Example: Configuring Root Protection to Enforce Root Bridge Placement in Spanning Trees
Note: This example uses Junos OS for SRX Series devices with support for the Enhanced Layer 2 Software (ELS) configuration style. For ELS details, see Getting Started with Enhanced Layer 2 Software.
SRX Series devices provide Layer 2 loop prevention through Spanning Tree Protocol (STP), Rapid Spanning Tree Protocol (RSTP), and Multiple Spanning Tree Protocol (MSTP). Root protection increases the efficiency of STP, RSTP, and MSTP by allowing network administrators to manually enforce the root bridge placement in the network.
This example describes how to configure root protection on an interface on an SRX Series device.
Requirements
This example uses the following software and hardware components:
- Junos OS Release 15.1X49-D70 or later
- Four SRX Series devices in an RSTP topology
Before you configure the interface for root protection, be sure you have:
- RSTP operating on the devices.
Overview
Peer STP applications running on device interfaces exchange a special type of frame called a bridge protocol data unit (BPDU). Devices communicate interface information using BPDUs to create a loop-free topology that ultimately determines the root bridge and which interfaces block or forward traffic in the spanning tree.
However, a root port elected through this process can be wrongly elected. A user bridge application running on a PC can also generate BPDUs and interfere with root port election.
To prevent this from happening, enable root protection on interfaces that must not receive superior BPDUs from the root bridge and must not be elected as the root port. These interfaces are typically located on an administrative boundary and are designated ports.
When root protection is enabled on an interface:
- The interface is blocked from becoming the root port.
- Root protection is enabled for all STP instances on that interface.
- The interface is blocked only for instances for which it receives superior BPDUs. Otherwise, it participates in the spanning-tree topology.
Caution: An interface can be configured for either root protection or loop protection, but not for both.
In this example, the four SRX Series devices are configured for RSTP and create a loop-free topology. Interface ge-0/0/7 on device 1 is a designated port on an administrative boundary. It connects to device 4. Device 3 is the root bridge. Interface ge-0/0/6 on device 1 is the root port.
This example shows how to configure root protection on interface ge-0/0/7 to prevent it from transitioning to become the root port.
- The root port is responsible for forwarding data to the root bridge.
- The alternate port is a standby port for the root port. When a root port goes down, the alternate port becomes the active root port.
- The designated port forwards data to the downstream network segment or device.
This configuration example uses an RSTP topology. However, you can also configure root protection for STP or MSTP topologies at the [edit protocols mstp] hierarchy level.
Configuration
To configure root protection on an interface:
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
To configure root protection:
- Configure interface ge-0/0/7:
[edit protocols rstp]
user@host# set interface ge-0/0/7 no-root-port
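The following audit is an added example, not part of the original procedure or Juniper's own tooling: it reads set-style configuration (the format produced by `show configuration | display set`) and reports boundary ports that lack `no-root-port` or that also carry loop protection, which the Caution above rules out. The boundary port list and the sample configuration are constructed, and `bpdu-timeout-action` is assumed to be the loop protection statement in use (it does not appear on this page).

```python
import re

# Matches set-style lines such as:
#   set protocols rstp interface ge-0/0/7 no-root-port
STP_IF = re.compile(r"^set protocols (stp|rstp|mstp) interface (\S+)(?: (.*))?$")

def audit_root_protection(config_text, boundary_ports):
    """Return {port: finding} for each boundary port that is not cleanly protected."""
    options = {}  # interface -> set of option strings seen under the STP protocol
    for line in config_text.splitlines():
        m = STP_IF.match(line.strip())
        if m:
            options.setdefault(m.group(2), set()).add((m.group(3) or "").strip())
    findings = {}
    for port in boundary_ports:
        opts = options.get(port, set())
        has_root = "no-root-port" in opts
        # Assumption: loop protection is configured with bpdu-timeout-action.
        has_loop = any(o.startswith("bpdu-timeout-action") for o in opts)
        if has_root and has_loop:
            findings[port] = "conflict: root protection and loop protection both set"
        elif not has_root:
            findings[port] = "missing no-root-port"
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
set protocols rstp interface ge-0/0/6
set protocols rstp interface ge-0/0/7 no-root-port
set protocols rstp interface ge-0/0/3 no-root-port
set protocols rstp interface ge-0/0/3 bpdu-timeout-action block
set protocols rstp interface ge-0/0/4
"""

if __name__ == "__main__":
    # Hypothetical list of ports that sit on the administrative boundary.
    boundary = ["ge-0/0/3", "ge-0/0/4", "ge-0/0/7"]
    for port, finding in audit_root_protection(SAMPLE_CONFIG, boundary).items():
        print(port, finding)
```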
Results
Check the results of the configuration:
Verification
To confirm that the configuration is working properly:
- Displaying the Interface State Before Root Protection Is Triggered
- Verifying That Root Protection Is Working on the Interface
Displaying the Interface State Before Root Protection Is Triggered
Purpose
Before root protection is triggered on interface ge-0/0/7, confirm the interface state.
Action
Use the operational mode command:
user@host> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/0     128:513      128:513  32768.0019e2503f00     20000    BLK    DIS
ge-0/0/1     128:514      128:514  32768.0019e2503f00     20000    BLK    DIS
ge-0/0/2     128:515      128:515  32768.0019e2503f00     20000    BLK    DIS
ge-0/0/3     128:516      128:516  32768.0019e2503f00     20000    FWD    DESG
ge-0/0/4     128:517      128:517  32768.0019e2503f00     20000    FWD    DESG
ge-0/0/5     128:518        128:2  16384.00aabbcc0348     20000    BLK    ALT
ge-0/0/6     128:519        128:1  16384.00aabbcc0348     20000    FWD    ROOT
ge-0/0/7     128:520      128:520  32768.0019e2503f00     20000    FWD    DESG
[output truncated]
Meaning
The output from the operational mode command show spanning-tree interface shows that ge-0/0/7 is a designated port in a forwarding state.
Verifying That Root Protection Is Working on the Interface
Purpose
A configuration change takes place on device 4. A smaller bridge priority on device 4 causes it to send superior BPDUs to interface ge-0/0/7. Receipt of superior BPDUs on interface ge-0/0/7 triggers root protection. Verify that root protection is operating on interface ge-0/0/7.
Action
Use the operational mode command:
user@host> show spanning-tree interface
Spanning tree interface parameters for instance 0

Interface    Port ID    Designated      Designated         Port    State  Role
                         port ID        bridge ID          Cost
ge-0/0/0     128:513      128:513  32768.0019e2503f00     20000    BLK    DIS
ge-0/0/1     128:514      128:514  32768.0019e2503f00     20000    BLK    DIS
ge-0/0/2     128:515      128:515  32768.0019e2503f00     20000    BLK    DIS
ge-0/0/3     128:516      128:516  32768.0019e2503f00     20000    FWD    DESG
ge-0/0/4     128:517      128:517  32768.0019e2503f00     20000    FWD    DESG
ge-0/0/5     128:518        128:2  16384.00aabbcc0348     20000    BLK    ALT
ge-0/0/6     128:519        128:1  16384.00aabbcc0348     20000    FWD    ROOT
ge-0/0/7     128:520      128:520  32768.0019e2503f00     20000    BLK    DIS (Root—Incon)
[output truncated]
Meaning
The operational mode command show spanning-tree interface shows that interface ge-0/0/7 has transitioned to a root inconsistent state. The root inconsistent state makes the interface block, discarding any received BPDUs, and prevents the interface from becoming a candidate for the root port. When the root bridge no longer receives superior STP BPDUs from the interface, the interface will recover and transition back to a forwarding state. Recovery is automatic.
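The check described in the two verification steps can be automated. The following is an added example, not part of the original documentation or Juniper's tooling: it parses two captures of `show spanning-tree interface`, reports ports that have entered the root inconsistent state, and confirms which interface still holds the root role. The function names are hypothetical, and the sample rows are the ge-0/0/6 and ge-0/0/7 rows from the outputs above.

```python
import re

# One data row: interface, port ID, designated port ID, designated bridge ID,
# port cost, state, role, and an optional parenthesised flag.
ROW = re.compile(
    r"^(?P<ifname>[a-z]+-\d+/\d+/\d+)\s+(?P<port_id>\d+:\d+)\s+"
    r"(?P<desg_port>\d+:\d+)\s+(?P<desg_bridge>\d+\.[0-9a-f]{12})\s+"
    r"(?P<cost>\d+)\s+(?P<state>[A-Z]+)\s+(?P<role>[A-Z]+)"
    r"(?:\s+\((?P<flag>[^)]+)\))?\s*$"
)

def parse_stp_interfaces(output):
    """Return {interface: row dict}; header and truncation lines are skipped."""
    rows = {}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[m.group("ifname")] = m.groupdict()
    return rows

def root_ports(rows):
    """Interfaces currently holding the ROOT role."""
    return sorted(i for i, r in rows.items() if r["role"] == "ROOT")

def root_protection_events(before, after):
    """List (interface, previous state/role, current state/role) for every
    port that is root-inconsistent in the 'after' snapshot."""
    old, new = parse_stp_interfaces(before), parse_stp_interfaces(after)
    events = []
    for ifname, row in sorted(new.items()):
        # The page prints the flag with a long dash; accept a hyphen as well.
        flag = (row["flag"] or "").replace("\u2014", "-").lower()
        if flag == "root-incon":
            prev = old.get(ifname)
            was = f"{prev['state']}/{prev['role']}" if prev else "unknown"
            events.append((ifname, was, f"{row['state']}/{row['role']}"))
    return events

# Rows for ge-0/0/6 and ge-0/0/7 as shown in the two outputs on this page.
BEFORE = """Spanning tree interface parameters for instance 0
ge-0/0/6 128:519 128:1 16384.00aabbcc0348 20000 FWD ROOT
ge-0/0/7 128:520 128:520 32768.0019e2503f00 20000 FWD DESG
"""
AFTER = """Spanning tree interface parameters for instance 0
ge-0/0/6 128:519 128:1 16384.00aabbcc0348 20000 FWD ROOT
ge-0/0/7 128:520 128:520 32768.0019e2503f00 20000 BLK DIS (Root\u2014Incon)
[output truncated]
"""
```

An event for ge-0/0/7 together with an unchanged result from `root_ports` shows that the superior BPDUs were rejected and ge-0/0/6 kept the root role.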