
SRX in transparent mode

  • 1.  SRX in transparent mode

    Posted 05-15-2017 12:00

    1- SRX in transparent mode works by assigning interfaces with the same VLAN ID to a bridge domain and enforcing security services between them. Is my understanding of the concept of transparent mode correct???

    2- Is it possible to make 2 different bridge domains on the same SRX communicate with each other???


  • 2.  RE: SRX in transparent mode

    Posted 05-15-2017 15:47

    1- SRX in transparent mode works by assigning interfaces with the same VLAN ID to a bridge domain and enforcing security services between them. Is my understanding of the concept of transparent mode correct???


    No, in transparent mode all interfaces are in the same broadcast domain and are invisible to switches and other devices, having no MAC address.  The device management address must also be in the same broadcast domain as all the traffic through the device.


    Transparent mode is used to insert a firewall into an existing infrastructure as a "bump in the wire" meaning no layer 2 or 3 configuration changes are needed on the devices between which the SRX is inserted.  This is most often used to insert a firewall in front of a single device on an existing network.


    2- Is it possible to make 2 different bridge domains on the same SRX communicate with each other???


    I don't understand what this would look like.  If you need to bridge devices on two different bridge domains why would you not simply remove one and place all the interfaces into the other?



  • 3.  RE: SRX in transparent mode

    Posted 05-15-2017 16:25


    So in transparent mode SRX interfaces will be without a MAC address??

    But I got confused because in the JNCIP material it is said that you can create one or more bridge domains, and you can create multiple VLANs and assign multiple VLANs to a single bridge domain.....

  • 4.  RE: SRX in transparent mode
    Best Answer

    Posted 05-15-2017 22:06

    Hi Ahmed,



    Yes, SRX in transparent mode is basically an L2 switch with limited security functionalities and hence it does not show its interfaces with a MAC address.


    Yes, you can create one or more bridge domains on the SRX in transparent mode, but all the bridge domains will be independent of each other or, to be precise, isolated from each other. Traffic from one domain will not cross over to the other domain.


    Even if you assign multiple VLANs to a single bridge domain, a bridge domain is created for each VLAN. Please refer to the document below-


    Hope this helps 🙂


    Pulkit Bhandari
    Please mark my response as Solution Accepted if it helps; Kudos are appreciated too.

  • 5.  RE: SRX in transparent mode

    Posted 05-15-2017 22:19

    Ahaaa, so is the best practice for transparent mode to create a single VLAN for the internal devices between which I want to enforce security, and assign the VLAN ID to a bridge domain?

  • 6.  RE: SRX in transparent mode

    Posted 05-16-2017 00:20

    Hi Ahmed,


    Absolutely correct..!!


    Pulkit Bhandari
    Please mark my response as Solution Accepted if it helps; Kudos are appreciated too.

  • 7.  RE: SRX in transparent mode

    Posted 05-16-2017 02:36

    Not exactly; when you engage transparent mode there are NO VLANs.  This is a below-layer-2 mode.


    Think of the SRX as a dumb hub at this point, where you can assign the different interfaces to zones and then write security policies between ports in the same subnet.  The traffic is seen not due to layer 2 or layer 3 but because the physical path must cross the SRX.


    Bridge domains connect multiple interfaces into a layer 2 bridge and are able to bridge different VLAN IDs.  This allows different VLANs to come in from the network and places them into the same broadcast domain at the SRX.  Or it can simply allow multiple interfaces on the SRX to bridge at layer 2 and speak to each other.
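    The points made in #4 (each bridge domain is isolated from the others) and #7 (policy is written between ports that sit in the same subnet, because the physical path crosses the SRX) can be seen in one configuration. The following is an added example, not configuration posted in this thread or taken from Juniper's documentation; it assumes an SRX release that uses `family bridge` and `bridge-domains` for transparent mode (the pre-15.1X49 syntax the JNCIP material of that time covered), and the interface names, zone names and the 192.0.2.0/24 address are made up.

```junos
## Added example (not from the thread). Assumes Junos with "family bridge"
## transparent mode; ports, zone names and addresses are made up.

## Two access ports carrying VLAN 10: the hosts behind them are in the
## same subnet, yet every frame between them must cross the SRX.
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access vlan-id 10

## Trunk toward the existing switch; it carries VLANs 10 and 20.
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk vlan-id-list [ 10 20 ]

## One bridge domain per VLAN. bd10 and bd20 never exchange traffic (#4):
## a host in VLAN 20 cannot reach VLAN 10 through the SRX at all.
## (set bridge-domains all domain-type bridge vlan-id-list [ 10 20 ] would
##  have Junos create the equivalent per-VLAN domains automatically.)
set bridge-domains bd10 domain-type bridge vlan-id 10
set bridge-domains bd20 domain-type bridge vlan-id 20

## Management address of the SRX itself sits inside VLAN 10's broadcast
## domain, as #2 notes it must; the physical ports get no MAC of their own.
set bridge-domains bd10 routing-interface irb.0
set interfaces irb unit 0 family inet address 192.0.2.10/24

## Zones are per port, not per subnet (#7): same subnet, different zones.
set security zones security-zone uplink interfaces ge-0/0/0.0
set security zones security-zone users interfaces ge-0/0/1.0
set security zones security-zone servers interfaces ge-0/0/2.0
set security zones security-zone users interfaces ge-0/0/1.0 host-inbound-traffic system-services ssh

## The only thing that lets a user host reach a server host in the same
## VLAN is this policy; everything else between the zones is dropped.
set security policies from-zone users to-zone servers policy users-to-servers match source-address any
set security policies from-zone users to-zone servers policy users-to-servers match destination-address any
set security policies from-zone users to-zone servers policy users-to-servers match application junos-https
set security policies from-zone users to-zone servers policy users-to-servers then permit
set security policies from-zone users to-zone servers policy users-to-servers then log session-init
set security policies default-policy deny-all

## Checks after commit (older releases need a reboot when changing mode):
##   show bridge domain           - bd10 and bd20 listed separately
##   show bridge mac-table        - learned hosts, per bridge domain
##   show security flow session   - HTTPS users->servers sessions; anything
##                                  else between the zones never appears
```

    The part to notice is that nothing in the subnet or VLAN layout changed on the switch side: VLAN 10 arrives on the trunk exactly as before, and the policy applies only because ge-0/0/1 and ge-0/0/2 are different zones. Putting the uplink into a third zone keeps the trunk-to-port traffic under explicit policy as well, so a permissive default is not needed anywhere.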

  • 8.  RE: SRX in transparent mode

    Posted 05-17-2017 10:27

    spuluka, you made me more confused.....


    Bridge domains connect multiple interfaces into a layer 2 bridge and are able to bridge different VLAN IDs.  This allows different VLANs to come in from the network and places them into the same broadcast domain at the SRX.  Or it can simply allow multiple interfaces on the SRX to bridge at layer 2 and speak to each other.


    *I suppose that each VLAN will be in a separate bridge domain and each bridge domain is isolated from other bridge domains,

    ,,so how to make multiple VLANs in the same broadcast domain,,,

    It seems I have a misunderstanding of the concept of bridge domain itself 😞


  • 9.  RE: SRX in transparent mode

    Posted 05-20-2017 05:42
    ,,so how to make multiple VLANs in the same broadcast domain,,,
    It seems I have a misunderstanding of the concept of bridge domain itself

    VLAN ID is not necessarily the same thing as subnet.  Different VLAN IDs can contain the same IP subnet in different switches or devices on the network.


    When the same subnet reaches the Junos device on different VLAN IDs you can use the bridge domain to put those different IDs into the same broadcast domain so they can see each other.


    This is commonly used on large enterprise or service provider networks where services transport VLANs from multiple remote sites to a core location.  Then the bridge domain can connect these disparate IDs into the common broadcast domain via the bridge domain.



  • 10.  RE: SRX in transparent mode

    Posted 05-21-2017 04:02

    Dear Spuluka,


    Would you please provide me with material to study bridge domains, because you have provided me with new information.

  • 11.  RE: SRX in transparent mode

    Posted 05-27-2017 03:44

    Here is the documentation.



    You create a bridge domain that can act as a switch to connect multiple VLANs on a trunk port into the same layer 2 domain.


    An example would be: you have an l2circuit at multiple remote sites as a management VLAN for equipment.

    The other side of the circuit lands on the trunk port.

    Each site needs a unique interface unit and VLAN tag to share the port.

    But all are the same management VLAN, so you create the bridge group to tie them together.