SRX Services Gateway
Contributor
Posts: 50
Registered: ‎03-11-2017
0 Kudos
Accepted Solution

SRX in transparent mode

1- SRX in transparent mode works by assigning interfaces with the same VLAN ID to a bridge domain and enforcing security services between them. Is my understanding of the concept of transparent mode correct?

2- Is it possible to make two different bridge domains on the same SRX communicate with each other?

Distinguished Expert
Posts: 4,791
Registered: ‎03-30-2009

Re: SRX in transparent mode

1- SRX in transparent mode works by assigning interfaces with the same VLAN ID to a bridge domain and enforcing security services between them. Is my understanding of the concept of transparent mode correct?

No, in transparent mode all interfaces are in the same broadcast domain and are invisible to switches and other devices, having no MAC address. The device management address must also be in the same broadcast domain as all the traffic through the device.

Transparent mode is used to insert a firewall into an existing infrastructure as a "bump in the wire", meaning no layer 2 or layer 3 configuration changes are needed on the devices between which the SRX is inserted. This is most often used to insert a firewall in front of a single device on an existing network.

2- Is it possible to make two different bridge domains on the same SRX communicate with each other?

I don't understand what this would look like. If you need to bridge devices on two different bridge domains, why would you not simply remove one and place all the interfaces into the other?

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 50
Registered: ‎03-11-2017
0 Kudos

Re: SRX in transparent mode

Oh,

So in transparent mode the SRX interfaces will be without a MAC address?

But I got confused because in the JNCIP material it is said that you can create one or more bridge domains, and that you can create multiple VLANs and assign multiple VLANs to a single bridge domain...

Super Contributor
Posts: 110
Registered: ‎01-19-2015

Re: SRX in transparent mode

Hi Ahmed,

Yes, an SRX in transparent mode is basically an L2 switch with limited security functionalities, and hence it does not show its interfaces with a MAC address.

Yes, you can create one or more bridge domains on the SRX in transparent mode, but all the bridge domains will be independent of each other, or to be precise isolated from each other. Traffic from one domain will not cross over to the other domain.

Even if you assign multiple VLANs to a single bridge domain, a bridge domain is created for each VLAN. Please refer to the document below:

http://www.juniper.net/documentation/en_US/junos12.1x47/topics/concept/security-bridge-domain-unders...

Hope this helps!

Thanks,
Pulkit Bhandari
Please mark my response as Solution Accepted if it helps; kudos are appreciated too.

Contributor
Posts: 50
Registered: ‎03-11-2017
0 Kudos

Re: SRX in transparent mode

Ahaaa, so is the best practice for transparent mode to create a single VLAN for the internal devices between which I want to enforce security, and assign that VLAN ID to a bridge domain?

Super Contributor
Posts: 110
Registered: ‎01-19-2015

Re: SRX in transparent mode

Hi Ahmed,

Absolutely correct!

Thanks,
Pulkit Bhandari

Distinguished Expert
Posts: 4,791
Registered: ‎03-30-2009

Re: SRX in transparent mode

Not exactly, when you engage transparent mode there are NO VLANs.  This is below layer 2 mode.

Think of the SRX as a dumb hub at this point where you can assign the different interfaces to zones and then write security policies between ports in the same subnet. The traffic is seen not due to layer 2 or layer 3 but because the physical path must cross the SRX.

Bridge domains connect multiple interfaces into a layer 2 bridge and are able to bridge different VLAN IDs. This allows different VLANs to come in from the network and places them into the same broadcast domain at the SRX. Or it can simply allow multiple interfaces on the SRX to layer 2 bridge and speak to each other.

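The "dumb hub with zones" picture above, written out as configuration. This is an added example, not configuration from this thread or from Juniper's documentation; interface names, the VLAN ID, the zone names and the 192.0.2.0/24 addressing are assumed for illustration, and the statement forms follow the Junos 12.1X47-era transparent-mode syntax, so check them against the release you run. Both ports sit in one bridge domain (the same broadcast domain, the same subnet), yet the policy between the two zones is enforced because the physical path from one port to the other crosses the SRX.

```junos
## Added example (not from the thread). Assumed: ge-0/0/1 faces the protected
## host, ge-0/0/2 faces the rest of the network, VLAN 10, subnet 192.0.2.0/24.

## Both ports are access ports in VLAN 10; the logical units are associated
## with the bridge domain below by matching VLAN ID.
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access vlan-id 10

## One bridge domain: both ports end up in the same broadcast domain.
set bridge-domains bd10 domain-type bridge vlan-id 10

## The management address must live in that same broadcast domain, so it goes
## on an IRB interface attached to the bridge domain and into its own zone
## that permits only SSH toward the device itself.
set bridge-domains bd10 routing-interface irb.0
set interfaces irb unit 0 family inet address 192.0.2.10/24
set security zones security-zone mgmt interfaces irb.0 host-inbound-traffic system-services ssh

## Zones are bound per logical interface, exactly as in route mode.
set security zones security-zone protected interfaces ge-0/0/1.0
set security zones security-zone network interfaces ge-0/0/2.0

## Policy from the network side to the protected host: HTTPS only, everything
## else denied and logged. Both endpoints share 192.0.2.0/24; no routing is
## involved, the policy applies because the frames must bridge through the SRX.
set security policies from-zone network to-zone protected policy allow-https match source-address any
set security policies from-zone network to-zone protected policy allow-https match destination-address any
set security policies from-zone network to-zone protected policy allow-https match application junos-https
set security policies from-zone network to-zone protected policy allow-https then permit
set security policies from-zone network to-zone protected policy deny-rest match source-address any
set security policies from-zone network to-zone protected policy deny-rest match destination-address any
set security policies from-zone network to-zone protected policy deny-rest match application any
set security policies from-zone network to-zone protected policy deny-rest then deny
set security policies from-zone network to-zone protected policy deny-rest then log session-init
```

After committing, `show bridge domain` and `show bridge mac-table` confirm that both ports belong to bd10 and that MAC addresses are being learned on each side, and `show security flow session` shows the bridged TCP sessions being tracked by the policy engine just as they would be in route mode. Note that no policy exists from zone protected back to zone network, so with the default deny-all policy the host cannot initiate anything outward; add a reverse policy if that is required.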
Contributor
Posts: 50
Registered: ‎03-11-2017
0 Kudos

Re: SRX in transparent mode

spuluka, you made me more confused...

Bridge domains connect multiple interfaces into a layer 2 bridge and are able to bridge different VLAN IDs. This allows different VLANs to come in from the network and places them into the same broadcast domain at the SRX. Or it can simply allow multiple interfaces on the SRX to layer 2 bridge and speak to each other.

I suppose that each VLAN will be in a separate bridge domain and that each bridge domain is isolated from the other bridge domains, so how do you put multiple VLANs in the same broadcast domain?

It seems I have a misunderstanding of the concept of the bridge domain itself :(

Distinguished Expert
Posts: 4,791
Registered: ‎03-30-2009

Re: SRX in transparent mode

So how do you put multiple VLANs in the same broadcast domain? It seems I have a misunderstanding of the concept of the bridge domain itself.

VLAN ID is not necessarily the same thing as subnet. Different VLAN IDs can contain the same IP subnet on different switches or devices on the network.

When the same subnet reaches the Junos device on different VLAN IDs, you can use the bridge domain to put those different IDs into the same broadcast domain so they can see each other.

This is commonly used on large enterprise or service provider networks where services transport VLANs from multiple remote sites to a core location. Then the bridge domain can connect these disparate IDs into the common broadcast domain.

Contributor
Posts: 50
Registered: ‎03-11-2017
0 Kudos

Re: SRX in transparent mode

Dear Spuluka,

Would you please provide me with some material to study bridge domains, because you have given me new information?

Distinguished Expert
Posts: 4,791
Registered: ‎03-30-2009
0 Kudos

Re: SRX in transparent mode

Here is the documentation.

https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/layer-2-services-bridge-...

You create a bridge domain that can act as a switch to connect multiple VLANs on a trunk port into the same layer 2 domain.

An example would be: you have an l2circuit at multiple remote sites as a management VLAN for equipment.

The other side of the circuit lands on the trunk port.

Each site needs a unique interface unit and VLAN tag to share the port.

But all are the same management VLAN, so you create the bridge group to tie them together.

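The management-VLAN scenario just described, as an added configuration example that is not from this thread or from the linked documentation. Interface names, the three VLAN tags and the bridge-domain name are assumed; the statements use the general Junos bridge-domain form (the `vlan-bridge` encapsulation and `vlan-id none` style found in the Layer 2 services documentation), so confirm which of them your SRX model and release accept before using it. The point it shows is the one the thread circles around: the bridge domain, not the VLAN tag, decides the broadcast domain, so three differently tagged units on one trunk and one untagged port can all learn and forward as a single layer 2 segment.

```junos
## Added example (not from the thread). Assumed: the provider trunk lands on
## ge-0/0/3, each remote site arrives on its own tag (101, 102, 103), and the
## local management LAN is untagged on ge-0/0/4.

## One logical unit per site: the trunk is shared, so each tag needs its own
## unit with vlan-bridge encapsulation.
set interfaces ge-0/0/3 flexible-vlan-tagging
set interfaces ge-0/0/3 encapsulation flexible-ethernet-services
set interfaces ge-0/0/3 unit 101 encapsulation vlan-bridge
set interfaces ge-0/0/3 unit 101 vlan-id 101
set interfaces ge-0/0/3 unit 102 encapsulation vlan-bridge
set interfaces ge-0/0/3 unit 102 vlan-id 102
set interfaces ge-0/0/3 unit 103 encapsulation vlan-bridge
set interfaces ge-0/0/3 unit 103 vlan-id 103

## Local, untagged management port.
set interfaces ge-0/0/4 encapsulation ethernet-bridge
set interfaces ge-0/0/4 unit 0 family bridge

## vlan-id none: the incoming tag is stripped on ingress and the unit's own tag
## is pushed on egress, so units carrying different VLAN IDs share one MAC
## table and one broadcast domain. Without it (or with vlan-id all) Junos
## keeps each VLAN in its own domain, which is the isolation described earlier
## in the thread.
set bridge-domains mgmt domain-type bridge
set bridge-domains mgmt vlan-id none
set bridge-domains mgmt interface ge-0/0/3.101
set bridge-domains mgmt interface ge-0/0/3.102
set bridge-domains mgmt interface ge-0/0/3.103
set bridge-domains mgmt interface ge-0/0/4.0
```

On an SRX the logical units still have to be placed in security zones before any traffic bridges through this domain; putting the three site units in one zone and ge-0/0/4.0 in another lets a single site-to-management policy govern what the remote sites may reach, while site-to-site traffic within the shared domain stays denied under the default policy unless an intra-zone policy is added. `show bridge mac-table` should then list MAC addresses learned on all four units under the one domain named mgmt.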