Layer 2 Interfaces on Security Devices

20-Dec-24

Understanding Layer 2 Interfaces on Security Devices

Layer 2 logical interfaces are created by defining one or more logical units on a physical interface with the family address type ethernet-switching. If a physical interface has an ethernet-switching family logical interface, it cannot have any other family type on its logical interfaces. A logical interface can be configured in one of the following modes:

  • Access mode—Interface accepts untagged packets, assigns the specified VLAN identifier to the packet, and forwards the packet within the VLAN that is configured with the matching VLAN identifier.

  • Trunk mode—Interface accepts any packet tagged with a VLAN identifier that matches a specified list of VLAN identifiers. Trunk mode interfaces are generally used to interconnect switches. To configure a VLAN identifier for untagged packets received on the physical interface, use the native-vlan-id option. If the native-vlan-id option is not configured, untagged packets are dropped.

Note:

Multiple trunk mode logical interfaces can be defined, as long as the VLAN identifiers of a trunk interface do not overlap with those of another trunk interface. The native-vlan-id must belong to a VLAN identifier list configured for a trunk interface.
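The three constraints above (one family per physical interface, no overlapping VLAN lists across trunk units, and a native-vlan-id that belongs to some trunk's VLAN list) can be checked offline before a commit. The following is an added Python example, not Junos CLI and not Juniper's code, that parses set-style lines and reports violations. PAGE_CONFIG is the trunk example from this page; BAD_CONFIG is a constructed configuration with three deliberate faults. It assumes numeric VLAN IDs or ranges in the members list; named VLANs are skipped rather than resolved.

```python
# Added example (Python): offline check of the Layer 2 interface rules stated
# above. PAGE_CONFIG is the trunk example from this page; BAD_CONFIG is a
# constructed configuration with three deliberate faults.
PAGE_CONFIG = """
set interfaces ge-3/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members 1-10
set interfaces ge-3/0/0 vlan-tagging native-vlan-id 10
"""

BAD_CONFIG = """
set interfaces ge-3/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members 1-10
set interfaces ge-3/0/0 unit 1 family ethernet-switching interface-mode trunk vlan members 5-20
set interfaces ge-3/0/0 unit 2 family inet address 192.0.2.1/24
set interfaces ge-3/0/0 vlan-tagging native-vlan-id 30
"""

def vlan_members(spec):
    """Expand a numeric member spec ('10' or '1-10') into a set of VLAN IDs.
    Named VLANs (e.g. 'vlan-a') are not resolved here and yield an empty set."""
    lo, _, hi = spec.partition("-")
    if not lo.isdigit():
        return set()
    return set(range(int(lo), int(hi or lo) + 1))

def parse_interfaces(text):
    """Group 'set interfaces ...' lines by physical interface."""
    ifaces = {}
    for raw in text.strip().splitlines():
        t = raw.split()
        if len(t) < 3 or t[:2] != ["set", "interfaces"]:
            continue
        phys = ifaces.setdefault(t[2], {"units": {}, "native": None})
        if "native-vlan-id" in t:
            phys["native"] = int(t[t.index("native-vlan-id") + 1])
        elif "unit" in t and "family" in t:
            unit = phys["units"].setdefault(int(t[t.index("unit") + 1]),
                                            {"family": None, "mode": None, "vlans": set()})
            unit["family"] = t[t.index("family") + 1]
            if "interface-mode" in t:
                unit["mode"] = t[t.index("interface-mode") + 1]
            if "members" in t:
                unit["vlans"] |= vlan_members(t[t.index("members") + 1])
    return ifaces

def check_layer2_interfaces(text):
    """Return 'error:'/'note:' strings for violations of the rules in this section."""
    findings = []
    for name, phys in parse_interfaces(text).items():
        fams = {u["family"] for u in phys["units"].values()}
        # Rule 1: ethernet-switching excludes every other family on the same physical interface.
        if "ethernet-switching" in fams and len(fams) > 1:
            findings.append(f"error: {name} mixes ethernet-switching with {sorted(fams - {'ethernet-switching'})}")
        # Rule 2: trunk units on one physical interface must not share VLAN IDs.
        trunks = {n: u for n, u in phys["units"].items() if u["mode"] == "trunk"}
        ids = sorted(trunks)
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                overlap = trunks[a]["vlans"] & trunks[b]["vlans"]
                if overlap:
                    findings.append(f"error: {name} trunk units {a} and {b} overlap on VLANs {sorted(overlap)}")
        # Rule 3: native-vlan-id must be in some trunk unit's member list;
        # without one, untagged frames arriving on the trunk are dropped.
        if phys["native"] is None:
            if trunks:
                findings.append(f"note: {name} has no native-vlan-id, untagged frames will be dropped")
        elif not any(phys["native"] in u["vlans"] for u in trunks.values()):
            findings.append(f"error: {name} native-vlan-id {phys['native']} is not in any trunk VLAN list")
    return findings

if __name__ == "__main__":
    for cfg in (PAGE_CONFIG, BAD_CONFIG):
        print(check_layer2_interfaces(cfg) or ["ok"])
```

Run against PAGE_CONFIG the checker returns nothing; against BAD_CONFIG it reports the inet unit sharing the physical interface, the 5-10 overlap between the two trunk units, and native VLAN 30 lying outside both trunk lists.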

Example: Configuring Layer 2 Logical Interfaces on Security Devices

This example shows how to configure a Layer 2 logical interface as a trunk port so that the incoming packets can be selectively redirected to a firewall or other security device.

Requirements

Before you begin, configure the VLANs. See Example: Configuring VLANs on Security Devices.

Overview

In this example, you configure logical interface ge-3/0/0.0 as a trunk port that carries traffic for packets tagged with VLAN identifiers 1 through 10; this interface is implicitly assigned to the previously configured VLANs vlan-a and vlan-b. Then you assign a VLAN ID of 10 to any untagged packets received on physical interface ge-3/0/0.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-3/0/0 unit 0 family ethernet-switching interface-mode trunk vlan members 1-10
set interfaces ge-3/0/0 vlan-tagging native-vlan-id 10

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a Layer 2 logical interface as a trunk port:

  1. Configure the logical interface.

    [edit interfaces ge-3/0/0]
    user@host# set unit 0 family ethernet-switching interface-mode trunk vlan members 1-10
    
  2. Specify a VLAN ID for untagged packets.

    [edit interfaces ge-3/0/0]
    user@host# set vlan-tagging native-vlan-id 10
    
  3. If you are done configuring the device, commit the configuration.

    [edit]
    user@host# commit
    

Verification

To verify the configuration is working properly, enter the show interfaces ge-3/0/0 and show interfaces ge-3/0/0.0 commands.

Understanding Mixed Mode (Transparent and Route Mode) on Security Devices

Mixed mode supports both transparent mode (Layer 2) and route mode (Layer 3); it is the default mode. You can configure both Layer 2 and Layer 3 interfaces simultaneously using separate security zones.

Note:

For the mixed mode configuration, you must reboot the device after you commit the changes. However, for SRX5000 line devices, reboot is not required.

SRX4100 and SRX4200 devices support logical systems in both transparent and route mode.

SRX4600 devices support logical systems in route mode only.

In mixed mode (Transparent and Route Mode):

  • There is no routing among IRB interfaces and between IRB interfaces and Layer 3 interfaces.

The device in Figure 1 looks like two separate devices. One device runs in Layer 2 transparent mode and the other device runs in Layer 3 routing mode. But both devices run independently. Packets cannot be transferred between the Layer 2 and Layer 3 interfaces, because there is no routing among IRB interfaces and between IRB interfaces and Layer 3 interfaces.

Figure 1: Architecture of Mixed Transparent and Route Mode

In mixed mode, the Ethernet physical interface can be either a Layer 2 interface or a Layer 3 interface, but the Ethernet physical interface cannot be both simultaneously. However, Layer 2 and Layer 3 families can exist on separate physical interfaces on the same device.

Table 1 lists the Ethernet physical interface types and supported family types.

Table 1: Ethernet Physical Interface and Supported Family Types

  Ethernet Physical Interface Type    Supported Family Type
  Layer 2 Interface                   ethernet-switching
  Layer 3 Interface                   inet and inet6

Note:

Multiple routing instances are supported.

You can configure both the pseudointerface irb.x and the Layer 3 interface under the same routing instance, using either the default routing instance or a user-defined routing instance. See Figure 2.

Figure 2: Mixed Transparent and Route Mode

Packets from the Layer 2 interface are switched within the same VLAN, or they connect to the host through the IRB interface. Packets cannot be routed to another IRB interface or a Layer 3 interface through their own IRB interface.

Packets from the Layer 3 interface are routed to another Layer 3 interface. Packets cannot be routed to a Layer 2 interface through an IRB interface.

Table 2 lists the security features that are supported in mixed mode and the features that are not supported in transparent mode for Layer 2 switching.

Table 2: Security Features Supported in Mixed Mode (Transparent and Route Mode)

  Mode Type                             Supported                                    Not Supported
  Mixed mode                            Application Layer Gateways (ALGs),           -
                                        Firewall User Authentication (FWAUTH),
                                        Intrusion Detection and Prevention (IDP),
                                        Screen, AppSecure, Content Security
  Route mode (Layer 3 interface)        Network Address Translation (NAT), VPN       -
  Transparent mode (Layer 2 interface)  -                                            Content Security,
                                                                                     Network Address Translation (NAT),
                                                                                     VPN

Starting in Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, some conditions apply to mixed-mode operations. Note the conditions here:

  • On SRX300, SRX320, SRX340, SRX345, SRX380, SRX550, SRX550HM, and SRX1500 devices, you cannot configure Ethernet switching and virtual private LAN service (VPLS) using mixed mode (Layer 2 and Layer 3).

  • On SRX5400, SRX5600, and SRX5800 devices, you do not have to reboot the device when you configure VLAN.

Example: Improving Security Services by Configuring an SRX Series Firewall Using Mixed Mode (Transparent and Route Mode)

You can configure an SRX Series Firewall using both transparent mode (Layer 2) and route mode (Layer 3) simultaneously to simplify deployments and to improve security services.

This example shows how to pass the Layer 2 traffic from interface ge-0/0/1.0 to interface ge-0/0/0.0 and Layer 3 traffic from interface ge-0/0/2.0 to interface ge-0/0/3.0.

Requirements

This example uses the following hardware and software components:

  • An SRX Series Firewall

  • Four PCs

Before you begin:

Overview

In enterprises where different business groups have either Layer 2 or Layer 3 based security solutions, using a single mixed mode configuration simplifies their deployments. In a mixed mode configuration, you can also provide security services with integrated switching and routing.

In addition, you can configure an SRX Series Firewall in both standalone and chassis cluster mode using mixed mode.

In mixed mode (default mode), you can configure both Layer 2 and Layer 3 interfaces simultaneously using separate security zones.

Note:

For the mixed mode configuration, you must reboot the device after you commit the changes. However, for SRX5000 line devices, reboot is not required.

In this example, you first configure the Layer 2 family type, ethernet-switching, to identify the Layer 2 interfaces. You assign the IP address 10.10.10.1/24 to the IRB interface. Then you create zone L2 and add the Layer 2 interfaces ge-0/0/1.0 and ge-0/0/0.0 to it.

Next you configure the Layer 3 family type, inet, to identify the Layer 3 interfaces. You assign the IP address 192.0.2.1/24 to interface ge-0/0/2.0 and the IP address 192.0.2.3/24 to interface ge-0/0/3.0. Then you create zone L3 and add the Layer 3 interfaces ge-0/0/2.0 and ge-0/0/3.0 to it.

Topology

Figure 3 shows a mixed mode topology.

Figure 3: Mixed Mode Topology

Table 3 shows the parameters configured in this example.

Table 3: Layer 2 and Layer 3 Parameters

  Parameter                       Description
  L2                              Layer 2 zone.
  ge-0/0/1.0 and ge-0/0/0.0       Layer 2 interfaces added to the Layer 2 zone.
  L3                              Layer 3 zone.
  ge-0/0/2.0 and ge-0/0/3.0       Layer 3 interfaces added to the Layer 3 zone.
  10.10.10.1/24                   IP address for the IRB interface.
  192.0.2.1/24 and 192.0.2.3/24   IP addresses for the Layer 3 interfaces.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
set protocols l2-learning global-mode transparent-bridge
set interfaces irb unit 10 family inet address 10.10.10.1/24
set security zones security-zone L2 interfaces ge-0/0/1.0
set security zones security-zone L2 interfaces ge-0/0/0.0
set vlans vlan-10 vlan-id 10 
set vlans vlan-10 l3-interface irb.10 
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/3 unit 0 family inet address 192.0.2.3/24
set security policies default-policy permit-all
set security zones security-zone L2 host-inbound-traffic system-services any-service
set security zones security-zone L2 host-inbound-traffic protocols all
set security zones security-zone L3 host-inbound-traffic system-services any-service
set security zones security-zone L3 host-inbound-traffic protocols all
set security zones security-zone L3 interfaces ge-0/0/2.0
set security zones security-zone L3 interfaces ge-0/0/3.0
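
A configuration like the one above can be audited offline against the mixed-mode rules from the earlier section: one family per physical interface, Layer 2 interfaces under the transparent-bridge global mode, Layer 2 and Layer 3 interfaces in separate security zones, and every VLAN's l3-interface pointing at a configured irb unit. The following is an added Python example, not Junos CLI and not Juniper's code, that parses set-style lines and reports violations. It also flags the two lab shortcuts this example relies on, default-policy permit-all and host-inbound-traffic any-service/all, which a production deployment would replace with explicit policies and a minimal host-inbound list. PAGE_CONFIG is the quick configuration from this page; BAD_CONFIG is a constructed variant with two deliberate faults.

```python
# Added example (Python): offline audit of a mixed-mode set-style configuration.
# PAGE_CONFIG is the quick configuration from this page; BAD_CONFIG is a
# constructed variant that moves a Layer 2 interface into the L3 zone and
# points vlan-10 at an irb unit that does not exist.
PAGE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/0 unit 0 family ethernet-switching vlan members 10
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members 10
set protocols l2-learning global-mode transparent-bridge
set interfaces irb unit 10 family inet address 10.10.10.1/24
set security zones security-zone L2 interfaces ge-0/0/1.0
set security zones security-zone L2 interfaces ge-0/0/0.0
set vlans vlan-10 vlan-id 10
set vlans vlan-10 l3-interface irb.10
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/3 unit 0 family inet address 192.0.2.3/24
set security policies default-policy permit-all
set security zones security-zone L2 host-inbound-traffic system-services any-service
set security zones security-zone L2 host-inbound-traffic protocols all
set security zones security-zone L3 host-inbound-traffic system-services any-service
set security zones security-zone L3 host-inbound-traffic protocols all
set security zones security-zone L3 interfaces ge-0/0/2.0
set security zones security-zone L3 interfaces ge-0/0/3.0
"""

BAD_CONFIG = (PAGE_CONFIG
              .replace("security-zone L2 interfaces ge-0/0/0.0", "security-zone L3 interfaces ge-0/0/0.0")
              .replace("l3-interface irb.10", "l3-interface irb.20"))

def audit_mixed_mode(text):
    """Return 'error:' and 'note:' findings for a mixed-mode set-style config."""
    families = {}          # logical interface -> set of families
    zones = {}             # zone name -> set of logical interfaces
    l3_refs = []           # (vlan name, irb.N) from 'vlans ... l3-interface'
    transparent_bridge = False
    findings = []
    for raw in text.strip().splitlines():
        t = raw.split()
        if not t or t[0] != "set":
            continue
        if t[1] == "interfaces" and "unit" in t and "family" in t:
            logical = f"{t[2]}.{t[t.index('unit') + 1]}"
            families.setdefault(logical, set()).add(t[t.index("family") + 1])
        elif t[1] == "protocols" and "transparent-bridge" in t:
            transparent_bridge = True
        elif t[1] == "vlans" and "l3-interface" in t:
            l3_refs.append((t[2], t[t.index("l3-interface") + 1]))
        elif t[1:3] == ["security", "zones"] and "interfaces" in t:
            zones.setdefault(t[4], set()).add(t[t.index("interfaces") + 1])
        elif t[1:3] == ["security", "zones"] and "host-inbound-traffic" in t:
            findings.append(f"note: zone {t[4]} allows {t[-2]} {t[-1]} toward the device itself")
        elif t[1:3] == ["security", "policies"] and "permit-all" in t:
            findings.append("note: default-policy permit-all passes every inter-zone flow")

    def layer(logical):
        return "L2" if "ethernet-switching" in families[logical] else "L3"

    # Rule 1: a physical interface is either Layer 2 or Layer 3, never both.
    per_phys = {}
    for logical, fams in families.items():
        per_phys.setdefault(logical.rsplit(".", 1)[0], set()).update(fams)
    for phys, fams in per_phys.items():
        if "ethernet-switching" in fams and len(fams) > 1:
            findings.append(f"error: {phys} mixes ethernet-switching with {sorted(fams - {'ethernet-switching'})}")

    # Rule 2: Layer 2 interfaces work under the transparent-bridge global mode.
    if any(layer(i) == "L2" for i in families) and not transparent_bridge:
        findings.append("error: ethernet-switching interfaces present but global-mode is not transparent-bridge")

    # Rule 3: a zone holds either Layer 2 or Layer 3 interfaces, and every
    # data interface (irb units excluded) is bound to some zone.
    defined, bound = set(families), set()
    for zone, members in zones.items():
        unknown = members - defined
        if unknown:
            findings.append(f"error: zone {zone} binds undefined interfaces {sorted(unknown)}")
        if len({layer(i) for i in members & defined}) > 1:
            findings.append(f"error: zone {zone} mixes Layer 2 and Layer 3 interfaces")
        bound |= members
    for logical in families:
        if not logical.startswith("irb.") and logical not in bound:
            findings.append(f"error: {logical} is not bound to any security zone")

    # Rule 4: every VLAN's l3-interface must be a configured irb unit.
    for vlan, irb in l3_refs:
        if irb not in families:
            findings.append(f"error: {vlan} references {irb}, which has no family configured")
    return findings

if __name__ == "__main__":
    for cfg in (PAGE_CONFIG, BAD_CONFIG):
        print("\n".join(audit_mixed_mode(cfg)), "\n")
```

On PAGE_CONFIG the audit produces no errors and five notes (the four host-inbound-traffic lines and the permit-all default policy); on BAD_CONFIG it adds the zone-mixing error for L3 and the dangling irb.20 reference.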

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Layer 2 and Layer 3 interfaces:

  1. Create a Layer 2 family type to configure Layer 2 interfaces.

    [edit interfaces]
    user@host# set ge-0/0/0 unit 0 family ethernet-switching interface-mode access
    user@host# set ge-0/0/0 unit 0 family ethernet-switching vlan members 10
    user@host# set ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    user@host# set ge-0/0/1 unit 0 family ethernet-switching vlan members 10 
    
  2. Configure Layer 2 interfaces to work under transparent-bridge mode.

    [edit protocols]
    user@host# set l2-learning global-mode transparent-bridge
    
  3. Configure an IP address for the IRB interface.

    [edit interfaces]
    user@host# set irb unit 10 family inet address 10.10.10.1/24
    
  4. Add the Layer 2 interfaces to the L2 security zone.

    [edit security zones security-zone L2 interfaces]
    user@host# set ge-0/0/1.0
    user@host# set ge-0/0/0.0
    
  5. Configure VLAN.

    [edit vlans vlan-10]
    user@host# set vlan-id 10
    user@host# set l3-interface irb.10
    
  6. Configure IP addresses for Layer 3 interfaces.

    [edit interfaces]
    user@host# set ge-0/0/2 unit 0 family inet address 192.0.2.1/24
    user@host# set ge-0/0/3 unit 0 family inet address 192.0.2.3/24
    
  7. Configure the policy to permit the traffic.

    [edit security policies]
    user@host# set default-policy permit-all
    
  8. Configure host-inbound traffic for both zones and add the Layer 3 interfaces to the L3 security zone.

    [edit security zones security-zone]
    user@host# set L2 host-inbound-traffic system-services any-service
    user@host# set L2 host-inbound-traffic protocols all
    user@host# set L3 host-inbound-traffic system-services any-service
    user@host# set L3 host-inbound-traffic protocols all
    user@host# set L3 interfaces ge-0/0/2.0
    user@host# set L3 interfaces ge-0/0/3.0
    
Results

From configuration mode, confirm your configuration by entering the show interfaces, show security policies, show vlans, and show security zones commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@host# show interfaces
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members 10;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                interface-mode access;
                vlan {
                    members 10;
                }
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 192.0.2.3/24;
            }
        }
    }
    irb {
        unit 10 {
            family inet {
                address 10.10.10.1/24;
            }
        }
    }
[edit]
user@host# show security policies
default-policy {
    permit-all;
}
[edit]
user@host# show vlans
    vlan-10 {
        vlan-id 10;
        l3-interface irb.10;
    }
[edit]
user@host# show security zones
    security-zone L2 {
        host-inbound-traffic {
            system-services {
                any-service;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/1.0;
            ge-0/0/0.0;
        }
    }
    security-zone L3 {
        host-inbound-traffic {
            system-services {
                any-service;
            }
            protocols {
                all;
            }
        }
        interfaces {
            ge-0/0/2.0;
            ge-0/0/3.0;
        }
    }

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying the Layer 2 and Layer 3 Interfaces and Zones

Purpose

Verify that the Layer 2 and Layer 3 interfaces and Layer 2 and Layer 3 zones are created.

Action

From operational mode, enter the show security zones command.

user@host> show security zones
 Security zone: HOST
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

Security zone: L2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/0.0
    ge-0/0/1.0

Security zone: L3
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-0/0/2.0
    ge-0/0/3.0

Security zone: junos-host
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

Meaning

The output shows the Layer 2 (L2) and Layer 3 (L3) zone names and the number and names of Layer 2 and Layer 3 interfaces bound to the L2 and L3 zones.

Verifying the Layer 2 and Layer 3 Session

Purpose

Verify that the Layer 2 and Layer 3 sessions are established on the device.

Action

From operational mode, enter the show security flow session command.

user@host> show security flow session
Session ID: 1, Policy name: default-policy-logical-system-00/2, Timeout: 58, Valid
  In: 10.102.70.75/54395 --> 228.102.70.76/9876;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1209, Bytes: 1695018,
  Out: 228.102.70.76/9876 --> 10.102.70.75/54395;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 2, Policy name: default-policy-logical-system-00/2, Timeout: 58, Valid
  In: 10.102.70.19/23364 --> 228.102.70.20/23364;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 401, Bytes: 141152,
  Out: 228.102.70.20/23364 --> 10.102.70.19/23364;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Meaning

The output shows active sessions on the device and each session’s associated security policy.

  • Session ID 1—Number that identifies the Layer 2 session. Use this ID to get more information about the Layer 2 session such as policy name or number of packets in and out.

  • default-policy-logical-system-00/2—Default policy name that permitted the Layer 2 traffic.

  • In—Incoming flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and the source interface for this session is ge-0/0/0.0).

  • Out—Reverse flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and destination interface for this session is ge-0/0/1.0).

  • Session ID 2—Number that identifies the Layer 2 session. Use this ID to get more information about the Layer 2 session such as policy name or number of packets in and out.

  • default-policy-logical-system-00/2—Default policy name that permitted the Layer 2 traffic.

  • In—Incoming flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and the source interface for this session is ge-0/0/0.0).

  • Out—Reverse flow (source and destination Layer 2 IP addresses with their respective source and destination port numbers, session is ICMP, and destination interface for this session is ge-0/0/1.0).
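The session listing above can be read mechanically. The following is an added Python example, not Junos code and not from Juniper, that parses show security flow session text into structured records and tallies what a reviewer looks at first: sessions permitted only by the default policy (no explicit policy matched them), sessions with no return traffic on the Out wing, and sessions bridged within the Layer 2 zone rather than routed. SAMPLE_OUTPUT copies the two sessions shown on this page; ZONE_OF is a constructed interface-to-zone map that mirrors the example topology, an assumption rather than something read from the device.

```python
import re

# Added example (Python). SAMPLE_OUTPUT copies the two sessions from the
# verification output on this page; ZONE_OF is a constructed map that mirrors
# the example topology (an assumption, not read from the device).
SAMPLE_OUTPUT = """\
Session ID: 1, Policy name: default-policy-logical-system-00/2, Timeout: 58, Valid
  In: 10.102.70.75/54395 --> 228.102.70.76/9876;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1209, Bytes: 1695018,
  Out: 228.102.70.76/9876 --> 10.102.70.75/54395;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,

Session ID: 2, Policy name: default-policy-logical-system-00/2, Timeout: 58, Valid
  In: 10.102.70.19/23364 --> 228.102.70.20/23364;udp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 401, Bytes: 141152,
  Out: 228.102.70.20/23364 --> 10.102.70.19/23364;udp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
"""
ZONE_OF = {"ge-0/0/0.0": "L2", "ge-0/0/1.0": "L2", "ge-0/0/2.0": "L3", "ge-0/0/3.0": "L3"}

SESSION_RE = re.compile(r"^Session ID: (\d+), Policy name: (.+?), Timeout: (\d+), (\w+)")
FLOW_RE = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), Conn Tag: (\S+), "
                     r"If: (\S+), Pkts: (\d+), Bytes: (\d+)")

def parse_flow_sessions(text):
    """Turn 'show security flow session' text into a list of session dicts,
    each carrying its In and Out wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m[1]), "policy": m[2], "timeout": int(m[3]),
                             "state": m[4], "flows": {}})
            continue
        m = FLOW_RE.match(line)
        if m and sessions:
            sessions[-1]["flows"][m[1]] = {
                "src": m[2], "sport": int(m[3]), "dst": m[4], "dport": int(m[5]),
                "proto": m[6], "tag": m[7], "if": m[8], "pkts": int(m[9]), "bytes": int(m[10])}
    return sessions

def classify(session, zone_of=ZONE_OF):
    """Describe one session: which policy allowed it, whether it stayed inside
    one zone (Layer 2 bridged) or crossed zones, and whether a reply was seen."""
    inb, out = session["flows"]["In"], session["flows"]["Out"]
    zin, zout = zone_of.get(inb["if"]), zone_of.get(out["if"])
    return {
        "id": session["id"],
        "default_policy": session["policy"].startswith("default-policy"),
        "path": "intra-zone" if zin == zout else "inter-zone",
        "layer": "L2" if zin == zout == "L2" else "L3",
        "reply_seen": out["pkts"] > 0,
        "proto": inb["proto"],
    }

def summarize(text, zone_of=ZONE_OF):
    """Counts worth checking after a change: sessions that only the default
    policy admitted, sessions with no return traffic, and L2-bridged sessions."""
    rows = [classify(s, zone_of) for s in parse_flow_sessions(text)]
    return {
        "sessions": len(rows),
        "default_policy": sum(r["default_policy"] for r in rows),
        "no_reply": sum(not r["reply_seen"] for r in rows),
        "l2_bridged": sum(r["layer"] == "L2" for r in rows),
    }

if __name__ == "__main__":
    for s in parse_flow_sessions(SAMPLE_OUTPUT):
        print(classify(s))
    print(summarize(SAMPLE_OUTPUT))
```

For the two sessions on this page the summary reports both as admitted by the default policy, both bridged between the two L2-zone interfaces, and both without any packets on the Out wing; a listing like that is the prompt to replace default-policy permit-all with explicit policies before the device leaves the lab.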

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

  Release       Description
  12.3X48-D10   Starting in Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, some conditions apply to mixed-mode operations.