Allowed traffic on the platform
- Only one MAC address per member is allowed. This limits the risk of loops on the network.
- Only 3 Ethertypes are allowed:
  - 0x0800 - IPv4
  - 0x0806 - ARP
  - 0x86dd - IPv6
ICMPv6 and ARP traffic are "rate-limited". "Unknown-unicast" traffic, which is broadcast by the platform, is also "rate-limited".
A global filter denies STP and bridging protocols. Link layer protocols and IPv6 Router Advertisement/Router Solicitation (RA/RS) are also filtered by the platform.
In order to guarantee the security of the exchange point, a set of rules has been defined. France-IX reserves the right to shut down ports that violate these specifications:
- The MTU size should be 1500 bytes
- Non-unicast packets are not allowed except:
  - ICMPv6 Neighbor Advertisement/Solicitation
- IPv4 multicast is not allowed
To ensure that these rules are observed:
- A quarantine VLAN is used before moving a port into production to check that these specifications are followed
- A monitoring tool alerts the technical team if a new ARP entry is detected. Proxy ARP configured on the member port is not allowed.
- Sniffer servers are installed in the core network to analyse broadcast traffic, and check that only legitimate traffic is forwarded on the platform.
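The rules above can be expressed as a per-frame check of the kind a broadcast-traffic sniffer could apply. This is an added example, not France-IX's own tooling: `check_frame`, the helpers and the sample frames are constructed for illustration. It assumes untagged Ethernet II frames, no IPv6 extension headers, and that broadcast ARP is accepted because ARP is an allowed, rate-limited Ethertype; rate limits are not modelled.

```python
import struct

ALLOWED_ETHERTYPES = {0x0800, 0x0806, 0x86DD}  # IPv4, ARP, IPv6
ND_ALLOWED = {135, 136}  # ICMPv6 Neighbor Solicitation / Advertisement
RA_RS = {133, 134}       # ICMPv6 Router Solicitation / Advertisement

def check_frame(frame: bytes) -> str:
    """Return 'ok' or the reason an untagged Ethernet II frame breaks the rules."""
    if len(frame) < 14:
        return "truncated frame"
    dst, payload = frame[:6], frame[14:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype not in ALLOWED_ETHERTYPES:
        return f"ethertype 0x{ethertype:04x} not allowed"
    if len(payload) > 1500:
        return "payload larger than 1500-byte MTU"
    group = bool(dst[0] & 0x01)  # group bit is set for broadcast and multicast
    if ethertype == 0x0806:
        return "ok"  # assumption: broadcast ARP is accepted (only rate-limited)
    if ethertype == 0x0800:
        if len(payload) < 20:
            return "truncated IPv4 header"
        if group or payload[16] >> 4 == 0xE:  # destination in 224.0.0.0/4
            return "non-unicast IPv4 not allowed"
        return "ok"
    if len(payload) < 40:
        return "truncated IPv6 header"
    # Assumption: ICMPv6 directly follows the fixed header (no extension headers).
    icmp_type = payload[40] if payload[6] == 58 and len(payload) > 40 else None
    if icmp_type in RA_RS:
        return "IPv6 RA/RS filtered"
    if group and icmp_type not in ND_ALLOWED:
        return "non-unicast IPv6 not allowed"
    return "ok"

def eth(dst: str, ethertype: int, payload: bytes) -> bytes:
    return bytes.fromhex(dst + "020000000001") + struct.pack("!H", ethertype) + payload
def ipv4(dst_ip: str) -> bytes:
    return bytes([0x45]) + bytes(15) + bytes(int(o) for o in dst_ip.split("."))
def ipv6_icmp(icmp_type: int) -> bytes:
    return bytes([0x60, 0, 0, 0, 0, 8, 58, 255]) + bytes(32) + bytes([icmp_type]) + bytes(7)

SAMPLES = {  # constructed frames, not captured traffic
    "neighbor solicitation": eth("3333ff000001", 0x86DD, ipv6_icmp(135)),
    "router advertisement": eth("333300000001", 0x86DD, ipv6_icmp(134)),
    "LLDP": eth("0180c200000e", 0x88CC, bytes(46)),
    "OSPF hello": eth("01005e000005", 0x0800, ipv4("224.0.0.5")),
}
if __name__ == "__main__":
    print({name: check_frame(f) for name, f in SAMPLES.items()})
```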
Route servers have been installed to facilitate the exchange of routes between members.
BGP communities are also available to allow routing filtering. For more details, please visit the RIPE website.