[SRX] Configuration Example - Transparent mode on SRX platforms

Article ID: KB21421
Last Updated: 25 Mar 2020
Version: 7.0
Summary:

This article describes the extended Layer 2 transparent mode support on SRX platforms and gives a configuration example.

For additional information, see KB31147 - [SRX L2NG] Configuration Example - Transparent mode on Junos 15.1X49 SRX platform

Symptoms:

From Junos OS Release 11.1 onwards, Layer 2 transparent mode support is available on all SRX platforms.

This feature is now supported on SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, in addition to the existing support on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

SRX Series devices provide a Layer 2 transparent mode in which security policies are enforced on packets before any switching function is applied. An SRX Series device operates in Layer 2 transparent mode when all physical bridging domains on the device are partitioned into logical bridging domains.

Note: Refer to the Junos Release Notes for features that are not supported in Layer 2 transparent mode.

Solution:

To deploy transparent mode on an SRX, configure a bridge domain and set family bridge on every interface that belongs to it.

Configuration example:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 172.27.186.63/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.27.186.1;
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    log {
        mode stream;
        format sd-syslog;
        source-address 172.27.186.63;
        stream test {
            host {
                172.27.186.57;
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {            
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0;
            }
        }
    }
}
bridge-domains {
    test {
        domain-type bridge;
        vlan-id 10;
        routing-interface irb.0;
    }
}

Note: Because all physical interfaces are configured as Layer 2 interfaces, no Layer 3 IP address can be configured on a physical interface. When the traffic log mode is stream, logs are sent directly from the forwarding plane, so the IRB interface must be configured as the routing interface of the bridge domain for this to work.

If you are configuring out-of-band management, use the following settings for bridge domains:

bridge-domains {
    test {
        domain-type bridge;
        vlan-id 10;
    }
    oob {
        domain-type bridge;
        vlan-id 30;
        routing-interface irb.0;
    }
}

If the SRX is connected to a Layer 2 switch, you must also configure the command set security flow bridge bpdu-vlan-flooding.
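As an added check (example code written for this article, not Juniper's own tooling or any Junos command), the following Python script parses configuration text in the curly-brace hierarchy shown above into nested dictionaries and reports where a candidate configuration breaks the rules this article states: a physical interface carrying family inet instead of family bridge, a bridge domain whose vlan-id has no member interface, no bridge domain naming an IRB routing-interface, and a missing security flow bridge bpdu-vlan-flooding statement. The parser also rejects a statement that lacks its terminating semicolon. SAMPLE_CONFIG is constructed for the example: it reduces the article's stanzas to one access port, adds the out-of-band oob bridge domain, and includes one deliberately wrong interface (ge-0/0/2 with the documentation address 192.0.2.1/24) so the check visibly fires. The names parse_junos and check_transparent_mode are the example's own.

```python
from typing import Any, Dict, List

# Constructed sample (example-only, not the article's full configuration): one
# bridged access port, the oob bridge domain holding the IRB, and ge-0/0/2
# deliberately misconfigured with an L3 address on a physical interface.
SAMPLE_CONFIG = """
interfaces {
    ge-0/0/0 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 172.27.186.63/24;
            }
        }
    }
}
bridge-domains {
    test {
        domain-type bridge;
        vlan-id 10;
    }
    oob {
        domain-type bridge;
        vlan-id 30;
        routing-interface irb.0;
    }
}
"""


def parse_junos(text: str) -> Dict[str, Any]:
    """Parse Junos curly-brace configuration into nested dicts.

    A line ending in '{' opens a stanza keyed by its header ("unit 0",
    "family bridge", ...); a line ending in ';' is a leaf stored as
    keyword -> argument (None for bare keywords such as "all;").
    """
    root: Dict[str, Any] = {}
    stack: List[Dict[str, Any]] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            child: Dict[str, Any] = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            keyword, _, argument = line[:-1].partition(" ")
            stack[-1][keyword] = argument or None
        else:
            raise ValueError(f"statement is missing its ';': {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def check_transparent_mode(config: Dict[str, Any]) -> List[str]:
    """Return the transparent-mode rules from the article that the config breaks."""
    findings: List[str] = []
    interfaces = config.get("interfaces", {})
    domains = config.get("bridge-domains", {})
    bridged_vlans = set()
    for ifname, ifcfg in interfaces.items():
        if ifname == "irb":
            continue  # the IRB is the one interface that may carry an L3 address
        for unit, ucfg in ifcfg.items():
            if not unit.startswith("unit "):
                continue
            if "family inet" in ucfg or "family inet6" in ucfg:
                findings.append(f"{ifname} {unit}: L3 family on a physical interface; "
                                "transparent mode allows family bridge only")
            elif "family bridge" in ucfg:
                bridged_vlans.add(ucfg["family bridge"].get("vlan-id"))
            else:
                findings.append(f"{ifname} {unit}: no family bridge configured")
    routed = False
    for dname, dcfg in domains.items():
        vid = dcfg.get("vlan-id")
        if vid not in bridged_vlans:
            findings.append(f"bridge-domain {dname}: vlan-id {vid} has no member interface")
        rif = dcfg.get("routing-interface")
        if rif:
            routed = True
            name, _, unit = rif.partition(".")
            if f"unit {unit}" not in interfaces.get(name, {}):
                findings.append(f"bridge-domain {dname}: routing-interface {rif} is not defined")
    if not routed:
        findings.append("no bridge-domain names an IRB routing-interface (needed for stream logging)")
    flow = config.get("security", {}).get("flow", {}).get("bridge", {})
    if "bpdu-vlan-flooding" not in flow:
        findings.append("security flow bridge bpdu-vlan-flooding is not set (needed behind an L2 switch)")
    return findings


if __name__ == "__main__":
    for finding in check_transparent_mode(parse_junos(SAMPLE_CONFIG)):
        print("FINDING:", finding)
```

On the constructed sample the script reports three findings: the L3 address on ge-0/0/2, the oob domain's vlan-id 30 having no member interface, and the absent bpdu-vlan-flooding statement. The parser handles only the plain hierarchy used in this article (the text of show configuration for the interfaces, bridge-domains and security stanzas); annotations, inactive: stanzas and quoted strings containing a semicolon are not covered.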

Note: After you commit the change, you must reboot the device:

root# commit
warning: Interfaces are changed from route mode to transparent mode. Please reboot the device or all nodes in the HA cluster!
commit complete

Modification History:
2020-03-25: Article reviewed for accuracy; it is valid and accurate
