vSRX

Does vSRX(15.1x49-D100) support Transparent Mode?

‎11-12-2018 06:16 PM

I have a vSRX and am trying to configure transparent mode on it, but for some reason the commands are not being accepted. I checked Feature Explorer and it is supported:

Layer 2 Transparent Mode
Support is available for Layer 2 transparent mode deployments. In transparent mode, the vSRX instance filters packets that traverse the instance without modifying any of the source or destination information in the IP packet headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers.

I am trying to apply the following config:

ge-0/0/1 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 10;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family bridge {
            interface-mode access;
            vlan-id 20;
        }
    }
}
bridge-domains {
    L2-VLAN-10 {
        domain-type bridge;
        vlan-id 10;
    }
    L2-VLAN-20 {
        domain-type bridge;
        vlan-id 20;
    }
}

Am I missing something?

Any help is greatly appreciated!

[UPDATE 1]

I set the l2-learning global-mode to transparent-mode and rebooted the device. After it came back I checked the mode and it still shows as Not set.

[edit]
root# show protocols                
l2-learning {
    global-mode transparent-bridge;
}
root# run show ethernet-switching global-information 
Global Configuration:

MAC aging interval    : 0           
MAC learning          : Enabled     
MAC statistics        : Disabled    
MAC limit Count       : 0           
MAC limit hit         : Disabled    
MAC packet action drop: Disabled    
LE  aging time        : 1200        
LE  VLAN aging time   : 1200        
Global Mode           : Not set

Solution
Accepted by topic author armartirosyan
‎11-14-2018 05:34 PM

Re: Does vSRX(15.1x49-D100) support Transparent Mode?

‎11-14-2018 05:32 PM

On vSRX firewalls the transparent mode configuration is a bit different than on physical devices. Below is the configuration I used to achieve transparent mode.

system {
    root-authentication {
        encrypted-password "$5$LPCKp87x$3lzyhFqUXSFKDgl0WatlmvwDNDSEsX1IAlD901dxHn6"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any any;
            authorization info;
        }
        file interactive-commands {     
            interactive-commands any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    log {
        mode stream;
        report;
    }
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }                           
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;             
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        global {
            policy L2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {                  
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
        }
        security-zone untrust {
            screen untrust-screen;
        }
        security-zone L2-Trust {
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }                               
        security-zone L2-Untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        vlan-tagging;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
            }                           
        }
    }
    ge-0/0/1 {
        vlan-tagging;
        unit 0 {
            family ethernet-switching {
                interface-mode trunk;
                vlan {
                    members all;
                }
            }
        }
    }
    fxp0 {
        unit 0;
    }
}
vlans {
    vlan-10 {
        vlan-id 10;
    }
    vlan-20 {
        vlan-id 20;                     
    }
    vlan-30 {
        vlan-id 30;
    }
}

After rebooting, the global mode of ethernet-switching changed to Transparent bridge:

root> show ethernet-switching global-information 
Global Configuration:

MAC aging interval    : 300         
MAC learning          : Enabled     
MAC statistics        : Disabled    
MAC limit Count       : 65535       
MAC limit hit         : Disabled    
MAC packet action drop: Disabled    
LE  aging time        : 1200        
LE  VLAN aging time   : 1200        
Global Mode           : Transparent bridge
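
The check a practitioner wants after the reboot described above is whether the box really came up in transparent bridge mode, and whether any of the `family bridge` / `bridge-domains` stanzas from the question are still present in the candidate config. The following Python is an added example written for this thread, not code from the thread, from Juniper, or from the poster: it parses the text of `show ethernet-switching global-information` in the layout quoted above (both sample outputs and the sample config are constructed to match the snippets in the thread) and scans a Junos configuration text for the legacy L2 stanzas that the accepted answer replaced with `family ethernet-switching` and `vlans`. It assumes the operator has captured the two texts from the CLI and pasted them in; nothing here talks to a device.

```python
import re

# Constructed sample: the 'Not set' snapshot from the question, same layout.
OUTPUT_NOT_SET = """\
Global Configuration:

MAC aging interval    : 0
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 0
MAC limit hit         : Disabled
MAC packet action drop: Disabled
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Not set
"""

# Constructed sample: the snapshot after the accepted configuration and reboot.
OUTPUT_TRANSPARENT = """\
Global Configuration:

MAC aging interval    : 300
MAC learning          : Enabled
MAC statistics        : Disabled
MAC limit Count       : 65535
MAC limit hit         : Disabled
MAC packet action drop: Disabled
LE  aging time        : 1200
LE  VLAN aging time   : 1200
Global Mode           : Transparent bridge
"""

# Constructed sample: the stanzas from the question (syntax the answer replaced).
CONFIG_FROM_QUESTION = """\
interfaces {
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
}
bridge-domains {
    L2-VLAN-10 {
        domain-type bridge;
        vlan-id 10;
    }
}
"""

# Stanzas the accepted answer replaced with family ethernet-switching / vlans.
LEGACY_L2_STANZAS = ("family bridge", "bridge-domains")


def parse_global_info(text):
    """Turn the 'key : value' lines of the command output into a dict.
    Runs of spaces inside keys ('LE  aging time') are collapsed to one."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        info[re.sub(r"\s+", " ", key).strip()] = value.strip()
    return info


def global_mode(text):
    """Return the Global Mode string, or 'Not set' if the field is absent."""
    return parse_global_info(text).get("Global Mode", "Not set")


def is_transparent(text):
    return global_mode(text).lower() == "transparent bridge"


def legacy_l2_stanzas(config_text):
    """Return (line_number, stanza) for every legacy L2 stanza in a config text."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        stripped = line.strip()
        for stanza in LEGACY_L2_STANZAS:
            if stripped.startswith(stanza):
                hits.append((number, stanza))
                break
    return hits


def check(show_output, config_text):
    """Combine both checks into a list of findings; an empty list means all good."""
    findings = []
    mode = global_mode(show_output)
    if mode.lower() != "transparent bridge":
        findings.append(f"Global Mode is '{mode}', expected 'Transparent bridge'")
    for number, stanza in legacy_l2_stanzas(config_text):
        findings.append(f"line {number}: '{stanza}' is the syntax the accepted "
                        "answer replaced with family ethernet-switching / vlans")
    return findings


if __name__ == "__main__":
    for finding in check(OUTPUT_NOT_SET, CONFIG_FROM_QUESTION):
        print("FINDING:", finding)
    print("after fix:", check(OUTPUT_TRANSPARENT, "vlans { vlan-10 { vlan-id 10; } }"))
```

Run as-is it reports three findings for the question's state (mode Not set plus the two legacy stanzas) and an empty list for the state after the accepted answer; the same `check()` can be pointed at a fresh capture after any later change to the L2 config.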

Re: Does vSRX(15.1x49-D100) support Transparent Mode?

‎07-02-2019 07:56 AM

Hi,

Could you please let me know how the virtual switch or port group was configured in this case?

We have a similar requirement and need to deploy transparent mode vSRX on VMware ESXi.

What settings will be required on the portgroups that both vSRX interfaces will be connected to? Will those be required to pass tagged vlans? Any idea?

Thanks

Re: Does vSRX(15.1x49-D100) support Transparent Mode?

‎07-02-2019 09:46 AM

Hi Bluedash,

Under port group configuration on VMware ESXi you may:

1. Specify a specific VLAN to be allowed, or

2. To allow multiple VLANs, define the VLAN ID as 4095

The vSwitch does not require any specific config.
Just take care that the following settings are set correctly to accept/reject:

Promiscuous mode,

MAC address changes

Forged transmits

Regards,

Rahul

Re: Does vSRX(15.1x49-D100) support Transparent Mode?

‎07-02-2019 09:50 AM

Hi Armartirosyan,

Just wanted to correct your statement that the vSRX is configured differently as compared to a physical SRX.

In version 15.x, the SRX as a whole introduced 2 L2 modes (transparent/switching).

Hence, we had the said configuration changes you mentioned.

Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB31147

** Adding this post as an FYI for future readers of this thread.

Regards,

Rahul
Re: Does vSRX(15.1x49-D100) support Transparent Mode?

‎07-13-2019 03:46 AM

Thanks Rahul for your response. I am still unable to achieve the desired configuration and result.

Attached is the logical topology that I am trying to achieve and need help on the same. Is there a KB or an example configuration to achieve the desired design?

[attachment: vsrx-transparent.PNG]

Thanks again for your valuable assistance.

Re: Does vSRX(15.1x49-D100) support Transparent Mode?

‎07-15-2019 05:08 AM

Hi Bluedash,

This should be working.

On the SRX, do you learn the MAC addresses of the VM and gateway on either side?

show ethernet-switching table

-Rahul