Friday, 30 November 2012

SRX Transparent Mode

Transparent Mode is listed as a topic on the JNCIE-SEC exam blueprint. It is also supported on all SRX platforms as of Junos 11.1. The idea behind transparent mode is that the device does not do any routing of transit traffic, only bridging (switching). Some components operate the same between transparent mode and normal routed mode. Others are different or not supported altogether.  The following will step through some key topics related to transparent mode. Following these topics a basic configuration exercise will be demonstrated.

Bridge Domain
A bridge domain is a grouping of L2 interfaces in the same broadcast domain (very similar to VLAN). It is possible to configure a bridge domain with multiple VLANs using the `list`statement, however keep in mind the subsystem still creates a bridge domain for each VLAN. This method allows for a more manageable configuration is some scenarios.

Integrated Routing & Bridging Interface (IRB)
Integrated routing and bridging interfaces are used by the router to send/receive traffic. They are NOT used to forward or route any transit traffic. They may be needed to manage the device or for such things as firewall user authentication and to stream logs from the data plane. IRB interfaces cannot be configured on bridge domains which contain multiple VLAN-ids. They are also not configured under any L2 security zone.

L2 Security Zones
Layer 2 security zones are very similar to regular (routed) security zones. The main difference is that they contain logical Layer 2 interfaces instead of routed layer 3 interfaces.

L2 Security Policies
Layer 2 security policies are also similar to regular (routed) security policies. Due to the nature of Transparent Mode some features are not supported such as;
1. NAT
2. IPSec VPN
3. IDP

Forwarding Table
Just as a router would have a routing table a switch (or SRX in transparent mode) has a forwarding table. The default learning mode for an SRX in transparent mode is the same method a switch uses to build its forwarding table. The SRX device will monitor traffic and learn source MAC addresses sent on a port. If the device needs to forward a frame and does not have an entry in the forwarding table it will flood the frame out all L2 interfaces in that broadcast domain except the port it was received on. Address resolution protocol (ARP) can also be used to learn MAC addresses. This option is not on by default and needs to be configured. It provides a slightly more secure option as the ARP frame is flooded not the transit traffic frame.

Configuring Transparent Mode
The diagram below visually outlines this exercise. The SRX240 in the diagram below is configured in transparent mode, it will be segmenting the subnet. Devices connected from the top of the subnet will be in the L2 security zone of 'LAN-L2-Untrust' and devices connected from the bottom of the subnet will be in the L2 security zone of 'LAN-L2-Trused'. Multiple subnets and VLANs could be used on a single device in transparent mode, however this example will use one.

1. Configure Bridge Domain
In this step the bridge domain is created and a VLAN is assigned. The screenshot below outlines the configuration for the bridge domain.

2. Configure Interface ge-0/0/0 (Access Port)
This step outlines the procedure to configure an access port. The device connected to this port would not need to tag frames with a VLAN-id. The act of configuring VLAN-id 192 will place this logical interface in the bridge domain created in step #1. The screenshot below outlines the commands.

3. Configure Interface ae0 (Trunk Port)
This step outlines the procedure to configure a trunked port. In this case the trunked port is configured on interface ae0 as these ports are in a Link Aggregation Group. The configuration done on interface ae0 would be the same procedure to configure a standalone port as a trunked port. The screenshot below outlines the commands.

4. Configure Security Zones
In this step L2 security zones are configured. They are configured in the same fashion as regular security zones. The screenshot below outlines the commands.

5. Configure Security Policies
Security policies are also configured in the same manner as regular security policies. Just remember to keep in mind what options are not supported (they are listed near the beginning of the post). In this example I have created a rule permitting all traffic in both directions. It is important to remember that even though these are called Layer 2 security policies we can still match traffic by IP and application (layer3&4). Address book entries and custom applications can still apply here.

6. Configure IRB Interface
In this step the IRB interface is created. It is also important to note that this interface is not added into any security zones. You might ask, how access could be controlled via host-inbound-traffic if it is not a member of any zone? How it works is that host-inbound-traffic is still applied to the IRB interface, however it is applied from the source zone of the traffic destine for the IRB interface. If I am attempting to ping the IRB interface and I am coming from the source zone of L2-LAN-Untrust ping will need to be defined under host-inbound-traffic for this zone. The screenshot below outlines the commands to configure the IRB interface.

7. Change MAC Learning Process (Optional)
This is an optional step to change the method of MAC learning. By default the SRX will learn MAC addresses similar to a switch (flood MAC if destination is unknown). This option changes the learning to use ARP requests. ARP requests are still flooded, however the ARP frame is less sensitive that potential data that might be flooded in the event the SRX does not know its destination.

7. Reboot SRX
This is required step when configuring interfaces in transparent mode (using the bridge statement). The output below uses the command 'commit check' to demonstrate the warning message that will appear. If the device is later reconfigured to be back in normal (routed) mode another reboot will be required. 

Verify Transparent Mode
1. Show Bridge Domain
The command 'show bridge domain' outlines the configured bridge domains along with logical interface members. 

2. Show MAC Table
The command 'show bridge mac-table' displays all of the learned MAC addresses. The output also confirms on what interface they were learned and the method that they were learned.

3. Show Global MAC Count
The command 'show l2-learning global-mac-count' displays the number of MAC addresses learning globally. Each SRX model has limits on the number of MAC addresses that can be learned, this command can be used to confirm the number of MAC addresses learned is within safe limits.

Configure VLAN Rewriting
In this quick exercise I will configure and demonstrate the VLAN rewriting feature that is present in transparent mode. The diagram below outlines the basic topology for this exercise. It is almost exactly the same as the previous exercise with one minor difference. The switch near the bottom of the diagram does not have VLAN 192 configured, instead it is using VLAN 1192. The VLAN rewriting feature can be used to 'translate' VLAN 1192 to VLAN 192 on the transparent SRX interface of ae0 (ge-0/0/1 and ge-0/0/2).

1. Configure VLAN Rewriting
The screenshot below outlines the existing configuration on interface ae0. Then the command to configure VLAN rewriting is executed. Then the modified configuration is show again. Basically we have configured interface ae0 to expect frames with a VLAN-id of 1192 and then translate them to VLAN-id 192. Keep in mind this is done in both directions.

Verify VLAN Rewriting
The command 'show bridge rewrite statistics interface ae0' displays the rewriting configuration along with egress and ingress packet counters. The screenshot below confirms that frames are being translated.

This post demonstrates the flexibility of the SRX product. Although transparent mode might not be a common option it is good to understand the capabilities of the SRX as a scenario might arise where this type of deployment is needed. If anyone has comments or suggestions regarding transparent mode please leave comments.

1 comment: