European Internet Exchange Association

Configuration Samples

We'd like to thank AMS-IX for the information and samples provided below.

1. Introduction

Most Internet Exchanges operate as a shared Layer 2 (L2) Ethernet infrastructure. Large Ethernet LANs require that more or less everyone plays by the same set of rules. In other words, it can be quite sensitive to misbehaviour.

In order to improve the stability of the Exchange, we have defined a set of rules that members' connections should follow.

Not everybody immediately grasps the subtleties of configuring equipment to adhere to the rules, so this document tries to fill in some blanks and provide examples and hints for the most common equipment.

Definition of terms

In this document we refer to terms like "L2 device", "L2/L3 hybrid", etc. It may be worthwhile to explain what we mean by them here.

L2 Device

A device that functions as a Layer 2 (Ethernet) bridge (a.k.a. "switch", "bridge", "hub", etc.).

L3 Device

A device that functions as a L3 (IP) router only. This means it does not bridge any Ethernet frames between its interfaces. Such a device is typically called a "router".

L2/L3 Hybrid

A device that functions both as a L2 bridge and a L3 router. This means it can both bridge Ethernet frames between its interfaces as well as route IP traffic and participate in IP routing protocols. Foundry/Brocade, Force10 and Extreme are common examples of this type of device.

2. General 10GE Specifics

A photonic switch introduces less than 3 dB of attenuation between the patch panel and the Ethernet access switch. A switchover between the two topologies introduces a very short link flap (typically < 20 ms). In order to avoid BGP instability, you should configure your router to ignore such events.

Most vendors implement specific commands to ensure BGP ignores such events (see "10GE specifics" in the respective vendor sections for Cisco, Force10, Foundry/Brocade and Juniper configurations). If your router platform does not support such a feature, we advise you to configure the equivalent of:

no bgp fast-external-fallover

to ignore link flaps and wait for the BGP hold timers to expire before resetting sessions.

3. General Configuration Recommendation

3.1. IPv4 ARP / IPv6 Neighbor Timeout

Each equipment vendor implements its own maximum ages for the IPv4 ARP and IPv6 neighbor caches. The values vary widely and in at least one case (Linux) it is not a constant.

Low ARP timeouts can lead to excessive ARP traffic, especially if the values are lower than the BGP KEEPALIVE interval timers. On the other hand, long timeouts can theoretically lead to longer downtime if you change equipment (since your peers still have the old MAC address in their ARP cache). With BGP this is unlikely to happen because your router will start re-establishing BGP sessions as soon as it is back up, causing its peers to update their ARP cache as well.

We recommend setting the ARP cache timeout to at least two hours, preferably four (240 minutes). See the sections on specific equipment vendors for examples.

3.2. Peering LAN Prefix

The IPv4 prefix for the AMS-IX peering LAN (80.249.208.0/21) is part of AS1200, and is not supposed to be globally routable. This means the following:

In short, you can take the view that the Peering LAN is a link-local address range and you may decide to not even redistribute it internally (but in that case you may want to set a static route for management access so you can troubleshoot peering, etc.).

3.3. BGP Routing

Please exchange only unicast routes over your BGP sessions in the ISP peering LAN. Exchanging multicast routes is useless since multicast traffic is not allowed on the (unicast) ISP peering LAN.

4. Allowed Traffic Types and Configurations

The Technical Specifications state the following:

This implies IEEE 802.3 compliance, not 802.2, so no LLC encapsulation!

4.1. Physical L2 Topology

The AMS-IX rules dictate that only one MAC address is allowed behind a port. This means that you have to be extremely careful when connecting a device that can act as a L2 device.

The reason for allowing only one MAC address is that we want no additional devices behind the AMS-IX ports. Extended L2 networks are not under the control of the AMS-IX, but instabilities in a L2 network behind the AMS-IX switches can and typically do have a negative impact on the whole exchange. Forwarding loops and spanning tree topology changes are good examples of this. By enforcing the one-MAC-address-per-port rule, we effectively prevent forwarding loops and STP traffic from intermediate L2 devices.

In short, an intermediate L2 device may only bridge frames from the member's router to the AMS-IX port (so we see only one MAC address) and should otherwise be completely invisible. No connected device should bridge frames from other devices onto the AMS-IX, or talk STP on its AMS-IX interface.

4.1.1. Connecting a L3 Device

The most preferred way of connecting to the IXP is directly through a L3 device.

This is your best chance of not leaking MAC addresses or STP traffic and it greatly increases the stability of the network.

4.1.2. Connecting Through a L2 Device

We neither recommend nor encourage connecting your router through a L2 device.

Tip  

On all intermediate L2 devices, consider using explicitly defined port-based VLANs for production ports. It forces you to understand your topology and reduces the chances of a nasty surprise further down the road. In particular, we strongly recommend using a dedicated VLAN for the path from your router to the AMS-IX.

4.1.3. Connecting a L2/L3 Hybrid

The L2/L3 hybrid switch/router requires careful configuration in order to prevent unwanted traffic from leaking onto the exchange.

Tip  

On a L2/L3 hybrid device, it is a good idea to put the AMS-IX connected interface (untagged) in a separate (non-default) port-based VLAN without spanning tree and with no other ports in it. This is the best way to ensure that no traffic from other ports will be bridged onto the AMS-IX port.

4.2. Commonly Seen Illegal Traffic and Setup

Any traffic other than the types mentioned in the previous section is deemed to be illegal traffic. In this section we will list some of the more common types of violations we see at the AMS-IX and give some arguments as to why it is considered unwanted.

4.2.1. Multiple MAC addresses

Since the AMS-IX operates on the principle of one router per port, there should be one MAC address visible behind each port. Some members connect through intermediate switches, or use a L2/L3 hybrid device. If these devices are not configured properly, they can cause forwarding loops, STP instabilities, and lots of unwanted traffic on the exchange. There is no excuse for these devices to leak traffic, and there is no necessity to talk STP on the link to the AMS-IX. Hence, by enforcing the one-MAC-address rule, we also enforce these requirements. Beware that this rule is enforced automatically, so if you leak traffic from another MAC address, your legitimate traffic may be blocked (depending on which MAC address the switch sees first).

4.2.2. Spanning Tree (STP)

This point is closely related to the previous point. The device(s) connected to the AMS-IX port are not allowed to be visible as L2 bridges. This means that they should not speak STP (spanning tree) or any other (proprietary) L2 specific protocol.

4.2.3. Routing protocols: EIGRP, OSPF, RIP, IS-IS

The only routing protocol allowed on the AMS-IX is BGP. There is no valid reason for interior routing protocols to appear on the shared medium. These protocols only cause unnecessary multicast and broadcast traffic.

4.2.4. (Cisco) Keepalive

By default Cisco routers and switches periodically test their (Fast) Ethernet links by sending out Loopback frames (ethertype 0x9000) addressed to themselves. Call it a "L2 self-ping" if you will. In a switched environment it can be used to test the functionality of the switch and/or keep the router's MAC address in the switch's address table.

In the AMS-IX environment, this is not useful since we use MAC timeouts that are larger than the typical BGP and/or ARP timeouts. In fact, the keepalives may actually cause port security violations if they are being sent by an intermediate switch.

4.2.5. Discovery protocols: CDP, EDP

Various vendors (e.g. Extreme, Cisco) tend to ship their boxes as gregarious devices: by default they announce their existence out of all their interfaces and try to find family members. CDP (Cisco) and EDP (Extreme) are examples of this, but there are others.

The only reason for running discovery protocols is to support certain types of autoconfiguration. Autoconfiguration on an Internet Exchange is a very bad idea. Hence, there is absolutely no reason to run discovery protocols on your AMS-IX interface. Discovery protocols typically cause unwanted broadcast or multicast traffic.

4.2.6. Non-unicast IPv4: IGMP, DHCP, TFTP

On the ISP peering LAN, the only non-unicast traffic that is allowed is the ARP query.

Sometimes we see equipment trying to get a configuration through broadcast TFTP, or configure themselves through DHCP. We will leave it to the reader to consider why this is a bad idea.

Other equipment has IGMP turned on by default (or by accident). The Peering LAN is for unicast IP traffic only, so there is no point in configuring multicast on the AMS-IX interface.

4.2.7. Proxy ARP

Since traffic over the AMS-IX is exchanged based on BGP routes, there is no reason to answer ARP queries for any other IP address(es) than those that are configured on your AMS-IX interface.

Unfortunately, some vendors (e.g. Cisco) ship their products with proxy ARP enabled by default.

Proxy ARP is not only sloppy, it can lead to unwanted traffic on your network. Consider that if you have it enabled at the AMS-IX, it's likely to be enabled at other peering points, allowing parties on both sides to use you as a transit.

Proxy ARP is not allowed.

4.2.8. Non-unicast IPv6: IPv6 ND-RA

IPv6 router advertisements are not allowed: they generate a lot of unnecessary traffic, since IPv6 hosts on the AMS-IX are not autoconfigured and besides, you don't want to be the default router for the whole AMS-IX.

4.2.9. Miscellaneous non-IP: DEC MOP, etc.

Some vendors enable protocols other than IP by default. Cisco, for example, ships certain versions of IOS with DEC MOP enabled by default. This is non-IP traffic and has no place on the AMS-IX.
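As an added illustration of the traffic types listed in section 4.2 (this is example code written for this page, not AMS-IX or Euro-IX tooling), the Python classifier below inspects raw Ethernet frames as a port-facing monitor would: it flags LLC-encapsulated frames (STP BPDUs, CDP/VTP/DTP), Cisco loopback keepalives, DEC MOP, IGMP, DHCP/TFTP, interior routing protocols, IPv6 router advertisements and MLD, and it tracks the one-MAC-per-port rule. ARP and IPv6 neighbour discovery are the only non-unicast traffic it lets through. All sample frames and MAC addresses are constructed by hand, not captured.

```python
"""Classify frames seen on an IX-facing port against the section 4.2 rules.
Added example, not AMS-IX/Euro-IX code; all sample frames are constructed."""
import struct

STP_DST = bytes.fromhex("0180c2000000")    # IEEE 802.1D bridge group address
CISCO_DST = bytes.fromhex("01000ccccccc")  # CDP / VTP / DTP / UDLD multicast
MOP_TYPES = {0x6001: "DEC MOP dump/load", 0x6002: "DEC MOP remote console"}
IP_PROTOS = {2: "IGMP", 88: "EIGRP", 89: "OSPF"}

def _ipv4_reason(p, multicast):
    if len(p) < 20:
        return "truncated IPv4 header"
    ihl, proto = (p[0] & 0x0F) * 4, p[9]
    if proto in IP_PROTOS:
        return IP_PROTOS[proto]
    if proto == 17 and len(p) >= ihl + 4:           # UDP: the ports decide
        sport, dport = struct.unpack("!HH", p[ihl:ihl + 4])
        if {sport, dport} & {67, 68}:
            return "DHCP"
        if dport == 69:
            return "TFTP"
        if dport == 520:
            return "RIP"
    return "non-unicast IPv4" if multicast else None

def _ipv6_reason(p, multicast):
    if len(p) < 40:
        return "truncated IPv6 header"
    nxt, off = p[6], 40
    if nxt == 0 and len(p) >= off + 2:              # hop-by-hop header (MLD router alert)
        nxt, off = p[off], off + (p[off + 1] + 1) * 8
    if nxt == 58 and len(p) > off:                  # ICMPv6: the type byte decides
        t = p[off]
        if t == 134:
            return "IPv6 router advertisement"
        if t in (130, 131, 132, 143):
            return "MLD"
        if t in (135, 136):
            return None                             # neighbour discovery, the IPv6 ARP
    return "non-unicast IPv6" if multicast else None

def classify_frame(frame):
    """Return None if the frame is acceptable on the peering LAN, else the reason."""
    if len(frame) < 14:
        return "runt frame"
    dst, etype, p = frame[:6], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype < 0x0600:                              # 802.3 length field, so LLC (802.2)
        if dst == STP_DST:
            return "spanning tree BPDU"
        if dst == CISCO_DST:
            return "Cisco L2 protocol (CDP/VTP/DTP)"
        return "LLC-encapsulated frame (802.2)"
    if etype == 0x9000:
        return "Cisco loopback keepalive"
    if etype in MOP_TYPES:
        return MOP_TYPES[etype]
    if etype == 0x0806:
        return None                                 # ARP: the one permitted non-unicast type
    multicast = bool(dst[0] & 0x01)
    if etype == 0x0800:
        return _ipv4_reason(p, multicast)
    if etype == 0x86DD:
        return _ipv6_reason(p, multicast)
    return "non-IP ethertype 0x%04x" % etype

class PortMonitor:
    """Per-port state: the first source MAC seen is the only one allowed."""
    def __init__(self):
        self.first_mac = {}

    def observe(self, port, frame):
        src = frame[6:12]
        findings = [] if self.first_mac.setdefault(port, src) == src else [
            "second MAC %s behind port %s" % (src.hex(":"), port)]
        reason = classify_frame(frame)
        return findings + ([reason] if reason else [])

# Builders for the constructed sample frames (made-up addresses, no real traffic).
def _eth(dst, src, etype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", etype) + payload

def _ip4(proto, body):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64, proto, 0,
                       b"\xc0\x00\x02\x02", b"\xc0\x00\x02\x01") + body

def _ip6(nxt, body):
    return struct.pack("!IHBB", 0x60000000, len(body), nxt, 255) + b"\x00" * 32 + body

ROUTER, ROGUE = "021122334455", "02aabbccddee"     # locally administered, made up
SAMPLES = {
    "arp": _eth("ffffffffffff", ROUTER, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    "unicast_v4": _eth(ROGUE, ROUTER, 0x0800, _ip4(6, b"\x00" * 20)),
    "stp": _eth("0180c2000000", ROGUE, 0x0026, b"\x42\x42\x03" + b"\x00" * 35),
    "keepalive": _eth(ROUTER, ROUTER, 0x9000, b"\x00" * 46),
    "igmp": _eth("01005e000016", ROUTER, 0x0800, _ip4(2, b"\x22" + b"\x00" * 7)),
    "ra": _eth("333300000001", ROUTER, 0x86DD, _ip6(58, b"\x86\x00" + b"\x00" * 14)),
    "ns": _eth("3333ff000001", ROUTER, 0x86DD, _ip6(58, b"\x87\x00" + b"\x00" * 22)),
    "mld": _eth("333300000016", ROUTER, 0x86DD,
                _ip6(0, b"\x3a\x00\x05\x02\x00\x00\x01\x00\x8f\x00" + b"\x00" * 6)),
}
```

Feeding the samples through a PortMonitor per IX port reproduces the symptom described in 4.2.1: the rogue STP frame is reported both as a second MAC and as a BPDU.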

5. Cisco Configuration Hints

Cisco's philosophy seems to be similar to that of some PC OS vendors: enable as many protocols and features as possible by default, so the device works out-of-the-box in most situations. Unfortunately, this means that a lot of unnecessary features are turned on that, while harmless in LAN or corporate environments, can cause undesired traffic on an Internet exchange.

Typical things that need to be disabled are: autoconfiguration protocols (DHCP, BOOTP, TFTP config download over the AMS-IX interface), CDP, DEC MOP, IP redirects, IP directed broadcasts, proxy ARP, IPv6 Router Advertisements, keepalive.

Intermediate switches or hybrid devices will also need to disable VTP, STP, etc.

5.1. Global Config

! Do not run a DHCP server/relay agent
no service dhcp

! Older IOS versions require this instead of the above.
no ip bootp server

! Do not download configs through TFTP
no service config

! Do not run CDP
no cdp run

5.2. Interface Config

! Don't do redirects -- if they don't know
! how to route properly, tough luck!
no ip redirects

! Don't run proxy ARP on your IX interface
no ip proxy-arp

! Don't run CDP on your IX interface
no cdp enable

! Directed broadcasts are evil.
no ip directed-broadcast

! Disable the DEC drek if you haven't done so globally yet.
no mop enable

! For (Fast)Ethernet: no auto-negotiation on your connection.
! no negotiation auto
! duplex half
duplex full

! L2 keepalives are useless on the IX
no keepalive

5.3. Layer 2 Config

It is difficult to give a complete guide for Cisco products, because of the many different types of devices and (IOS) software versions. When in doubt, consult your documentation.

5.3.1. 29xx and 35xx Series

If you use a Cisco Layer 2 device (such as the 2900 and 3500 series), you have to turn off VTP (VLAN Trunking Protocol), DTP (Dynamic Trunking Protocol), LLDP, and UDLD.

In global config mode:

vtp mode transparent
!
no spanning-tree vlan 1200

! If you don't need LLDP, disable globally
no lldp run

! If you don't need CDP, disable globally
no cdp run

!
vlan 1200
 name IX

!
interface /IfIdent/
 description Interface to IX
 switchport access vlan 1200
 switchport mode access
 switchport nonegotiate
 no keepalive
 speed nonegotiate
 no udld enable

 ! If CDP has not been disabled globally:
 no cdp enable

 ! If LLDP has not been disabled globally:
 no lldp receive
 no lldp transmit

 ! If you do not want to shut off STP:
 spanning-tree bpdufilter enable
end

5.3.2. 7600 Series

Members should be advised not to run 12.2(33)SRC on their Cisco 7600s with a Sup720. This software release does not always send or forward replies to solicit requests, even if it is acting as a pure layer 2 switch between a member router and the AMS-IX fabric.

To make a cisco 7600 switch 'silent' the following configuration seems to work:

no service dhcp
no ip bootp server
vtp mode transparent
spanning-tree mode pvst
spanning-tree extend system-id
no spanning-tree vlan XX
!
vlan XX
 name ix
exit
!
interface GigabitEthernet6/0/0
 description to-amsix switchport
 switchport access vlan XX
 switchport mode access
 switchport nonegotiate
 no mls qos trust
 no cdp enable
 spanning-tree bpdufilter enable
 exit
!

VLAN XX was also removed from the allowed VLAN list on all dot1q trunk ports not related to the setup, in this case every dot1q trunk port in the chassis.

5.3.3. Catalyst 6500 Series

CatOS and IOS are different beasts, so for Catalyst switches, the following applies:

set vtp mode off
set port name /IfIdent/ My IX Port
set cdp disable /IfIdent/
set udld disable /IfIdent/
set trunk /IfIdent/ off dot1q
set spantree bpdu-filter /IfIdent/ enable
set vlan 1200 name My_IX_Vlan
set vlan 1200 /IfIdent/

If, for some reason, you cannot afford to turn off VTP globally, the only way to turn it off on individual ports seems to be by using l2pt:

set port l2protocol-tunnel /IfIdent/ vtp enable

Depending on your CatOS platform, you may or may not be able to do this.

5.3.4. CRS (IOS-XR)

CDP, Proxy ARP, Directed Broadcast, Link Auto Negotiation, and ICMP redirects are disabled by default in IOS-XR. ICMP redirect messages are disabled by default on the interface unless the Hot Standby Router Protocol (HSRP) is configured.

5.3.5. Other Devices

For other devices, some or all of the above may apply. Check your documentation for details.

5.4. Cisco Aggregated Links

5.4.1. Catalyst 6500 Series

Configure the port-channel as on, or should you want LACP, as active. Please do not configure any form of negotiate or desirable, as the AMS-IX switches do not speak PAgP.

Load-balancing over four ports may result in an unequal distribution due to bug CSCsg80948.

interface GigabitEthernet1/1
 description AMS-IX Link 1
 no ip address
 no ip redirects
 no ip proxy-arp
 no keepalive
 no cdp enable
 channel-group 1 mode on
!
interface GigabitEthernet1/2
 description AMS-IX Link 2
 no ip address
 no ip redirects
 no ip proxy-arp
 no keepalive
 no cdp enable
 channel-group 1 mode on
!
interface Port-channel1
 description AMS-IX aggregated link
 ip address 80.249.20x.y 255.255.248.0
 no ip redirects
 no ip proxy-arp
 no keepalive
!

Here are examples of LACP configurations:

Cisco IOS 65xx/76xx:

interface GigabitEthernet1/1
 description AMS-IX Link 1
 channel-group 10 mode active
!  (12.2(18)SXF2 or 12.2(33)SRC upwards)
 lacp rate fast  
!
interface GigabitEthernet1/2
 description AMS-IX Link 2
 channel-group 10 mode active
!
interface Port-channel10
 description AMS-IX aggregated link
 no switchport
 ip address 80.249.20x.y 255.255.248.0
!

Cisco IOS-XR:

interface Bundle-Ether 10
 description AMS-IX aggregated link
 ipv4 address 80.249.20x.y 255.255.248.0
!
interface GigabitEthernet 1/0/0/0
 description AMS-IX Link 1
 bundle-id 10 mode active
!  (3.2 upwards)
 lacp period short
!
interface GigabitEthernet 1/0/1/0
 description AMS-IX Link 2
 bundle-id 10 mode active
!

(don't forget to commit)

Cisco NX-OS:

feature lacp
!
interface ethernet 2/1
 description AMS-IX Link 1
 channel-group 10  mode active
 lacp rate fast
!
interface ethernet 2/2
 description AMS-IX Link 2
 channel-group 10 mode active
!
interface port-channel 10
 description AMS-IX aggregated link
 ip address 80.249.20x.y 255.255.248.0

5.4.2. GSR Series

Do not set a static MAC address on the Port-channel interface. This causes CEF inconsistencies and other assorted failures.

Link aggregation and IPv6 do not seem to play well together. Cisco advises against trying this.

Some changes will result in a different MAC address being chosen for the aggregated link (for example, reloading a linecard that contains the first port in the bundle). This will keep your ports dysfunctional due to port security on the IX switches.

Some restrictions apply to what features are supported on link bundles (e.g. sampled NetFlow only on ISE/Engine4+; no uRPF). Also not all line cards support link bundling, and if traffic towards AMS-IX comes in on such an interface you will experience suboptimal load-balancing. Please see the Cisco documentation for more details.

Support for link bundling on Engine 5 linecards will come in 12.0(33)S.

Cisco Engineering have a special train called "Phase 3" (lb-eft-ph3) that is purported to also provide functionality such as MAC address accounting for Port-Channel interfaces. This seems to have been integrated into 12.0(32)S, but IPv6 does not seem to be supported yet.

Below follows a list of Cisco Bug IDs (ddts) related to link aggregation that you need to consider when choosing an appropriate IOS image.

present in 12.0(26)S1; fixed in 12.0(26)S3, 12.0(27)S2, 12.0(28)S1, 12.0(30)S

Symptoms: Over 90% CPU usage by CEF Scanner on all linecards and %TFIB-7-SCANSABORTED errors occur when configuring a link bundle. Also, the router sends traffic to MAC addresses taken from its ARP table seemingly at random, instead of to the appropriate next-hop's MAC address.

present in post-CSCee27396; fixed in 12.0(26)S4, 12.0(27)S3, 12.0(28)S1, 12.0(30)S

Symptoms: When traffic passes through a router, the router blocks traffic for certain prefixes behind a port-channel link.

present in 12.0(25)S3, 12.0(26)S1, 12.0(27)S2, 12.0(28)S; fixed in 12.0(25)S4

Symptoms: An HSRP state change on any Engine2 interface causes a microcode bundle flap on all other Engine2 linecards, preventing load balancing to work due to vanilla microcode getting loaded.

present in 12.0(26)S3, 12.0(27)S2, 12.0(29)S

Symptoms: Router sends Ethernet frames with a source MAC address of beef.f00d.beef and destination MAC address f00d.beef.f00d (which is the pattern scribbled in unallocated memory in linecards), with what looks to be a legitimate payload of transit traffic. This is one of the symptoms of CSCee27396

present in 12.0(26)S5; fixed in 12.0(26)S5, 12.0(27)S

Symptoms: The BGP Router process flushes the BGP tables for each peer when you change one neighbor's description. This pegs the GRP CPU at 99% for quite a while.

present in 12.0(31)S; fixed in 12.0(31)S2 (CSCei53226)

Symptoms: IOS (at least in the PRP code) places each individual public peer in its own update-group if remove-private-as is configured on a peer. Needless to say, this scales badly for a router connected to an Internet exchange. (Try "show ip bgp replication".)

A collection of hearsay follows for recent IOS images for the GSR PRP regarding link aggregation. AMS-IX does not run any GSRs. Please take this information with appropriately-sized grains of salt.

You can check for incorrect next-hops by attaching to the linecard and executing show controllers rewrite and show adjacency internal, and comparing the two rewrite strings for a certain peer's IPv4 address (suffix the commands with | begin 80.249.20a.b). The first six bytes of the returned long hex string should be the peer's MAC address, and equal for all three occurrences.

! An example configuration follows:
!
interface Port-channel1
 description AMS-IX Aggregated Link
 ip address 80.249.20x.y 255.255.248.0
 no ip redirects
 no ip directed-broadcast
 no ip proxy-arp
 channel-group minimum active 1
 no channel-group bandwidth control-propagation
 hold-queue 150 in
!
interface GigabitEthernet1/2/1
 no keepalive
 no negotiation auto
 channel-group 1
 no cdp enable
!
interface GigabitEthernet1/2/2
 no keepalive
 no negotiation auto
 channel-group 1
 no cdp enable
!

Specifying a hold-queue value is optional, but setting it to the number of ports in the aggregated link multiplied by 75 is advised.

show interfaces Port-channel 1 will display keepalives as enabled even though they are not; also, the BIA (burnt-in address, shown as 0000.0000.0000) can be ignored.

Please contact the IXP if you disable autonegotiation on Gigabit Ethernet ports as they may have to explicitly configure our switch for this.

5.4.3. CRS (IOS-XR)

interface Bundle-Ether1
 description Aggregated interface to AMS-IX Peering LAN
 ipv4 address 80.249.20x.y 255.255.248.0
 ipv6 nd suppress-ra
 ipv6 address 2001:07F8:1::A50a:bcde:1/64
 ipv6 enable
 bundle minimum-active links 1
!
interface TenGigE0/0/0/0
 description interface to AMS-IX Peering LAN #1
 bundle id 1 mode on
!
interface TenGigE0/0/0/1
 description interface to AMS-IX Peering LAN #2
 bundle id 1 mode on
!

5.5. Cisco 10GE Specifics

IOS supports no bgp fast-external-fallover and event dampening. The no bgp fast-external-fallover command tells the device not to act immediately on link flaps but to wait for the BGP hold timers to expire before resetting sessions.

Newer versions of Cisco IOS even support ip bgp fast-external-fallover deny in a per-interface context.

Note that in practice we have found that the previously advised carrier-delay does not work as expected on Cisco equipment. We suggest you disable fast-external-fallover instead.

In IOS-XR, to disable BGP Fast External Failover globally, add bgp fast-external-failover disable to your global bgp configuration.

5.6. IPv6 Config

Responses to ICMPv6 multicast listener queries result in bursts of ICMPv6 multicast listener reports. To prevent this, configure no ipv6 mld router in interface context. Some other per-interface commands we recommend on a Cisco device:

! disable ICMPv6 multicast listener reports
no ipv6 mld router
! disable IPv6 multicast forwarding
no ipv6 mfib forwarding
! v6 ND-RA is unnecessary and undesired
ipv6 nd suppress-ra
! on IOS version 12.2(33)SRC it is the following syntax:
ipv6 nd ra suppress
! on later IOS/IOS-XE versions the "all" option is needed to also
! suppress responses to Router Solicitation messages besides periodic RAs:
ipv6 nd ra suppress all
! disable PIM on a specified interface
no ipv6 pim
! disable MLD snooping on hybrid devices and intermediate layer-2 devices
no ipv6 mld snooping
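To turn the hints of sections 5.1, 5.2, 5.5 and 5.6 into something checkable, the following audit script (added for this page; it is not AMS-IX, Euro-IX or Cisco code) parses an IOS running-config and reports which of the recommended global, IX-interface and BGP statements are absent. It understands the alternatives the text gives (no ip bootp server for older IOS, the three RA suppression spellings, and the per-interface ip bgp fast-external-fallover deny). The sample configuration, interface name, AS number and 192.0.2.0/24 address are constructed for the demonstration.

```python
"""Audit a Cisco IOS router configuration for the IX-interface hygiene settings
of sections 5.1, 5.2, 5.5 and 5.6. Added example, not AMS-IX, Euro-IX or Cisco
code; the sample configuration at the bottom is constructed for this demo."""

# (finding, acceptable statements): any one of the alternatives satisfies the rule
GLOBAL_RULES = [
    ("DHCP/BOOTP service not disabled", ("no service dhcp", "no ip bootp server")),
    ("TFTP config download not disabled", ("no service config",)),
]
INTERFACE_RULES = [
    ("ICMP redirects enabled", ("no ip redirects",)),
    ("proxy ARP enabled", ("no ip proxy-arp",)),
    ("directed broadcasts enabled", ("no ip directed-broadcast",)),
    ("DEC MOP enabled", ("no mop enable",)),
    ("L2 keepalive enabled", ("no keepalive",)),
    ("IPv6 router advertisements not suppressed",
     ("ipv6 nd suppress-ra", "ipv6 nd ra suppress", "ipv6 nd ra suppress all")),
    ("MLD querier enabled", ("no ipv6 mld router",)),
]
BGP_RULES = [("fast-external-fallover enabled", ("no bgp fast-external-fallover",))]


def parse_config(text):
    """Return the top-level lines and, per top-level line, its indented sub-lines."""
    top, blocks, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank lines and comments
        if raw[0] != " ":
            current = raw.strip()
            top.append(current)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return top, blocks


def _missing(lines, rules):
    present = set(lines)
    return [finding for finding, ok in rules if not present & set(ok)]


def audit(text, ix_interface):
    """Return findings for the IX-facing interface; an empty list means all hints are met."""
    top, blocks = parse_config(text)
    cdp_global = "no cdp run" in top
    findings = ["global: " + f for f in _missing(top, GLOBAL_RULES)]
    if not cdp_global:
        findings.append("global: CDP running (no cdp run)")
    header = "interface " + ix_interface
    if header not in blocks:
        return findings + ["interface %s not found" % ix_interface]
    iface = blocks[header]
    findings += ["%s: %s" % (ix_interface, f) for f in _missing(iface, INTERFACE_RULES)]
    if not cdp_global and "no cdp enable" not in iface:
        findings.append("%s: CDP enabled on IX interface" % ix_interface)
    # Newer IOS can deny fast-external-fallover per interface instead of globally.
    if "ip bgp fast-external-fallover deny" not in iface:
        bgp = [h for h in top if h.startswith("router bgp ")]
        if not bgp:
            findings.append("no router bgp section found")
        for h in bgp:
            findings += ["%s: %s" % (h, f) for f in _missing(blocks[h], BGP_RULES)]
    return findings


SAMPLE_CONFIG = """\
! constructed sample; 192.0.2.0/24 is a documentation prefix, not an IX address
no service dhcp
no service config
!
interface GigabitEthernet0/1
 description AMS-IX peering
 ip address 192.0.2.10 255.255.255.0
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no keepalive
 ipv6 nd ra suppress all
!
router bgp 64496
 no bgp fast-external-fallover
!
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "GigabitEthernet0/1"):
        print(finding)
```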

5.7. MTU Config

On newer Cisco IOS/IOS-XR versions, the interface IP MTU is automatically set, based on the presence or absence of 802.1q tags. For more details, please consult this document.

6. Extreme Networks Configuration Hints

Caution *Updating Firmware in an EAPS Environment*

When updating firmware in an Extreme Networks EAPS environment, be sure to temporarily disable your AMS-IX port(s). TFTP file transfers may cause EAPS instabilities resulting in bogus traffic. This is likely to trip the port security on the AMS-IX switches, which may result in 10 minutes downtime.

Most people who use Extreme equipment do not have problems with their AMS-IX connections, but some do. We would appreciate feedback from people running Extreme equipment on how they configure their AMS-IX facing side.

6.1. L2 Configuration

The configuration fragment below shows how to configure an intermediate L2 switch, which is also part of an EAPS ring. Port 1 is connected to the IXP switch. Ports 2 and 3 are in the ring. The router is somewhere in that ring, in the "ixpname" VLAN.

create vlan "ring"
configure vlan "ring" tag 1200  # VLAN-ID=0x4b0  Global Tag 3
configure vlan "ring" qosprofile "QP8"
configure vlan "ring" add port 2 tagged
configure vlan "ring" add port 3 tagged
create vlan "ixpname"
configure vlan "ixpname" tag 1700  # VLAN-ID=0x6a4  Global Tag 9
configure vlan "ixpname" add port 1 untagged
configure vlan "ixpname" add port 2 tagged
configure vlan "ixpname" add port 3 tagged
configure port 1 auto off speed 1000 duplex full
configure port 2 auto off speed 1000 duplex full
configure port 3 auto off speed 1000 duplex full
disable edp port 1
disable igmp snooping
disable igmp snooping with-proxy
create eaps "ring-eaps"
configure eaps "ring-eaps" mode transit
configure eaps "ring-eaps" primary port 2
configure eaps "ring-eaps" secondary port 3
configure eaps "ring-eaps" add control vlan "ring"
configure eaps "ring-eaps" add protect vlan "ixpname"
enable eaps "ring-eaps"

6.2. L3 Configuration

The configuration fragment below shows the relevant configuration information for a L3-only device. As in the previous example, port 1 is connected to the IX and is configured in the "ixpname" VLAN (untagged).

# Config information for VLAN ixpname.
create vlan "ixpname"
configure vlan "ixpname" tag 1200 
configure vlan "ixpname" protocol "IP"
configure vlan "ixpname" ipaddress 80.249.20X.Y 255.255.248.0
configure vlan "ixpname" add port 1 untagged
#
configure port 1 display-string "IXPNAME"
disable edp port 1
#
enable ipforwarding vlan "ixpname"
disable ipforwarding broadcast vlan "ixpname"
disable ipforwarding fast-direct-broadcast vlan "ixpname"
disable ipforwarding ignore-broadcast vlan "ixpname"
disable ipforwarding lpm-routing vlan "ixpname"
disable isq vlan "ixpname"
disable irdp vlan "ixpname"
disable icmp unreachable vlan "ixpname"
disable icmp redirects vlan "ixpname"
disable icmp port-unreachables vlan "ixpname"
disable icmp time-exceeded vlan "ixpname"
disable icmp parameter-problem vlan "ixpname"
disable icmp timestamp vlan "ixpname"
disable icmp address-mask vlan "ixpname"
disable subvlan-proxy-arp "ixpname"
configure ip-mtu 1500 vlan "ixpname"
#
# IP Route Configuration
#
configure iproute add blackhole default
disable icmpforwarding vlan "ixpname"
disable igmp vlan "ixpname"

7. Force10 Configuration Hints

There isn't much to configure on Force10 routers. The Network Operations Guide and various pages in the Team Cymru Document Collection provide useful information on Force10 router configuration and management.

Disable proxy ARP on your IXP interface

Force10(conf)#interface tengigabitethernet 0/0
Force10(conf-if-te-0/0)#no ip proxy-arp

Disable IPv6 ND RAs

Force10(conf-if-te-0/0)#ipv6 nd suppress-ra

The default ARP timeout is 4 hours, but can be changed with this command

Force10(conf)#interface tengigabitethernet 0/0
Force10(conf-if-te-0/0)#arp timeout /minutes/

7.1. Force10 10GE Specifics

Force10 E-Series switch/routers support no bgp fast-external-fallover, BGP Graceful Restart, and a link debounce timer to maintain BGP stability during topology switchovers.

The recommended option is to use the /link debounce/ command to delay link change notifications on the interface. The default for fiber interfaces is 100 ms, which is a good value to use.

8. Foundry/Brocade Configuration Hints

The following fragment of configuration gives an idea of how to configure a Foundry (BigIron) device. Depending on the actual role of the device (router or switch between router and IXP) and the type of code loaded into the device you may need to mix and match a little here.

! Define a single-port VLAN for the AMS-IX port
vlan number name "IXPNAME" by port
no spanning-tree
untagged ethernet if
! Configure the IXP interface
interface ethernet if
 port-name "IXPNAME"
! Behave as a router.
 route-only
 no spanning-tree
! Don't do IPv6 ND-RA (Router Advertisements)
 ipv6 nd suppress-ra
! No weird discovery proto, please.
 no vlan-dynamic-discovery
! IP address
 ip address 80.249.20X.Y 255.255.248.0
! No redirects
 no ip redirect
 no ipv6 redirect
! IXP recommends 2 hour ARP timeouts
 ip arp-age 120
! For fast-ethernet: no autoconfig.
 speed-duplex 100-full

On a Foundry BigIron RX, software version < 2.4, we noticed together with a customer that his device had a very aggressive default setting for ICMPv6 ND queries for known MAC addresses. It retransmitted them every second. The retransmit interval can be altered in interface context as follows:

! Set the retransmit timer to 1 hour
 ipv6 nd ns-retransmit 3600

Note: This command should not be confused with 'ipv6 nd ns-interval', which applies to ND queries for unresolved MAC addresses.

8.1. Foundry/Brocade Aggregated Links

BigIron JetCore-based switches support link aggregation only on adjacent ports. The first port must be oddly numbered, and the other port must directly follow the first one. The same goes for any additional pairs of ports in an aggregated link.

Caution *On BigIron 15000 switches you cannot build trunks with ports on blade 8, or spanning ports on both sides of slot 8*

Create an aggregate on a Jet-Core based switch

trunk server ethernet slot/port to slot/port+1

BigIron RX or NetIron MLX/XMR switches have no limits on port placement for aggregated links. Ports can be non-adjacent or even distributed over multiple blades. BigIron RX has a limit of 8 ports per aggregated link; NetIron MLX/XMR raise this to 16 in software 3.5.0 and 32 in 3.8.0.

Create an aggregate on a RX/MLX/XMR switch

trunk ethe slot/port to slot/port ethe otherslot/otherport to otherslot/otherport

As of RX software release 2.5.0 and MLX/XMR software release 3.9.0 the link aggregation syntax changed. The configuration now looks like:

! Create a LAG on a RX/MLX/XMR switch

lag "<NAME HERE>" static
 ports ethernet #/# ethernet #/# <and so on>
 primary-port #/#
 deploy
!

The primary-port is used as a single point of configuration.  All configuration changes to the primary-port are propagated to the other ports in the lag group.

The keyword "static" designates a standard aggregated link. For an LACP-enabled link, use:

! Create a dynamic LAG on a RX/MLX/XMR switch

lag "<NAME HERE>" dynamic
 ports ethernet #/# ethernet #/# <and so on>
 primary-port #/#
 lacp-timeout short
 deploy
!

We recommend setting the LACP timeout to "short" to reduce the service interruption time during photonic failovers.

8.2. Foundry/Brocade 10GE Specifics

Foundry/Brocade supports a feature called BGP Graceful Restart that, if all peers support it, will reduce the impact of prefix flaps but the CPU will still have to re-establish any flapped BGP session before the configured interval passes.

The command delay-link-event can make the router ignore short link flaps (for example, in the case of a photonic switch swap). We recommend setting this to 20, which equals 1000 ms. Consequently, the flap will be logged in syslog, but higher level protocols (BGP in this case) will be unaffected. We suggest leaving fast-external-fallover in its default state.

9. HP Configuration Hints

Recommendations we received for HP ProCurve devices:

spanning-tree ifname bpdu-filter
spanning-tree ifname tcn-guard
lldp admin-status ifname disable

10. Juniper Configuration Hints

For Juniper routers, there isn't much to disable. The Juniper Documents contain useful hints on how to set up your Juniper router.

10.1. Unicast BGP Configuration

Make sure to exchange only unicast routes on the unicast ISP peering LAN by explicitly adding the following statement to all neighbors, groups and prefix-limits:

set family inet unicast

Caution: *Be thorough with family inet unicast*

If even one of the neighbors, groups or prefix-limits is defined with a family inet "any", you'll enable multicast and turn on MBGP.
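As an added example (not part of the AMS-IX material and not Juniper code), the following Python script checks "show configuration protocols bgp | display set" output for exactly this mistake. It resolves the address family per scope the way Junos inherits it (neighbor level first, then group, then the global protocols bgp level; that inheritance order is an assumption of the script) and reports every group or neighbor whose effective family inet is "any" or another non-unicast keyword, as well as every one that has no family inet statement in effect at all. The sample configuration, with its documentation-range addresses and AS numbers, is constructed for the example.

```python
"""Audit a Junos 'display set' BGP configuration for address families.

Added example, not AMS-IX or Juniper code. Assumes the configuration is the
output of 'show configuration protocols bgp | display set' and that Junos
resolves the address family neighbor -> group -> global (the most specific
level wins).
"""
from typing import Dict, List, Optional

# Constructed sample: one well-configured group and one sloppy one. Addresses
# and AS numbers are from the documentation ranges, not real peers.
SAMPLE_CONFIG = """\
set protocols bgp group amsix-v4 type external
set protocols bgp group amsix-v4 family inet unicast prefix-limit maximum 1000
set protocols bgp group amsix-v4 neighbor 192.0.2.10 peer-as 64496
set protocols bgp group amsix-v4 neighbor 192.0.2.11 peer-as 64497
set protocols bgp group amsix-v4 neighbor 192.0.2.11 family inet any
set protocols bgp group lab type external
set protocols bgp group lab neighbor 198.51.100.1 peer-as 64498
"""


def bgp_scope(tokens: List[str]) -> str:
    """Scope of the tokens after 'set protocols bgp': global, group or neighbor."""
    if len(tokens) >= 2 and tokens[0] == "group":
        scope = f"group {tokens[1]}"
        if len(tokens) >= 4 and tokens[2] == "neighbor":
            scope += f" neighbor {tokens[3]}"
        return scope
    return "global"


def parent_scope(scope: str) -> Optional[str]:
    """Level a scope inherits from: neighbor -> group -> global -> nothing."""
    if " neighbor " in scope:
        return scope.split(" neighbor ")[0]
    if scope.startswith("group "):
        return "global"
    return None


def audit_bgp_families(config: str) -> Dict[str, List[str]]:
    """Return scopes whose effective 'family inet' is not plain unicast.

    'non_unicast': family inet any / multicast / ... is in effect (MBGP on).
    'implicit':    no family inet statement at this level or any level above.
    """
    explicit: Dict[str, str] = {}
    scopes: List[str] = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:3] != ["set", "protocols", "bgp"]:
            continue
        rest = tokens[3:]
        scope = bgp_scope(rest)
        if scope not in scopes:
            scopes.append(scope)
        # 'family inet <keyword> ...' (prefix-limit etc. follow the keyword)
        if "family" in rest:
            i = rest.index("family")
            if rest[i + 1:i + 2] == ["inet"] and len(rest) > i + 2:
                explicit[scope] = rest[i + 2]

    findings: Dict[str, List[str]] = {"non_unicast": [], "implicit": []}
    for scope in scopes:
        if scope == "global":
            continue
        level: Optional[str] = scope
        while level is not None and level not in explicit:
            level = parent_scope(level)
        effective = explicit[level] if level is not None else None
        if effective is None:
            findings["implicit"].append(scope)
        elif effective != "unicast":
            findings["non_unicast"].append(scope)
    return findings


if __name__ == "__main__":
    for kind, hits in audit_bgp_families(SAMPLE_CONFIG).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

On the sample, the script flags neighbor 192.0.2.11 (its own "family inet any" overrides the group's unicast-only setting and turns on MBGP for that session) and both the "lab" group and its neighbor, which state no family anywhere; the fix in each case is an explicit "family inet unicast" at that level.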

Increasing interface hold-time (1200ms) to preserve BGP sessions during 10/100GE interface swapping 

AMS-IX connects 10/100GE members via a photonic switch (GlimmerGlass), so the optical signal can be redirected to the primary or backup switch in case of failure or for maintenance. The signal redirect takes around 20 ms, which is enough to trigger a port state change within the router, and BGP sessions would be torn down as a result. We therefore recommend configuring a higher hold-time on 10/100GE interfaces to preserve BGP sessions during interface swapping.

hold-time up 1200 down 1200

10.2. IPv4 ARP Cache Timeout

Juniper's default ARP cache timeout is 20 minutes (by comparison, Cisco's default ARP cache timeout is 4 hours, which fits AMS-IX's relatively static environment much better).

To reduce the amount of unnecessary broadcast traffic, we recommend setting the ARP cache timeout on Juniper routers to 4 hours. A recipe for this follows:

you@juniper# edit system arp
[edit system arp]
you@juniper# set aging-timer 240
[edit system arp]

Since Junos 9.4 the ARP cache timeout is also configurable on an interface level:

[edit system arp aging-timer interface interface-name] aging-timer-minutes;

and on more recent versions of Junos that syntax has changed to:

[edit system arp interface interface-name] aging-timer aging-timer-minutes;

10.3. Juniper Aggregated Link

10.3.1. M-Series

We have encountered no issues with aggregated links and JunOS (M40, M160, T320). JUNOS releases prior to 6.0 required VLAN tagging on aggregated interfaces. This limitation has since been removed. An example configuration follows:

niels@junix# show chassis
aggregated-devices {
    ethernet {
        device-count 1;
    }
}

[edit]

niels@junix# show interfaces ge-2/1/0
gigether-options {
    802.3ad ae0;
}

[edit]

niels@junix# show interfaces ge-3/1/0
gigether-options {
    802.3ad ae0;
}

[edit]

niels@junix# show interfaces ae0
description "AMS-IX";
unit 0 {
    family inet {
        filter {
            input AMSIX-in;
            output AMSIX-out;
        }
        address 80.249.20x.y/21;
    }
    family inet6 {
        address 2001:07F8:1::A50a:bcde:1/64;
    }
}

Additionally and optionally you can configure more granular load balancing:

routing-options {
    autonomous-system abcde;
    forwarding-table {
        export [ load-balance ];
    }
}
policy-options {
    policy-statement load-balance {
        then {
            load-balance per-packet;
        }
    }
}
forwarding-options {
    hash-key {
        family inet {
            layer-3;
            layer-4;
        }
    }
}

In case that is not granular enough, you can modify the hash-key algorithm with some undocumented options in JunOS 7.x and up:

hash-key {
    family inet {
        layer-3 {
            destination-address;
            protocol;
            source-address;
        }
        layer-4 {
            destination-port;
            source-port;
            type-of-service;
        }
    }
}

You can also set minimum-links to a value that takes the bundle down when the remaining member links can no longer carry the traffic you intend to push through it. For a 2-port aggregated link carrying 1.2 Gbps sustained, a single 1GE link cannot carry the load, so the bundle should drop as soon as only one link remains (n == 1):

aggregated-ether-options {
  minimum-links 2;
  link-speed 1g;
}

In a setup with load balancing over multiple IP interfaces (not the AMS-IX case), the final statement makes traceroute confusing to novices: because TCP/UDP port numbers (and ICMP checksums) enter the hash, successive traceroute probes, which differ in port number, may be sent over different interfaces and appear to "bounce" between them.

On an IP1 (Internet Processor I) load-balance per-packet really means per-packet; on an IP2 it actually works per flow, which is preferable.
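The traceroute effect just described, as an added example that is not Juniper code and not part of the AMS-IX material: a small Python model of per-flow member selection on an aggregated link. The rolling hash is a stand-in for the forwarding ASIC's hash function (chosen because it is deterministic and easy to follow, not because it matches Junos), and the packet fields and addresses are constructed. It shows that with a layer-3-only key every probe of a traceroute lands on the same member, while with a layer-3 plus layer-4 key the probes spread across members because each UDP probe uses a new destination port; packets of a single TCP session still stay on one member either way.

```python
"""Toy model of aggregated-link hashing: layer-3 only vs layer-3 + layer-4.

Added example, not Juniper code. toy_hash() is a stand-in for the
forwarding ASIC's (undocumented) hash; the selection idea it models, hash
the chosen header fields and reduce modulo the member count, is what the
hash-key configuration controls.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int   # 6 = TCP, 17 = UDP
    sport: int
    dport: int


def toy_hash(key: bytes) -> int:
    """Polynomial rolling hash (assumed stand-in, not the real algorithm)."""
    h = 0
    for b in key:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def hash_key(pkt: Packet, layer4: bool) -> bytes:
    """Header fields that enter the hash: layer-3 always, layer-4 optionally."""
    fields = [pkt.src, pkt.dst, str(pkt.proto)]
    if layer4:
        fields += [str(pkt.sport), str(pkt.dport)]
    return "|".join(fields).encode()


def pick_member(pkt: Packet, members: int, layer4: bool) -> int:
    """Member link (0 .. members-1) chosen for this packet."""
    return toy_hash(hash_key(pkt, layer4)) % members


def members_used(pkts: List[Packet], members: int, layer4: bool) -> Set[int]:
    """Set of member links a list of packets is spread over."""
    return {pick_member(p, members, layer4) for p in pkts}


def udp_traceroute_probes(src: str, dst: str, count: int = 8) -> List[Packet]:
    """Classic UDP traceroute: identical 5-tuple except the destination
    port, which increments from 33434 for every probe (constructed)."""
    return [Packet(src, dst, 17, 40000, 33434 + i) for i in range(count)]


def tcp_flow(src: str, dst: str, count: int = 8) -> List[Packet]:
    """One TCP session: every packet carries the same 5-tuple (constructed)."""
    return [Packet(src, dst, 6, 51000, 443) for _ in range(count)]


if __name__ == "__main__":
    probes = udp_traceroute_probes("192.0.2.1", "198.51.100.7")
    flow = tcp_flow("192.0.2.1", "198.51.100.7")
    print("traceroute, layer-3 key:    ", members_used(probes, 2, layer4=False))
    print("traceroute, layer-3+4 key:  ", members_used(probes, 2, layer4=True))
    print("one TCP flow, layer-3+4 key:", members_used(flow, 2, layer4=True))
```

With two members, consecutive probes (ports 33434 and 33435) differ in exactly one byte, so the layer-3+4 key sends them to different members: that is the "bouncing" a novice sees in traceroute output, while real flows are still pinned to one link.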

10.4. Juniper 10GE Specifics

The link flap introduced by the PXCs (photonic cross-connects) means you have to damp interface transitions. JUNOS supports a configurable hold-time; a good value is 1200 ms.

hold-time up 1200 down 1200

Aggregated interfaces require hold timers on all physical member interfaces and on the logical aggregated interface, xe-0/1/0 and ae0 respectively in the example below:

[edit]

arien@router# show interfaces xe-0/1/0
description "10GE LinkAgg #1";
hold-time up 1200 down 1200;
gigether-options {
   802.3ad ae0;
}

[edit]
arien@router# show interfaces ae0
description "Aggregated interface to AMS-IX Peering LAN";
hold-time up 1200 down 1200;
aggregated-ether-options {
   minimum-links 1;
   link-speed 10g;
}
unit 0 {
   description "Aggregated interface to AMS-IX Peering LAN";
   bandwidth 20g;
   family inet {
       address 80.249.20x.y/21;
   }
}
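A forgotten hold-time on one member is the usual way this requirement is missed, so here, as an added example (not AMS-IX or Juniper code), is a Python check that reads "show configuration interfaces | display set" output, collects every 802.3ad member and the ae bundles they point at, and reports any of those interfaces without the expected "hold-time up <ms> down <ms>" line. The sample configuration is constructed: it mirrors the example above but deliberately omits the hold-time on a second member.

```python
"""Verify hold-time on every LAG member and on the ae interface itself.

Added example, not AMS-IX or Juniper code. Works on
'show configuration interfaces | display set' output and assumes the
hold-time statement has the form 'hold-time up <ms> down <ms>'.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample: xe-0/1/0 and ae0 carry hold-time, xe-0/1/1 does not.
SAMPLE_CONFIG = """\
set interfaces xe-0/1/0 description "10GE LinkAgg #1"
set interfaces xe-0/1/0 hold-time up 1200 down 1200
set interfaces xe-0/1/0 gigether-options 802.3ad ae0
set interfaces xe-0/1/1 description "10GE LinkAgg #2"
set interfaces xe-0/1/1 gigether-options 802.3ad ae0
set interfaces ae0 hold-time up 1200 down 1200
set interfaces ae0 aggregated-ether-options minimum-links 1
set interfaces ae0 unit 0 family inet address 192.0.2.1/24
"""


def parse_lag_and_hold(config: str) -> Tuple[Dict[str, str], Dict[str, Tuple[int, int]]]:
    """Return (physical -> ae bundle, interface -> (up, down) hold-time in ms)."""
    members: Dict[str, str] = {}
    hold: Dict[str, Tuple[int, int]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["set", "interfaces"]:
            continue
        ifname = t[2]
        # 'gigether-options 802.3ad aeN' binds a physical port to a bundle;
        # other 802.3ad sub-statements (lacp ...) are ignored.
        if "802.3ad" in t:
            nxt = t[t.index("802.3ad") + 1]
            if nxt.startswith("ae"):
                members[ifname] = nxt
        if len(t) >= 8 and t[3:5] == ["hold-time", "up"] and t[6] == "down":
            hold[ifname] = (int(t[5]), int(t[7]))
    return members, hold


def audit_hold_time(config: str, want: Tuple[int, int] = (1200, 1200)) -> List[str]:
    """List LAG members and bundles that lack the wanted hold-time."""
    members, hold = parse_lag_and_hold(config)
    lag_ifaces: Set[str] = set(members) | set(members.values())
    findings: List[str] = []
    for ifname in sorted(lag_ifaces):
        if ifname not in hold:
            findings.append(f"{ifname}: no hold-time configured")
        elif hold[ifname] != want:
            findings.append(f"{ifname}: hold-time {hold[ifname]} != {want}")
    return findings


if __name__ == "__main__":
    for finding in audit_hold_time(SAMPLE_CONFIG):
        print(finding)
```

Interfaces that are not part of any bundle are deliberately left out of the report; the check is about the LAG requirement above, not about every port on the box.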

10.5. MTU Config

The configured MTU should be 1514 (this includes Ethernet headers but not the FCS), or 1518 when tagged.