vSRX

  • 1.  Does vSRX(15.1x49-D100) support Transparent Mode?

    Posted 11-12-2018 18:16

    I have a vSRX and am trying to configure transparent mode on it, but for some reason the commands are not being accepted. I checked the feature explorer and it is supported:

    Layer 2 Transparent Mode
    Support is available for Layer 2 transparent mode deployments. In transparent mode, the vSRX instance filters packets that traverse the instance without modifying any of the source or destination information in the IP packet headers. Transparent mode is useful for protecting servers that mainly receive traffic from untrusted sources because there is no need to reconfigure the IP settings of routers or protected servers.

    I am trying to apply the following config:

    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 10;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family bridge {
                interface-mode access;
                vlan-id 20;
            }
        }
    }
    bridge-domains {
        L2-VLAN-10 {
            domain-type bridge;
            vlan-id 10;
        }
        L2-VLAN-20 {
            domain-type bridge;
            vlan-id 20;
        }
    }

    Am I missing something?

    Any help is greatly appreciated!


    [UPDATE 1]

    I set the l2-learning global-mode to transparent mode and rebooted the device. After it came back I checked the mode and it still shows as Not set.

    [edit]
    root# show protocols                
    l2-learning {
        global-mode transparent-bridge;
    }
    root# run show ethernet-switching global-information 
    Global Configuration:
    
    MAC aging interval    : 0           
    MAC learning          : Enabled     
    MAC statistics        : Disabled    
    MAC limit Count       : 0           
    MAC limit hit         : Disabled    
    MAC packet action drop: Disabled    
    LE  aging time        : 1200        
    LE  VLAN aging time   : 1200        
    Global Mode           : Not set



    #vSRX
    #bridge
    #vsrx-ng
    #Transparent


  • 2.  RE: Does vSRX(15.1x49-D100) support Transparent Mode?
    Best Answer

    Posted 11-14-2018 17:32

    On vSRX firewalls the transparent mode configuration is a bit different than on physical devices. Below is the configuration I used to achieve transparent mode.

    system {
        root-authentication {
            encrypted-password "$5$LPCKp87x$3lzyhFqUXSFKDgl0WatlmvwDNDSEsX1IAlD901dxHn6"; ## SECRET-DATA
        }
        services {
            ssh;
            web-management {
                http {
                    interface fxp0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {     
                interactive-commands any;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        log {
            mode stream;
            report;
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }                           
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;             
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            global {
                policy L2 {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {                  
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
            }
            security-zone untrust {
                screen untrust-screen;
            }
            security-zone L2-Trust {
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }                               
            security-zone L2-Untrust {
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            vlan-tagging;
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                }                           
            }
        }
        ge-0/0/1 {
            vlan-tagging;
            unit 0 {
                family ethernet-switching {
                    interface-mode trunk;
                    vlan {
                        members all;
                    }
                }
            }
        }
        fxp0 {
            unit 0;
        }
    }
    vlans {
        vlan-10 {
            vlan-id 10;
        }
        vlan-20 {
            vlan-id 20;                     
        }
        vlan-30 {
            vlan-id 30;
        }
    }

    After rebooting, the global mode of ethernet-switching changed to transparent bridge.


    root> show ethernet-switching global-information 
    Global Configuration:
    
    MAC aging interval    : 300         
    MAC learning          : Enabled     
    MAC statistics        : Disabled    
    MAC limit Count       : 65535       
    MAC limit hit         : Disabled    
    MAC packet action drop: Disabled    
    LE  aging time        : 1200        
    LE  VLAN aging time   : 1200        
    Global Mode           : Transparent bridge
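    As an added example (not code from the thread or from Juniper), the following Python linter flattens a Junos configuration into statement paths and flags the legacy family bridge / bridge-domains syntax from the question, checks for the working family ethernet-switching plus vlans form together with the protocols l2-learning global-mode transparent-bridge statement from the update, and reads Global Mode out of show ethernet-switching global-information output. The sample configs and show output are constructed, abbreviated versions of those posted above.

```python
import re

def config_paths(text):
    """Flatten Junos curly-brace config into statement paths such as
    'interfaces ge-0/0/1 unit 0 family bridge'; '## ...' notes are dropped."""
    stack, paths, buf = [], set(), []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"##.*", "", text)):
        if tok == "{":                       # open a stanza
            stack.append(" ".join(buf)); buf = []
            paths.add(" ".join(stack))
        elif tok == ";":                     # leaf statement
            paths.add(" ".join(stack + [" ".join(buf)])); buf = []
        elif tok == "}":
            stack.pop()
        else:
            buf.append(tok)
    return paths

def lint_transparent_mode(text):
    """Findings for a vSRX 15.1X49+ transparent-mode config: legacy
    'family bridge' / 'bridge-domains' is rejected there; the working form is
    'family ethernet-switching' plus 'vlans', with the l2-learning mode set."""
    p = config_paths(text)
    findings = []
    if any(" family bridge" in x for x in p) or any(x.split(" ")[0] == "bridge-domains" for x in p):
        findings.append("legacy 'family bridge'/'bridge-domains' syntax; use 'family ethernet-switching' and 'vlans'")
    if not any(" family ethernet-switching" in x for x in p):
        findings.append("no interface unit has 'family ethernet-switching'")
    if not any(x.startswith("vlans ") for x in p):
        findings.append("no 'vlans' stanza defines a VLAN")
    if "protocols l2-learning global-mode transparent-bridge" not in p:
        findings.append("'protocols l2-learning global-mode transparent-bridge' is not set")
    return findings

def global_mode(show_output):
    """Read 'Global Mode' from 'show ethernet-switching global-information'."""
    m = re.search(r"^\s*Global Mode\s*:\s*(.+?)\s*$", show_output, re.M)
    return m.group(1) if m else None

# Constructed, abbreviated versions of the thread's configs and show output.
LEGACY_CFG = """interfaces { ge-0/0/1 { unit 0 { family bridge { interface-mode access; vlan-id 10; } } } }
bridge-domains { L2-VLAN-10 { domain-type bridge; vlan-id 10; } }"""
WORKING_CFG = """protocols { l2-learning { global-mode transparent-bridge; } }
interfaces { ge-0/0/0 { vlan-tagging; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members all; } } } }
             ge-0/0/1 { vlan-tagging; unit 0 { family ethernet-switching { interface-mode trunk; vlan { members all; } } } } }
vlans { vlan-10 { vlan-id 10; } vlan-20 { vlan-id 20; } }"""
SHOW_BEFORE = "Global Configuration:\nMAC learning          : Enabled\nGlobal Mode           : Not set\n"
SHOW_AFTER = "Global Configuration:\nMAC learning          : Enabled\nGlobal Mode           : Transparent bridge\n"
```

Running lint_transparent_mode on LEGACY_CFG yields four findings, while WORKING_CFG yields none; global_mode returns "Not set" and "Transparent bridge" for the two show outputs.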
    




  • 3.  RE: Does vSRX(15.1x49-D100) support Transparent Mode?

    Posted 07-02-2019 07:57

    Hi 

    Could you please let me know how the virtual switch or port group was configured in this case?

    We have a similar requirement and need to deploy transparent mode vSRX on VMware ESXi.

    What settings will be required on the port groups that both vSRX interfaces will be connected to? Will those be required to pass tagged VLANs? Any idea?


    Thanks



  • 4.  RE: Does vSRX(15.1x49-D100) support Transparent Mode?

    Posted 07-02-2019 09:47

    Hi Bluedash,


    Under Portgroup configuration on VMware ESXi you may:

    1. Specify a specific VLAN to be allowed, or

    2. To allow multiple VLANs, define the VLAN ID as 4095

    vSwitch does not require any specific config.
    Just take care that the following settings are set correctly to accept/reject:

    Promiscuous mode,

    MAC address changes

    Forged transmits


    Regards,

    Rahul



  • 5.  RE: Does vSRX(15.1x49-D100) support Transparent Mode?

    Posted 07-02-2019 09:51

    Hi Armartirosyan,


    Just wanted to correct your statement that the vSRX is configured differently as compared to a physical SRX.

    In version 15.x the SRX as a whole introduced two L2 modes (transparent/switching).

    Hence, we had the said configuration changes you mentioned.


    Reference:- https://kb.juniper.net/InfoCenter/index?page=content&id=KB31147


    ** Adding this post FYI for future readers of this post.


    Regards,

    Rahul




  • 6.  RE: Does vSRX(15.1x49-D100) support Transparent Mode?

    Posted 07-13-2019 03:47

    Thanks Rahul for your response. I am still unable to achieve the desired configuration and result.

    Attached is the logical topology that I am trying to achieve, and I need help on the same. Is there a KB or an example configuration to achieve the desired design?


    [attachment: vsrx-transparent.PNG]


    Thanks again for your valuable assistance.



  • 7.  RE: Does vSRX(15.1x49-D100) support Transparent Mode?

    Posted 07-15-2019 05:09

    Hi Bluedash,


    This should be working.

    On the SRX, do you learn the MAC of the VM and gateway on either side?


    show ethernet-switching table


    -Rahul




  • 8.  Re: Does vSRX(15.1x49-D100) support Transparent Mode?

    Posted 10-04-2020 08:42

    Hi,


    Were you able to get this to work? If so, could you share details?


    -Segz