Allowed Traffic Types on Unicast Peering LANs
To ensure smooth operation of the IIX infrastructure we impose a set of restrictions on what kind of traffic is allowed on the peering fabric. This page gives a summary of those restrictions. For more info, including hints on how to configure equipment, please see the IIX Configuration Guide.
1. Physical Connection
Interface settings
1Gbase and 10Gbase Ethernet interfaces attached to IIX ports must be explicitly configured with speed, duplex and other configuration settings, i.e. they should not be auto-sensing.
2. MAC Layer
2.1 Ethernet framing
The IIX infrastructure is based on the Ethernet II (or “DIX Ethernet”) standard. This means that LLC/SNAP encapsulation (802.2) is not permitted. For more information on the differences, see the Ethernet FAQ, question 4.1.2.2 Ethernet types.
2.2 Ethertypes
Frames forwarded to IIX ports must have one of the following ethertypes:
- 0x0800 – IPv4
- 0x0806 – ARP
- 0x86dd – IPv6
2.3 One MAC address per connection
Frames forwarded to an individual IIX port shall all have the same source MAC address.
2.4 No proxy ARP
Use of proxy ARP on the router’s interface to the Exchange is not allowed.
2.5 Unicast only
Frames forwarded to IIX ports shall not be addressed to a multicast or broadcast MAC destination address except as follows:
- broadcast ARP packets
- multicast ICMPv6 Neighbour Discovery packets. Please note that this does not include Router Solicitation or Advertisement packets.
2.6 No link-local traffic
Traffic related to link-local protocols shall not be forwarded to IIX ports. Link-local protocols include, but are not limited to, the following:
- IRDP
- ICMP redirects
- IEEE 802 Spanning Tree
- Vendor proprietary protocols. These include, but are not limited to:
  - Discovery protocols: CDP, EDP, LLDP etc.
  - VLAN/trunking protocols: VTP, DTP
- Interior routing protocol broadcasts (e.g. OSPF, IS-IS, IGRP, EIGRP)
- BOOTP/DHCP
- PIM-SM
- PIM-DM
- DVMRP
- ICMPv6 ND-RA
- UDLD
- L2 Keepalives
The following link-local protocols are exceptions and are allowed:
- ARP
- IPv6 ND
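The MAC-layer rules above (2.1 to 2.6) are easy to state but tedious to verify by eye in a packet capture. The following is an added example, not code from this page or from the IIX configuration guide, that classifies raw Ethernet frames against those rules the way a member might audit a capture taken on their IIX-facing port: it rejects LLC/SNAP framing, checks the ethertype allow-list, counts source MACs per port, allows only broadcast ARP and ICMPv6 NS/NA as non-unicast destinations, and flags the link-local protocols that travel inside IP (ND-RA, ICMP redirects, OSPF/EIGRP/PIM). All MAC addresses, frames and function names (`check_frame`, `audit`) are constructed for the example; IPv6 extension headers are not walked, so it is a monitoring aid rather than a complete parser.

```python
"""Classify Ethernet frames against the IIX MAC-layer rules (sections 2.1 to 2.6).
Added example, not code from the IIX page; every frame below is constructed."""
import struct

ALLOWED_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}   # rule 2.2
BROADCAST = b"\xff" * 6
ND_ALLOWED = {135, 136}                                  # ICMPv6 NS / NA (rule 2.5 exception)
IP_PROTO_BANNED = {88: "EIGRP", 89: "OSPF", 103: "PIM"}  # interior routing / multicast (rule 2.6)


def _icmpv6_type(pkt):
    """ICMPv6 type if the IPv6 next header is ICMPv6 (58); extension headers are not walked."""
    if len(pkt) >= 41 and pkt[6] == 58:
        return pkt[40]
    return None


def _ipv4_proto_icmp(pkt):
    """(protocol, ICMP type or None) for an IPv4 packet, honouring the IHL field."""
    if len(pkt) < 20:
        return None, None
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    icmp = pkt[ihl] if proto == 1 and len(pkt) > ihl else None
    return proto, icmp


def check_frame(frame, port, port_macs):
    """Return the rule violations for one frame received on `port`.
    `port_macs` accumulates the source MACs seen per port across calls (rule 2.3)."""
    if len(frame) < 14:
        return ["truncated frame"]
    dst, src = frame[:6], frame[6:12]
    etype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    out = []
    # 2.1 Ethernet II only: a type field of 0x05DC or below is an 802.3 length, i.e. LLC/SNAP
    if etype <= 0x05DC:
        return ["2.1 LLC/SNAP framing (802.3 length field)"]
    if etype not in ALLOWED_ETHERTYPES:
        out.append("2.2 ethertype 0x%04x not permitted" % etype)
    seen = port_macs.setdefault(port, set())
    seen.add(src)
    if len(seen) > 1:
        out.append("2.3 more than one source MAC on %s" % port)
    if dst[0] & 0x01:  # group bit set: broadcast or multicast destination
        arp_bcast = dst == BROADCAST and etype == 0x0806
        nd_mcast = dst[:2] == b"\x33\x33" and etype == 0x86DD and _icmpv6_type(payload) in ND_ALLOWED
        if not (arp_bcast or nd_mcast):
            out.append("2.5 non-unicast destination MAC")
    # 2.6 link-local protocols carried inside IP (RA, ICMP redirects, IGP/PIM)
    if etype == 0x86DD and _icmpv6_type(payload) == 134:
        out.append("2.6 ICMPv6 Router Advertisement")
    elif etype == 0x0800:
        proto, icmp = _ipv4_proto_icmp(payload)
        if proto in IP_PROTO_BANNED:
            out.append("2.6 %s" % IP_PROTO_BANNED[proto])
        elif proto == 1 and icmp == 5:
            out.append("2.6 ICMP redirect")
    return out


# ---- constructed sample frames (not captured traffic) ----
MAC_A, MAC_B, MAC_C = (bytes.fromhex("02000000000%d" % i) for i in (1, 2, 3))
ALL_NODES = bytes.fromhex("333300000001")   # ff02::1 mapped to Ethernet
SOL_NODE = bytes.fromhex("3333ff000002")    # a solicited-node multicast MAC
STP_MAC, LLDP_MAC = bytes.fromhex("0180c2000000"), bytes.fromhex("0180c200000e")
OSPF_MAC = bytes.fromhex("01005e000005")    # 224.0.0.5 (AllSPFRouters)


def eth(dst, src, etype, payload=b""):
    return dst + src + struct.pack("!H", etype) + payload


def ipv4(proto, payload=b""):
    """Minimal IPv4 header (IHL 5, checksum left zero) in front of `payload`."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + payload


def ipv6(next_header, payload=b""):
    """Minimal IPv6 header (hop limit 255, fe80:: to ff02::1) in front of `payload`."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 255,
                       bytes.fromhex("fe80" + "00" * 14), bytes.fromhex("ff02" + "00" * 14 + "01")) + payload


SAMPLE_FRAMES = [  # (label, ingress port, frame)
    ("ipv4 unicast",    "port1", eth(MAC_B, MAC_A, 0x0800, ipv4(6))),
    ("arp broadcast",   "port1", eth(BROADCAST, MAC_A, 0x0806, bytes.fromhex("0001080006040001"))),
    ("nd solicitation", "port1", eth(SOL_NODE, MAC_A, 0x86DD, ipv6(58, b"\x87\x00" + b"\x00" * 22))),
    ("router advert",   "port1", eth(ALL_NODES, MAC_A, 0x86DD, ipv6(58, b"\x86\x00" + b"\x00" * 14))),
    ("stp bpdu",        "port1", eth(STP_MAC, MAC_A, 0x0026, b"\x42\x42\x03" + b"\x00" * 35)),
    ("lldp",            "port1", eth(LLDP_MAC, MAC_A, 0x88CC, b"\x02\x07\x04" + MAC_A)),
    ("ospf hello",      "port1", eth(OSPF_MAC, MAC_A, 0x0800, ipv4(89, b"\x02\x01" + b"\x00" * 22))),
    ("icmp redirect",   "port1", eth(MAC_B, MAC_A, 0x0800, ipv4(1, b"\x05\x01" + b"\x00" * 6))),
    ("second mac",      "port1", eth(MAC_B, MAC_C, 0x0800, ipv4(6))),
]


def audit(frames=SAMPLE_FRAMES):
    """Map each frame label to its violations (empty list means compliant)."""
    port_macs = {}
    return {label: check_frame(frame, port, port_macs) for label, port, frame in frames}
```

Calling `audit()` on the constructed frames reports the STP BPDU under 2.1 only (the check stops once LLC/SNAP framing is seen), LLDP under both 2.2 and 2.5, the Router Advertisement under 2.5 and 2.6, and the second source MAC on port1 under 2.3, while the unicast IPv4, broadcast ARP and Neighbour Solicitation frames pass. Replacing `SAMPLE_FRAMES` with frames read from a capture of the member's own IIX-facing port turns it into a quick pre-turn-up check.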
3. IP Layer
3.1 No directed broadcast
IP packets addressed to the IIX peering LAN's directed broadcast address shall not be automatically forwarded to IIX ports.
3.2 No-export of IIX peering LAN
IP address space assigned to IIX Peering LANs must not be advertised to other networks without explicit permission of IIX.
4. Application layer (TCP/IP model)
Using application layer protocols to carry out malicious actions against other IIX customers over the IIX infrastructure is forbidden. IIX reserves the right to disable a customer's port in case of complaints of attacks/abuse originating from that customer. Prohibited activity includes, but is not limited to:
- BGP hijacking
- DNS amplification/flood
- HTTP flood
- NTP amplification
- UDP flood
- ICMP flood
- Simple Service Discovery Protocol (SSDP)
5. Connecting using a Routed Port
Connecting to IIX using a routed port is the preferred design; the recommended port configuration (Cisco IOS) is shown below. Members need to adapt this configuration to their respective platforms when connecting to the IIX fabric.
interface GigabitEthernet X/X/X
 description Facing IIX Port
 ip address <your_allocated_ipv4_address>
 ipv6 address <your_allocated_ipv6_address>
 no cdp enable
 no mop enabled
 no ip mask-reply
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
 no ip unreachables
 no keepalive
 no lldp transmit
 no lldp receive
 no udld enable
 ipv6 nd ra suppress all
 ipv6 nd prefix default no-advertise
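Once the routed port is configured, the settings tend to drift as the router is maintained. The following added example, not code from this page or from IIX, audits a saved Cisco IOS running-config for the settings listed above: it splits the text into interface stanzas, picks out the interfaces whose description mentions IIX, and reports which of the required lines are missing. The config text, hostname, interface names and addresses are constructed; the `REQUIRED` list mirrors the page's configuration, using the IOS spelling `no mop enabled`.

```python
"""Audit a Cisco IOS running-config for the IIX routed-port settings (section 5).
Added example, not the page's or IIX's code; SAMPLE_CONFIG is constructed."""

# Settings the page requires on the interface facing IIX (address lines excluded).
REQUIRED = [
    "no cdp enable", "no mop enabled", "no ip mask-reply", "no ip proxy-arp",
    "no ip redirects", "no ip directed-broadcast", "no ip unreachables", "no keepalive",
    "no lldp transmit", "no lldp receive", "no udld enable",
    "ipv6 nd ra suppress all", "ipv6 nd prefix default no-advertise",
]


def interface_stanzas(config):
    """Split a running-config into {interface name: [stripped indented lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            stanzas[current] = []
        elif current is not None and raw.startswith(" "):
            stanzas[current].append(raw.strip())
        else:
            current = None  # an unindented line ("!", "router bgp ...") ends the stanza
    return stanzas


def missing_settings(lines):
    """Required settings absent from one interface stanza, in REQUIRED order."""
    present = set(lines)
    return [setting for setting in REQUIRED if setting not in present]


def audit_config(config, description_match="IIX"):
    """{interface: missing settings} for every interface whose description mentions IIX."""
    result = {}
    for name, lines in interface_stanzas(config).items():
        if any(line.startswith("description") and description_match in line for line in lines):
            result[name] = missing_settings(lines)
    return result


# Constructed running-config: one compliant IIX port, one that was never hardened, one unrelated interface.
SAMPLE_CONFIG = """\
hostname member-router
!
interface GigabitEthernet0/0/1
 description Facing IIX Port
 ip address 192.0.2.10 255.255.255.0
 ipv6 address 2001:db8:1::10/64
 no cdp enable
 no mop enabled
 no ip mask-reply
 no ip proxy-arp
 no ip redirects
 no ip directed-broadcast
 no ip unreachables
 no keepalive
 no lldp transmit
 no lldp receive
 no udld enable
 ipv6 nd ra suppress all
 ipv6 nd prefix default no-advertise
!
interface GigabitEthernet0/0/2
 description Facing IIX Port (backup)
 ip address 192.0.2.11 255.255.255.0
 no ip proxy-arp
 no ip redirects
!
interface Loopback0
 ip address 203.0.113.1 255.255.255.255
!
"""

if __name__ == "__main__":
    for name, missing in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
```

Feed it the output of `show running-config all` rather than plain `show running-config`: IOS omits lines that match the platform default from the plain running-config, so a strict line match against that output would report settings such as `no ip directed-broadcast` as missing even when they are in effect.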
6. Connecting via an Intermediate Switch
The intermediate switch connecting both the customer router and IIX MUST have a dedicated VLAN with no other devices in that VLAN. IIX only allows two MAC addresses per port. Below is the recommended switch port configuration facing IIX. If the bpdufilter feature is not available on your platform, we recommend that members disable spanning-tree on the dedicated VLAN.