
[SRX] Example – Configuring Transparent-Bridging as of Junos 15.1X49

  [KB31081]


Summary:

SRX300 series, SRX550M and SRX1500 devices support both transparent-bridging and ethernet-switching Layer-2 modes. This article provides an example of how to configure the SRX for transparent-bridging L2 mode.

Background:

Starting in Junos OS 15.1X49-D50 and Junos OS 17.3R1, the factory-default configuration includes ‘set protocols l2-learning global-mode switching’. When these devices are loaded or reset with the factory-default configuration, they start up in switching mode.


As of Junos OS 15.1X49:

  • L2 modes transparent-bridging and ethernet-switching both use ‘set interfaces <> family ethernet-switching’
  • L2 mode selection is based on device configuration
    • set protocols l2-learning global-mode <switching | transparent-bridge>
  • irb.x interfaces replace vlan.x interfaces and are used based on L2 mode selection:
    • Transparent-Bridging
      • IRB interface is used as local management interface
    • Ethernet-Switching
      • IRB interface is associated to layer-2 VLANs to allow L3-based routing

Note:  When not explicitly configured using ‘set protocols l2-learning global-mode’, the L2 mode is selected as follows when interfaces are configured with family ethernet-switching:

SRX300 Series & SRX550M
  • 15.1X49-D10 - 15.1X49-D90 = Transparent-Bridging
  • 15.1X49-D100 and subsequent versions = Switching
SRX1500
  • 15.1X49-D50 and subsequent versions = Transparent-Bridging


To configure Transparent-Bridging on SRX devices running earlier Junos versions, refer to KB21421: Configuration Example - Transparent mode on SRX platforms.

Solution:

Technical documentation, Layer 2 Networking, provides detailed information on the use of switching and transparent-bridging modes on SRX security devices.


Configuration Example:

1) Review current L2 mode setting:

root@SRX340> show ethernet-switching global-information
Global Configuration:

MAC aging interval : 0
MAC learning : Enabled
MAC statistics : Disabled
MAC limit Count : 0
MAC limit hit : Disabled
MAC packet action drop: Disabled
LE aging time : 1200
LE VLAN aging time : 1200
Global Mode : Switching

Note: A value of 'not set' appears when no interfaces are configured with family ethernet-switching.

2) Adjust L2 mode for transparent-bridging:

set protocols l2-learning global-mode transparent-bridge

3) Add interfaces for transparent-bridging:

set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan10
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan10

Note: An interface is in 'access' interface-mode by default, so 'interface-mode' does not have to be configured explicitly when using untagged traffic.

4) Add irb.0 interface for management access:

set interfaces irb unit 0 family inet address 10.10.10.1/24

5) Add interfaces to zones:

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/2.0

Note: The device management services allowed for connections to irb.x are determined by the host-inbound-traffic services permitted in the zone of the incoming interface.

6) Define VLAN bridge domain and associated device management access:

set vlans vlan10 vlan-id 10
set vlans vlan10 l3-interface irb.0

7) Define security policy for transparent traffic: 

set security policies from-zone trust to-zone untrust policy allow match source-address any
set security policies from-zone trust to-zone untrust policy allow match destination-address any
set security policies from-zone trust to-zone untrust policy allow match application any 
set security policies from-zone trust to-zone untrust policy allow then permit

8) Save configuration to apply changes:

commit
warning:  L2 global mode is changed from switching mode to transparent mode.
Please use the command request system reboot on current node or all nodes in case of HA cluster!
commit complete

9) Reboot device to activate transparent-bridging mode:

> request system reboot

10) Verify L2 mode adjustment to transparent mode:

root@SRX340> show ethernet-switching global-information
Global Configuration:

MAC aging interval : 0
MAC learning : Enabled
MAC statistics : Disabled
MAC limit Count : 0
MAC limit hit : Disabled
MAC packet action drop: Disabled
LE aging time : 1200
LE VLAN aging time : 1200
Global Mode : Transparent bridge
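
The mode comparison from steps 1 and 10 and the zone binding from step 5 can be checked by script. The following Python sketch is an added example, not part of the Juniper article; its sample input is constructed from the article's commands, and the function names are hypothetical.

```python
import re

# Constructed sample: set commands from the article's steps 2-5 and a trimmed
# 'show ethernet-switching global-information' output taken before the reboot.
SAMPLE_CONFIG = """\
set protocols l2-learning global-mode transparent-bridge
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode trunk
set interfaces irb unit 0 family inet address 10.10.10.1/24
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/2.0
"""
SAMPLE_OUTPUT = """\
Global Configuration:
MAC learning : Enabled
Global Mode : Switching
"""

# Configuration keyword -> label shown in the operational output (both from the article).
MODE_LABEL = {"switching": "Switching", "transparent-bridge": "Transparent bridge"}

def configured_mode(config):
    m = re.search(r"^set protocols l2-learning global-mode (\S+)", config, re.M)
    return m.group(1) if m else None

def running_mode(output):
    m = re.search(r"^Global Mode\s*:\s*(.+?)\s*$", output, re.M)
    return m.group(1) if m else None

def audit(config, output):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    want, have = configured_mode(config), running_mode(output)
    if want is None:
        findings.append("global-mode not set: L2 mode depends on platform and release")
    elif MODE_LABEL.get(want) != have:
        findings.append(f"reboot pending: configured {want}, running {have}")
    # Logical interfaces (name.unit) carrying family ethernet-switching.
    l2 = {f"{i}.{u}" for i, u in re.findall(
        r"^set interfaces (\S+) unit (\d+) family ethernet-switching", config, re.M)}
    zoned = set(re.findall(
        r"^set security zones security-zone \S+ interfaces (\S+)", config, re.M))
    for ifl in sorted(l2 - zoned):
        findings.append(f"{ifl}: family ethernet-switching but no security zone")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_OUTPUT):
        print(finding)
```

With the constructed sample, the script reports a pending reboot because the committed mode is transparent-bridge while the device still runs in switching mode.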

Modification History:
2019-08-03: Organization updates and technical refresh of content.
2018-03-29: Corrected Junos version where default mode is changed (in D50 only factory default config was changed)