This lab demonstrates basic configuration and monitoring tasks when implementing spanning tree and some related protection features on EX Series Ethernet Switches. In this lab, you will use the command-line interface (CLI) to configure and monitor RSTP as well as bridge protocol data unit (BPDU) and loop protection.
EVE-NG Network Topology
You can either modify the existing lab topology that you created in Lab 2, or clone that topology to a new one and name it Lab 3. If you clone the topology, you will need to carry everything from Lab 1 and Lab 2 into the new topology, because this guide continues from the previous labs' configurations.
Below is an export of the Lab 2 configurations.
set system host-name vqfx-01
set system root-authentication encrypted-password "$1$KrovnU1S$AHV6IRreiZIuP4RA526TH0"
set system services ssh root-login allow
set system services netconf ssh
set system services rest http port 8080
set system services rest enable-explorer
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces xe-0/0/0 description "Switch Trunk Interface"
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 20
set interfaces xe-0/0/1 description "vPC VLAN 10"
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/2 description "vPC VLAN 20"
set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces em0 unit 0 family inet dhcp
set interfaces em1 unit 0 family inet address 169.254.0.2/24
set interfaces irb unit 10 family inet address 10.0.10.1/24
set interfaces irb unit 20 family inet address 10.0.20.1/24
set forwarding-options storm-control-profiles default all
set protocols igmp-snooping vlan default
set vlans VLAN-10 vlan-id 10
set vlans VLAN-10 l3-interface irb.10
set vlans VLAN-20 vlan-id 20
set vlans VLAN-20 l3-interface irb.20
set vlans default vlan-id 1
----------
set system host-name vqfx-02
set system root-authentication encrypted-password "$1$Kfz7PEKs$lUYDMK/olBURdugO4BTmX0"
set system services ssh root-login allow
set system services netconf ssh
set system services rest http port 8080
set system services rest enable-explorer
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces xe-0/0/0 description "Switch Trunk Interface"
set interfaces xe-0/0/0 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/0 unit 0 family ethernet-switching vlan members 20
set interfaces xe-0/0/1 description "vPC VLAN 10"
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/2 description "vPC VLAN 20"
set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces em0 unit 0 family inet dhcp
set interfaces em1 unit 0 family inet address 169.254.0.2/24
set forwarding-options storm-control-profiles default all
set protocols igmp-snooping vlan default
set vlans VLAN-10 vlan-id 10
set vlans VLAN-20 vlan-id 20
set vlans default vlan-id 1
Modify the Existing Configuration
In Lab 3, we have expanded the switched network to include three (3) vQFX switches and moved some of the connections around for the switch-to-switch links and the vPC links. Having three switches allows us to easily create a realistic network “loop” of the kind that happens frequently in real-world scenarios.
First, you will need to clear the interface configurations for the old vPC links. Run the following commands on vQFX-01 and vQFX-02. vQFX-01 will remain the Layer 3 VLAN router at this time.
delete interfaces xe-0/0/1
delete interfaces xe-0/0/2
Now we need to move our vPC connections to their new interfaces. Execute the following commands on vQFX-01 and vQFX-02.
set interfaces xe-0/0/4 description "vPC VLAN 10"
set interfaces xe-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/4 unit 0 family ethernet-switching vlan members 10
commit
Since we have also added a new vQFX switch to the network, we need to get this switch ready to join it. First, let's clean up the configuration left over from the evaluation configs.
delete system root-authentication
delete system login
delete system extensions
wildcard delete interfaces xe-*
wildcard delete interfaces et-*
set system root-authentication plain-text-password
commit
Now we are going to confirm that we have everything reconfigured correctly. vPC-01 should be able to communicate with vPC-02, but should not be able to communicate with vPC-03 and vPC-04.
vPC-01> ping 10.0.10.12
84 bytes from 10.0.10.12 icmp_seq=1 ttl=64 time=14.914 ms
84 bytes from 10.0.10.12 icmp_seq=2 ttl=64 time=15.786 ms
84 bytes from 10.0.10.12 icmp_seq=3 ttl=64 time=16.276 ms
84 bytes from 10.0.10.12 icmp_seq=4 ttl=64 time=15.813 ms
84 bytes from 10.0.10.12 icmp_seq=5 ttl=64 time=15.986 ms
vPC-01> ping 10.0.20.11
10.0.20.11 icmp_seq=1 timeout
10.0.20.11 icmp_seq=2 timeout
10.0.20.11 icmp_seq=3 timeout
10.0.20.11 icmp_seq=4 timeout
10.0.20.11 icmp_seq=5 timeout
vPC-01> ping 10.0.20.12
10.0.20.12 icmp_seq=1 timeout
10.0.20.12 icmp_seq=2 timeout
10.0.20.12 icmp_seq=3 timeout
10.0.20.12 icmp_seq=4 timeout
10.0.20.12 icmp_seq=5 timeout
We are now ready to start integrating the new switch into the network topology.
Configuring and Monitoring RSTP
We are first going to configure RSTP on the vQFX-01 and vQFX-02 switches. vQFX-01 is going to be set as the root bridge and vQFX-02 is going to be configured as the secondary root bridge for the network. The root bridge is selected by the bridge priority value set on each switch. In most cases, you will only set the primary and secondary bridge priorities, and all additional switches will be left with their default value of 32K.
On vQFX-01, we are going to set the bridge priority to 4K, thereby forcing it to be the primary root bridge as it has the lowest priority. With Spanning Tree, the lower the priority, the more preferred the bridge becomes. Run the following commands on vQFX-01.
set protocols rstp bridge-priority 4k
set protocols rstp interface all
commit
On vQFX-02, we are going to set the bridge priority to 8K, thereby forcing it to be the secondary root bridge, as its priority is lower than the default of 32K. With Spanning Tree, the lower the priority, the more preferred the bridge becomes. Run the following commands on vQFX-02.
set protocols rstp bridge-priority 8k
set protocols rstp interface all
commit
We have also set RSTP to include all interfaces by default in the Spanning Tree services. This means that all interfaces, by default, will listen for and transmit BPDU packets.
Let's confirm that spanning tree is working correctly now. From vQFX-02, run the command run show spanning-tree bridge. You should see the ROOT priority value of 4096 with a root port of xe-0/0/0 and the local bridge priority of 8192.
root@vqfx-02# run show spanning-tree bridge
STP bridge parameters
Routing instance name : GLOBAL
Context ID : 0
Enabled protocol : RSTP
Root ID : 4096.02:05:86:71:0c:02
Root cost : 2000
Root port : xe-0/0/0
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Message age : 1
Number of topology changes : 1
Time since last topology change : 342 seconds
Local parameters
Bridge ID : 8192.02:05:86:71:cc:02
Extended system ID : 0
Now from vQFX-01, run the command run show spanning-tree interface. You should see all interfaces with a forwarding state and as a designated port role.
root@vqfx-01# run show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface   Port ID   Designated   Designated           Port   State  Role
                      port ID      bridge ID            Cost
xe-0/0/0    128:490   128:490      4096.020586710c02    2000   FWD    DESG
xe-0/0/4    128:491   128:491      4096.020586710c02    2000   FWD    DESG
If you run the command run show spanning-tree bridge on the vQFX-01 switch, you can see that the local switch is also acting as the primary ROOT bridge.
root@vqfx-01# run show spanning-tree bridge
STP bridge parameters
Routing instance name : GLOBAL
Context ID : 0
Enabled protocol : RSTP
Root ID : 4096.02:05:86:71:0c:02
Hello time : 2 seconds
Maximum age : 20 seconds
Forward delay : 15 seconds
Message age : 0
Number of topology changes : 1
Time since last topology change : 814 seconds
Local parameters
Bridge ID : 4096.02:05:86:71:0c:02
Extended system ID : 0
Now we are going to configure the interfaces that link to the new switch. These interfaces will be configured as TRUNK ports, identical to xe-0/0/0, carrying VLAN 10 and VLAN 20.
On vQFX-01, apply the following configuration to enable interface xe-0/0/1 connecting to vQFX-03.
set interfaces xe-0/0/1 description "Switch vQFX-03 Trunk Interface"
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 20
commit
Then, on vQFX-02, apply the following configuration to enable interface xe-0/0/2 connecting to vQFX-03.
set interfaces xe-0/0/2 description "Switch vQFX-03 Trunk Interface"
set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members 20
commit
We are now ready to bring vQFX-03 into the network connectivity. Apply the following configurations to vQFX-03 to activate interfaces xe-0/0/1 and xe-0/0/2 along with the RSTP protocol.
We are also going to configure the VLANs on this switch and allocate the interfaces for the vPC connections.
set interfaces xe-0/0/1 description "Switch vQFX-01 Trunk Interface"
set interfaces xe-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/1 unit 0 family ethernet-switching vlan members 20
set interfaces xe-0/0/2 description "Switch vQFX-02 Trunk Interface"
set interfaces xe-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members 10
set interfaces xe-0/0/2 unit 0 family ethernet-switching vlan members 20
set interfaces xe-0/0/4 description "vPC VLAN 20"
set interfaces xe-0/0/4 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/4 unit 0 family ethernet-switching vlan members 20
set interfaces xe-0/0/5 description "vPC VLAN 20"
set interfaces xe-0/0/5 unit 0 family ethernet-switching interface-mode access
set interfaces xe-0/0/5 unit 0 family ethernet-switching vlan members 20
set protocols rstp interface all
set vlans VLAN-10 vlan-id 10
set vlans VLAN-20 vlan-id 20
commit
Now let's see whether vPC-01 can communicate with vPC-03 and vPC-04 again.
vPC-01> ping 10.0.20.11
10.0.20.11 icmp_seq=1 timeout
84 bytes from 10.0.20.11 icmp_seq=2 ttl=63 time=17.233 ms
84 bytes from 10.0.20.11 icmp_seq=3 ttl=63 time=16.662 ms
84 bytes from 10.0.20.11 icmp_seq=4 ttl=63 time=17.136 ms
84 bytes from 10.0.20.11 icmp_seq=5 ttl=63 time=17.962 ms
vPC-01> ping 10.0.20.12
10.0.20.12 icmp_seq=1 timeout
84 bytes from 10.0.20.12 icmp_seq=2 ttl=63 time=19.611 ms
84 bytes from 10.0.20.12 icmp_seq=3 ttl=63 time=18.233 ms
84 bytes from 10.0.20.12 icmp_seq=4 ttl=63 time=24.377 ms
84 bytes from 10.0.20.12 icmp_seq=5 ttl=63 time=16.359 ms
Good. The vPC machines can communicate again. Now, let's look at the spanning tree instance on vQFX-03. Run the command run show spanning-tree interface on the vQFX-03 switch. Why is there not a loop in the network?
root@vqfx-03# run show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface   Port ID   Designated   Designated           Port   State  Role
                      port ID      bridge ID            Cost
xe-0/0/1    128:490   128:496      4096.020586710c02    2000   FWD    ROOT
xe-0/0/2    128:491   128:495      8192.02058671cc02    2000   BLK    ALT
xe-0/0/4    128:495   128:495      32768.020586714702   2000   FWD    DESG
xe-0/0/5    128:496   128:496      32768.020586714702   2000   FWD    DESG
Which interface is the ROOT interface, which interface is being blocked, and why is it being blocked?
The ROOT interface is xe-0/0/1 because that is the closest path to the bridge with the lowest priority (the primary root). The secondary path xe-0/0/2 is being blocked because the bridge priority is higher. This is how RSTP protects against a loop that was created in the network.
Configuring and Monitoring BPDU Protection
We are now going to enable some spanning tree BPDU protection features. First, we are going to configure interface xe-0/0/1 on vQFX-03 as an edge port and then configure spanning tree to block BPDU packets on all edge ports.
set protocols rstp bpdu-block-on-edge
set protocols rstp interface xe-0/0/1 edge
commit
Now look at your spanning tree topology. What did interface xe-0/0/1 do?
root@vqfx-03# run show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface   Port ID   Designated   Designated           Port   State  Role
                      port ID      bridge ID            Cost
xe-0/0/1    128:490   128:490      32768.020586714702   2000   FWD    DESG
xe-0/0/2    128:491   128:495      8192.02058671cc02    2000   FWD    ROOT
xe-0/0/4    128:495   128:495      32768.020586714702   2000   FWD    DESG
xe-0/0/5    128:496   128:496      32768.020586714702   2000   FWD    DESG
Why is interface xe-0/0/1 no longer seen as the root port?
Why is interface xe-0/0/2 now the root port?
Interface xe-0/0/1 no longer accepts any BPDU packets because we forced it to be an edge port. The command rstp bpdu-block-on-edge forces any port configured as an edge port to block all BPDU packets. BPDU packets are still being sent out, however. This can be seen if you run a packet capture on the vQFX-01 switch interface xe-0/0/1.
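The port roles seen in the last two sections (vQFX-03 blocking xe-0/0/2, then moving its root port to xe-0/0/2 once xe-0/0/1 stops accepting BPDUs) can be reproduced by comparing RSTP priority vectors. This is an added example, not part of the original lab: bridge IDs, port numbers and costs come from the show output on this page, the cabling is inferred from the interface descriptions, the port number for vqfx-02 xe-0/0/0 is a constructed value, and only steady-state roles on the inter-switch links are computed (no timers or port states).

```python
# Added example: steady-state RSTP port roles for the lab's three switches.

BRIDGES = {  # name -> bridge ID as (priority, MAC); the lower ID is preferred
    "vqfx-01": (4096, "020586710c02"),
    "vqfx-02": (8192, "02058671cc02"),
    "vqfx-03": (32768, "020586714702"),
}

# Each link: (bridge, interface, port number) at both ends, then the port cost.
# Port number 490 for vqfx-02 xe-0/0/0 is constructed; the page never shows it.
LINKS = [
    (("vqfx-01", "xe-0/0/0", 490), ("vqfx-02", "xe-0/0/0", 490), 2000),
    (("vqfx-01", "xe-0/0/1", 496), ("vqfx-03", "xe-0/0/1", 490), 2000),
    (("vqfx-02", "xe-0/0/2", 495), ("vqfx-03", "xe-0/0/2", 491), 2000),
]


def compute_roles(bridges, links, ignore_bpdus=frozenset()):
    """Return ({bridge: {interface: role}}, {bridge: root path cost}).

    ignore_bpdus holds (bridge, interface) pairs that discard received BPDUs,
    which is how the lab's edge port on vqfx-03 behaves.
    """
    # ports[bridge] = list of (ifname, port number, peer, peer port number, cost)
    ports = {name: [] for name in bridges}
    for (a, a_if, a_no), (b, b_if, b_no), cost in links:
        ports[a].append((a_if, a_no, b, b_no, cost))
        ports[b].append((b_if, b_no, a, a_no, cost))

    # best[bridge] = (root ID, root path cost, sender bridge ID, sender port,
    #                 receiving port, receiving interface name)
    # Every bridge starts out believing it is the root itself.
    best = {n: (bid, 0, bid, 0, 0, None) for n, bid in bridges.items()}
    changed = True
    while changed:
        changed = False
        for name, bid in bridges.items():
            candidates = [(bid, 0, bid, 0, 0, None)]
            for ifname, portno, peer, peer_no, cost in ports[name]:
                if (name, ifname) in ignore_bpdus:
                    continue  # received BPDUs are dropped on this port
                p_root, p_cost = best[peer][0], best[peer][1]
                candidates.append(
                    (p_root, p_cost + cost, bridges[peer], peer_no, portno, ifname)
                )
            new = min(candidates, key=lambda v: v[:5])
            if new != best[name]:
                best[name], changed = new, True

    roles = {}
    for name, bid in bridges.items():
        root_id, root_cost, *_, root_if = best[name]
        roles[name] = {}
        for ifname, portno, peer, peer_no, _cost in ports[name]:
            # What each end would advertise on this segment. With equal root
            # path cost, the lower bridge ID wins the designated role.
            mine = (root_id, root_cost, bid, portno)
            theirs = (best[peer][0], best[peer][1], bridges[peer], peer_no)
            if ifname == root_if:
                role = "ROOT"
            elif (name, ifname) in ignore_bpdus or mine < theirs:
                role = "DESG"
            else:
                role = "ALT"  # alternate port, held in the blocking state
            roles[name][ifname] = role
    return roles, {n: best[n][1] for n in bridges}


if __name__ == "__main__":
    for label, ignored in (
        ("RSTP on all ports", frozenset()),
        ("vqfx-03 xe-0/0/1 drops BPDUs", frozenset({("vqfx-03", "xe-0/0/1")})),
    ):
        roles, costs = compute_roles(BRIDGES, LINKS, ignored)
        print(label)
        for bridge in sorted(roles):
            print(f"  {bridge} root cost {costs[bridge]}: {roles[bridge]}")
```
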


Which switch is now performing the loop protection and blocking?
If you look at vQFX-01, you will now see interface xe-0/0/1 is in a blocking state, even though it is the root switch. While the port is still in DESG mode, it has to protect against a loop.
root@vqfx-01# run show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface   Port ID   Designated   Designated           Port   State  Role
                      port ID      bridge ID            Cost
xe-0/0/0    128:490   128:490      4096.020586710c02    2000   FWD    DESG
xe-0/0/4    128:491   128:491      4096.020586710c02    2000   FWD    DESG
xe-0/0/1    128:496   128:496      4096.020586710c02    2000   BLK    DESG
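The changes this lab walks through (a root port that moves, a port whose designated bridge changes, a designated port left blocking) are the same signs a monitoring job would look for when a spanning tree topology shifts unexpectedly. The check below is an added example, not part of the original lab: the captures are copied from the show spanning-tree interface output on this page, and the function names and the expected_root_bridge parameter are hypothetical.

```python
import re

# One data row of "show spanning-tree interface" as printed in this lab.
ROW = re.compile(
    r"^(?P<ifname>[a-z]+-\d+/\d+/\d+)\s+(?P<port_id>\d+:\d+)\s+"
    r"(?P<desg_port>\d+:\d+)\s+(?P<desg_bridge>\d+\.[0-9a-f]{12})\s+"
    r"(?P<cost>\d+)\s+(?P<state>[A-Z]+)\s+(?P<role>[A-Z]+)\s*$"
)

# Captures copied from this page (headers kept in the first one only).
VQFX03_BEFORE = """\
root@vqfx-03# run show spanning-tree interface
Spanning tree interface parameters for instance 0
Interface Port ID Designated Designated Port State Role
port ID bridge ID Cost
xe-0/0/1 128:490 128:496 4096.020586710c02 2000 FWD ROOT
xe-0/0/2 128:491 128:495 8192.02058671cc02 2000 BLK ALT
xe-0/0/4 128:495 128:495 32768.020586714702 2000 FWD DESG
xe-0/0/5 128:496 128:496 32768.020586714702 2000 FWD DESG
"""
VQFX03_AFTER = """\
xe-0/0/1 128:490 128:490 32768.020586714702 2000 FWD DESG
xe-0/0/2 128:491 128:495 8192.02058671cc02 2000 FWD ROOT
xe-0/0/4 128:495 128:495 32768.020586714702 2000 FWD DESG
xe-0/0/5 128:496 128:496 32768.020586714702 2000 FWD DESG
"""
VQFX01_BEFORE = """\
xe-0/0/0 128:490 128:490 4096.020586710c02 2000 FWD DESG
xe-0/0/4 128:491 128:491 4096.020586710c02 2000 FWD DESG
"""
VQFX01_AFTER = """\
xe-0/0/0 128:490 128:490 4096.020586710c02 2000 FWD DESG
xe-0/0/4 128:491 128:491 4096.020586710c02 2000 FWD DESG
xe-0/0/1 128:496 128:496 4096.020586710c02 2000 BLK DESG
"""


def parse_interfaces(text):
    """Map interface name -> row fields; prompt and header lines are skipped."""
    rows = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows[match["ifname"]] = match.groupdict()
    return rows


def root_port(rows):
    """Return the interface holding the ROOT role, or None on the root bridge."""
    roots = [name for name, row in rows.items() if row["role"] == "ROOT"]
    return roots[0] if roots else None


def audit(before_text, after_text, expected_root_bridge):
    """Compare two captures from one switch and list topology findings."""
    before = parse_interfaces(before_text)
    after = parse_interfaces(after_text)
    findings = []

    old_rp, new_rp = root_port(before), root_port(after)
    if old_rp != new_rp:
        findings.append(f"root port moved from {old_rp} to {new_rp}")
    if new_rp and after[new_rp]["desg_bridge"] != expected_root_bridge:
        via = after[new_rp]["desg_bridge"]
        findings.append(f"{new_rp} reaches the root through {via}, not directly")

    for name, row in after.items():
        if row["role"] == "DESG" and row["state"] == "BLK":
            findings.append(f"{name} is designated but blocking")
        old = before.get(name)
        if old and old["desg_bridge"] != row["desg_bridge"]:
            findings.append(
                f"{name} designated bridge changed "
                f"{old['desg_bridge']} -> {row['desg_bridge']}"
            )
    return findings


if __name__ == "__main__":
    expected = "4096.020586710c02"  # vqfx-01, the intended root in this lab
    for switch, old, new in (
        ("vqfx-03", VQFX03_BEFORE, VQFX03_AFTER),
        ("vqfx-01", VQFX01_BEFORE, VQFX01_AFTER),
    ):
        for finding in audit(old, new, expected):
            print(f"{switch}: {finding}")
```
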