SRX Transparent Mode Example


dark_15

Aug 4, 2012, 3:00:34 PM
to jncie-s...@googlegroups.com
It may be a good idea to post a config snippet on Transparent Mode in the SRXs, as it is now supported in 11.1; I also found you can run IDP services in this mode on branch series. Also, in order to access the IRB management interface you will need to set host-inbound-traffic system-services to allow your management traffic, depending on which side of the SRX you are on. The config below allows IRB access via ping and SSH from the trust and untrust sides of the SRX.

*** DON'T FORGET TO REBOOT WHEN SWITCHING FROM L3 TO L2, AND VICE-VERSA! ***

Config Snippet:

interfaces {
    fe-0/0/0 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 100;
            }
        }
    }
    fe-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 100;
            }
        }
    }
    irb {
        unit 0 {
            family inet {
                address 172.16.100.4/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.100.254;
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                    }
                }
            }
        }
        from-zone untrust to-zone trust {
            policy allow-any {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                fe-0/0/0.0;
            }
        }
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    ping;
                    ssh;
                }
            }
            interfaces {
                fe-0/0/1.0;
            }
        }
    }
}
bridge-domains {
    transparent {
        domain-type bridge;
        vlan-id 100;
        routing-interface irb.0;
    }
}

C K

Aug 4, 2012, 11:46:00 PM
to jncie-s...@googlegroups.com
This doesn't allow ping/ssh access to the IRB. You will need to create a firewall filter allowing ping/ssh and set that as the input filter on the IRB. You have allowed ping/ssh into fe-0/0/1 and fe-0/0/0.


--
You received this message because you are subscribed to the Google Groups "JNCIE-SEC Preparation" group.
To post to this group, send email to jncie-s...@googlegroups.com.
To unsubscribe from this group, send email to jncie-sec-pre...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msg/jncie-sec-prep/-/PAAJZTDnBwwJ.
For more options, visit https://groups.google.com/groups/opt_out.

dark_15

Aug 5, 2012, 11:24:27 AM
to jncie-s...@googlegroups.com
Really? I was able to get this ping across without any firewall filter; you do have to make sure you have your vlans set correctly. Please refer to this KB article for more information: KB21421
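The two things this thread turns on are the host-inbound-traffic system-services on each zone (the config snippet in the first post) and the VLAN IDs lining up between the bridge interfaces and the bridge domain (the remark just above). The script below is an added example, not code from the thread or from Juniper: it takes the first post's configuration rewritten in `display set` form (policies omitted, labelled as constructed input), builds a token tree, and reports any bridge interface whose vlan-id matches no bridge domain, a routing-interface that is not configured, a bridge interface outside every zone, and a zone that does not permit the services (ping and ssh here) the IRB must answer from that side. The `broken_example` function is a constructed misconfiguration (trust-side VLAN changed, ssh dropped from the trust zone) to show what the audit catches; it only understands access-mode interfaces, not trunks.

```python
"""Audit an SRX transparent-mode config for the pitfalls raised in this thread.

Added example (not from the thread): reads a config in 'display set' form and
checks VLAN/bridge-domain consistency, the IRB routing-interface, zone
membership and each zone's host-inbound-traffic system-services.
SAMPLE_SET_CONFIG is the first post's snippet rewritten in set form, with the
security policies left out; it is constructed input for this script.
"""

SAMPLE_SET_CONFIG = """
set interfaces fe-0/0/0 unit 0 family bridge interface-mode access
set interfaces fe-0/0/0 unit 0 family bridge vlan-id 100
set interfaces fe-0/0/1 unit 0 family bridge interface-mode access
set interfaces fe-0/0/1 unit 0 family bridge vlan-id 100
set interfaces irb unit 0 family inet address 172.16.100.4/24
set routing-options static route 0.0.0.0/0 next-hop 172.16.100.254
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces fe-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust interfaces fe-0/0/1.0
set bridge-domains transparent domain-type bridge
set bridge-domains transparent vlan-id 100
set bridge-domains transparent routing-interface irb.0
"""


def parse_set_config(text):
    """Turn 'set a b c' lines into nested dicts: {'a': {'b': {'c': {}}}}."""
    root = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        if tokens[0] != "set":
            raise ValueError(f"expected a 'set' line: {raw!r}")
        node = root
        for tok in tokens[1:]:
            node = node.setdefault(tok, {})
    return root


def get(node, *path):
    """Walk the tree along path; None if any step is missing."""
    for step in path:
        node = node.get(step)
        if node is None:
            return None
    return node


def value(node, *path):
    """Single leaf under path (e.g. vlan-id -> '100'), or None."""
    sub = get(node, *path)
    return next(iter(sub)) if sub else None


def audit_transparent_mode(tree, required_services=("ping", "ssh")):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    interfaces = get(tree, "interfaces") or {}
    domains = get(tree, "bridge-domains") or {}
    zones = get(tree, "security", "zones", "security-zone") or {}

    # Bridge domains: collect their VLANs and confirm the IRB unit exists.
    domain_vlans = {}
    for name, bd in domains.items():
        vlan = value(bd, "vlan-id")
        if vlan is None:
            findings.append(f"bridge-domain {name}: no vlan-id")
        else:
            domain_vlans[vlan] = name
        rif = value(bd, "routing-interface")
        if rif:
            ifname, _, unit = rif.partition(".")
            if get(interfaces, ifname, "unit", unit) is None:
                findings.append(f"bridge-domain {name}: routing-interface {rif} is not configured")

    # Logical interface -> zone name, from each zone's interfaces list.
    iface_zone = {lif: zname for zname, zone in zones.items()
                  for lif in (get(zone, "interfaces") or {})}

    # Every 'family bridge' unit: VLAN must exist, zone must admit the services.
    for ifname, iface in interfaces.items():
        for unit, ucfg in (get(iface, "unit") or {}).items():
            bridge = get(ucfg, "family", "bridge")
            if bridge is None:
                continue
            lif = f"{ifname}.{unit}"
            vlan = value(bridge, "vlan-id")
            if vlan not in domain_vlans:
                findings.append(f"{lif}: vlan-id {vlan} matches no bridge-domain")
            zname = iface_zone.get(lif)
            if zname is None:
                findings.append(f"{lif}: not assigned to any security zone")
                continue
            services = get(zones[zname], "host-inbound-traffic", "system-services") or {}
            missing = [s for s in required_services if s not in services]
            if missing:
                findings.append(f"zone {zname} ({lif}): system-services missing {missing}, "
                                "so the IRB will not answer those from that side")
    return findings


def audit_text(text):
    return audit_transparent_mode(parse_set_config(text))


def broken_example():
    """Constructed misconfiguration: trust-side VLAN mismatched, ssh left out of trust."""
    tree = parse_set_config(SAMPLE_SET_CONFIG)
    tree["interfaces"]["fe-0/0/1"]["unit"]["0"]["family"]["bridge"]["vlan-id"] = {"200": {}}
    del tree["security"]["zones"]["security-zone"]["trust"]["host-inbound-traffic"]["system-services"]["ssh"]
    return audit_transparent_mode(tree)


if __name__ == "__main__":
    print("thread config:", audit_text(SAMPLE_SET_CONFIG) or "no findings")
    for finding in broken_example():
        print("broken variant:", finding)
```

Run it as-is and the thread's configuration produces no findings, while the broken variant reports the VLAN mismatch on fe-0/0/1.0 and the missing ssh service on the trust zone. The tree-of-tokens approach is what makes this cheap to extend: any further check is a path lookup, and `show configuration | display set` output can be pasted straight in.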

C K

Aug 5, 2012, 10:03:22 PM
to jncie-s...@googlegroups.com
Apologies! You are correct - the firewall, as always, gives granular control of what goes in, but the host inbound traffic must be enabled if ping/ssh are required. Thanks - this will help next week!!


On Mon, Aug 6, 2012 at 1:24 AM, dark_15 <cha...@centracomm.biz> wrote:
Really? I was able to get this ping across without any firewall filter; you do have to make sure you have your vlans set correctly. Please refer to this KB article for more information: KB21421


webish

Jan 26, 2013, 8:52:20 AM
to jncie-s...@googlegroups.com
Hi,

How can I test that the configuration "transparent mode" works fine? Do I just need to create ping/traffic from one zone to the other?

I would also like to know how to test that the irb interface is working.