Hi,
We do not need any functional zone at all to be able to manage an SRX in Transparent mode.
Here's a sample configuration with two irb interfaces (one in each bridge domain), which shows that irb interfaces are associated with neither security zones nor functional zones, yet the device can still be managed through them (here using SSH, which can be verified in the session table output below).
We cannot associate irb interfaces with zones; instead we associate the surrounding Layer 2 interfaces with security zones, and if we want to restrict management traffic we control it with host-inbound-traffic on those zones.
Another option is to apply a firewall filter on the irb interface to restrict self traffic to specific services only (a firewall filter implicitly discards anything not accepted by one of its terms, so only the listed services reach the device; in the sample below the filter is attached to irb.0 only, so irb.1 relies solely on the zone host-inbound-traffic settings). This is similar to applying a firewall filter on the loopback interface (lo0) in routed (Layer 3) mode to control self traffic to the Routing Engine.
[edit]
root@TransparentSRX# show |display set | no-more
set version 11.2R1.10
set system host-name TransparentSRX
set system root-authentication encrypted-password "$1$v2HsmYX7$Cq1vDTT4ELUCimzloSIHI1"
set system services ftp
set system services ssh
set system services telnet
set system services web-management http
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 30
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 40
set interfaces ge-0/0/0 unit 0 family bridge vlan-rewrite translate 10 30
set interfaces ge-0/0/0 unit 0 family bridge vlan-rewrite translate 20 40
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 30
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 40
set interfaces ge-0/0/1 unit 0 family bridge vlan-rewrite translate 10 30
set interfaces ge-0/0/1 unit 0 family bridge vlan-rewrite translate 20 40
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/2 unit 0 family bridge vlan-id-list 30
set interfaces ge-0/0/2 unit 0 family bridge vlan-id-list 40
set interfaces irb unit 0 family inet filter input irbservice
set interfaces irb unit 0 family inet address 192.168.1.100/24
set interfaces irb unit 1 family inet address 192.168.2.100/24
set security policies from-zone seg-1 to-zone seg-2 policy 1to2 match source-address 192.168.1.0/24
set security policies from-zone seg-1 to-zone seg-2 policy 1to2 match destination-address 192.168.2.0/24
set security policies from-zone seg-1 to-zone seg-2 policy 1to2 match destination-address 192.168.1.0/24
set security policies from-zone seg-1 to-zone seg-2 policy 1to2 match application any
set security policies from-zone seg-1 to-zone seg-2 policy 1to2 then permit
set security policies from-zone seg-2 to-zone seg-1 policy 2to1 match source-address 192.168.2.0/24
set security policies from-zone seg-2 to-zone seg-1 policy 2to1 match source-address 192.168.1.0/24
set security policies from-zone seg-2 to-zone seg-1 policy 2to1 match destination-address 192.168.1.0/24
set security policies from-zone seg-2 to-zone seg-1 policy 2to1 match destination-address 192.168.2.0/24
set security policies from-zone seg-2 to-zone seg-1 policy 2to1 match application any
set security policies from-zone seg-2 to-zone seg-1 policy 2to1 then permit
set security policies from-zone seg-1 to-zone seg-3 policy 1to3 match source-address 192.168.1.0/24
set security policies from-zone seg-1 to-zone seg-3 policy 1to3 match destination-address 192.168.2.0/24
set security policies from-zone seg-1 to-zone seg-3 policy 1to3 match application any
set security policies from-zone seg-1 to-zone seg-3 policy 1to3 then permit
set security policies from-zone seg-3 to-zone seg-1 policy 3to1 match source-address 192.168.1.0/24
set security policies from-zone seg-3 to-zone seg-1 policy 3to1 match destination-address 192.168.2.0/24
set security policies from-zone seg-3 to-zone seg-1 policy 3to1 match application any
set security policies from-zone seg-3 to-zone seg-1 policy 3to1 then permit
set security policies from-zone seg-2 to-zone seg-3 policy 2to3 match source-address 192.168.1.0/24
set security policies from-zone seg-2 to-zone seg-3 policy 2to3 match destination-address 192.168.2.0/24
set security policies from-zone seg-2 to-zone seg-3 policy 2to3 match application any
set security policies from-zone seg-2 to-zone seg-3 policy 2to3 then permit
set security zones security-zone seg-1 address-book address 192.168.1.0/24 192.168.1.0/24
set security zones security-zone seg-1 address-book address 192.168.2.0/24 192.168.2.0/24
set security zones security-zone seg-1 host-inbound-traffic system-services ping
set security zones security-zone seg-1 host-inbound-traffic system-services ssh
set security zones security-zone seg-1 host-inbound-traffic system-services ftp
set security zones security-zone seg-1 host-inbound-traffic system-services telnet
set security zones security-zone seg-1 host-inbound-traffic system-services http
set security zones security-zone seg-1 interfaces ge-0/0/0.0
set security zones security-zone seg-2 address-book address 192.168.2.0/24 192.168.2.0/24
set security zones security-zone seg-2 address-book address 192.168.1.0/24 192.168.1.0/24
set security zones security-zone seg-2 host-inbound-traffic system-services ssh
set security zones security-zone seg-2 host-inbound-traffic system-services ping
set security zones security-zone seg-2 host-inbound-traffic system-services ftp
set security zones security-zone seg-2 interfaces ge-0/0/1.0
set security zones security-zone seg-3 address-book address 192.168.1.0/24 192.168.1.0/24
set security zones security-zone seg-3 address-book address 192.168.2.0/24 192.168.2.0/24
set security zones security-zone seg-3 host-inbound-traffic system-services ping
set security zones security-zone seg-3 interfaces ge-0/0/2.0
set firewall filter irbservice term 1 from protocol icmp
set firewall filter irbservice term 1 from icmp-type echo-request
set firewall filter irbservice term 1 then accept
set firewall filter irbservice term 2 from protocol tcp
set firewall filter irbservice term 2 from destination-port ftp
set firewall filter irbservice term 2 then accept
set firewall filter irbservice term 3 from protocol tcp
set firewall filter irbservice term 3 from destination-port telnet
set firewall filter irbservice term 3 then accept
set firewall filter irbservice term 4 from protocol tcp
set firewall filter irbservice term 4 from destination-port 22
set firewall filter irbservice term 4 then accept
set bridge-domains domain10 domain-type bridge
set bridge-domains domain10 vlan-id 30
set bridge-domains domain10 routing-interface irb.0
set bridge-domains domain20 domain-type bridge
set bridge-domains domain20 vlan-id 40
set bridge-domains domain20 routing-interface irb.1
[edit]
root@TransparentSRX# run show security flow session
Session ID: 3751, Policy name: 1to2/4, Timeout: 56, Valid
In: 192.168.1.1/137 --> 192.168.1.255/137;udp, If: ge-0/0/0.0, Pkts: 78, Bytes: 7488
Out: 192.168.1.255/137 --> 192.168.1.1/137;udp, If: ge-0/0/1.0, Pkts: 0, Bytes: 0
Session ID: 3909, Policy name: self-traffic-policy/1, Timeout: 1774, Valid
In: 192.168.1.1/49256 --> 192.168.1.100/22;tcp, If: ge-0/0/0.0, Pkts: 13, Bytes: 1940
Out: 192.168.1.100/22 --> 192.168.1.1/49256;tcp, If: .local..0, Pkts: 9, Bytes: 3049
Session ID: 3914, Policy name: self-traffic-policy/1, Timeout: 1792, Valid
In: 192.168.2.1/61112 --> 192.168.2.100/22;tcp, If: ge-0/0/0.0, Pkts: 11, Bytes: 1704
Out: 192.168.2.100/22 --> 192.168.2.1/61112;tcp, If: .local..0, Pkts: 9, Bytes: 2937
Total sessions: 3