Basic Protection For the IX and You
The safest way to connect to an IX is with a router, and we prefer you connect to us with a router. However we do recognize many switches can perform most all of the routing functions that most enterprises need from a router these days. We just ask if you are connecting with a switch that you make your switch’s port facing IX-Denver as router like as possible; for example 1 MAC address, L3 terminated p2p connection, no loops, no spanning-tree, no discovery protocols, but mostly a p2p broadcast domain between the IX fabric and your port. If you implement these basic best practices then our other basic protections listed below will likely be invisible to you and your network.
Current Implemented IX-Denver Fabric Protections:
- BUM (Broadcast, Multicast, Unknown Unicast) traffic is rate limited to 5mbits for all interface speeds.
- 1 MAC address is permitted per port, MAC addresses are statically filtered by IX-Denver.
- No BPDUs are accepted on any port – If IX-Denver receives a BPDU from your router this will result in a link-down for 5 minutes.
- The switch fabric forwards ARP, IPv4, IPv6
- The route server(s) accept ARP, ICMP, ICMP6 and TCP/179
- A small dedicated queue is available for bgp network control traffic, this traffic must be sourced from your IX /24 or /64 IP.
- We implement IETF BCP 214 “BGP Session Culling” during all maintenance activity.