
[SRX] Example - Configure Transparent mode on Junos OS 15.1X49 SRX platform


Article ID: KB31147 KB Last Updated: 23 Apr 2020 Version: 6.0
Summary:

This article provides a configuration example for the Layer 2 transparent mode on SRX platforms running Junos OS release 15.1X49.

 

Symptoms:

Junos OS release 15.1X49 introduced a new Layer 2 feature. As a result, the Layer 2 configuration differs from that used in Junos OS release 12.3X48 or earlier. Junos OS release 15.1X49 provides two Layer 2 modes: transparent mode and switching mode.

The Layer 2 mode is defined by using the following command:

set protocols l2-learning global-mode (transparent-bridge | switching)

Transparent mode is the default mode. For SRX Series devices, transparent mode provides full security services for Layer 2 bridging capabilities. For more detail, refer to the following link:

This article describes how to configure transparent mode in devices running Junos OS release 15.1X49 based on the following topology:

For configuring transparent mode in devices running Junos OS release 12.3X48 or earlier, refer to KB21421 [SRX] Configuration Example - Transparent mode on SRX platforms.

 

Solution:

Configuration

Note: System reboot is required after commit.

set system services ssh
set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit

set security policies from-zone Untrust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-https
set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit

set security policies from-zone Trust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match application any
set security policies from-zone Trust to-zone DMZ policy trust-untrust then permit

set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT interfaces ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set interfaces irb unit 20 family inet address 10.0.0.254/24

set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20
set vlans vlan-20 l3-interface irb.20

Note: If the SRX device is connected to a Layer 2 switch, the bpdu-vlan-flooding command is needed. Refer to ethernet-switching for more details.

set security flow ethernet-switching bpdu-vlan-flooding
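
A small lint for a transparent-mode configuration like the one above, as an added example (not Juniper code): it parses set commands and reports Layer 2 interfaces with no security-zone binding, VLAN members with no VLAN definition, a global mode other than transparent-bridge, any/any/any permit policies, and zones that allow host-inbound system-services all. The function name audit, the finding labels and the trimmed sample input are assumptions made for this example.

```python
import re
# Constructed input: subset of the article's commands; Trust zone binding for ge-0/0/3.0 omitted on purpose.
SAMPLE = """\
set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit
set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT interfaces ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20
"""

def audit(config):
    """Return sorted findings (labels are this example's own) for 'set' lines."""
    zoned, l2, vlans, permit, match, out = set(), {}, set(), set(), {}, []
    for line in config.splitlines():
        if m := re.match(r"set security zones security-zone \S+ interfaces (\S+)$", line):
            zoned.add(m[1])
        elif m := re.match(r"set security zones security-zone (\S+) host-inbound-traffic system-services all$", line):
            out.append(f"host-inbound-all zone={m[1]}")
        elif m := re.match(r"set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$", line):
            l2[f"{m[1]}.{m[2]}"] = m[3]  # logical interface -> VLAN name
        elif m := re.match(r"set vlans (\S+) vlan-id \d+$", line):
            vlans.add(m[1])
        elif m := re.match(r"set protocols l2-learning global-mode (\S+)$", line):
            if m[1] != "transparent-bridge":
                out.append(f"not-transparent mode={m[1]}")
        elif m := re.match(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (.+)$", line):
            key, rest = (m[1], m[2], m[3]), m[4].split()
            if rest == ["then", "permit"]:
                permit.add(key)
            elif len(rest) == 3 and rest[0] == "match":
                match.setdefault(key, {}).setdefault(rest[1], set()).add(rest[2])
    for ifl, vlan in l2.items():
        if ifl not in zoned:
            out.append(f"unzoned-l2-interface {ifl}")
        if vlan not in vlans:
            out.append(f"undefined-vlan {ifl} -> {vlan}")
    for key in permit:
        fields = match.get(key, {})
        if all(fields.get(f) == {"any"} for f in ("source-address", "destination-address", "application")):
            out.append("permit-any-any-any {}->{} policy={}".format(*key))
    return sorted(out)
```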

Verification

You can check the current Layer 2 mode with the command: show ethernet-switching global-information

root@SRX300> show ethernet-switching global-information
Global Configuration:

MAC aging interval    : 300
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 16383
MAC limit hit         : Disabled
MAC packet action drop: Disabled
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Transparent bridge  <<<< current Layer 2 mode   

The show ethernet-switching table command is helpful to confirm the MAC address table:

root@SRX300> show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 3 entries, 3 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical                NH        RTR
    name                address             flags              interface              Index     ID
    vlan-100            00:50:56:85:59:d3   D             -   ge-0/0/2.0             0         0
    vlan-100            00:50:56:85:d4:88   D             -   ge-0/0/1.0             0         0
    vlan-100            00:50:56:85:e5:7b   D             -   ge-0/0/1.0             0         0

 

Modification History:
  • 2020-04-23: Added bpdu-vlan-flooding command as a note in the Solution section

  • 2020-03-02: Minor, non-technical edit

  • 2018-04-13: Fixed typo in security policy name

 
