[j-nsp] SRX secure wire and layer 2 pdus
Ben Dale
bdale at comlinx.com.au
Tue Apr 28 18:53:06 EDT 2015
Hi Ross,
On 29 Apr 2015, at 1:43 am, Ross Vandegrift <ross at kallisti.us> wrote:
> Hi all,
>
> The documentation for SRX secure wire has thrown me for a loop. It
> says: secure wire is a kind of transparent mode, and transparent mode
> interfaces pass all ARP and non-IP broadcast/multicast. So a secure
> wire should pass BPDUs and LACPDUs.
>
> I think that's a mistake. If both secure wire interfaces land on the
> same switch, RSTP/MSTP ought to block one of the interfaces. Separate
> switches won't help if both are multihomed to common distribution
> switches. The secure wire will look like two edge interfaces were
> cabled together, and RSTP/MSTP will block.
>
> I set up a test with two ex4200s and a secure wire between them. No
> BPDUs or LACPDUs make it across. Seems good, but now I'm nervous
> that the behavior doesn't match the documentation.
>
> Have I missed something? Case is open, but it stalled at the repeat
> the documentation stage.
>
> https://www.juniper.net/techpubs/en_US/junos12.3x48/topics/concept/layer-2-secure-wire-understanding.html
>
> Ross
>
The doco needs a slight update (or better yet, a cross-reference) to the link below.
In the documentation for Transparent Mode, it mentions the Layer 2 bridging exceptions on SRX that apply when using a bridge-domain for transparent-mode, which is the same method SecureWire uses for tying interfaces together.
http://www.juniper.net/techpubs/en_US/junos11.4/information-products/topic-collections/security/software-all/layer-2/index.html?topic-52744.html
You'll see there that xSTP is specifically called out.
Cheers,
Ben