Understanding Security Policies in Transparent Mode
In transparent mode, security policies can be configured only between Layer 2 zones. When packets are forwarded through the bridge domain, the security policies are applied between security zones. A security policy for transparent mode is similar to a policy configured for Layer 3 zones, with the following exceptions:
- NAT is not supported.
- IPsec VPN is not supported.
- Junos-H323 ALGs and IDP are not supported.
- Application ANY is used.
Layer 2 forwarding does not permit any interzone traffic unless there is a policy explicitly configured on the device. By default, Layer 2 forwarding performs the following actions:
- Allows or denies traffic specified by the configured policy.
- Allows Address Resolution Protocol (ARP) and Layer 2 non-IP multicast and broadcast traffic. The device can receive and pass Layer 2 broadcast traffic for STP.
- Continues to block all non-IP and non-ARP unicast traffic.
This default behavior can be changed for bridge packet flow by using either J-Web or the CLI configuration editor (the options live at the [edit security flow bridge] hierarchy level):
- Configure the block-non-ip-all option to block all Layer 2 non-IP and non-ARP traffic, including multicast and broadcast traffic.
- Configure the bypass-non-ip-unicast option to allow all Layer 2 non-IP traffic to pass through the device.
Note: You cannot configure both options at the same time.
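The following configuration, added here as an illustration and not taken from the Junos documentation page or from a Juniper example, pulls the pieces above together: a bridge domain, two Layer 2 zones, one interzone policy (application any, no NAT or IPsec stanzas), and the bridge flow option. The interface, VLAN, bridge-domain, zone and policy names are assumptions; the family bridge / bridge-domains syntax shown here is the older SRX transparent-mode syntax that matches this page, and newer releases use family ethernet-switching and vlans instead.

```junos
## Added example (not from the page): transparent-mode zones, bridge domain,
## one Layer 2 interzone policy and the bridge flow option.
## Interface/VLAN/zone/policy names are illustrative assumptions.

## Bridge domain and the two Layer 2 access interfaces in it
set bridge-domains bd10 domain-type bridge vlan-id 10
set interfaces ge-0/0/1 unit 0 family bridge interface-mode access
set interfaces ge-0/0/1 unit 0 family bridge vlan-id 10
set interfaces ge-0/0/2 unit 0 family bridge interface-mode access
set interfaces ge-0/0/2 unit 0 family bridge vlan-id 10

## Layer 2 security zones, one interface in each
set security zones security-zone l2-trust interfaces ge-0/0/1.0
set security zones security-zone l2-untrust interfaces ge-0/0/2.0

## Interzone policy: without it, no IP traffic crosses the zones.
## Application is 'any'; NAT and IPsec actions are not available in this mode.
set security policies from-zone l2-trust to-zone l2-untrust policy allow-out match source-address any
set security policies from-zone l2-trust to-zone l2-untrust policy allow-out match destination-address any
set security policies from-zone l2-trust to-zone l2-untrust policy allow-out match application any
set security policies from-zone l2-trust to-zone l2-untrust policy allow-out then permit
set security policies from-zone l2-trust to-zone l2-untrust policy allow-out then log session-close

## Bridge flow behaviour: configure ONE of the two, never both.
## Strict choice: drop every non-IP, non-ARP Layer 2 frame, including
## multicast and broadcast (STP BPDUs included, so plan for that).
set security flow bridge block-non-ip-all
## Permissive alternative (mutually exclusive with block-non-ip-all):
## set security flow bridge bypass-non-ip-unicast

## Validate before committing, then review what was applied
commit check
run show configuration security flow bridge
run show security policies from-zone l2-trust to-zone l2-untrust
```

The commit check step is where a configuration carrying both bridge flow options should be caught before it reaches the running configuration; if the strict option is chosen, confirm that any Layer 2 control traffic the segment relies on (such as STP) is acceptable to drop.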
For more information about security policies, see Junos OS Security Configuration Guide.
