Ethernet Switching

best practice for unused ports

‎07-28-2019 08:25 PM

Hi all,

What is the disadvantage or risk of leaving some unused ports and aggregate ethernet ports open and not disabled?

In the CCNA course, the trainer always strongly advised shutting down the unused ports. How about in the Junos EX switch product?

1-) Does any traffic go to unused ports unless a cable is plugged into the unused ports?

2-) Does the EX switch have any mechanism to avoid unusual behaviour when unused ports or ae are left open?

3-) What is the best practice for unused ports and ae(x)?

4-) If persisting in keeping unused ports open, what is the worst scenario?

Thanks

Ar

   

Solution
Accepted by topic author Arix
‎07-29-2019 04:30 AM

Re: best practice for unused ports

‎07-29-2019 03:18 AM

There is really no difference at all between any vendor on the risks and best practices for unused ethernet switch ports.  The risks are the same and the recommendations are industry wide not vendor specific.

 

1-) Does any traffic go to unused ports unless a cable is plugged into the unused ports?

Not sure I get this but I think you are asking what happens on an admin-up, link-down port. No traffic will be sent there.

 

2-) Does the EX switch have any mechanism to avoid unusual behaviour when unused ports or ae are left open?

The behavior on admin-up, link-down ports will depend on the configuration applied. Should someone connect, then they will have the access that is configured for the port.

 

3-) What is the best practice for unused ports and ae(x)?

Admin down any ports not being actually used both virtual and physical.

 

4-) If persisting in keeping unused ports open, what is the worst scenario?

A malicious actor can plug into that port if they gain physical access and have the network access that is configured for that port as a starting point to an intrusion.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: best practice for unused ports

‎08-16-2019 10:53 PM

We tend to use the following as our template to disable interfaces:

    /* --- EXAMPLE SPARE PORT --- */
    ge-0/0/0 {
        description "GE-0/0/0 SPARE";
        disable;
        unit 0 {
            disable;
            family inet {
                filter {
                    input DENY-ALL;
                }
            }
        }
    }

You can do this in bulk in a much more granular fashion than the Cisco 'interface range' command since you can use REGEX patterns. Here's an example that produces the output above, but on multiple interfaces:

    /* --- EXAMPLE PORT RANGE COMMAND --- */
    wildcard range set interfaces <INT>[<RANGE>] <COMMANDS>
    /* --- EXAMPLE PORT RANGE COMMAND for SPARE PORTS --- */
    wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] description "GE-1/_/_ SPARE"
    wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] disable
    wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] unit 0 disable
    wildcard range set interfaces ge-1/[0-3]/[0-3,5,7-9] unit 0 family inet filter input DENY-ALL

Lastly, here's the 'DENY-ALL' filter referenced above:

    firewall {
        filter DENY-ALL {
            term 1 {
                then {
                    syslog;
                    discard;
                }
            }
        }
    }

This seems to keep our IA Team happy and is a component of keeping our devices DISA STIG hardened. Hopefully you'll find it useful.
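The template in the reply above only helps if every spare port actually carries it, so the check a practitioner wants is an audit that reads the running interface configuration and flags spare ports that are missing the physical disable, the unit 0 disable, or the DENY-ALL input filter. The following script is an added example and is not code from the original post or from Juniper. Its SAMPLE_CONFIG is constructed for illustration; the rule that a port whose description contains "SPARE" is unused follows the poster's naming convention and is an assumption of the script, not a Junos feature. The parser handles only the plain curly-brace structure shown in the thread.

```python
# Added example, not code from the original post: audit a Junos-style interface
# configuration for spare ports that fall short of the template quoted above.
# SAMPLE_CONFIG is constructed; treating a port whose description contains
# "SPARE" as unused follows the poster's naming and is an assumption here.

SAMPLE_CONFIG = """\
interfaces {
    ge-0/0/0 {
        description "GE-0/0/0 SPARE";
        disable;
        unit 0 {
            disable;
            family inet {
                filter {
                    input DENY-ALL;
                }
            }
        }
    }
    ge-0/0/1 {
        description "GE-0/0/1 SPARE";
        unit 0 {
            family ethernet-switching;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family ethernet-switching;
        }
    }
    ae0 {
        description "AE0 SPARE";
        disable;
        unit 0 {
            family ethernet-switching;
        }
    }
}
"""


def parse_junos(text):
    """Parse curly-brace Junos text into nested dicts: 'name {' opens a block,
    'keyword;' -> True, 'keyword value;' -> value (no inactive:/protect: prefixes)."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # blank lines and /* comments */
        if line.endswith("{"):
            block = {}
            stack[-1][line[:-1].strip()] = block
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            key, _, value = line[:-1].strip().partition(" ")
            stack[-1][key] = value.strip().strip('"') if value else True
    return root


def audit_interfaces(config):
    """Return (interface, finding) pairs; an empty list means every spare port
    matches the template (physical disable, unit 0 disable, DENY-ALL filter)."""
    findings = []
    for name, body in config.get("interfaces", {}).items():
        if not isinstance(body, dict):
            continue
        desc = body.get("description")
        if not isinstance(desc, str) or not desc:
            findings.append((name, "no description; cannot tell whether it is in use"))
            continue
        if "SPARE" not in desc.upper():
            continue  # documented as in use; not examined here
        unit0 = body.get("unit 0")
        unit0 = unit0 if isinstance(unit0, dict) else {}
        inet = unit0.get("family inet")
        flt = inet.get("filter") if isinstance(inet, dict) else None
        if body.get("disable") is not True:
            findings.append((name, "spare port is administratively up"))
        if unit0.get("disable") is not True:
            findings.append((name, "unit 0 of spare port is not disabled"))
        if not isinstance(flt, dict) or flt.get("input") != "DENY-ALL":
            findings.append((name, "unit 0 has no DENY-ALL input filter"))
    return findings


def remediation_commands(name):
    """Junos 'set' commands bringing one interface to the spare-port template."""
    return [
        f'set interfaces {name} description "{name.upper()} SPARE"',
        f"set interfaces {name} disable",
        f"set interfaces {name} unit 0 disable",
        f"set interfaces {name} unit 0 family inet filter input DENY-ALL",
    ]


if __name__ == "__main__":
    for iface, message in audit_interfaces(parse_junos(SAMPLE_CONFIG)):
        print(f"{iface}: {message}")
        if "administratively up" in message:
            print("  " + "\n  ".join(remediation_commands(iface)))
```

On the constructed sample the audit reports nothing for ge-0/0/0, three findings for ge-0/0/1, one for ge-0/0/2 (no description, so it cannot be classified) and two for ae0, which is disabled physically but still has an enabled unit 0 without the filter. Running the same check against the output of `show configuration interfaces` after each change window is a cheap way to catch ports that were re-enabled for a test and never disabled again.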