SRX


STP protocol problem

  • 1.  STP protocol problem

    Posted 04-04-2019 01:51

    Hello Everybody,

    I have the following setup: modem --> SRX100H2 --> Netgear GS716Tv3 switch --> (rest of the network including Hyper-V infrastructure, DC/DHCP, and Unifi WAP)

    On SRX100H2 I have the following interfaces that are all part of vlan1, configured with an IP address of 192.168.1.254/24, and Windows Server (DC) is the DHCP server for this subnet.

    fe-0/0/1 - fe-0/0/6  

     

    Interface fe-0/0/7 is currently configured in trunk mode with 2 vlans (Home, Office)

    vlan Home - ip address is 10.0.20.1/24 and SRX100H2 is DHCP for this subnet

    vlan Office - ip address is 192.168.10.1/24 and SRX100H2 is DHCP for this subnet

     

    I am experiencing a problem where, with STP enabled on the SRX, clients on fe-0/0/7 (Home and Office) are not getting DHCP addresses.

     

    Worth mentioning that the Netgear switch connected to fe-0/0/7 has STP enabled.

     

    Here is what I can see on SRX100H2 with STP enabled (DHCP not distributing IP addresses)


    > show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    fe-0/0/1.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/2.0   up     vlan1         3    untagged  unblocked
    fe-0/0/3.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/4.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/5.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/6.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/7.0   up     Home          10   untagged  blocked by STP
                        Home          10   tagged    blocked by STP
                        Office        20   tagged    blocked by STP

     

    Here is what I can see on SRX100H2 with STP disabled (Clients are getting IP addresses ok)

    > show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    fe-0/0/1.0   down   vlan1         3    untagged  unblocked
    fe-0/0/2.0   up     vlan1         3    untagged  unblocked
    fe-0/0/3.0   down   vlan1         3    untagged  unblocked
    fe-0/0/4.0   down   vlan1         3    untagged  unblocked
    fe-0/0/5.0   down   vlan1         3    untagged  unblocked
    fe-0/0/6.0   down   vlan1         3    untagged  unblocked
    fe-0/0/7.0   up     Home          10   untagged  unblocked
                        Home          10   tagged    unblocked
                        Office        20   tagged    unblocked

     

    I guess it is not recommended to disable STP on fe-0/0/7. How do I resolve this problem then? Please help.



  • 2.  RE: STP protocol problem

    Posted 04-04-2019 09:58

    Hi itcode

     

    Can you share the following command from both scenarios: 

     

    > show spanning-tree interface

     



  • 3.  RE: STP protocol problem

    Posted 04-04-2019 10:19

    Outcome with STP enabled:

    Spanning tree interface parameters for instance 0

    Interface    Port ID   Designated  Designated           Port    State  Role
                           port ID     bridge ID            Cost
    fe-0/0/2.0   128:515   128:6       32768.10da4300d464   200000  FWD    ROOT
    fe-0/0/7.0   128:520   128:12      32768.10da4300d464   200000  BLK    ALT

     

    Outcome with STP disabled:

    Spanning-tree is not enabled at global level.

     

    Thanks

     



  • 4.  RE: STP protocol problem

    Posted 04-04-2019 10:30

    itcode,

     

    The port is getting blocked due to STP calculations, is your topology redundant for vlan Home?

     

    Please share:

     

    # show interface fe-0/0/7

    show ethernet-switching interfaces fe-0/0/7 detail

    show spanning-tree bridge detail

     



  • 5.  RE: STP protocol problem

    Posted 04-04-2019 10:49

    # show interfaces fe-0/0/7
    fastether-options {
        no-loopback;
        no-auto-negotiation;
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ Home Office ];
            }
            native-vlan-id 10;
        }
    }

    > show ethernet-switching interfaces fe-0/0/7 detail
    Interface: fe-0/0/7.0, Index: 81, State: up, Port mode: Trunk
    Native vlan: Home
    Ether type for the interface: 0x8100
    VLAN membership:
        Home, 802.1Q Tag: 10, untagged, msti-id: 0, blocked by STP
        Home, 802.1Q Tag: 10, tagged, msti-id: 0, blocked by STP
        Office, 802.1Q Tag: 20, tagged, msti-id: 0, blocked by STP
    Number of MACs learned on IFL: 0


    > show spanning-tree bridge detail

    STP bridge parameters
    Context ID                        : 0
    Enabled protocol                  : STP
      Root ID                         : 32768.10:da:43:00:d4:64
      Root cost                       : 200000
      Root port                       : fe-0/0/2.0
      Hello time                      : 2 seconds
      Maximum age                     : 20 seconds
      Forward delay                   : 15 seconds
      Message age                     : 1
      Number of topology changes      : 1
      Time since last topology change : 1838 seconds
      Topology change initiator       : fe-0/0/2.0
      Topology change last recvd. from: 10:da:43:00:d4:66
      Local parameters
        Bridge ID                     : 32768.50:c5:8d:2f:c9:c8
        Extended system ID            : 0
        Internal instance ID          : 0
        Hello time                    : 2 seconds
        Maximum age                   : 20 seconds
        Forward delay                 : 15 seconds
        Path cost method              : 32 bit



  • 6.  RE: STP protocol problem

    Posted 04-04-2019 11:17

    It looks like the topology is redundant via fe-0/0/2 because we are using regular STP. 

     

    > show spanning-tree bridge detail

    STP bridge parameters
    Context ID                        : 0
    Enabled protocol                  : STP
      Root ID                         : 32768.10:da:43:00:d4:64
      Root cost                       : 200000
      Root port                       : fe-0/0/2.0

    Can you confirm if ports fe-0/0/1-6 also connect to the Netgear Switch? 

    I believe you can enable STP per VLAN with the following command:

     

    # set protocols vstp

     



  • 7.  RE: STP protocol problem

    Posted 04-04-2019 11:27

    Only ports fe-0/0/2 and fe-0/0/7 are in use, and yes, they are both connected to the Netgear switch.

     

    Sorry, I'm not sure if I understand; are you saying that I should enable STP for all VLANs and disable it globally?



  • 8.  RE: STP protocol problem

    Posted 04-04-2019 11:39
    The STP you are using (legacy STP) works globally and will block redundant ports regardless of configured VLANs. In your case you have 2 ports going to the same switch, so STP will block one of these ports because they are redundant.

    Ideally, STP should work per vlan (per vlan STP). In this case the devices will understand that fe-0/0/7 is part of vlan Home but fe-0/0/2 is not, hence those ports are not redundant and will not be blocked. I hope I was able to explain myself, please let me know.

    I suggest checking how to enable per-VLAN STP on both devices.
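
    The blocking described above can be checked mechanically. The script below is an added example (not part of the thread and not Juniper code): it parses the `show ethernet-switching interfaces` output quoted in the first post (a constructed copy is embedded) and lists every VLAN whose member ports are all down or "blocked by STP", i.e. the VLANs whose DHCP requests can never reach the SRX. The row regex and the continuation-row handling are assumptions about the output layout as it appears in this thread.

    ```python
    import re
    from collections import defaultdict

    # Constructed sample that mirrors the "show ethernet-switching interfaces"
    # output quoted in the first post (STP enabled, fe-0/0/7 blocked).
    SAMPLE_BLOCKED = """\
    Interface State VLAN members Tag Tagging Blocking
    fe-0/0/1.0 down vlan1 3 untagged blocked by STP
    fe-0/0/2.0 up vlan1 3 untagged unblocked
    fe-0/0/7.0 up Home 10 untagged blocked by STP
    Home 10 tagged blocked by STP
    Office 20 tagged blocked by STP
    """

    # One row per VLAN membership. Continuation rows (the "Home 10 tagged ..."
    # lines of the real output) carry no interface column and inherit the
    # interface and link state of the previous row.
    ROW = re.compile(
        r"^(?:(?P<ifl>\S+\.\d+)\s+(?P<state>up|down)\s+)?"
        r"(?P<vlan>\S+)\s+(?P<tag>\d+)\s+(?P<tagging>tagged|untagged)\s+"
        r"(?P<blocking>unblocked|blocked by STP)$"
    )

    def parse_switching(text):
        """Return (ifl, state, vlan, tag, tagging, blocking) tuples."""
        rows, ifl, state = [], None, None
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith("Interface "):
                continue  # blank line or column header
            m = ROW.match(line)
            if m is None:
                raise ValueError(f"unrecognised row: {line!r}")
            if m.group("ifl"):
                ifl, state = m.group("ifl"), m.group("state")
            rows.append((ifl, state, m.group("vlan"), int(m.group("tag")),
                         m.group("tagging"), m.group("blocking")))
        return rows

    def isolated_vlans(rows):
        """VLANs with no member port that is both link-up and forwarding.
        Such a VLAN cannot reach the SRX's own DHCP server on that VLAN."""
        forwarding = defaultdict(bool)
        for _ifl, state, vlan, tag, _tagging, blocking in rows:
            forwarding[(vlan, tag)] |= (state == "up" and blocking == "unblocked")
        return sorted(v for v, ok in forwarding.items() if not ok)

    if __name__ == "__main__":
        for vlan, tag in isolated_vlans(parse_switching(SAMPLE_BLOCKED)):
            print(f"VLAN {vlan} (tag {tag}): every member port is down or STP-blocked")
    ```

    Run against the STP-disabled output from the first post the list is empty, which matches the thread's observation that clients only get addresses in that state.
    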



  • 9.  RE: STP protocol problem

    Posted 04-04-2019 12:00

    I think I understand.

     

    I enabled STP per VLAN as you advised, using the following command:

    set protocols vstp vlan [vlan name]

    I am unable to test if it worked as there are no clients/devices connected to Home WiFi now, but I'll test tomorrow.

     

    Thanks for all your help for now.



  • 10.  RE: STP protocol problem

    Posted 04-04-2019 12:11
    Maybe in the meantime you can check if the ports are still showing in block status. Please also note that the change has to be done on the netgear switch as well.


  • 11.  RE: STP protocol problem

    Posted 04-04-2019 12:22
    I already checked. Here is the outcome:

    > show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    fe-0/0/1.0   down   vlan1         3    untagged  unblocked
    fe-0/0/2.0   up     vlan1         3    untagged  unblocked
    fe-0/0/3.0   down   vlan1         3    untagged  unblocked
    fe-0/0/4.0   down   vlan1         3    untagged  unblocked
    fe-0/0/5.0   down   vlan1         3    untagged  unblocked
    fe-0/0/6.0   down   vlan1         3    untagged  unblocked
    fe-0/0/7.0   up     Home          10   untagged  unblocked
                        Home          10   tagged    unblocked
                        Office        20   tagged    unblocked

    Re the Netgear switch: I can't see the option anywhere in the web interface to get this done. I'll do some more research on this.


  • 12.  RE: STP protocol problem

    Posted 04-04-2019 14:09

    Nice, at least we can see they are unblocked now. Keep us updated.

     

     



  • 13.  RE: STP protocol problem

    Posted 04-04-2019 15:23

    Hi there,

     

    I see that the issue is already resolved by using VSTP instead of STP, but ideally any switch interface connected to an L3 interface on the SRX should NOT be using STP at all, because by definition L3 interfaces break any L2 loops.

     

    Thanks!



  • 14.  RE: STP protocol problem

    Posted 04-04-2019 15:51
    Well, we don’t know yet whether the problem is resolved or not. I’ll test it tomorrow.

    Could you please send a link to a Juniper KB article or any other source material that would support what you just said?

    I just want to be sure that I am following best practices before disabling STP on the Netgear switch altogether.


  • 15.  RE: STP protocol problem
    Best Answer

    Posted 04-04-2019 17:43

    Actually, I don't think it is resolved. I just confirmed that VSTP is not supported on SRX:

     

    "VSTP is not supported on the SRX platform - just STP/RSTP/MSTP are supported on SRX Series."

     

    Ref: https://www.juniper.net/documentation/en_US/junos/topics/concept/spanning-trees-ex-series-vstp-understanding.html

    Ref: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/spanning-tree-configuring-vstp.html

     

    This being the case, I would suggest either of the two following options:

     

    1. Make both links trunks and pass all three VLANs (Home, Office and vlan1) over them, so that no matter which link is blocked the traffic will still be forwarded between the SRX and the switch. If the primary link fails, the redundant one will be unblocked and the traffic from the 3 VLANs will continue to work.

     

    2. Create an Aggregate Ethernet interface (bundle of physical interfaces) between the SRX and the switch and configure it as a trunk passing the 3 VLANs. This way both devices will see the interface as 1 link and there will be no problems with redundant links getting blocked. If any of the physical interfaces fails, the rest will continue to be part of the Aggregate Ethernet interface and no traffic disruption should happen. Plus you will have the bandwidth of all the ports combined in a single logical link.

     

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/link-aggregation-cli.html

     

     

     



  • 16.  RE: STP protocol problem

    Posted 04-05-2019 06:02

    It's all getting very complicated for my client's small network.

     

    Question:

    Is it possible to add interface fe-0/0/7 to vlan.1 as well as vlan Home and vlan Office?

     

    This way I could unplug the cable connected to fe-0/0/2 and I could enable STP globally.

     

    The question is:

    Is it possible to pass traffic from vlan.1 and also tagged traffic from Home and Office vlans on one interface (fe-0/0/7) ?

     

    Would that work?

    Basically I want the clients connected to WiFi in the 'Home' VLAN to be denied access to 'vlan.1' and 'Office',

    And allow traffic

    vlan.1 <-> Office

     

    I will have to document the network and I want it to be as simple as possible for 1st line Engineers to be able to support this.

     



  • 17.  RE: STP protocol problem

    Posted 04-08-2019 03:39

    I just read your comment again and I realised that you actually suggested a very similar approach to mine:

    If I am going to add vlan.1 on fe-0/0/7 interface and unplug the cable from fe-0/0/2 interface I will have same solution you described in bullet point 1.

    There is no need to configure all remaining ports as trunk as they won't be used anyway.

    Then I can enable STP protocol globally.



  • 18.  RE: STP protocol problem

    Posted 04-08-2019 10:03

    Ok that worked!

    For everyone interested:

     

    Added Home vlan to fe-0/0/7

    set interfaces fe-0/0/7 unit 0 family ethernet-switching vlan members Home

     

    Then completely removed Office vlan and zone (no longer required)

     

    Then set the native vlan for fe-0/0/7 interface to be vlan.1

    set interfaces fe-0/0/7 unit 0 family ethernet-switching native-vlan-id 3

     

    This basically means that untagged traffic from vlan.1 and tagged 10 (Home) traffic is being sent to the switch.

    source: https://kb.juniper.net/InfoCenter/index?page=content&id=KB17419

     

    Then enabled STP protocol:

    set protocols stp

     

     

    Then disabled interface fe-0/0/2 to make sure there is no loop and voila!

    set interfaces fe-0/0/2 disable

     

    and here is how it looks in action:

    > show ethernet-switching interfaces
    Interface    State  VLAN members  Tag  Tagging   Blocking
    fe-0/0/1.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/2.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/3.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/4.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/5.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/6.0   down   vlan1         3    untagged  blocked by STP
    fe-0/0/7.0   up     vlan1         3    untagged  unblocked
                        Home          10   tagged    unblocked

     

    Thanks epaniagua!