Ethernet Switching

EX 4600 Making port only transmit

2 weeks ago

Hi everyone,

Please consider the following example:

Traffic -g0/0/1- EXSW-ge0/0/2---IDS

Above we are port mirroring all traffic entering/exiting ge0/0/1 and sending output to ge0/0/2 where IDS is connected.

To avoid all traffic coming back from IDS into ge0/0/2 ( say NIC on IDS is faulty), we can do following:

Apply a filter inbound on ge0/0/2 that denies all traffic.

In Cisco, we can simply configure the port ge0/0/2 to transmit only thus no filter is needed.

Do we have such functionality on EX 4600 SW where EX switch ge-0/0/2 can only transmit?

Thanks and have a good night!!



Re: EX 4600 Making port only transmit

2 weeks ago
Hello Sarah,

There is a "unidirectional" link-mode feature available for some MX platforms, however this isn't supported on EX4600.

Feature description:
https://www.juniper.net/documentation/en_US/junos/topics/concept/ethernet-unidirectional-flow-on-phy...
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-enabling-unid...

Support for this feature:
https://apps.juniper.net/feature-explorer/feature-info.html?fKey=3134&fn=Unidirectional%20link%20sup...

Hope this helps.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Solution
Accepted by topic author sarahr202
2 weeks ago

Re: EX 4600 Making port only transmit

2 weeks ago

Hi,

In the case of Junos, it does support unidirectional flow; refer to the link below:

https://www.juniper.net/documentation/en_US/junos/topics/concept/ethernet-unidirectional-flow-on-phy...

But it is supported only on these models:

  • 4–port 10–Gigabit Ethernet DPC on the MX960 router

  • 10–Gigabit Ethernet IQ2 PIC and 10–Gigabit Ethernet IQ2E PIC on the T Series router

As you're using an EX4600, it does not support unidirectional flow.

To answer your question:

> Do we have such functionality on EX 4600 SW where EX switch ge-0/0/2 can only transmit?

When a port is used as a destination port in port mirroring, the traffic from the source port is dumped on the destination port. Between the server connected on the destination port and the switch port there is no control traffic passed; there is only egress of traffic from the switch port to the server. There is no ingress traffic from the server to the switch, hence no filter is required.

> In case the NIC card on the server goes down, the port on the switch side also goes down.

That will trigger a syslog message.


Re: EX 4600 Making port only transmit

2 weeks ago

Hello Sharanya,


Thanks for chiming in.  Just note that in the question the situation or need where we might expect traffic back from server is mentioned i.e. "To avoid all traffic coming back from IDS into ge0/0/2 ( say NIC on IDS is faulty)".  Hence using a firewall filter is the right/possible way to avoid such traffic back from the server.


Hope this helps.


Regards,
-r.


Re: EX 4600 Making port only transmit

2 weeks ago

Hi Mriyaz,

I agree with you, a firewall filter with discard should do it.

Regards 

Sharanya
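As an added example (not configuration posted by anyone in this thread), here is what the setup discussed above looks like in Junos `set` syntax: the mirror session copying ge-0/0/1 to the IDS port ge-0/0/2, plus the inbound discard filter that stops anything a faulty IDS NIC might loop back. The analyzer name, filter name and counter name are assumptions, the port names are taken from the question, and the `family ethernet-switching` syntax assumes an ELS-based EX4600 release.

```junos
## Added example, not from the thread. Names IDS-MIRROR, DROP-FROM-IDS and
## from-ids-frames are assumed; ge-0/0/1 and ge-0/0/2 are the ports in the question.

## 1. Port-mirroring (analyzer) session: copy both directions of ge-0/0/1
##    to the port the IDS is plugged into.
set forwarding-options analyzer IDS-MIRROR input ingress interface ge-0/0/1.0
set forwarding-options analyzer IDS-MIRROR input egress interface ge-0/0/1.0
set forwarding-options analyzer IDS-MIRROR output interface ge-0/0/2.0

## 2. Firewall filter whose single term has no "from" clause, so it matches
##    every frame. Counting before discarding makes a misbehaving IDS NIC
##    visible: the counter should stay at zero on a healthy mirror port.
set firewall family ethernet-switching filter DROP-FROM-IDS term drop-all then count from-ids-frames
set firewall family ethernet-switching filter DROP-FROM-IDS term drop-all then discard

## 3. Apply the filter only in the input (ingress) direction on the IDS port.
##    Mirrored traffic still leaves the port; nothing the IDS sends is accepted.
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input DROP-FROM-IDS

## Verification after commit (standard Junos operational commands):
##   show forwarding-options analyzer
##   show firewall filter DROP-FROM-IDS
```

Because the term carries no match conditions, the filter also drops LLDP, STP and any other control frames from the IDS side; that is the intended effect for a receive-only monitoring device, but it is worth confirming the IDS does not rely on any of them. A non-zero `from-ids-frames` count after the filter is in place is the simplest indicator that the IDS is transmitting when it should not be.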


Re: EX 4600 Making port only transmit

2 weeks ago

Hello Sarah,

I agree with Mriyaz as well; a firewall filter should do the trick. I just want to bring this limitation to you, so you can be aware of it.

True egress mirroring is defined as mirroring the exact number of copies and the exact packet modifications that went out the egress switched port. Because the processor on QFX5xxx (including QFX5100, QFX5110, QFX5120, QFX5200, and QFX5210) and EX4600 (including EX4600 and EX4650) switches implements egress mirroring in the ingress pipeline, those switches do not provide accurate egress packet modifications, so egress mirrored traffic can carry incorrect VLAN tags that differ from the tags in the original traffic.


If this solves your problem, please mark this post as "Accepted Solution" so we can help others too.


Warm regards,

Pablo Restrepo -


Re: EX 4600 Making port only transmit

2 weeks ago

> When a port is used as a destination port in port mirroring, the traffic from the source port is dumped on the destination port. Between the server connected on the destination port and the switch port there is no control traffic passed; there is only egress of traffic from the switch port to the server. There is no ingress traffic from the server to the switch, hence no filter is required.

Yes, normally, but if traffic is looped back because of a faulty NIC connected to the destination port, a filter can overcome such an issue.

Appreciated !!


Have a good weekend!!