Hi Hector,  the BDI is untagged and from what I read untagged BDIs do not run Spanningtree.  It is a layer2 broadcast domain.

Untagged frames are usually handled by the Layer 2 device (Switch or "bridge") as in Vlan 1 which is the default native Vlan.

It sounds to me that Spanning-Tree (STP) should determine here the path traffic takes by logically blocking one link. Just like if you were connecting three Layer 2 Switches in a triangle.

In a triangle topology with no STP, broadcast and unknown unicast frames would loop forever. 

This by assuming that you are also bridging the two interfaces in your SRX just like you are doing on the Routers.

Hello Neil,

Hector is right : STP is needed to build a working network if there is L2 redundancy.

In other words if STP would be disabled your network would become a bridging loop and will be unstable and unusable.

Also the SRX is a single node or it is a cluster of two SRXs?

Hope to help

Giuseppe

The SRX interface is not layer two so does not forward broadcast of multicast traffic. I don't have a broadcast problem what i would like to know is if the BDI uses one mac address for all interfaces how is the path to the destination selected?

Hello Neil,

I have reviewed your network diagram you are using the redundant ethernet feature on the SRX.

see

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-redundant-ethernet-interfaces.html

As far as I remember both child physical interfaces are active and L3 processing is performed by the node that owns the reth configuration (the node that is active for the redundancy group to which the reth logical interface is associated)

So I agree you have not bridging loop issues. However, I would expect frames sourced by SRX to use a single source MAC address associated to the reth interface (for ARP resolution consistency just to make an example)

In the bridge domain on Cisco routers MAC address learning should determine the path to use.

And if only one source MAC address is used by SRX on both child physical interfaces the path will change over time using the last active SRX child interface.

Be aware that on the SRX side the reth interface will be up until the child interface on the active node is up as explained in the document linked above

>> A redundant Ethernet interface inherits its failover properties from the redundancy group x that it belongs to. A redundant Ethernet interface remains active as long as its primary child interface is available or active. For example, if reth0 is associated with redundancy group 1 and redundancy group 1 is active on node 0, then reth0 is up as long as the node 0 child of reth0 is up. 

This means that for achieving fault tolerance at node level you should use two different reth interfaces on SRX using two different pairs of child interfaces and connect them to two bridge domains on the Cisco router side.

I can confirm that the behaviour is the one described in the sentence above I have seen it in lab tests performed some years ago.

Hope to help

Giuseppe

Thanks for the input Guiseppe,  We're happy with the SRX configuration.