Equipment Configuration - Best Current Practice

Principal Guidelines

These guidelines follow the connection agreement specifications defined in the Appendix. Whenever possible, connect a layer-3 device directly to SwissIX. This avoids the problems that layer-2 devices sitting between your router and the SwissIX infrastructure cause for everyone. Most problems we see come from STP and its variants, but also from CDP and similar protocols.

When layer-2 devices send packets towards the SwissIX infrastructure, you risk that the port security configured on your port disables the port because of too many MAC addresses.

We completely disallow STP packets. We also have strict traffic filters on each ingress port that only allow IPv4, IPv6 and ARP traffic. Where the peer has a link aggregation group (LAG) towards us, we also allow LLDP. All of this traffic is tied to a fixed, configured MAC address.

If there is no way to connect your layer-3 device directly to the SwissIX infrastructure, make sure the transport is completely transparent and the devices in between are not visible at all from the SwissIX infrastructure.
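The ingress policy described above can be illustrated with a small model. The following is an added example and not SwissIX's own code: it permits IPv4, IPv6 and ARP from the one registered MAC address, permits LLDP only on a LAG port, drops everything else with a reason, and counts the distinct source MACs seen on the port, which is what a port-security limit trips on when a hidden layer-2 device forwards traffic. The frames, MAC addresses and the one-MAC port-security limit are constructed assumptions for the example.

```python
# Added example (not SwissIX's own code): a model of the per-port ingress filter
# and of the port-security MAC-count risk described above. All frames and MAC
# addresses below are constructed sample data.
from dataclasses import dataclass

ETH_IPV4, ETH_ARP, ETH_IPV6, ETH_LLDP = 0x0800, 0x0806, 0x86DD, 0x88CC
STP_DST = "01:80:c2:00:00:00"      # IEEE 802.1D bridge group address used by BPDUs
CISCO_DST = "01:00:0c:cc:cc:cc"    # Cisco multicast used by CDP, VTP, DTP and UDLD
MAC_LIMIT = 1                      # assumption: port security allows one MAC per port


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int   # for 802.3/LLC frames (BPDU, CDP) this field is a length < 0x0600


def classify(frame, registered_mac, lag=False):
    """Return 'permit' or a 'drop: ...' string explaining why the frame is dropped."""
    if frame.dst.lower() == STP_DST:
        return "drop: STP BPDU"
    if frame.dst.lower() == CISCO_DST:
        return "drop: CDP/VTP/DTP/UDLD multicast"
    if frame.ethertype < 0x0600:
        return "drop: 802.3/LLC frame, not Ethernet II"
    permitted = {ETH_IPV4, ETH_ARP, ETH_IPV6}
    if lag:                                   # LLDP only where a LAG exists
        permitted.add(ETH_LLDP)
    if frame.ethertype not in permitted:
        return f"drop: ethertype 0x{frame.ethertype:04x} not permitted"
    if frame.src.lower() != registered_mac.lower():
        return f"drop: source MAC {frame.src} is not the registered MAC"
    return "permit"


def audit_port(frames, registered_mac, lag=False):
    """Apply the filter to every frame and summarise what the port would see."""
    verdicts = [(f, classify(f, registered_mac, lag)) for f in frames]
    source_macs = {f.src.lower() for f in frames}
    return {
        "permitted": sum(v == "permit" for _, v in verdicts),
        "dropped": sum(v != "permit" for _, v in verdicts),
        "reasons": sorted({v for _, v in verdicts if v != "permit"}),
        "source_macs": len(source_macs),
        # more distinct MACs than the limit is what would shut the port down
        "port_security_violation": len(source_macs) > MAC_LIMIT,
    }


# Constructed sample: frames from the peer's router, plus frames leaked by an
# intermediate layer-2 switch and by a second host behind that switch.
PEER_MAC = "00:11:22:33:44:55"
SWITCH_MAC = "00:66:77:88:99:aa"
SAMPLE_FRAMES = [
    Frame(PEER_MAC, "02:00:00:00:00:01", ETH_IPV4),              # unicast IPv4 to another peer
    Frame(PEER_MAC, "ff:ff:ff:ff:ff:ff", ETH_ARP),               # ARP request
    Frame(PEER_MAC, "33:33:00:00:00:01", ETH_IPV6),              # IPv6 to all-nodes multicast
    Frame(PEER_MAC, "01:80:c2:00:00:0e", ETH_LLDP),              # LLDP, only valid on a LAG
    Frame(SWITCH_MAC, STP_DST, 0x0026),                          # STP BPDU from the hidden switch
    Frame(SWITCH_MAC, CISCO_DST, 0x0160),                        # CDP from the hidden switch
    Frame("00:bb:cc:dd:ee:ff", "02:00:00:00:00:01", ETH_IPV4),   # second host's MAC
]

if __name__ == "__main__":
    for frame in SAMPLE_FRAMES:
        print(f"{frame.src} -> {frame.dst} 0x{frame.ethertype:04x}: {classify(frame, PEER_MAC)}")
    print(audit_port(SAMPLE_FRAMES, PEER_MAC))
```

Running it on the sample shows only the three IPv4/ARP/IPv6 frames from the registered MAC getting through (four with `lag=True`), and three distinct source MACs on the port, which is exactly the situation in which a one-MAC port-security limit would disable the port.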

Special note for 1G fibre connections

If you have a 1G fibre connection towards SwissIX and the link does not come up on both sides, please try disabling auto-negotiation on your side.

Equipment change

As mentioned above, we tie the ingress ACLs to your MAC address, so please contact us if you have changed the device on your end. You can also contact us in advance so we can install ACLs for both MAC addresses before you change the device.

Device Configuration Examples

Cisco IOS

First, it is a good idea to disable some global protocol settings. Cisco devices are very talkative by default:

    no cdp run
    no service dhcp
    no ip bootp server
    no service config

Then the interface config should look something like this:

    interface TypeEthernetX
     no ip redirects
     no ip proxy-arp
     no cdp enable
     no ip directed-broadcast
     no mop enable
     no keepalive
     ip address 91.206.a.b
     ipv6 address 2001:7f8:24::XXXX/64

For IPv6 there are also some things to disable:

    no ipv6 mld router
    no ipv6 mfib forwarding
    ipv6 nd suppress-ra
    ! on IOS version 12.2(33)SRC it is the following syntax:
    ipv6 nd ra suppress
    ! on even later IOS/IOS-XE versions the "all" option is needed to also
    ! suppress responses to Router Solicitation messages besides periodic RAs:
    ipv6 nd ra suppress all
    no ipv6 pim
    no ipv6 mld snooping

Brocade Ironware

It is important to isolate the SwissIX port in its own VLAN on Brocade devices. A route-only port is not 100% isolated from other ports in the same VLAN!

    vlan number name "SwissIX" by port
     no spanning-tree
     untagged ethernet X/Y

Then the actual interface config:

    interface ethernet X/Y
     port-name "SwissIX"
     route-only
     no spanning-tree
     ipv6 nd suppress-ra
     no vlan-dynamic-discovery
     ip address 91.206.a.b
     ipv6 address 2001:7f8:24::XXXX/64
     no ip redirect
     no ipv6 redirect
     ip arp-age 120

Switch Configuration Hints

There are a lot of different switches out there, so it is very difficult for us to cover every configuration aspect. Even among the models of a single vendor there is a wide variety of differences in the inner workings of these devices.

We can only give you some hints here of what we have found out over the years.

Disable all kinds of discovery protocols on the SwissIX ports/VLAN, namely:

  • LLDP
  • VTP

Most importantly, disable Spanning Tree on the port and VLAN on which you transport the SwissIX traffic.

A config for a 2900/3500 series Cisco switch would look something like this:

    vtp mode transparent
    !
    no spanning-tree vlan 100
    ! If you don't need LLDP, disable globally
    no lldp run
    ! If you don't need CDP, disable globally
    no cdp run
    !
    vlan 100
     name SwissIX
    !
    interface TypeEthernetX
     description Interface to SwissIX
     switchport access vlan 100
     switchport mode access
     switchport nonegotiate
     no keepalive
     speed nonegotiate
     no udld enable
     no cdp enable
     no lldp receive
     no lldp transmit
     spanning-tree bpdufilter enable
    end
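A quick way to verify that a device actually carries the hardening lines from the Cisco IOS router snippet and from the 2900/3500 switch snippet above is to check its running configuration against them. The following checker is an added example and not SwissIX's own tooling: it parses an IOS-style configuration into global and per-interface sections and reports which of the lines shown on this page are missing. The required-line sets mirror the snippets above (any of the three RA-suppression syntaxes listed is accepted); the configuration text, interface names and addresses are constructed, using documentation prefixes rather than real SwissIX addresses.

```python
# Added example (not SwissIX's own tooling): check an IOS-style configuration for
# the router and switch hardening lines recommended on this page. The config
# excerpts at the bottom are constructed sample data.

# Router: global lines and per-interface lines from the Cisco IOS section.
ROUTER_GLOBAL = {"no cdp run", "no service dhcp", "no ip bootp server", "no service config"}
ROUTER_INTERFACE = {"no ip redirects", "no ip proxy-arp", "no cdp enable",
                    "no ip directed-broadcast", "no mop enable", "no keepalive"}
# Any one of the three RA-suppression syntaxes listed on the page is accepted.
RA_SUPPRESS = {"ipv6 nd suppress-ra", "ipv6 nd ra suppress", "ipv6 nd ra suppress all"}
# Switch: per-interface lines from the 2900/3500 snippet.
SWITCH_INTERFACE = {"switchport mode access", "switchport nonegotiate", "no keepalive",
                    "speed nonegotiate", "no udld enable", "no cdp enable",
                    "no lldp receive", "no lldp transmit", "spanning-tree bpdufilter enable"}


def parse_ios(text):
    """Split an IOS config into {'global': [...], 'interface X': [...], 'vlan N': [...]}.
    IOS nests sub-commands by a leading space; lines starting with '!' are comments."""
    sections = {"global": []}
    current = "global"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if line.startswith(" "):                          # sub-command of the open section
            sections[current].append(line.strip())
        elif line.startswith(("interface ", "vlan ")):    # opens a new section
            current = line.strip()
            sections.setdefault(current, [])
        else:                                             # any other top-level command
            current = "global"
            sections["global"].append(line)
    return sections


def check_router(text, interface):
    """Return the hardening lines missing for a router's SwissIX-facing interface."""
    cfg = parse_ios(text)
    iface = set(cfg.get(f"interface {interface}", []))
    missing = sorted(ROUTER_GLOBAL - set(cfg["global"]))
    missing += sorted(ROUTER_INTERFACE - iface)
    if not iface & RA_SUPPRESS:
        missing.append("ipv6 nd ra suppress (any of the listed syntaxes)")
    return missing


def check_switch(text, interface, vlan):
    """Return the hardening lines missing for a switch access port carrying SwissIX."""
    cfg = parse_ios(text)
    glob = set(cfg["global"])
    iface = set(cfg.get(f"interface {interface}", []))
    missing = [l for l in ("vtp mode transparent", f"no spanning-tree vlan {vlan}") if l not in glob]
    if f"switchport access vlan {vlan}" not in iface:
        missing.append(f"switchport access vlan {vlan}")
    missing += sorted(SWITCH_INTERFACE - iface)
    return missing


# Constructed router config: 'no cdp run' and 'no cdp enable' deliberately left out.
ROUTER_CONFIG = """\
no service dhcp
no ip bootp server
no service config
!
interface GigabitEthernet0/1
 description SwissIX peering port (constructed example)
 ip address 192.0.2.10 255.255.255.0
 ipv6 address 2001:db8::10/64
 no ip redirects
 no ip proxy-arp
 no ip directed-broadcast
 no mop enable
 no keepalive
 ipv6 nd ra suppress all
!
end
"""

# Constructed switch config: STP is still active on VLAN 100 and BPDU filtering is missing.
SWITCH_CONFIG = """\
vtp mode transparent
no lldp run
no cdp run
!
vlan 100
 name SwissIX
!
interface GigabitEthernet1/0/24
 description Interface to SwissIX (constructed example)
 switchport access vlan 100
 switchport mode access
 switchport nonegotiate
 no keepalive
 speed nonegotiate
 no udld enable
 no cdp enable
 no lldp receive
 no lldp transmit
end
"""

if __name__ == "__main__":
    print("router missing:", check_router(ROUTER_CONFIG, "GigabitEthernet0/1"))
    print("switch missing:", check_switch(SWITCH_CONFIG, "GigabitEthernet1/0/24", 100))
```

On the sample configs the router check reports the two missing CDP lines and the switch check reports that Spanning Tree is still enabled on VLAN 100 and that BPDU filtering is absent on the port; a clean configuration yields an empty list for both.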

If you have other equipment and would like to share your config with us, please contact us, so we can have a look at it and share it on this page.