SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Security zones and ethernet switching

    Posted 03-28-2012 03:56

    Hi,

    Does the SRX support security zones and policies on Layer 2 ethernet switching?

    I've got two security zones, untrust and trust, and two interfaces, ge-0/0/0.0 and ge-0/0/15.0, with family ethernet-switching, both in the default VLAN.

    untrust
     > interface ge-0/0/0.0

    trust
     > interface ge-0/0/15.0

    and no policy from-zone untrust to-zone trust (so everything from 0 to 15 should be denied by default).

    But I can still access a PC connected to ge-0/0/15 from a PC connected to ge-0/0/0 (ping, RDP...).

    Am I missing something?

    Thanks in advance,

    chris



  • 2.  RE: Security zones and ethernet switching

    Posted 03-28-2012 04:21

    You shouldn't have these two interfaces in the default VLAN if one is in trust and the other in untrust.

    Is this the setup you wish?



  • 3.  RE: Security zones and ethernet switching

    Posted 03-28-2012 04:40

    "You shouldn't have these two interfaces in the default VLAN if one is in trust and the other in untrust."

    Got an explanation? ;)

    I know I could assign the interfaces to different VLANs, then route from one VLAN to another.

    I would just like to know if (or why not) the above is possible. It would make sense to me, because Junos wants you to assign interfaces to zones, not VLANs or Layer 3 interfaces specifically, but apparently it isn't.



  • 4.  RE: Security zones and ethernet switching
    Best Answer

    Posted 03-28-2012 04:58

    You could assign the interfaces to different VLANs and add the VLANs to separate security zones; then your policies will work, or rather the default-deny policy will be working.

    Both your interfaces are in the same VLAN, therefore they can communicate directly with each other. VLAN frames whose origin and destination are in the same VLAN are forwarded only within the local VLAN. Frames that are not destined for the local VLAN are the only ones forwarded to other broadcast domains.
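    The layout the answer describes, as an added set-style configuration example that is not from the thread or from Juniper: each port goes into its own VLAN, each VLAN gets an L3 vlan interface, and those L3 interfaces (not the switching ports) are what the zones contain, so inter-VLAN traffic is routed through the flow engine where the default deny can act. VLAN ids, names and the 192.0.2.x / 198.51.100.x addresses are placeholders, and the syntax assumes a branch SRX of that era (family ethernet-switching with vlan.X interfaces).

```junos
# Constructed example: two access ports, each in its own VLAN instead of default
set interfaces ge-0/0/0 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members vlan-untrust
set interfaces ge-0/0/15 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/15 unit 0 family ethernet-switching vlan members vlan-trust

# One Layer 3 interface per VLAN; hosts use these as their default gateways,
# so trust<->untrust traffic has to be routed and therefore hits zone policy
set vlans vlan-untrust vlan-id 10
set vlans vlan-untrust l3-interface vlan.10
set vlans vlan-trust vlan-id 20
set vlans vlan-trust l3-interface vlan.20
set interfaces vlan unit 10 family inet address 192.0.2.1/24
set interfaces vlan unit 20 family inet address 198.51.100.1/24

# Zones contain the L3 vlan interfaces, not the ethernet-switching ports
set security zones security-zone untrust interfaces vlan.10
set security zones security-zone trust interfaces vlan.20
set security zones security-zone trust host-inbound-traffic system-services ping

# Only trust -> untrust is permitted; with no untrust -> trust policy configured,
# the SRX default policy (deny-all) drops ping, RDP and everything else in that direction
set security policies from-zone trust to-zone untrust policy allow-out match source-address any
set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set security policies from-zone trust to-zone untrust policy allow-out match application any
set security policies from-zone trust to-zone untrust policy allow-out then permit
```

    After committing, `show security flow session` and `show security policies` will show the trust-to-untrust sessions and confirm that no untrust-to-trust policy exists.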