Understanding Security Policies in Transparent Mode
In transparent mode, security policies can be configured only between Layer 2 zones. When packets are forwarded through the VLAN, the security policies are applied between security zones. A security policy for transparent mode is similar to a policy configured for Layer 3 zones, with the following exceptions:
NAT is not supported.
IPsec VPN is not supported.
Application ANY is not supported.
Layer 2 forwarding does not permit any interzone traffic unless there is a policy explicitly configured on the device. By default, Layer 2 forwarding performs the following actions:
Allows or denies traffic specified by the configured policy.
Allows Address Resolution Protocol (ARP) and Layer 2 non-IP multicast and broadcast traffic.
Continues to block all non-IP and non-ARP unicast traffic.
This default behavior can be changed for Ethernet switching packet flow by using either J-Web or the CLI configuration editor:
Configure the block-non-ip-all option to block all Layer 2 non-IP and non-ARP traffic, including multicast and broadcast traffic.
Configure the bypass-non-ip-unicast option to allow all Layer 2 non-IP traffic to pass through the device.
You cannot configure both options at the same time.
Starting in Junos OS Release 12.3X48-D10 and Junos OS Release 17.3R1, you can create a separate security zone in mixed mode (the default mode) for Layer 2 and Layer 3 interfaces. However, there is no routing among IRB interfaces and between IRB interfaces and Layer 3 interfaces. Hence, you cannot configure security policies between Layer 2 and Layer 3 zones. You can only configure security policies between the Layer 2 zones or between Layer 3 zones.
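A worked configuration tying the points above together, added here as an illustration and not taken from the Juniper documentation: two Ethernet switching interfaces in one VLAN, each in its own Layer 2 zone, a policy between those two Layer 2 zones that uses a named application rather than application any, and the block-non-ip-all option set on its own. Interface names, the VLAN ID, zone and policy names are placeholders, and the `security flow ethernet-switching` hierarchy is assumed to be where the two non-IP options live on releases that use Ethernet switching (older releases with family bridge use `security flow bridge`); lines beginning with `#` are explanatory comments.

```junos
# Constructed example: transparent-mode policy between two Layer 2 zones.
# Interface names, VLAN ID, zone names and policy name are placeholders.

# Two Layer 2 (ethernet-switching) access ports in the same VLAN.
set vlans vlan-l2 vlan-id 10
set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members vlan-l2
set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members vlan-l2

# Each Layer 2 interface goes into its own Layer 2 zone. Policies can only be
# written between two Layer 2 zones, never from a Layer 2 zone to a Layer 3 zone.
set security zones security-zone l2-trust interfaces ge-0/0/1.0
set security zones security-zone l2-untrust interfaces ge-0/0/2.0

# Interzone traffic is dropped until a policy permits it. This one allows HTTP
# only: no NAT or IPsec actions, and a named application instead of "any".
set security policies from-zone l2-trust to-zone l2-untrust policy allow-http match source-address any
set security policies from-zone l2-trust to-zone l2-untrust policy allow-http match destination-address any
set security policies from-zone l2-trust to-zone l2-untrust policy allow-http match application junos-http
set security policies from-zone l2-trust to-zone l2-untrust policy allow-http then permit
set security policies from-zone l2-trust to-zone l2-untrust policy allow-http then log session-close

# Tighten the default Layer 2 behaviour: drop non-IP, non-ARP multicast and
# broadcast as well as unicast. Assumed hierarchy; bypass-non-ip-unicast is the
# opposite choice and cannot be configured together with this option.
set security flow ethernet-switching block-non-ip-all
```

After committing, `show security policies from-zone l2-trust to-zone l2-untrust` confirms the policy is installed between the two Layer 2 zones.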