Configuring Unidirectional Single-Fiber Communication

During network management and maintenance, the administrator may need to send traffic from users to a specified server for analysis and processing. If a server can receive and send packets, there is a possibility that the server forwards user traffic to other devices, causing a security risk. The unidirectional single-fiber communication function can address this issue. A single fiber means that two optical modules are connected by only one fiber, and unidirectional communication means that packets can be sent in only one direction. With this function, a switch can only send but cannot receive packets, and an analysis server can only receive but cannot send packets. The data security on the analysis server is ensured.

An optical module provides a TX end and an RX end. Generally, two optical modules are connected by two fibers. The TX and RX ends of one module are respectively connected to the RX and TX ends of another module. A device transmits and receives packets through two independent fibers. If the unidirectional single-fiber communication function is disabled, two devices cannot communicate with each other through a single fiber. After this function is configured, the devices can use only one fiber to communicate with each other.

As shown in Figure 1, SwitchA is connected to the upper-layer traffic distribution device through XGE0/0/1. The traffic sent from the traffic distribution device enters SwitchA through XGE0/0/1. SwitchA transmits packets through XGE0/0/2, and the analysis server receives packets through the optical interface. After the unidirectional single-fiber function is configured on XGE0/0/2, you only need to connect the TX end of the optical module on XGE0/0/2 to the RX end of the optical module on the analysis server through one fiber. Then SwitchA can transmit packets to the analysis server through a single fiber, and the analysis server can receive packets through the single fiber. In addition, the TX end of the optical module on the analysis server is not connected, so the analysis server cannot transmit packets, ensuring data security on the server.

Figure 1 Networking diagram of unidirectional single-fiber communication

S5720-HI does not support unidirectional single-fiber communication.

An XGE optical interface supports the single-fiber enable command only when it has no optical module installed or has an XGE optical module installed, and no license is required. Particularly, XGE optical interfaces on the S5720-EI, S6720-EI, and S6720S-EI also support the single-fiber enable command after GE optical modules are installed, and no license is required.

A 25GE optical interface supports the single-fiber enable command only when it has no optical module installed or has a GE/XGE/25GE optical module installed.

40GE optical interfaces support unidirectional single-fiber communication only when no optical module is installed or 40GE optical modules are installed.

100GE optical interfaces support unidirectional single-fiber communication only when no optical module is installed or 40GE/100GE optical modules are installed.

When enabling unidirectional single-fiber communication on an interface, make sure that the remote interface also works in non-auto-negotiation mode and uses the same rate as that of the local interface.

An optical interface does not support this function after it connects to a cable.