Failure

When an indirect link failure occurs:
- Switch-2's root port fails; it assumes it is the new root
- Switch-3 receives inferior BPDUs from Switch-2; it moves the alternate port to the designated port role
- Switch-2 receives superior BPDUs, knows it is not the root, and designates the port connecting to Switch-3 as the root port

Note: The failure is from the perspective of Switch-3.

[Figure: Before: Switch-1 (Root Bridge) with forwarding (F) ports to Switch-2 and Switch-3; Switch-2 and Switch-3 each have a root port (R, F) toward Switch-1; on the Switch-2 to Switch-3 link, Switch-2's port is designated (D, F) and Switch-3's port is alternate (A, B). After: the link between Switch-1 and Switch-2 has failed; Switch-2 sends an inferior BPDU toward Switch-3, Switch-3's port becomes designated (D, F) and replies with a superior BPDU, and Switch-2's port toward Switch-3 becomes its root port (R, F). Legend: Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A]

Direct Link Failure

When a direct link failure occurs:
- The alternate port transitions to the forwarding state and assumes the root port role following the failure of the old root port
- Switch-3 signals upstream switches to flush their MAC tables by sending RSTP TCNs out the new root port
  - Upstream switches only flush MAC entries that they learned on active ports that did not receive the RSTP TCNs (except edge ports)

Note: The failure is from the perspective of Switch-3.

[Figure: Before: Switch-1 (Root Bridge) with forwarding (F) ports to Switch-2 and Switch-3; Switch-2 and Switch-3 each have a root port (R, F) toward Switch-1; on the Switch-2 to Switch-3 link, Switch-2's port is designated (D, F) and Switch-3's port is alternate (A, B). After: the link between Switch-1 and Switch-3 has failed; Switch-3's former alternate port toward Switch-2 becomes its root port (R, F) and Switch-2's port stays designated (D, F). Legend: Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A]

RSTP Interoperability with STP

STP and RSTP interoperability considerations:
- If a switch supports only the STP protocol, it discards any RSTP BPDUs it receives
- If an RSTP-capable switch receives STP BPDUs, it reverts to STP mode on the receiving interface only and sends STP BPDUs

[Figure: Switch-1 (Protocol Version 0, STP) connected to Switch-2 (Protocol Version 0x02, RSTP), which is connected to Switch-3 (Protocol Version 0x02, RSTP); the Switch-1 to Switch-2 link runs STP and the Switch-2 to Switch-3 link runs RSTP]

Agenda: Spanning Tree (section: Configuring and Monitoring RSTP)

Configuring RSTP

[edit protocols rstp]
user@switch# show
bridge-priority 32k;
max-age 20;
hello-time 2;
forward-delay 15;
interface ge-0/0/10.0 {
    disable;
}
interface ge-0/0/13.0 {
    cost 20000;
    mode point-to-point;
}
interface ge-0/0/14.0 {
    priority 128;
    mode shared;
}
interface ge-0/0/2.0 {
    edge;
}

Callouts on the configuration:
- bridge-priority 32k, max-age 20, hello-time 2, forward-delay 15: Default RSTP settings
- disable: Excludes the interface from participating in RSTP
- cost 20000: Default cost value for interfaces operating at 1 Gbps
- mode point-to-point: Default interface mode for interfaces operating in full-duplex mode
- priority 128: Default priority value (used to influence downstream devices' least-cost path calculation to the root bridge; lower is better)
- mode shared: Default interface mode for interfaces operating in half-duplex mode
- edge: Default value for interfaces that do not connect to STP-enabled devices

Monitoring STP and RSTP (1 of 2)

user@switch> show spanning-tree ?
Possible completions:
  bridge               Show STP bridge parameters
  interface            Show STP interface parameters
  mstp                 Show Multiple Spanning Tree Protocol information
  statistics           Show STP statistics

user@switch> show spanning-tree bridge
STP bridge parameters
Context ID                          : 0
Enabled protocol                    : RSTP
  Root ID                           : 4096.00:19:e2:55:36:00
  Root cost                         : 40000
  Root port                         : ge-0/0/13.0
  Hello time                        : 2 seconds
  Maximum age                       : 20 seconds
  Forward delay                     : 15 seconds
  Message age                       : 2
  Number of topology changes        : 2
  Time since last topology change   : 72 seconds
  Local parameters
    Bridge ID                       : 32768.00:19:e2:55:1d:40
    Extended system ID              : 0
    Internal instance ID            : 0

Callouts on the output:
- Root ID: the root bridge's ID
- Root cost: cumulative cost to the root bridge
- Root port: the root port
- Bridge ID (under Local parameters): the local device's bridge ID

Monitoring STP and RSTP (2 of 2)

user@switch> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-0/0/10.0  128:523   128:523      32768.0019e2507c00  20000   BLK    ALT
ge-0/0/11.0  128:524   128:524      32768.0019e2507c00  20000   BLK    ALT
ge-0/0/12.0  128:525   128:525      32768.0019e2507c00  20000   BLK    ALT
ge-0/0/13.0  128:526   128:526      32768.0019e2503fe0  20000   FWD    ROOT
ge-0/0/14.0  128:527   128:527      32768.0019e2503fe0  20000   BLK    ALT
ge-0/0/15.0  128:528   128:528      32768.0019e2503fe0  20000   BLK    ALT

user@switch> show spanning-tree statistics interface
Interface    BPDUs sent   BPDUs received   Next BPDU transmission
ge-0/0/10.0  7            5                0
ge-0/0/11.0  7            5                0
ge-0/0/12.0  7            5                0
ge-0/0/13.0  7            4                0
ge-0/0/14.0  7            5                0
ge-0/0/15.0  7            5                0

Test Your Knowledge (1 of 4)

Which switch will be elected the root bridge?

[Figure: Switch-1 (labelled Root Bridge), Switch-2, Switch-3 and Switch-4 interconnected; interface labels shown include ge-0/0/1.0, ge-0/0/8.0 and ge-0/0/12.0]

{master:0}[edit protocols rstp]
user@Switch-1# show
bridge-priority 4k;
interface ge-0/0/8.0 {
    cost 1;
}
interface all {
    priority 128;
    cost 200000;
}

{master:0}[edit protocols rstp]
user@Switch-2# show
bridge-priority 8k;
interface ge-0/0/10.0 {
    cost 1;
}
interface all {
    priority 16;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-3# show
bridge-priority 32k;
interface all {
    priority 16;
    cost 2000;
}

{master:0}[edit protocols rstp]
user@Switch-4# show
bridge-priority 36k;
interface all {
    priority 128;
    cost 20000;
}

Test Your Knowledge (2 of 4)

What role and state will be assigned to the various switch ports?

(Switch configurations as shown in Test Your Knowledge (1 of 4).)

[Figure: the same topology with the answer overlaid: Switch-1 (Root Bridge) ports D,F; each other switch has one R,F port toward the root, D,F ports on segments it is designated for, and A,B ports on redundant paths. Legend: Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A]

Test Your Knowledge (3 of 4)

Assume ge-0/0/8 on Switch-1 has failed. What role and state will be assigned to the remaining ports?

(Switch configurations as shown in Test Your Knowledge (1 of 4).)

[Figure: the same topology with ge-0/0/8.0 on Switch-1 failed and the answer overlaid: Switch-1 (Root Bridge) ports D,F; each other switch has one R,F port toward the root, D,F ports on segments it is designated for, and A,B ports on redundant paths. Legend: Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A]

Test Your Knowledge (4 of 4)

Based on the modified configurations, what role and state will be assigned to Switch-4's ports?

[Figure: Switch-1 (Root Bridge), Switch-2, Switch-3 and Switch-4; Switch-4's ports ge-0/0/8.0 and ge-0/0/12.0 shown with the answer overlaid (R,F and A,B). Legend: Forwarding = F, Blocking = B, Root Port = R, Designated Port = D, Alternate Port = A]

{master:0}[edit protocols rstp]
user@Switch-1# show
bridge-priority 4k;
interface all {
    priority 128;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-2# show
bridge-priority 32k;
interface all {
    priority 16;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-3# show
bridge-priority 32k;
interface all {
    priority 16;
    cost 20000;
}

{master:0}[edit protocols rstp]
user@Switch-4# show
bridge-priority 36k;
interface ge-0/0/8.0 {
    priority 32;
}
interface ge-0/0/12.0 {
    priority 16;
}

Agenda: Spanning Tree (section: Protection Features, BPDU Protection)

What If?

Given the topology below, what if User A connects a personal (unauthorized) switch running the spanning tree protocol to Switch-2?

[Figure: left, Switch-1 (Root Bridge), Switch-2 and Switch-3 with User A attached to Switch-2; right, the same topology after User A's switch exchanges BPDUs with Switch-2 and becomes part of the spanning tree]

Answer: BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become part of the spanning tree, potentially leading to a network outage.

BPDU Protection

BPDU protection prevents rogue switches from connecting to the network and causing undesired Layer 2 topology changes and possible outages:
- If a BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state

[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3 with User A attached to Switch-2; the edge port is disabled when a BPDU is received on the protected interface]

Configuring BPDU Protection

BPDU protection can be enabled on switches whether or not the spanning tree protocol is enabled:

Use the bpdu-block-on-edge option when the spanning tree protocol is enabled:

{master:0}[edit protocols rstp]
user@Switch-2# show
interface ge-0/0/6.0 {
    edge;
}
bpdu-block-on-edge;

Use the bpdu-block option when the spanning tree protocol is not enabled:

{master:0}[edit ethernet-switching-options]
user@Switch-2# show
bpdu-block {
    interface ge-0/0/6.0;
}

[Figure: User A attached to Switch-2 on ge-0/0/6.0]

Monitoring BPDU Protection

Before a BPDU is received on the protected interface (before the BPDU violation):

{master:0}
user@Switch-2> show spanning-tree interface ge-0/0/6.0
Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-0/0/6.0   128:519   128:519      32768.0019e2516580  20000   FWD    DESG

{master:0}
user@Switch-2> show ethernet-switching interfaces ge-0/0/6.0
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   up     default            untagged  unblocked

After a BPDU is received on the protected interface (after the BPDU violation):

{master:0}
user@Switch-2> show spanning-tree interface ge-0/0/6.0

{master:0}
user@Switch-2> show ethernet-switching interfaces ge-0/0/6.0
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/6.0   down   default            untagged  Disabled by bpdu-control

Re-enables the interface:

{master:0}
user@Switch-2> clear ethernet-switching bpdu-error interface ge-0/0/6.0

[Figure: User A attached to Switch-2 on ge-0/0/6.0]

Agenda: Spanning Tree (section: Protection Features, Loop Protection)

What If?

Given the topology below, what if BPDUs sent by Switch-2 were not received by Switch-3?

[Figure: left, Switch-1 (Root Bridge), Switch-2 and Switch-3, with Switch-3's port toward Switch-2 in the alternate (A) role and Switch-2's in the designated (D) role; BPDUs are not received due to a uni-directional link failure or a software configuration issue. Right, the same topology with a Layer 2 loop after Switch-3's port becomes designated]

Answer: Switch-3 waits until the max-age timer expires, then transitions its alternate port to the designated port role and the forwarding state, thus removing the blocked port and causing a Layer 2 loop.

Loop Protection

The loop protection feature provides additional protection against Layer 2 loops by preventing non-designated ports from becoming designated ports:
- Enable loop protection on all non-designated ports
- Ports that detect the loss of BPDUs transition to the loop-inconsistent role, which maintains the blocking state
  - The port automatically transitions back to its previous or a new role when it receives a BPDU

[Figure: Switch-1 (Root Bridge) with designated (D) ports; Switch-2 with a root (R) port and a designated (D) port; Switch-3 with a root (R) port and an alternate (A) port protected by loop protection]

Configuring Loop Protection

Configure loop protection on non-designated ports (root and alternate ports):

{master:0}[edit protocols rstp]
user@Switch-3# show
interface ge-0/0/10.0 {
    bpdu-timeout-action {
        block;
    }
}
interface ge-0/0/12.0 {
    bpdu-timeout-action {
        block;
    }
}

Use the block or alarm action in conjunction with the loop protection feature.

[Figure: Switch-1 (Root Bridge), Switch-2 and Switch-3; loop protection on Switch-3's ports, including ge-0/0/12.0 toward Switch-2]

Monitoring Loop Protection

When BPDUs are received on the protected interface:

{master:0}
user@Switch-3> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-0/0/10.0  128:523   128:523      4096.002688027490   20000   FWD    ROOT
ge-0/0/12.0  128:525   128:525      16384.0019e2516580  20000   BLK    ALT

When BPDUs are not received on the protected interface:

{master:0}
user@Switch-3> show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-0/0/10.0  128:523   128:523      4096.002688027490   20000   FWD    ROOT
ge-0/0/12.0  128:525   128:525      32768.0019e2553600  20000   BLK    DIS (Loop-Incon)

Agenda: Spanning Tree (section: Protection Features, Root Protection)

What If?

Given the topology and details below, what if a rogue switch with a bridge priority of 4K was connected to the Layer 2 network?

[Figure: left, Switch-1 (Root Bridge, Priority = 8k) in the aggregation layer with Switch-2 (Priority = 32k) and Switch-3 (Priority = 32k) in the access layer; right, the rogue switch attached to an access switch exchanges BPDUs and is labelled "New root bridge"]

Answer: BPDUs would be exchanged, a new STP calculation would occur, and the rogue switch would become the new root bridge, potentially leading to a network outage.

Root Protection

Enable root protection to avoid unwanted STP topology changes and root bridge placement:
- If a superior BPDU is received on a protected interface, the interface is disabled and transitions to the blocking state

Root protection is typically configured on the ports of aggregation switches that connect to access switches.

[Figure: aggregation layer: Switch-1 (Root Bridge, Priority = 4k) and Switch-2 (Priority = 8k); access layer: Switch-3, Switch-4 and Switch-5 (Priority = 32k each)]

Configuring Root Protection

Enable root protection on ports that should not receive superior BPDUs from the root bridge and should not be elected as the root port:

{master:0}[edit protocols rstp]
user@Switch-1# show
bridge-priority 4k;
interface all {
    no-root-port;
}

{master:0}[edit protocols rstp]
user@Switch-2# show
bridge-priority 8k;
interface ge-0/0/6.0 {
    no-root-port;
}
interface ge-0/0/7.0 {
    no-root-port;
}
interface ge-0/0/8.0 {
    no-root-port;
}

[Figure: aggregation layer: Switch-1 (Root Bridge, Priority = 4k) with ge-0/0/12.0 and ge-0/0/13.0 toward Switch-2 (Priority = 8k); access layer: Switch-3, Switch-4 and Switch-5 (Priority = 32k each)]

Monitoring Root Protection

Before a superior BPDU is received on the protected interface:

{master:0}
user@Switch-1> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-0/0/6.0   128:519   128:519      4096.0019e2516580   20000   FWD    DESG
ge-0/0/7.0   128:520   128:520      4096.0019e2516580   20000   FWD    DESG
ge-0/0/8.0   128:521   128:521      4096.0019e2516580   20000   FWD    DESG
ge-0/0/12.0  128:525   128:525      4096.0019e2516580   20000   FWD    DESG
ge-0/0/13.0  128:526   128:526      4096.0019e2516580   20000   FWD    DESG

After a superior BPDU is received on the protected interface:

{master:0}
user@Switch-1> show spanning-tree interface

Spanning tree interface parameters for instance 0

Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-0/0/6.0   128:519   128:519      0.002688027490      20000   BLK    ALT (Root-Incon)
ge-0/0/7.0   128:520   128:520      4096.0019e2516580   20000   FWD    DESG
ge-0/0/8.0   128:521   128:521      4096.0019e2516580   20000   FWD    DESG
ge-0/0/12.0  128:525   128:525      4096.0019e2516580   20000   FWD    DESG
ge-0/0/13.0  128:526   128:526      4096.0019e2516580   20000   FWD    DESG

[Figure: Switch-1 (Root Bridge, Priority = 4k)]
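As an added example (not part of the course material), a small Python audit that scans the show spanning-tree interface and show ethernet-switching interfaces output from the BPDU, loop and root protection monitoring slides and reports every port that a protection feature has blocked or disabled, with the recovery step the chapter gives. The column layout is assumed to match the slides; the sample output is constructed from rows shown in this chapter.

```python
import re

# One row of "show spanning-tree interface": Interface, Port ID, Designated port ID,
# Designated bridge ID, Port Cost, State, Role (the role may carry an inconsistency tag).
STP_ROW = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<port_id>\d+:\d+)\s+(?P<desg_port>\d+:\d+)\s+"
    r"(?P<desg_bridge>\d+\.[0-9a-fA-F]+)\s+(?P<cost>\d+)\s+(?P<state>FWD|BLK|DIS)\s+"
    r"(?P<role>[A-Z]+)(?:\s+\((?P<tag>[\w-]+)\))?\s*$"
)
# One row of "show ethernet-switching interfaces": Interface, State, VLAN members, Tagging, Blocking.
ESW_ROW = re.compile(
    r"^(?P<ifname>\S+)\s+(?P<state>up|down)\s+(?P<vlan>\S+)\s+"
    r"(?P<tagging>tagged|untagged)\s+(?P<blocking>.+?)\s*$"
)


def parse_stp_interfaces(text):
    """Rows of 'show spanning-tree interface' as dicts; banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = STP_ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def audit_protection(stp_text, esw_text):
    """One finding per port that BPDU, loop or root protection has removed from the active topology."""
    findings = []
    for row in parse_stp_interfaces(stp_text):
        tag = (row["tag"] or "").lower()
        if tag == "loop-incon":
            findings.append({"interface": row["ifname"], "feature": "loop protection",
                             "detail": "no BPDUs received on a non-designated port; held in the "
                                       "blocking state (check for a unidirectional link or a "
                                       "configuration problem on the neighbour)"})
        elif tag == "root-incon":
            findings.append({"interface": row["ifname"], "feature": "root protection",
                             "detail": f"superior BPDU received from bridge {row['desg_bridge']}; "
                                       "port blocked until the superior BPDUs stop"})
    for line in esw_text.splitlines():
        match = ESW_ROW.match(line.strip())
        if match and "bpdu-control" in match.group("blocking"):
            ifname = match.group("ifname")
            findings.append({"interface": ifname, "feature": "BPDU protection",
                             "detail": "BPDU received on a protected edge port; interface disabled. "
                                       "Once the offending device is gone, re-enable with: "
                                       f"clear ethernet-switching bpdu-error interface {ifname}"})
    return findings


# Constructed sample output, assembled from the rows shown on this chapter's monitoring slides.
SAMPLE_STP_OUTPUT = """\
Spanning tree interface parameters for instance 0
Interface    Port ID   Designated   Designated          Port    State  Role
                       port ID      bridge ID           Cost
ge-0/0/6.0   128:519   128:519      0.002688027490      20000   BLK    ALT (Root-Incon)
ge-0/0/7.0   128:520   128:520      4096.0019e2516580   20000   FWD    DESG
ge-0/0/10.0  128:523   128:523      4096.002688027490   20000   FWD    ROOT
ge-0/0/12.0  128:525   128:525      32768.0019e2553600  20000   BLK    DIS (Loop-Incon)
"""
SAMPLE_ESW_OUTPUT = """\
Interface    State  VLAN members  Tag  Tagging   Blocking
ge-0/0/5.0   up     default            untagged  unblocked
ge-0/0/6.0   down   default            untagged  Disabled by bpdu-control
"""

if __name__ == "__main__":
    for finding in audit_protection(SAMPLE_STP_OUTPUT, SAMPLE_ESW_OUTPUT):
        print(f"{finding['interface']:12} {finding['feature']:16} {finding['detail']}")
```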

Summary

In this chapter, we:
- Explained when a spanning tree is required
- Described STP and RSTP operations
- Listed some advantages of using RSTP over STP
- Configured and monitored RSTP
- Described the BPDU, loop, and root protection features
- Configured and monitored the BPDU, loop, and root protection features

Review Questions

1. What is the purpose of STP?
2. Describe how to build a spanning tree.
3. How are STP and RSTP different?
4. What is the purpose of the BPDU protection feature?

Lab 3: Implementing Spanning Tree

Configure and monitor RSTP and protection features.
