[j-nsp] SRX secure wire and layer 2 pdus

Ben Dale bdale at comlinx.com.au
Tue Apr 28 18:53:06 EDT 2015


Hi Ross,

On 29 Apr 2015, at 1:43 am, Ross Vandegrift <ross at kallisti.us> wrote:

> Hi all,
> 
> The documentation for SRX secure wire has thrown me for a loop.  It
> says: secure wire is a kind of transparent mode, and transparent mode
> interfaces pass all ARP and non-IP broadcast/multicast.  So a secure
> wire should pass BPDUs and LACPDUs.
> 
> I think that's a mistake.  If both secure wire interfaces land on the
> same switch, RSTP/MSTP ought to block one of the interfaces.  Separate
> switches won't help if both are multihomed to common distribution
> switches.  The secure wire will look like two edge interfaces were
> cabled together, and RSTP/MSTP will block.
> 
> I set up a test with two ex4200s and a secure wire between them.  No
> BPDUs or LACPDUs make it across.  Seems good, but now I'm nervous
> that the behavior doesn't match the documentation.
> 
> Have I missed something?  Case is open, but it stalled at the repeat
> the documentation stage.
> 
> https://www.juniper.net/techpubs/en_US/junos12.3x48/topics/concept/layer-2-secure-wire-understanding.html
> 
> Ross
> 

The doco needs a slight update (or better yet, a cross-reference) to the link below.  

In the documentation for Transparent Mode, it mentions the Layer 2 bridging exceptions on SRX that apply when using a bridge-domain for transparent-mode, which is the same method SecureWire uses for tying interfaces together.

http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/layer-2/index.html?topic-52744.html

You'll see there that xSTP is specifically called out.

Cheers,

Ben
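
The bench test Ross describes can be checked from packet captures. The following is an added example, not part of the original thread and not Juniper code: it classifies untagged Ethernet frames as xSTP BPDUs or LACPDUs by their standard destination addresses and counts any that were sourced by the near-side switch but captured on the far side of the secure wire. The function names, MAC addresses and truncated sample frames are constructed for illustration.

```python
import struct

STP_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address
SLOW_DST = bytes.fromhex("0180c2000002")  # IEEE 802.3 slow protocols address
SLOW_ETHERTYPE = 0x8809

def classify(frame: bytes) -> str:
    """Return 'bpdu', 'lacpdu' or 'other' for one untagged Ethernet frame."""
    if len(frame) < 17:
        return "other"
    dst = frame[0:6]
    (type_len,) = struct.unpack("!H", frame[12:14])
    # xSTP BPDUs are 802.3 length frames with LLC DSAP/SSAP 0x42, control 0x03.
    if dst == STP_DST and type_len < 0x0600 and frame[14:17] == b"\x42\x42\x03":
        return "bpdu"
    # LACP is slow-protocols subtype 1 (subtype 2 is Marker, ignored here).
    if dst == SLOW_DST and type_len == SLOW_ETHERTYPE and frame[14] == 0x01:
        return "lacpdu"
    return "other"

def crossed(far_capture, near_macs):
    """Count L2 PDUs seen on the far side whose source MAC is a near-side switch."""
    counts = {"bpdu": 0, "lacpdu": 0}
    for frame in far_capture:
        kind = classify(frame)
        if kind != "other" and frame[6:12] in near_macs:
            counts[kind] += 1
    return counts

# --- constructed sample data (locally administered MACs, truncated payloads) ---
def bpdu(src):
    body = b"\x42\x42\x03" + b"\x00\x00\x02\x02"  # LLC + RSTP protocol id/version/type
    return STP_DST + src + struct.pack("!H", len(body)) + body

def lacpdu(src):
    return SLOW_DST + src + struct.pack("!H", SLOW_ETHERTYPE) + b"\x01\x01" + bytes(2)

SW_A = bytes.fromhex("02000000000a")  # near-side switch
SW_B = bytes.fromhex("02000000000b")  # far-side switch
BLOCKED = [bpdu(SW_B), lacpdu(SW_B)]              # far side sees only its own PDUs
PASSING = BLOCKED + [bpdu(SW_A), lacpdu(SW_A)]    # near-side PDUs crossed the wire

if __name__ == "__main__":
    print("blocked:", crossed(BLOCKED, {SW_A}))
    print("passing:", crossed(PASSING, {SW_A}))
```

Non-zero counts on the far side mean the wire is forwarding those PDUs, which is the condition under which RSTP/MSTP would see a loop.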

