This article provides a configuration example for the Layer 2 transparent mode on SRX platforms running Junos OS release 15.1X49.

 

A new Layer 2 feature has been introduced since Junos OS release 15.1X49. Due to this, there has been some modification in the Layer 2 configuration from Junos OS release 12.3X48 or earlier. Junos OS release 15.1X49 provides two kinds of Layer 2 mode: transparent mode and switching mode.

The Layer 2 mode is defined by using the following command:

set protocols l2-learning global-mode {transparent-bridge/switching}

Transparent mode is the default mode. For SRX Series devices, transparent mode provides full security services for Layer 2 bridging capabilities. For more detail, refer to the following link:

• Ethernet Switching and Layer 2 Transparent Mode Overview

This article describes how to configure transparent mode in devices running Junos OS release 15.1X49 based on the following topology:

For configuring transparent mode in devices running Junos OS release 12.3X48 or earlier, refer to KB21421 [SRX] Configuration Example - Transparent mode on SRX platforms.

 

Configuration

Note: System reboot is required after commit.

set system services ssh
set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit

set security policies from-zone Untrust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-https
set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit

set security policies from-zone Trust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match application any
set security policies from-zone Trust to-zone DMZ policy trust-untrust then permit

set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security zone MGMT interface ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set interfaces irb unit 20 family inet address 10.0.0.254/24

set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20
set vlans vlan-20 l3-interface irb.20

Note: If the SRX device is connected to an L2 switch, the bpdu-vlan-flooding command would be needed. Refer to ethernet-switching for more details.

set security flow ethernet-switching bpdu-vlan-flooding

Verification

You can check the current Layer 2 mode with the command: show ethernet-switching global-information

root@SRX300>show ethernet-switching global-information
Global Configuration:

MAC aging interval    : 300
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 16383
MAC limit hit         : Disabled
MAC packet action drop: Disabled
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Transparent bridge  <<<< current Layer 2 mode   

The show ethernet-switching table command is helpful to confirm the MAC address table:

root@SRX300> show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 3 entries, 3 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical                NH        RTR
    name                address             flags              interface              Index     ID
    vlan-100            00:50:56:85:59:d3   D             -   ge-0/0/2.0             0         0
    vlan-100            00:50:56:85:d4:88   D             -   ge-0/0/1.0             0         0
    vlan-100            00:50:56:85:e5:7b   D             -   ge-0/0/1.0             0         0

 

• 2020-04-23: Added bpdu-vlan-flooding command as a note in the Solution section

• 2020-03-02: Minor, non-technical edit

• 2018-04-13: Fixed typo in security policy name