Example: Configuring Loop Protection to Prevent Interfaces from Transitioning from Blocking to Forwarding in a Spanning Tree

Note: This example uses Junos OS for SRX Series devices with support for the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Getting Started with Enhanced Layer 2 Software.

SRX Series devices provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Loop protection increases the efficiency of STP, RSTP, and MSTP by preventing interfaces from moving into a forwarding state that would result in a loop opening up in the network.

This example describes how to configure loop protection for an interface on an SRX Series device in an RSTP topology.

Requirements

This example uses the following software and hardware components:

  • Junos OS Release 15.1X49-D70 or later
  • Three SRX Series devices in an RSTP topology

Before you configure the interface for loop protection, be sure you have:

  • RSTP operating on the devices.

Overview

A loop-free network in spanning-tree topologies is supported through the exchange of a special type of frame called bridge protocol data unit (BPDU). Peer STP applications running on the device interfaces use BPDUs to communicate. Ultimately, the exchange of BPDUs determines which interfaces block traffic (preventing loops) and which interfaces become root ports and forward traffic.

A blocking interface can transition to the forwarding state in error if the interface stops receiving BPDUs from its designated port on the segment. Such a transition error can occur when there is a hardware error on the device or software configuration error between the device and its neighbor. When this happens, a loop opens up in the spanning tree. Loops in a Layer 2 topology cause broadcast, unicast, and multicast frames to continuously circle the looped network. As a device processes a flood of frames in a looped network, its resources become depleted and the ultimate result is a network outage.

Caution: An interface can be configured for either loop protection or root protection, but not for both.

In this example, the three SRX Series devices are configured for RSTP and create a loop-free topology. Interface ge-0/0/6 is blocking traffic between device 3 and device 1; thus, traffic is forwarded through interface ge-0/0/7 on device 2. BPDUs are being sent from the root bridge on device 1 to both of these interfaces.

This example shows how to configure loop protection on interface ge-0/0/6 to prevent it from transitioning from a blocking state to a forwarding state and creating a loop in the spanning-tree topology.

A spanning-tree topology contains ports that have specific roles:

  • The root port is responsible for forwarding data to the root bridge.
  • The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port.
  • The designated port forwards data to the downstream network segment or device.

This configuration example uses an RSTP topology. However, you can also configure loop protection for MSTP topologies at the [edit protocols mstp] hierarchy level.

Configuration

To configure loop protection on an interface:

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set protocols rstp interface ge-0/0/6 bpdu-timeout-action block

Step-by-Step Procedure

To configure loop protection:

  1. Configure interface ge-0/0/6 on device 3:
    [edit protocols rstp]
    user@host# set interface ge-0/0/6 bpdu-timeout-action block

Results

Check the results of the configuration:

user@host> show configuration protocols rstp
interface ge-0/0/6 {
    bpdu-timeout-action {
        block;
    }
}

Verification

To confirm that the configuration is working properly, perform these tasks:

Displaying the Interface State Before Loop Protection Is Triggered

Purpose

Before loop protection is triggered on interface ge-0/0/6, confirm that the interface is blocking.

Action

Use the operational mode command:

user@host> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/0     128:513      128:513  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/1     128:514      128:514  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/2     128:515      128:515  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/3     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/4     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/5     128:518      128:518  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/6     128:519        128:2  16384.00aabbcc0348     20000  BLK    ALT 
[output truncated]

Meaning

The output from the operational mode command show spanning-tree interface shows that ge-0/0/6 is the alternate port and in a blocking state.

Verifying That Loop Protection Is Working on an Interface

Purpose

Verify the loop protection configuration on interface ge-0/0/6. RSTP has been disabled on interface ge-0/0/4 on device 1. This will stop BPDUs from being sent to interface ge-0/0/6 and trigger loop protection on the interface.

Action

Use the operational mode command:

user@host> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/0     128:513      128:513  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/1     128:514      128:514  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/2     128:515      128:515  32768.0019e2503f00     20000  BLK    DIS  
ge-0/0/3     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/4     128:517      128:517  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/5     128:518      128:518  32768.0019e2503f00     20000  FWD    DESG 
ge-0/0/6     128:519      128:519  32768.0019e2503f00     20000  BLK    DIS (Loop-Incon)
[output truncated]

Meaning

The operational mode command show spanning-tree interface shows that interface ge-0/0/6 has detected that BPDUs are no longer being forwarded to it and has moved into a loop-inconsistent state. The loop-inconsistent state prevents the interface from transitioning to a forwarding state. To clear the BPDU error, issue the operational mode command clear error bpdu interface on the device. The interface recovers and transitions back to its original state as soon as it receives BPDUs.
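
The before-and-after comparison in the two verification tasks can be automated. The following Python script is an added example, not part of the original Juniper documentation: it parses two snapshots of show spanning-tree interface output, reports ports held in the loop-inconsistent state, and reports alternate ports that left blocking without loop protection. The function names, the protected set, and the ge-0/0/8 rows are assumptions constructed for illustration.

```python
import re

# One data row of `show spanning-tree interface`; "(Loop-Incon)" is optional.
ROW = re.compile(
    r"^(?P<ifname>[a-z]+-\d+/\d+/\d+)\s+(?P<port_id>\d+:\d+)\s+"
    r"(?P<desg_port>\d+:\d+)\s+(?P<desg_bridge>\d+\.[0-9a-f]{12})\s+"
    r"(?P<cost>\d+)\s+(?P<state>[A-Z]+)\s+(?P<role>[A-Z]+)"
    r"(?:\s+\((?P<note>[^)]+)\))?$"
)

# ge-0/0/3 and ge-0/0/6 rows are copied from the page's two outputs.
# ge-0/0/8 rows are constructed: a port without loop protection.
BEFORE = """\
Interface    Port ID    Designated      Designated         Port    State  Role
ge-0/0/3     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG
ge-0/0/6     128:519        128:2  16384.00aabbcc0348     20000  BLK    ALT
ge-0/0/8     128:521        128:3  16384.00aabbcc0348     20000  BLK    ALT
"""
AFTER = """\
Interface    Port ID    Designated      Designated         Port    State  Role
ge-0/0/3     128:516      128:516  32768.0019e2503f00     20000  FWD    DESG
ge-0/0/6     128:519      128:519  32768.0019e2503f00     20000  BLK    DIS (Loop-Incon)
ge-0/0/8     128:521      128:521  32768.0019e2503f00     20000  FWD    DESG
"""

def parse(output):
    """Return {interface: fields} for every data row in the CLI output."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group("ifname")] = m.groupdict()
    return rows

def audit(before, after, protected):
    """Compare two snapshots; return (interface, finding) tuples to review."""
    old, findings = parse(before), []
    for ifname, row in parse(after).items():
        prev = old.get(ifname, {})
        was_alt_blocking = prev.get("state") == "BLK" and prev.get("role") == "ALT"
        if row["note"] == "Loop-Incon":
            findings.append((ifname, "loop-inconsistent: BPDUs lost, held in BLK"))
        elif was_alt_blocking and row["state"] == "FWD" and ifname not in protected:
            findings.append((ifname, "unprotected alternate port now forwarding"))
    return findings

if __name__ == "__main__":
    for ifname, finding in audit(BEFORE, AFTER, protected={"ge-0/0/6"}):
        print(f"{ifname}: {finding}")
```

An alternate port can also move to forwarding legitimately when the root port goes down, so the second finding is a prompt to check why BPDUs stopped, not proof of a loop.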

Modified: 2017-03-02