Equipment Configuration - Best Current Practice

Principal Guidelines

These guidelines follow the connection agreement specifications, which are defined in the Appendix. Whenever possible, connect a layer-3 device directly to SwissIX. This avoids the trouble that layer-2 devices between your router and the SwissIX infrastructure cause for everyone. Most problems we see come from STP and its variants, but also from CDP and similar protocols.

When layer-2 devices send packets towards the SwissIX infrastructure, you risk that the port security configured on your port disables the port because too many MAC addresses are seen.

We completely disallow STP packets. We also have strict traffic filters on each ingress port that only allow IPv4, IPv6 and ARP traffic. In case the peer has a link aggregation group (LAG) towards us, we also allow LLDP. All this traffic is tied to one fixed, configured MAC address.
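As an added illustration (not part of SwissIX's own configuration or tooling), the following Python models the ingress policy described above and the port-security point from the previous paragraph: frames are classified by destination MAC and Ethertype, the filter is bound to one registered source MAC, and a distinct-MAC count shows how a hidden layer-2 device trips port security. All MAC addresses and frames are constructed sample values.

```python
import struct
# Ethertypes the page says the IXP permits: IPv4, IPv6, ARP, and LLDP only on LAG ports
ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_LLDP = 0x0800, 0x0806, 0x86DD, 0x88CC
STP_DST = bytes.fromhex("0180c2000000")   # IEEE 802.1D bridge group address used by STP BPDUs
BCAST = bytes.fromhex("ffffffffffff")
PEER_MAC = bytes.fromhex("001122334455")  # constructed: the peer's registered router MAC
OTHER_MAC = bytes.fromhex("66778899aabb") # constructed: a hidden layer-2 switch in the path

def frame(dst: bytes, src: bytes, etype: int, payload: bytes = b"") -> bytes:
    """Build a raw Ethernet frame; etype may also be an 802.3 length field."""
    return dst + src + struct.pack("!H", etype) + payload

def parse_frame(raw: bytes):
    """Return (dst, src, ethertype_or_length, payload) of a raw Ethernet frame."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    return raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0], raw[14:]

def ingress_verdict(raw: bytes, registered_mac: bytes, lag: bool = False) -> str:
    """Model of the per-port ingress filter: returns 'permit' or 'drop:<reason>'."""
    dst, src, etype, _ = parse_frame(raw)
    if dst == STP_DST:
        return "drop:stp-bpdu"          # STP is never allowed, whatever the source
    if src != registered_mac:
        return "drop:unknown-src-mac"   # the ACL is bound to one fixed MAC address
    allowed = {ETH_IPV4, ETH_ARP, ETH_IPV6} | ({ETH_LLDP} if lag else set())
    return "permit" if etype in allowed else f"drop:ethertype-0x{etype:04x}"

def port_security(frames, max_macs: int = 1) -> dict:
    """Count distinct source MACs on the port; more than max_macs err-disables it."""
    seen = {parse_frame(f)[1] for f in frames}
    return {"distinct_macs": len(seen), "violation": len(seen) > max_macs}

# Constructed sample traffic: legitimate peer frames plus the protocol chatter the page warns about
SAMPLE_FRAMES = [
    frame(BCAST, PEER_MAC, ETH_ARP, b"\x00\x01\x08\x00\x06\x04\x00\x01"),               # ARP request
    frame(bytes.fromhex("333300000001"), PEER_MAC, ETH_IPV6, b"\x60" + b"\x00" * 39),   # IPv6 to all-nodes
    frame(STP_DST, OTHER_MAC, 0x0026, b"\x42\x42\x03" + b"\x00" * 35),                  # STP BPDU (LLC 0x42)
    frame(bytes.fromhex("01000ccccccc"), PEER_MAC, 0x0100, b"\xaa\xaa\x03\x00\x00\x0c\x20\x00"),  # CDP via SNAP
    frame(bytes.fromhex("0180c200000e"), PEER_MAC, ETH_LLDP, b"\x02\x07\x04" + PEER_MAC),        # LLDP
]

def evaluate(frames=SAMPLE_FRAMES, registered_mac=PEER_MAC, lag=False):
    return [ingress_verdict(f, registered_mac, lag) for f in frames]

if __name__ == "__main__":
    for f, v in zip(SAMPLE_FRAMES, evaluate()):
        print(f"{parse_frame(f)[1].hex(':')} -> {v}")
    print(port_security(SAMPLE_FRAMES))
```

Running it shows the CDP and LLDP frames from the peer's own MAC being dropped by Ethertype on a non-LAG port, while the STP BPDU from the hidden switch is dropped outright and its second MAC address is what triggers the port-security violation.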

If there is no way to connect your layer-3 device directly to the SwissIX infrastructure, make sure the transport is completely transparent and the devices in between are not visible at all from the SwissIX infrastructure.

Special note for 1G fibre connections

If you have a 1G fibre connection towards SwissIX and the link does not come up on both sides, please try disabling auto-negotiation on your side.

Equipment change

As mentioned above, we tie the ingress ACLs to your MAC address, so please contact us if you have changed the device on your end. You can also contact us in advance so we can install ACLs for both MAC addresses before you change the device.

Device Configuration Examples


Cisco IOS

First, it is a good idea to disable some global protocol settings, as Cisco is very talky by default:

no cdp run
no service dhcp
no ip bootp server
no service config


Then the interface config should look something like this:

interface TypeEthernetX
  no ip redirects
  no ip proxy-arp
  no cdp enable
  no ip directed-broadcast
  no mop enable
  no keepalive
  ip address 91.206.a.b
  ipv6 address 2001:7f8:24::XXXX/64


For IPv6 there are also some things to disable:

no ipv6 mld router
no ipv6 mfib forwarding
ipv6 nd suppress-ra
! on IOS version 12.2(33)SRC it is the following syntax:
ipv6 nd ra suppress

! on later IOS/IOS-XE versions the "all" option is needed to also
! suppress responses to Router Solicitation messages besides periodic RAs:
ipv6 nd ra suppress all
no ipv6 pim
no ipv6 mld snooping

Brocade Ironware

It is important to isolate the SwissIX port into its separate VLAN on Brocade devices. A route-only port is not 100% isolated from other ports in the same VLAN!

vlan number name "SwissIX" by port
no spanning-tree
untagged ethernet X/Y

Then the actual interface config:

interface ethernet X/Y
 port-name "SwissIX"
 no spanning-tree
 ipv6 nd suppress-ra
 no vlan-dynamic-discovery
 ip address 91.206.a.b
 ipv6 address 2001:7f8:24::XXXX/64
 no ip redirect
 no ipv6 redirect
 ip arp-age 120

Switch Configuration Hints

There are a lot of different switches out there, so it is very difficult for us to cover all configuration aspects. Even among the models of one vendor there is a wide variety of differences in the inner workings of these devices.

We can only give you some hints here of what we have found out over the years.

Disable all kinds of discovery protocols on the SwissIX ports/VLAN, namely:

  • LLDP
  • VTP

Most important: disable Spanning Tree on the port and VLAN on which you transport the SwissIX traffic.

A config for a 2900/3500 series Cisco switch would look something like this:

vtp mode transparent
no spanning-tree vlan 100
! If you don't need LLDP, disable globally
no lldp run
! If you don't need CDP, disable globally
no cdp run
vlan 100
 name SwissIX
interface TypeEthernetX
 description Interface to SwissIX
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no keepalive
 speed nonegotiate
 no udld enable
 no cdp enable
 no lldp receive
 no lldp transmit
 spanning-tree bpdufilter enable

If you have other equipment and would like to share your config with us, please contact us so we can have a look at it and share it on this page.