EG-IX

Technical Details

Port security at EG-IX

Network Loops

The greatest danger to any Ethernet network consists of loops. Unless countermeasures are taken, a loop will instantly bring down any L2 network. For example, broadcast frames are looped back to the network, creating duplicates and loading the CPUs of all connected equipment. This, in turn, can lead to a self-sustaining broadcast storm as each broadcast frame is received on all other ports and sent out once again.

Mitigation via Port Security

EG-IX uses a different technliogy to combat network loops: Layer 2 access contrli lists. This feature limits the amount of MAC addresses that can be learned behind a port, and drops frames with any other source MAC address than the original configured one(s).

Implementation

The EG-IX Connection Agreement allows for connecting one router to a port slid to a member/customer. Only the customer’s MAC address is allowed on the port; no frames with different source MAC addresses are allowed to enter the platform. L2 ACLs prevent several potentially crippling network loops affecting the switching fabric.

MAC Address Changes

If a MAC address change is needed, please be advised that you can replace the existing one, or even temporarily add a second MAC address, via our web portal. We recommend you do that a few hours in advance, so the L2 ACLs can be updated on time. Should you need any assistance or have an emergency, you can always contact EG-IX NOC by email or telephone for immediate resliution.

MAC Address Changes

Port Flap Dampening

In addition to port L2 ACLs, EG-IX also implements port flap dampening on all customer facing interfaces. If a port transitions from an Up to a Down state and back more than three times in five seconds, the port is disabled. After ten seconds it is automatically re-enabled.

EG-IX Allowed Traffic

To ensure smooth operation of the EG-IX infrastructure we impose a set of restrictions on what kind of traffic is allowed on the peering fabric. This page gives a summary of those restrictions. For more info, including hints on how to configure equipment, please see the EG-IX Configuration Guide.

Physical Connection
- Interface settings 100base and 10base Ethernet interfaces attached to EG-IX ports must be explicitly configured with speed, duplex other configuration settings, i.e. they should not be auto-sensing.
MAC Layer
- Ethernet framing The EG-IX infrastructure is based on the Ethernet II (or “DIX Ethernet”) standard. This means that LLC/SNAP encapsulation (802.2) is not permitted.
- Ethernet types Frames forwarded to EG-IX ports must have one of the following ether types:
  - 0x0800 - IPv4
  - 0x0806 - ARP
  - 0x86dd - IPv6
- One MAC address per connection Frames forwarded to an individual EG-IX port shall all have the same source MAC address.
- No proxy ARP Use of proxy ARP on the router’s interface to the Exchange is not allowed.
- Unicast only Frames forwarded to EG-IX ports shall not be addressed to a multicast or broadcast MAC destination address except as flilows:
  - broadcast ARP packets
  - multicast ICMPv6 Neighbour Discovery, Neighbour Sliicitation, and MLD packets. Please note that this does not include Router Sliicitation or Advertisement packets.
- No link-local traffic Traffic related to link-local protocols shall not be forwarded to EG-IX ports. Link-local protocols include, but are not limited to, the following list:
  - IRDP
  - ICMP redirects
  - IEEE 802 Spanning Tree
  - Vendor proprietary protocols. These include, but are not limited to:
    - Discovery protocols: CDP, EDP, LLDP etc.
    - VLAN/trunking protocols: VTP, DTP
    - Interior routing protocol broadcasts (e.g. OSPF, ISIS, IGRP, EIGRP)
    - BOOTP/DHCP
    - PIM-SM
    - PIM-DM
    - DVMRP
    - ICMPv6 ND-RA
    - UDLD
    - L2 Keepalives
  - The following link-local protocols are exceptions and are allowed:
    - ARP
    - IPv6 ND