Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  best practice for unused ports

     
    Posted 07-28-2019 20:26

    Hi all,

    What is the disadvantage or risk of leaving some unused ports and aggregate ethernet ports open and not disabled?

    In the CCNA course, the trainer always strongly advised shutting down the unused ports. How about in the Junos EX switch products?

    1-) Does any traffic go to unused ports unless a cable is plugged into them?

    2-) Does the EX switch have any mechanism to avoid unusual behaviour when an unused port or ae is left open?

    3-) What is the best practice for unused ports and ae(x)?

    4-) If I persist in keeping unused ports open, what is the worst-case scenario?

     

    Thanks

    Ar

       



  • 2.  RE: best practice for unused ports
    Best Answer

    Posted 07-29-2019 03:19

    There is really no difference at all between vendors on the risks and best practices for unused ethernet switch ports.  The risks are the same and the recommendations are industry-wide, not vendor-specific.

     

    1-) Does any traffic go to unused ports unless a cable is plugged into them?

    Not sure I get this, but I think you are asking what happens on an admin up, link down port.  No traffic will be sent there.

     

    2-) Does the EX switch have any mechanism to avoid unusual behaviour when an unused port or ae is left open?

    The behavior on admin up, link down ports will depend on the configuration applied.  Should someone connect, they will have the access that is configured for the port.  

     

    3-) What is the best practice for unused ports and ae(x)?

    Admin down any ports not actually being used, both virtual and physical.

     

    4-) If I persist in keeping unused ports open, what is the worst-case scenario?

    A malicious actor can plug into that port if they gain physical access and have the network access that is configured for that port as a starting point for an intrusion.

     



  • 3.  RE: best practice for unused ports

    Posted 08-16-2019 22:54

    We tend to use the following as our template to disable interfaces:

        /* --- EXAMPLE SPARE PORT --- */
        ge-0/0/0 {
            description "GE-0/0/0 SPARE";
            disable;
            unit 0 {
                disable;
                family inet {
                    filter {
                        input DENY-ALL;
                    }
                }
            }
        }
    

    You can do this in bulk in a much more granular fashion than the Cisco 'interface range' command, since you can use REGEX patterns. Here's an example that produces the output above, but on multiple interfaces:

        /* --- EXAMPLE PORT RANGE COMMAND --- */
        wildcard range set interfaces <INT>[<RANGE>] <COMMANDS>
        /* --- EXAMPLE PORT RANGE COMMAND for SPARE PORTS --- */
        wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] description "GE-1/_/_ SPARE"
        wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] disable
        wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] unit 0 disable
        wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] unit 0 family inet filter input DENY-ALL

    Lastly, here's the 'DENY-ALL' filter referenced above:

    firewall {
        filter DENY-ALL {
            term 1 {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }
    

    This seems to keep our IA Team happy and is a component of keeping our devices DISA STIG hardened. Hopefully you'll find it useful.
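    As an added example (not code from either poster), the following Python script audits a saved `show interfaces terse` capture for ports that are admin up but link down, the "open but unused" case discussed above, and emits `set` commands in the spare-port template from the previous post. The terse output is constructed sample data, and the DENY-ALL filter name is assumed to exist already, as shown above.

```python
import re

# Constructed sample of "show interfaces terse" output (not captured from a real device).
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    up   eth-switch
ge-0/0/1                up    down
ge-0/0/1.0              up    down eth-switch
ge-0/0/2                down  down
ge-0/0/2.0              down  down eth-switch
ge-0/0/3                up    down
ae0                     up    down
ae0.0                   up    down eth-switch
me0                     up    up
"""

# Physical and aggregated interfaces only: logical units carry a ".N" suffix and a
# Proto column, so they do not match; the management port (me0) is left out on purpose.
PHYS_RE = re.compile(
    r"^(?P<name>(?:ge|xe|et)-\d+/\d+/\d+|ae\d+)\s+(?P<admin>up|down)\s+(?P<link>up|down)\s*$"
)


def find_admin_up_link_down(terse_text: str) -> list[str]:
    """Candidate spare ports: admin up, link down. Review the list before applying,
    since a port can also be link down because its host is temporarily switched off."""
    found = []
    for line in terse_text.splitlines():
        m = PHYS_RE.match(line)
        if m and m["admin"] == "up" and m["link"] == "down":
            found.append(m["name"])
    return found


def disable_commands(name: str, filter_name: str = "DENY-ALL") -> list[str]:
    """Set commands mirroring the spare-port template posted above."""
    return [
        f'set interfaces {name} description "{name.upper()} SPARE"',
        f"set interfaces {name} disable",
        f"set interfaces {name} unit 0 disable",
        f"set interfaces {name} unit 0 family inet filter input {filter_name}",
    ]


def audit(terse_text: str) -> list[str]:
    """All commands for the candidate ports, suitable for 'load set' after review."""
    return [c for n in find_admin_up_link_down(terse_text) for c in disable_commands(n)]
```

    Run `print("\n".join(audit(SAMPLE_TERSE)))` to see the twelve commands for ge-0/0/1, ge-0/0/3 and ae0; ge-0/0/2 is skipped because it is already admin down.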