[SRX] Example - Configure Transparent mode on Junos 15.1X49 SRX platform

  [KB31147]


Summary:

This article provides a configuration example for the Layer 2 transparent mode on Junos 15.1X49 SRX platforms.

Symptoms:
A new Layer 2 implementation was introduced in Junos 15.1X49. As a result, the Layer 2 configuration differs from Junos 12.3X48 and earlier releases. Junos 15.1X49 provides two Layer 2 modes: transparent mode and switching mode.

Layer 2 mode is defined using the command:

   set protocols l2-learning global-mode {transparent-bridge/switching}

Transparent mode is the default. On SRX Series devices, transparent mode provides full security services for Layer 2 bridged traffic. For more detail, please refer to the following link:

This article describes how to configure transparent mode in Junos 15.1X49 based on the following topology.

For transparent mode in Junos 12.3X48 or earlier releases, please refer to KB21421 [SRX] Configuration Example - Transparent mode on SRX platforms.

Solution:

Configuration

Note: A system reboot is required after committing this configuration.

set system services ssh
set security policies from-zone Trust to-zone Untrust policy trust-untrust match source-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone Untrust policy trust-untrust match application any
set security policies from-zone Trust to-zone Untrust policy trust-untrust then permit

set security policies from-zone Untrust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-http
set security policies from-zone Untrust to-zone DMZ policy trust-untrust match application junos-https
set security policies from-zone Untrust to-zone DMZ policy trust-untrust then permit

set security policies from-zone Trust to-zone DMZ policy trust-untrust match source-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match destination-address any
set security policies from-zone Trust to-zone DMZ policy trust-untrust match application any
set security policies from-zone Trust to-zone DMZ policy trust-untrust then permit

set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security-zone MGMT interfaces ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set interfaces irb unit 20 family inet address 10.0.0.254/24

set protocols l2-learning global-mode transparent-bridge
set vlans vlan-10 vlan-id 10
set vlans vlan-20 vlan-id 20
set vlans vlan-20 l3-interface irb.20
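
As an added pre-commit check (example code, not part of this KB or of Junos), the following Python script lints the Layer 2 statements above as set-style text: it verifies that the global mode is transparent-bridge, that every ethernet-switching interface is assigned to a security zone (and every zone interface has a VLAN membership), and it flags a malformed zone statement such as the missing hyphen in "security zone MGMT". The embedded config text and the lint rules are constructed for this example.

```python
import re

ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)$")
VLAN_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family ethernet-switching vlan members (\S+)$")
MODE_RE = re.compile(r"^set protocols l2-learning global-mode (\S+)$")

# Constructed sample: the KB's zone, VLAN-membership and mode statements,
# including the malformed MGMT zone line exactly as it was posted.
CONFIG = """\
set security zones security-zone MGMT host-inbound-traffic system-services all
set security zones security zone MGMT interface ge-0/0/0.0
set security zones security-zone Untrust interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
set security zones security-zone Trust interfaces ge-0/0/3.0
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-20
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-10
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members vlan-10
set protocols l2-learning global-mode transparent-bridge
"""
# Same statements with the MGMT zone line written correctly.
FIXED = CONFIG.replace("security zone MGMT interface ", "security-zone MGMT interfaces ")


def lint(config: str) -> list:
    """Return findings for a set-style transparent-mode config (empty list = clean)."""
    findings, zone_of, vlan_of, mode = [], {}, {}, None
    for line in config.splitlines():
        if m := ZONE_RE.match(line):
            zone_of[m.group(2)] = m.group(1)          # logical interface -> zone
        elif m := VLAN_RE.match(line):
            vlan_of[f"{m.group(1)}.{m.group(2)}"] = m.group(3)  # ge-0/0/1.0 -> vlan-10
        elif m := MODE_RE.match(line):
            mode = m.group(1)
        elif line.startswith("set security zones ") and "security-zone " not in line:
            # Catches 'security zone ... interface' (the typo in the KB as posted).
            findings.append(f"malformed zone statement: {line}")
    if mode != "transparent-bridge":
        findings.append(f"l2-learning global-mode is {mode!r}, expected transparent-bridge")
    for iface, vlan in vlan_of.items():
        if iface not in zone_of:
            findings.append(f"{iface} ({vlan}) is not assigned to a security zone")
    for iface, zone in zone_of.items():
        if iface not in vlan_of:
            findings.append(f"{iface} in zone {zone} has no ethernet-switching VLAN membership")
    return findings
```

Running lint(CONFIG) reports the malformed zone line and, as a consequence, ge-0/0/0.0 having no zone; lint(FIXED) returns an empty list.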

Verification

You can check the current Layer 2 mode with the command: show ethernet-switching global-information

root@SRX300> show ethernet-switching global-information
Global Configuration:

MAC aging interval    : 300
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 16383
MAC limit hit         : Disabled
MAC packet action drop: Disabled
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Transparent bridge  <<<< current Layer 2 mode   

The show ethernet-switching table command is helpful for confirming the MAC address table:

root@SRX300> show ethernet-switching table

MAC flags (S - static MAC, D - dynamic MAC, L - locally learned, P - Persistent static, C - Control MAC
           SE - statistics enabled, NM - non configured MAC, R - remote PE MAC, O - ovsdb MAC)


Ethernet switching table : 3 entries, 3 learned
Routing instance : default-switch
    Vlan                MAC                 MAC         Age    Logical                NH        RTR
    name                address             flags              interface              Index     ID
    vlan-100            00:50:56:85:59:d3   D             -   ge-0/0/2.0             0         0
    vlan-100            00:50:56:85:d4:88   D             -   ge-0/0/1.0             0         0
    vlan-100            00:50:56:85:e5:7b   D             -   ge-0/0/1.0             0         0

Modification History:
04/13/2018 fixed typo in security policy name