Understanding Layer 2 Forwarding Operations
In typical deployments, configure the PoE port of the SRX Series device as a Layer 2 port (family ethernet-switching) that is a VLAN trunk or access port. Configuring the port as a Layer 2 port enables spanning VLANs across access points.
All access points connected to a single SRX Series device and all the wired clients connected to the Layer 2 ports of the same SRX Series device form a single switching domain. This facilitates Layer 2 roaming of wireless clients between the access points connected to the same SRX Series device.
When clients connected to the same access point are on the same VLAN, the access point forwards traffic between the clients. A VLAN can span across access points and also between a wired LAN and a wireless LAN. When clients on the same VLAN are connected to different access points, the switching functions on the SRX Series device forward traffic between the clients. When there are wireless clients connected to an access point and wired clients connected to a port on the SRX Series device on the same VLAN, the switching functions on the SRX Series device forward traffic between the clients.
Packets received from the access point on the Layer 2 port are regular Ethernet packets and are indistinguishable from Ethernet packets received on other Layer 2 ports connected to wired devices. The packets can be switched or routed through the VLAN Layer 3 interface. Firewall policies can be configured on VLAN Layer 3 interfaces to inspect traffic that is routed from wireless clients.
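The deployment described above as a configuration sketch. This is an added example, not taken from the original page. The interface names, VLAN names and IDs, addresses, and zone and policy names are assumptions, and the syntax is the branch SRX `port-mode` / `vlan.N` style (releases that use `interface-mode` and `irb` differ).

```junos
# PoE port facing the access point: Layer 2 trunk carrying the wireless VLANs
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode trunk
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members [ wifi-corp wifi-guest ]

# Wired client port in the same VLAN as corporate wireless clients,
# so wired and wireless hosts share one switching domain
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members wifi-corp

# VLANs and their Layer 3 interfaces (the routed hop for each VLAN)
set vlans wifi-corp vlan-id 20
set vlans wifi-corp l3-interface vlan.20
set vlans wifi-guest vlan-id 30
set vlans wifi-guest l3-interface vlan.30
set interfaces vlan unit 20 family inet address 10.0.20.1/24
set interfaces vlan unit 30 family inet address 10.0.30.1/24

# Bind each VLAN Layer 3 interface to its own security zone
set security zones security-zone wifi-corp interfaces vlan.20
set security zones security-zone wifi-guest interfaces vlan.30

# Policies are evaluated only for traffic routed through vlan.20 / vlan.30.
# Guest clients: permit HTTPS toward the untrust zone, deny and log the rest.
set security policies from-zone wifi-guest to-zone untrust policy guest-web match source-address any
set security policies from-zone wifi-guest to-zone untrust policy guest-web match destination-address any
set security policies from-zone wifi-guest to-zone untrust policy guest-web match application junos-https
set security policies from-zone wifi-guest to-zone untrust policy guest-web then permit

# Guest clients must not reach the corporate wireless/wired VLAN
set security policies from-zone wifi-guest to-zone wifi-corp policy guest-to-corp-deny match source-address any
set security policies from-zone wifi-guest to-zone wifi-corp policy guest-to-corp-deny match destination-address any
set security policies from-zone wifi-guest to-zone wifi-corp policy guest-to-corp-deny match application any
set security policies from-zone wifi-guest to-zone wifi-corp policy guest-to-corp-deny then deny
set security policies from-zone wifi-guest to-zone wifi-corp policy guest-to-corp-deny then log session-init
```

Traffic between two clients in `wifi-corp` is switched and never crosses `vlan.20`, so these policies do not see it; clients that must be inspected against each other belong in separate VLANs.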