Device Configuration

 

Independent of the implementation, the topology of an IXP or the number of PoPs, the peering LAN should always act like a plain Layer 2 Ethernet network.
Typically, each peering device hosts a single peering LAN where all members are connected. Ports might be tagged or untagged; there is no difference if the device only hosts a public peering VLAN. However, some IXPs may want to offer configuration of "private VLANs" between members as a service; the relevant members should then have a tagged port (or a separate port) on the device.
Port configuration for things such as port speed and full duplex/half duplex should be agreed with the member, taking into account the devices that must be connected. Some devices may have trouble with auto-negotiation or, on the contrary, with forcing a particular configuration.
Theoretically, if the members were "well-behaved", no additional configuration would be necessary. However, misconfigurations can happen to anybody, so it is usually best to put some protection mechanisms in place on the peering switch, such as the following:
 
  • Block Spanning Tree on all peering ports
  • Only let the allowed ethertypes pass (typically IPv4, IPv6, ARP)
  • MAC locking
    This is a feature available in most recent models, whereby it is possible to allow only a certain number of MAC addresses through a port. The feature is usually configurable as "first arrival" (the source MACs of the first "n" packets are allowed, all others are denied) or "hardcoded" (the allowed MACs are explicitly configured in the device).
  • Storm control (broad/multicast)
    A broad/multicast storm (such as one caused by a layer 2 loop) might flood the peering LAN, so it should be taken care of. Devices may have different mechanisms of broad/multicast storm control: it might be possible to configure a "burst limit" for broad/multicast packets (e.g. the port is shut down if "n" broad/multicast packets come through the port in a certain amount of time), or to simply limit the number of broad/multicast packets per second allowed through the port (the exceeding packets are discarded).
  • Several IXPs make use of a so-called "Quarantine VLAN"
    When a new member joins the Exchange, their port is first assigned to the "Quarantine VLAN" where a "dummy" peering is set up. The VLAN is then sniffed for "bad" traffic (e.g. IGP protocols like OSPF and IS-IS, keep-alive frames, CDP, MOP, ...). The ISP is moved to the main peering VLAN only after all the problems detected on the Quarantine VLAN have been fixed. Please note that a Quarantine VLAN should not be seen as a replacement for monitoring the peering LAN itself, as an ISP may introduce problematic traffic at a later date, e.g. after router upgrades.
  • Members will ask for a single IP address at an exchange point, but they might need to transport more capacity than hardware vendors currently offer. The result is that they aggregate multiple ports into a logical port. This is called trunking, bonding or forming a LAG. When done dynamically, this is implemented by LACP (Link Aggregation Control Protocol). LACP allows a network device to negotiate an automatic bundling of links by sending LACP packets to the opposite device.
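
The ethertype filter and the Quarantine VLAN check described above can be expressed as a frame classifier. The following Python is an added example, not part of the original document or any IXP's tooling: the MAC addresses, ethertypes and IP protocol number are the standard well-known values, while the function names and the sample frames are constructed for illustration.

```python
import struct

ALLOWED = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}  # ethertypes allowed to pass
# Well-known identifiers for the "bad" traffic listed above.
BAD_ETHERTYPES = {0x9000: "loopback keep-alive", 0x6001: "MOP", 0x6002: "MOP"}
BAD_DST = {"01:80:c2:00:00:00": "Spanning Tree BPDU", "01:00:0c:cc:cc:cc": "CDP",
           "01:80:c2:00:00:14": "IS-IS", "01:80:c2:00:00:15": "IS-IS"}
OSPF = 89  # IP protocol number

def classify(frame: bytes) -> str:
    """Return 'pass: ...' or 'flag: ...' for one raw Ethernet frame."""
    if len(frame) < 14:
        return "flag: truncated frame"
    dst = frame[:6].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    l3 = 14
    if etype == 0x8100 and len(frame) >= 18:  # skip a single 802.1Q tag
        (etype,) = struct.unpack("!H", frame[16:18])
        l3 = 18
    if dst in BAD_DST:
        return f"flag: {BAD_DST[dst]}"
    if etype in BAD_ETHERTYPES:
        return f"flag: {BAD_ETHERTYPES[etype]}"
    if etype not in ALLOWED:  # also catches 802.3 length/LLC framing (< 0x0600)
        return f"flag: ethertype 0x{etype:04x} not allowed"
    ip = frame[l3:]
    # IPv4 carries the protocol at byte 9, IPv6 the next header at byte 6.
    proto_at = 9 if etype == 0x0800 else 6
    if etype != 0x0806 and len(ip) > proto_at and ip[proto_at] == OSPF:
        return "flag: OSPF"
    return f"pass: {ALLOWED[etype]}"

def make_frame(dst, etype, payload=b"", vlan=None):
    """Build a constructed sample frame; the source MAC is made up."""
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    macs = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex("020000000001")
    return macs + tag + struct.pack("!H", etype) + payload

def ip4(proto):  # constructed 20-byte IPv4 header with only the protocol set
    return bytes(9) + bytes([proto]) + bytes(10)

SAMPLES = {  # constructed frames, not captured traffic
    "arp": make_frame("ff:ff:ff:ff:ff:ff", 0x0806),
    "tcp": make_frame("02:00:00:00:00:02", 0x0800, ip4(6)),
    "ospf": make_frame("01:00:5e:00:00:05", 0x0800, ip4(OSPF), vlan=100),
    "stp": make_frame("01:80:c2:00:00:00", 0x0026),
    "cdp": make_frame("01:00:0c:cc:cc:cc", 0x0100),
    "mop": make_frame("ab:00:00:02:00:00", 0x6002),
}
```

The IPv6 check reads only the first next-header byte, so OSPF behind an extension header would need a header walk to be caught.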