Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Layer 2 Interfaces on Security Devices

Understanding Layer 2 Interfaces on Security Devices

Layer 2 logical interfaces are created by defining one or more logical units on a physical interface with the family address type ethernet-switching. If a physical interface has a ethernet-switching family logical interface, it cannot have any other family type in its logical interfaces. A logical interface can be configured in one of the following modes:

  • Access mode—Interface accepts untagged packets, assigns the specified VLAN identifier to the packet, and forwards the packet within the VLAN that is configured with the matching VLAN identifier.

  • Trunk mode—Interface accepts any packet tagged with a VLAN identifier that matches a specified list of VLAN identifiers. Trunk mode interfaces are generally used to interconnect switches. To configure a VLAN identifier for untagged packets received on the physical interface, use the native-vlan-id option. If the native-vlan-id option is not configured, untagged packets are dropped.

Note:

Multiple trunk mode logical interfaces can be defined, as long as the VLAN identifiers of a trunk interface do not overlap with those of another trunk interface. The native-vlan-id must belong to a VLAN identifier list configured for a trunk interface.

Example: Configuring Layer 2 Logical Interfaces on Security Devices

This example shows how to configure a Layer 2 logical interface as a trunk port so that the incoming packets can be selectively redirected to a firewall or other security device.

Requirements

Before you begin, configure the VLANs. See Example: Configuring VLANs on Security Devices.

Overview

In this example, you configure logical interface ge-3/0/0.0 as a trunk port that carries traffic for packets tagged with VLAN identifiers 1 through 10; this interface is implicitly assigned to the previously configured VLANs vlan-a and vlan-b. Then you assign a VLAN ID of 10 to any untagged packets received on physical interface ge-3/0/0.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a Layer 2 logical interface as a trunk port:

  1. Configure the logical interface.

  2. Specify a VLAN ID for untagged packets.

  3. If you are done configuring the device, commit the configuration.

Verification

To verify the configuration is working properly, enter the show interfaces ge-3/0/0 and show interfaces ge-3/0/0.0 commands.

Understanding Mixed Mode (Transparent and Route Mode) on Security Devices

Mixed mode supports both transparent mode (Layer 2) and route mode (Layer 3); it is the default mode. You can configure both Layer 2 and Layer 3 interfaces simultaneously using separate security zones.

Note:

For the mixed mode configuration, you must reboot the device after you commit the changes. However, for SRX5000 line devices, reboot is not required.

SRX4100 and SRX4200 devices support logical system in both transparent and route mode

SRX4600 device supports logical system in route mode only

In mixed mode (Transparent and Route Mode):

  • There is no routing among IRB interfaces and between IRB interfaces and Layer 3 interfaces.

The device in Figure 1 looks like two separate devices. One device runs in Layer 2 transparent mode and the other device runs in Layer 3 routing mode. But both devices run independently. Packets cannot be transferred between the Layer 2 and Layer 3 interfaces, because there is no routing among IRB interfaces and between IRB interfaces and Layer 3 interfaces.

Figure 1: Architecture of Mixed Transparent and Route ModeArchitecture of Mixed Transparent and Route Mode

In mixed mode, the Ethernet physical interface can be either a Layer 2 interface or a Layer 3 interface, but the Ethernet physical interface cannot be both simultaneously. However, Layer 2 and Layer 3 families can exist on separate physical interfaces on the same device.

Table 1 lists the Ethernet physical interface types and supported family types.

Table 1: Ethernet Physical Interface and Supported Family Types

Ethernet Physical Interface Type

Supported Family Type

Layer 2 Interface

ethernet-switching

Layer 3 Interface

inet and inet6

Note:

Multiple routing instances are supported.

You can configure both the pseudointerface irb.x and the Layer 3 interface under the same default routing instance using either a default routing instance or a user-defined routing instance. See Figure 2.

Figure 2: Mixed Transparent and Route ModeMixed Transparent and Route Mode

Packets from the Layer 2 interface are switched within the same VLAN, or they connect to the host through the IRB interface. Packets cannot be routed to another IRB interface or a Layer 3 interface through their own IRB interface.

Packets from the Layer 3 interface are routed to another Layer 3 interface. Packets cannot be routed to a Layer 2 interface through an IRB interface.

Table 2 lists the security features that are supported in mixed mode and the features that are not supported in transparent mode for Layer 2 switching.

Table 2: Security Features Supported in Mixed Mode (Transparent and Route Mode)

Mode Type

Supported

Not Supported

Mixed mode

  • Application Layer Gateways (ALGs)

  • Firewall User Authentication (FWAUTH)

  • Intrusion Detection and Prevention (IDP)

  • Screen

  • AppSecure

  • Content Security

Route mode (Layer 3 interface)

  • Network Address Translation (NAT)

  • VPN

Transparent mode (Layer 2 interface)

  • Content Security

  • Network Address Translation (NAT)

  • VPN

Starting in Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, some conditions apply to mixed-mode operations. Note the conditions here:

  • On SRX300, SRX320, SRX340, SRX345, SRX380, SRX550, SRX550HM, and SRX1500 devices, you cannot configure Ethernet switching and virtual private LAN service (VPLS) using mixed mode (Layer 2 and Layer 3).

  • On SRX5400, SRX5600, and SRX5800 devices, you do not have to reboot the device when you configure VLAN.

Example: Improving Security Services by Configuring an SRX Series Firewall Using Mixed Mode (Transparent and Route Mode)

You can configure an SRX Series Firewall using both transparent mode (Layer 2) and route mode (Layer 3) simultaneously to simplify deployments and to improve security services.

This example shows how to pass the Layer 2 traffic from interface ge-0/0/1.0 to interface ge-0/0/0.0 and Layer 3 traffic from interface ge-0/0/2.0 to interface ge-0/0/3.0.

Requirements

This example uses the following hardware and software components:

  • An SRX Series Firewall

  • Four PCs

Before you begin:

Overview

In enterprises where different business groups have either Layer 2 or Layer 3 based security solutions, using a single mixed mode configuration simplifies their deployments. In a mixed mode configuration, you can also provide security services with integrated switching and routing.

In addition, you can configure an SRX Series Firewall in both standalone and chassis cluster mode using mixed mode.

In mixed mode (default mode), you can configure both Layer 2 and Layer 3 interfaces simultaneously using separate security zones.

Note:

For the mixed mode configuration, you must reboot the device after you commit the changes. However, for SRX5000 line devices, reboot is not required.

In this example, first you configure a Layer 2 family type called Ethernet switching to identify Layer 2 interfaces. You set the IP address 10.10.10.1/24 to IRB interface. Then you create zone L2 and add Layer 2 interfaces ge-0/0/1.0 and ge-0/0/0.0 to it.

Next you configure a Layer 3 family type inet to identify Layer 3 interfaces. You set the IP address 192.0.2.1/24 to interface ge-0/0/2.0 and the IP address 192.0.2.3/24 to interface ge-0/0/3. Then you create zone L3 and add Layer 3 interfaces ge-0/0/2.0 and ge-0/0/3.0 to it.

Topology

Figure 3 shows a mixed mode topology.

Figure 3: Mixed Mode TopologyMixed Mode Topology

Table 3 shows the parameters configured in this example.

Table 3: Layer 2 and Layer 3 Parameters

Parameter

Description

L2

Layer 2 zone.

ge-0/0/1.0 and ge-0/0/0.0

Layer 2 interfaces added to the Layer 2 zone.

L3

Layer 3 zone.

ge-0/0/2.0 and ge-0/0/3.0

Layer 3 interfaces added to the Layer 3 zone.

10.10.10.1/24

IP address for the IRB interface.

192.0.2.1/24 and 192.0.2.3/24

IP addresses for the Layer 3 interface.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Layer 2 and Layer 3 interfaces:

  1. Create a Layer 2 family type to configure Layer 2 interfaces.

  2. Configure Layer 2 interfaces to work under transparent-bridge mode.

  3. Configure an IP address for the IRB interface.

  4. Configure Layer 2 interfaces.

  5. Configure VLAN.

  6. Configure IP addresses for Layer 3 interfaces.

  7. Configure the policy to permit the traffic.

  8. Configure Layer 3 interfaces.

Results

From configuration mode, confirm your configuration by entering the show interfaces, show security policies, show vlans, and show security zones commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Layer 2 and Layer 3 Interfaces and Zones

Purpose

Verify that the Layer 2 and Layer 3 interfaces and Layer 2 and Layer 3 zones are created.

Action

From operational mode, enter the show security zones command.

Meaning

The output shows the Layer 2 (L2) and Layer 3 (L3) zone names and the number and names of Layer 2 and Layer 3 interfaces bound to the L2 and L3 zones.

Verifying the Layer 2 and Layer 3 Session

Purpose

Verify that the Layer 2 and Layer 3 sessions are established on the device.

Action

From operational mode, enter the show security flow session command.

Meaning

The output shows active sessions on the device and each session’s associated security policy.

  • Session ID 1—Number that identifies the Layer 2 session. Use this ID to get more information about the Layer 2 session such as policy name or number of packets in and out.

  • default-policy-logical-system-00/2—Default policy name that permitted the Layer 2 traffic.

  • In—Incoming flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and the source interface for this session is ge-0/0/0.0).

  • Out—Reverse flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and destination interface for this session is ge-0/0/1.0).

  • Session ID 2—Number that identifies the Layer 2 session. Use this ID to get more information about the Layer 2 session such as policy name or number of packets in and out.

  • default-policy-logical-system-00/2—Default policy name that permitted the Layer 2 traffic.

  • In—Incoming flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and the source interface for this session is ge-0/0/0.0,).

  • Out—Reverse flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and destination interface for this session is ge-0/0/1.0,).

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
12.3X48-D10
Starting in Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, some conditions apply to mixed-mode operations.