Yuntihai - Sharing platform for professional articles, sample documents and reference materials


Juniper SRX Transparent Mode Configuration

  • 2025/6/25 5:05:38

[SRX] Configuration Example - Transparent mode on SRX platforms

[KB21421]

SUMMARY:

This article provides information about support extended for the Layer 2 transparent mode on SRX platforms.

PROBLEM OR GOAL:

From Junos OS Release 11.1 onwards, Layer 2 transparent mode support is available on all SRX platforms.

This feature is now supported on SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, and SRX650 devices, in addition to existing support on SRX1400, SRX3400, SRX3600, SRX5600, and SRX5800 devices.

SRX Series devices provide a Layer 2 transparent mode in which security policies are enforced on packets before switching functions are applied. An SRX Series device operates in Layer 2 transparent mode when all physical bridging domains on the device are partitioned into logical bridging domains.

Note: Refer to the Junos Release Notes for features that are not supported in the Layer 2 transparent mode.

SOLUTION:

To deploy the transparent mode on SRX, bridge-domain and interface family bridge must be configured.

Configuration example:

interfaces {
    ge-0/0/0 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    ge-0/0/7 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 172.27.186.63/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.27.186.1;
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy 1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-init;
                        session-close;
                    }
                }
            }
        }
    }
    log {
        mode stream;
        format sd-syslog;
        source-address 172.27.186.63;
        stream test {
            host {
                172.27.186.57;
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcp;
                            tftp;
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/7.0;
            }
        }
    }
}
bridge-domains {
    test {
        domain-type bridge;
        vlan-id 10;
        routing-interface irb.0;
    }
}

Note: As all the physical interfaces will be configured as L2 interfaces, no L3 IP address can be configured on the physical interface. When the traffic log mode is stream, the log will be sent directly from the forwarding plane. The IRB interface must be configured as the routing interface to implement this feature.
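The constraints in this note can be checked offline against a saved configuration before the commit and reboot. The following Python script is an added example, not part of the Juniper article: parse, values and audit are hypothetical helper names, the sample is constructed from the configuration example, and the VLAN check assumes each interface vlan-id should match a bridge domain, as it does in that example.

```python
import re
# Constructed sample: the article's example, trimmed to the statements checked here.
SAMPLE = """
interfaces {
    ge-0/0/0 { unit 0 { family bridge { interface-mode access; vlan-id 10; } } }
    irb { unit 0 { family inet { address 172.27.186.63/24; } } } }
bridge-domains { test { domain-type bridge; vlan-id 10; routing-interface irb.0; } }
"""

def parse(text):
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    stack, words = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(words), {}))
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if words or len(stack) == 1:  # statement missing ';' or stray '}'
                raise ValueError("syntax error near: " + (" ".join(words) or "}"))
            stack.pop()
        else:
            words.append(tok)
    if words or len(stack) > 1:
        raise ValueError("unterminated statement or unbalanced braces")
    return stack[0]

def values(block, key):  # second word of every statement in block that starts with key
    return {s.split()[1] for s in block or {} if s.startswith(key + " ")}

def audit(cfg):
    """Return findings where cfg breaks the transparent-mode rules checked here."""
    findings, vlans, irbs = [], set(), set()
    for name, ifc in cfg.get("interfaces", {}).items():
        for n in values(ifc, "unit"):
            body = ifc[f"unit {n}"] or {}
            if name == "irb":
                irbs.add(f"irb.{n}")
            elif "family inet" in body:
                findings.append(f"{name}.{n}: family inet on a physical interface")
            vlans |= values(body.get("family bridge"), "vlan-id")
    domains = cfg.get("bridge-domains", {})
    covered = {v for d in domains.values() for v in values(d, "vlan-id")}
    findings += [f"vlan-id {v}: not carried by any bridge domain" for v in sorted(vlans - covered)]
    findings += [f"bridge-domain {bd}: {r} is not configured"
                 for bd, body in domains.items() for r in sorted(values(body, "routing-interface") - irbs)]
    return findings
```

An empty list from audit(parse(text)) means none of the checked rules is violated; parse raises ValueError on a statement that lacks its terminating semicolon.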

If you are configuring out-of-band management, use the following settings for bridge domains:

bridge-domains {
    test {
        domain-type bridge;
        vlan-id 10;
    }
    oob {
        domain-type bridge;
        vlan-id 30;
        routing-interface irb.0;
    }
}

You will also need to use the command set security flow bridge bpdu-vlan-flooding if the SRX is connected to an L2 switch.

Note: After you commit the change, you must reboot the device:

root# commit
warning: Interfaces are changed from route mode to transparent mode. Please reboot the device or all nodes in the HA cluster!
commit complete
