This article provides a configuration example for the Layer 2 transparent mode on SRX platforms running Junos OS release 15.1X49.
A new Layer 2 feature was introduced in Junos OS release 15.1X49. As a result, the Layer 2 configuration differs from that of Junos OS release 12.3X48 and earlier. Junos OS release 15.1X49 provides two Layer 2 modes: transparent mode and switching mode.
The Layer 2 mode is defined by using the following command:
set protocols l2-learning global-mode (transparent-bridge | switching)
Transparent mode is the default mode. For SRX Series devices, transparent mode provides full security services for Layer 2 bridging capabilities. For more detail, refer to the following link:
This article describes how to configure transparent mode in devices running Junos OS release 15.1X49 based on the following topology:

For configuring transparent mode in devices running Junos OS release 12.3X48 or earlier, refer to KB21421 [SRX] Configuration Example - Transparent mode on SRX platforms.
Configuration
Note: A system reboot is required after commit.
set system services ssh
set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-https
set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit
set security policies from-zone Trust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match application any
set security policies from-zone Trust to-zone DMZ policy trust-untrust then permit
set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT interfaces ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set interfaces irb unit 20 family inet address 10.0.0.254/24
set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20
set vlans vlan-20 l3-interface irb.20
Note: If the SRX device is connected to an L2 switch, the bpdu-vlan-flooding command is needed. Refer to ethernet-switching for more details.
set security flow ethernet-switching bpdu-vlan-flooding
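A configuration like the one above can be checked before commit with a short script. The following is an added example, not part of the original article or of any Juniper tooling: it parses the set commands, confirms that every zone interface is a Layer 2 port in a defined VLAN and that the global mode is transparent-bridge, and lists the broad rules (any/any/any permits, host-inbound-traffic system-services all) so they can be reviewed. The audit function and the SAMPLE text are constructed for illustration, and the script assumes VLANs are referenced by name.

```python
import re
from collections import defaultdict
# Constructed sample: a subset of the set commands from the configuration above.
SAMPLE = """\
set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit
set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone DMZ interfaces ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
"""

def audit(config):
    """Return findings for a transparent-mode configuration in 'set' format (hypothetical helper)."""
    find = lambda pattern: re.findall(pattern, config, re.M)
    vlans = set(find(r"^set vlans (\S+) vlan-id \d+"))
    ports = {f"{i}.{u}": v for i, u, v in
             find(r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)")}
    findings = []
    # An absent global-mode statement means transparent mode, the default.
    for mode in find(r"^set protocols l2-learning global-mode (\S+)"):
        if mode != "transparent-bridge":
            findings.append(f"global-mode is {mode}, not transparent-bridge")
    # Every zone interface must be a Layer 2 port in a VLAN that is defined.
    for zone, ifl in find(r"^set security zones security-zone (\S+) interfaces (\S+)"):
        if ifl not in ports:
            findings.append(f"zone {zone}: {ifl} has no ethernet-switching VLAN")
        elif ports[ifl] not in vlans:
            findings.append(f"zone {zone}: {ifl} uses undefined VLAN {ports[ifl]}")
    for zone in find(r"^set security zones security-zone (\S+) host-inbound-traffic system-services all$"):
        findings.append(f"zone {zone}: host-inbound-traffic system-services all")
    # Collect match values per (zone pair, policy), then flag permits that match any/any/any.
    policy, match = r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) ", defaultdict(set)
    for *key, field, value in find(policy + r"match (\S+) (\S+)"):
        match[tuple(key), field].add(value)
    for key in find(policy + r"then permit"):
        if all(match[key, f] == {"any"} for f in ("source-address", "destination-address", "application")):
            findings.append("policy {2} ({0} -> {1}): permits any/any/any".format(*key))
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

To check a full configuration, pass the text of show configuration | display set to audit() in place of SAMPLE.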
Verification
You can check the current Layer 2 mode with the command: show ethernet-switching global-information
root@SRX300> show ethernet-switching global-information
Global Configuration:
MAC aging interval : 300
MAC learning : Enabled
MAC statistics : Disabled
MAC limit Count : 16383
MAC limit hit : Disabled
MAC packet action drop: Disabled
LE aging time : 1200
LE VLAN aging time : 1200
Global Mode : Transparent bridge <<<< current Layer 2 mode
The show ethernet-switching table command is helpful to confirm the MAC address table:
root@SRX300> show ethernet-switching table
MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)
Ethernet switching table : 3 entries, 3 learned
Routing instance : default-switch
Vlan          MAC                 MAC      Age    Logical       NH       RTR
name          address             flags           interface     Index    ID
vlan-100      00:50:56:85:59:d3   D        -      ge-0/0/2.0    0        0
vlan-100      00:50:56:85:d4:88   D        -      ge-0/0/1.0    0        0
vlan-100      00:50:56:85:e5:7b   D        -      ge-0/0/1.0    0        0