These guidelines follow the connection agreement specifications defined in the Appendix. Whenever possible, connect a layer-3 device directly to SwissIX. This avoids the trouble that layer-2 devices between your router and the SwissIX infrastructure cause for everyone. Most problems we see come from STP and its variants, but also from CDP and similar protocols.
When layer-2 devices send frames towards the SwissIX infrastructure, you risk that the port security configured on your port shuts the port down because too many MAC addresses are seen on it.
We completely disallow STP packets. We also have strict traffic filters on each ingress port that only allow IPv4, IPv6 and ARP traffic. In case the peer has a link aggregation group (LAG) towards us, we also allow LLDP. All this traffic is tied to a single, fixed configured MAC address.
If there is no way to connect your layer-3 device directly to the SwissIX infrastructure, make sure the transport is completely transparent and that the devices in between are not visible at all from the SwissIX infrastructure.
If you have a 1G fibre connection towards SwissIX and the link does not come up on both sides, please try disabling auto-negotiation on your side.
As mentioned above, we tie the ingress ACLs to your MAC address, so please contact us if you have changed the device on your end. You can also contact us in advance so we can install ACLs for both MAC addresses before you change the device.
First, it is a good idea to disable some global protocol settings; Cisco devices are very talkative by default:
Then the interface config should look something like this:
For IPv6 there are also some things to disable:
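The global, interface and IPv6 snippets referred to in the three steps above did not survive on this page. As an added illustration (not SwissIX's own configuration), the following Cisco IOS fragment shows the kind of settings those steps describe: quieting the global discovery and service protocols, then hardening the peering interface for IPv4 and IPv6. The interface name, the addresses (RFC 5737 and RFC 3849 documentation ranges) and the IOS 15.x command syntax are assumptions; check each command against your platform.

```text
! Added example, not the page's own config: Cisco IOS router facing an IXP port.
! Global settings: stop the router announcing itself or asking for services on the fabric.
no cdp run
no lldp run
no service dhcp
no ip bootp server
no service config
no boot network
no ip gratuitous-arps
no ip source-route
!
! The IXP-facing interface (interface name and addresses are placeholders).
interface GigabitEthernet0/1
 description SwissIX peering port (example)
 ip address 192.0.2.10 255.255.255.0
 ! no ICMP redirects/unreachables, no proxy-ARP answers for other peers' addresses
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 ! per-interface discovery protocols, DEC MOP announcements and Ethernet loopback keepalives
 no cdp enable
 no lldp transmit
 no lldp receive
 no mop enabled
 no keepalive
 ! IPv6: no router advertisements, no MLD querier role, no redirects on the peering LAN
 ipv6 address 2001:db8:100::10/64
 ipv6 nd ra suppress all
 no ipv6 mld router
 no ipv6 redirects
 no ipv6 unreachables
```

`no lldp run` switches LLDP off globally; if you operate a LAG with SwissIX, re-enable LLDP only on the LAG member ports, since that is the one case in which the ingress filter accepts it. After applying the interface settings, `show cdp interface` and `show lldp interface` are a quick way to confirm the peering port is no longer listed as active.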
It is important to isolate the SwissIX port into its separate VLAN on Brocade devices. A route-only port is not 100% isolated from other ports in the same VLAN!
Then the actual interface config:
There are a lot of different switches out there, so it is very difficult for us to cover all config aspects. Even among the models of one vendor there is a wide variety of differences in the inner workings of these devices.
We can only give you some hints here based on what we have found out over the years.
Disable all kinds of discovery protocols on the SwissIX ports/VLAN, namely:
And, most importantly, disable Spanning Tree on the port and VLAN that carry the SwissIX traffic.
A config for a 2900/3500 series Cisco switch would look something like this:
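The 2900/3500 switch configuration referred to above is not present on this page, and neither is the page's own list of discovery protocols. As an added illustration (not SwissIX's config), the following Cisco IOS fragment isolates the IXP-facing port and the port towards your own router in a dedicated VLAN, disables Spanning Tree for that VLAN and drops BPDUs on both ports, and switches off the discovery and negotiation protocols a Catalyst typically runs by default (CDP, LLDP, DTP, VTP, UDLD). The VLAN number, port names and the 12.2/15.x-style `vlan` configuration syntax (older 2900XL/3500XL software uses `vlan database` mode instead) are assumptions.

```text
! Added example, not the page's own config: Catalyst switch between your router and SwissIX.
! Global: no VTP advertisements, no STP instance for the SwissIX VLAN, no UDLD on fibre ports.
vtp mode transparent
no spanning-tree vlan 100
no udld enable
!
vlan 100
 name SwissIX-transport
!
! Port towards SwissIX: plain access port in the dedicated VLAN, BPDUs dropped in both
! directions, no trunk (DTP) negotiation, no discovery chatter, no loopback keepalives.
interface GigabitEthernet0/1
 description to SwissIX (example)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree bpdufilter enable
 no cdp enable
 no lldp transmit
 no lldp receive
 udld port disable
 no keepalive
!
! Port towards your own router: same VLAN, same silence, so nothing from the rest of
! the switch can leak into the SwissIX VLAN and only the router's MAC is ever seen.
interface GigabitEthernet0/2
 description to own router (example)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree bpdufilter enable
 no cdp enable
 no lldp transmit
 no lldp receive
 udld port disable
 no keepalive
```

`no spanning-tree vlan 100` alone stops the switch from originating BPDUs in that VLAN, but a switch with STP disabled may still flood BPDUs it receives, which is why `spanning-tree bpdufilter enable` is set on both member ports as well. A useful check after cabling: `show mac address-table vlan 100` should list exactly one learned address on the SwissIX side (your router's) and nothing else; any additional entry means something other than your router is reachable through that VLAN, which is exactly what the port security on the SwissIX side will trip on.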
If you have other equipment and would like to share your config with us, please contact us so we can have a look at it and share it on this page.