Transparent Mode on the SRX240

Published: 2020-08-05 07:42:29 Source: Internet Views: 2801 Author: boochem Category: Security Technology
Technorati tags: srx, juniper, srx240


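Step 1: Preparation
If the device is new and has no configuration, skip straight to Step 2.
If it already carries a lot of configuration, reset it first: load factory-default followed by commit restores the factory default configuration.
load factory-default
After the factory reset you must set the root account password immediately (by default the password must be at least 6 characters, letters plus digits).
2.1.3 Set the root user password
root# set system root-authentication plain-text-password
New password: root123
Retype new password: root123
commit
// On the SRX no command takes effect until it is committed; committing after each command is recommended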

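Step 2: Enable transparent mode
***The web interface does not support managing transparent mode, so the device must first be brought into transparent mode from a console session in HyperTerminal***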
set bridge-domains bd1 domain-type bridge
set bridge-domains bd1 vlan-id 3
set interfaces irb unit 0 family inet address 10.34.208.199/24
set bridge-domains bd1 routing-interface irb.0
// bd1 is an arbitrarily chosen bridge-domain name

Step 3: Enable transparent mode on the interfaces
***Delete unit 0 on every interface; on the SRX240 these are ge-0/0/0 through ge-0/0/15***
delete interfaces ge-0/0/10 unit 0
delete interfaces ge-0/0/11 unit 0
***Add the interfaces to the transparent bridge***
set interfaces ge-0/0/0 unit 0 description L2-Untrust
set interfaces ge-0/0/0 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/0 unit 0 family bridge vlan-id-list 3
set interfaces ge-0/0/1 unit 0 description L2-Untrust
set interfaces ge-0/0/1 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/1 unit 0 family bridge vlan-id-list 3
set interfaces ge-0/0/2 unit 0 description L2-Trust
set interfaces ge-0/0/2 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/2 unit 0 family bridge vlan-id-list 3
set interfaces ge-0/0/3 unit 0 description L2-Trust
set interfaces ge-0/0/3 unit 0 family bridge interface-mode trunk
set interfaces ge-0/0/3 unit 0 family bridge vlan-id-list 3
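// A prompt asking for a reboot indicates that transparent mode has taken effect
root# quit
root> request system reboot
// Reboot command; note that it is entered in operational mode (the > prompt)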

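Step 3: Configure the interfaces
delete security zones security-zone untrust interfaces ge-0/0/0.0
delete security zones security-zone trust interfaces vlan.0
// Remove the interfaces that will join the L2 zones from the default zones; an interface can belong to only one zone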
set security zones security-zone L2-Trust host-inbound-traffic system-services all
set security zones security-zone L2-Trust host-inbound-traffic protocols all
set security zones security-zone L2-Untrust host-inbound-traffic system-services ping
set security zones security-zone L2-Untrust host-inbound-traffic system-services http
set security zones security-zone L2-Untrust host-inbound-traffic system-services telnet
set security zones security-zone L2-Untrust interfaces ge-0/0/0.0
set security zones security-zone L2-Untrust interfaces ge-0/0/1.0
set security zones security-zone L2-Trust interfaces ge-0/0/2.0
set security zones security-zone L2-Trust interfaces ge-0/0/3.0

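Step 4:
set system services web-management http interface irb.0
// Allows web management through irb
Access it at http://10.34.208.199
***This is the IP of the irb.0 management interface; the credentials are usually the configured defaults, root/root123
Once the web interface is reachable, all of the following steps can be configured in the web interface.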

Step 5: Add access policies
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match source-address any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match destination-address any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match application any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL then permit
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match source-address any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match destination-address any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match application any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL then permit

set routing-options static route 0.0.0.0/0 next-hop x.x.x.x
// Default route
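
The commands above leave http and telnet answering on the L2-Untrust zone, serve web management over plain HTTP, and permit all traffic in both directions. The Python check below is an added example, not part of the original post or any Juniper tool: it scans set-style commands for those three settings. The audit function, the rule names and the choice of http/telnet as cleartext services are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample input: a subset of the set commands from the steps above.
CONFIG = """\
set security zones security-zone L2-Untrust host-inbound-traffic system-services ping
set security zones security-zone L2-Untrust host-inbound-traffic system-services http
set security zones security-zone L2-Untrust host-inbound-traffic system-services telnet
set system services web-management http interface irb.0
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match source-address any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match destination-address any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL match application any
set security policies from-zone L2-Trust to-zone L2-Untrust policy IN-OUT-PERMIT-ALL then permit
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match source-address any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match destination-address any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL match application any
set security policies from-zone L2-Untrust to-zone L2-Trust policy OUT-IN-PERMIT-ALL then permit
"""

# Assumption of this example: http and telnet count as cleartext management.
CLEARTEXT = {"http", "telnet"}
HOST_IN = re.compile(r"set security zones security-zone (\S+) host-inbound-traffic system-services (\S+)$")
WEB_HTTP = re.compile(r"set system services web-management http interface (\S+)$")
POLICY = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match \S+|then) (\S+)$")
FIELDS = ("match source-address", "match destination-address", "match application")

def audit(config):
    """Return (rule, location, detail) findings for a set-style config."""
    findings, policies = [], defaultdict(dict)
    for line in map(str.strip, config.splitlines()):
        if m := HOST_IN.match(line):
            if m[2] in CLEARTEXT:  # cleartext service answered by the firewall itself
                findings.append(("cleartext-host-inbound", m[1], m[2]))
        elif m := WEB_HTTP.match(line):
            findings.append(("cleartext-web-management", m[1], "http"))
        elif m := POLICY.match(line):
            # Collect every match/then value per (zone pair, policy name).
            policies[(f"{m[1]}->{m[2]}", m[3])].setdefault(m[4], set()).add(m[5])
    for (zones, name), p in policies.items():
        # Permit-all: every match field is exactly "any" and the action is permit.
        if p.get("then") == {"permit"} and all(p.get(f) == {"any"} for f in FIELDS):
            findings.append(("permit-all-policy", zones, name))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

Run against the commands from this page it reports five findings: two cleartext host-inbound services on L2-Untrust, HTTP web management on irb.0, and both permit-all policies.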
