Hong Kong

LOCATION
Hong Kong

  • Platform
  • Services
  • Technical
  • About
Current
14.83 Gb/s
Peak
76.89 Gb/s

More

Link aggregation

Link aggregation allows for the bundling of two or more links into one virtual channel. Link aggregation is also known as EtherChannel, Port Channel, Port aggregation or trunking, depending on the vendor involved. The IEEE 802.3ad or LACP specifications is applicable.

Link aggregation

Link aggregation allows for the bundling of two or more links into one virtual channel. Link aggregation is also known as EtherChannel, Port Channel, Port aggregation or trunking, depending on the vendor involved. The IEEE 802.3ad or LACP specifications is applicable.

Pricing and Availability

AMS-IX currently offers link aggregation on any 1G/10G/100G physical connection. Aggregating links acquired from different partners or resellers, however, is not supported. The port prices for aggregated links are identical to the normal port prices.

Due to technical limitations of the switches used by AMS-IX it may be necessary to relocate your existing port. If this turns out to be the case, AMS-IX will inform you and advise you of any additional steps necessary for this process.

AMS-IX can deliver aggregated links at all co-locations. Although a strict reading of the spec forbids it, we can offer aggregated links over different media types of the same speed.

Pricing and Availability

AMS-IX currently offers link aggregation on any 1G/10G/100G physical connection. Aggregating links acquired from different partners or resellers, however, is not supported. The port prices for aggregated links are identical to the normal port prices.

Due to technical limitations of the switches used by AMS-IX it may be necessary to relocate your existing port. If this turns out to be the case, AMS-IX will inform you and advise you of any additional steps necessary for this process.

AMS-IX can deliver aggregated links at all co-locations. Although a strict reading of the spec forbids it, we can offer aggregated links over different media types of the same speed.

Load-Balancing Algorithm for the NetIron MLX and SLX platforms

The load-balancing algorithms used in our NetIron MLX switches uses a modulo operation, leading to the best distribution over links with the entropy available in source and destination IPv4 or IPv6 address, TCP or UDP source and destination port number, as applicable.

Load-Balancing Algorithm for the NetIron MLX and SLX platforms

The load-balancing algorithms used in our NetIron MLX switches uses a modulo operation, leading to the best distribution over links with the entropy available in source and destination IPv4 or IPv6 address, TCP or UDP source and destination port number, as applicable.

LACP & AMS-IX Topology

LACP is supported at AMS-IX for all connection types. When used with 10Gbit/s and 100Gbit/s links (where available) use of LACP does introduce an inconvenient side effect. After a topology failover ports with LACP enabled will stay in blocking mode until the first LACP frame is received. Because this may take several tens of second (depending on vendor implementation) this can cause BGP sessions to flap.

When enabling LACP we advise to configure the LACP timeout to short, to limit the maximum failover time to 3 seconds.

LACP & AMS-IX Topology

LACP is supported at AMS-IX for all connection types. When used with 10Gbit/s and 100Gbit/s links (where available) use of LACP does introduce an inconvenient side effect. After a topology failover ports with LACP enabled will stay in blocking mode until the first LACP frame is received. Because this may take several tens of second (depending on vendor implementation) this can cause BGP sessions to flap.

When enabling LACP we advise to configure the LACP timeout to short, to limit the maximum failover time to 3 seconds.

Configuration Hints

We have collected information about link aggregation for several router platforms in our configuration guide.

Configuration Hints

We have collected information about link aggregation for several router platforms in our configuration guide.

Quarantine VLAN

AMS-IX has implemented a feature called “Quarantine VLAN” whereby all new ports are placed in a separate VPLS instance, which is used for testing purposes. before the customer connection is moved to the production environment.

Quarantine VLAN

AMS-IX has implemented a feature called “Quarantine VLAN” whereby all new ports are placed in a separate VPLS instance, which is used for testing purposes. before the customer connection is moved to the production environment.

What is a Quarantine VLAN?

A quarantine VLAN is a VPLS instance on the AMS-IX switch containing the following:

  • (new) customer ports
  • AMS-IX monitoring system

The monitoring system sniffs all broadcast, multicast and unknown unicast in the quarantine VLAN.

Q: What is a Quarantine VLAN?

A quarantine VLAN is a VPLS instance on the AMS-IX switch containing the following:

  • (New) customer ports
  • AMS-IX monitoring system

The monitoring system sniffs all broadcast, multicast and unknown unicast in the quarantine VLAN.

Why have Quarantine VLANs?

AMS-IX defines a fairly strict set of allowed traffic types on the peering LANs. Not all routers (and intermediate L2 devices) adhere to these guidelines; they typically have various protocols turned on by default such as CDP, EDP, STP, DEC MOP, etc., or they present more than one MAC address to the platform. These misbehaving/misconfigured devices potentially endanger the stability of the peers and/or switching platform. Hence, we cannot allow them on the peering LANs.Rather than act reactively once a customer port is in production, we prefer to detect and fix these issues beforehand. Therefore, we introduced the concept of a quarantine VLAN. Once a customers router is connected and the port is up, we can quickly see if it adheres to the rules. If not, the violating traffic does not harm the rest of the platform.

Q: Why have Quarantine VLANs?

AMS-IX defines a fairly strict set of allowed traffic types on the peering LANs. Not all routers (and intermediate L2 devices) adhere to these guidelines; they typically have various protocols turned on by default such as CDP, EDP, STP, DEC MOP, etc., or they present more than one MAC address to the platform. These misbehaving/misconfigured devices potentially endanger the stability of the peers and/or switching platform. Hence, we cannot allow them on the peering LANs.

Rather than act reactively once a customer port is in production, we prefer to detect and fix these issues beforehand. Therefore, we introduced the concept of a quarantine VLAN. Once a customers router is connected and the port is up, we can quickly see if it adheres to the rules. If not, the violating traffic does not harm the rest of the platform.

Q: When do you use Quarantine VLANs?

New ports are always put into a quarantine VLAN first. This also is the case for upgrades, downgrades and relocations.

In addition to the above, existing customer ports may be moved into quarantine VLAN if they violate the allowed traffic types. Please note that this is only done in extreme cases.

When do you use Quarantine VLANs?

New ports are always put into a quarantine VLAN first. This also is the case for upgrades, downgrades and relocations.

In addition to the above, existing customer ports may be moved into quarantine VLAN if they violate the allowed traffic types. Please note that this is only done in extreme cases.

Q: How do I get out of a Quarantine VLAN?

If your port is moved into Quarantine the AMS-IX NOC will notify you for this. If the reason is because you are sending illegal traffic, your configuration should be updated accordingly. Once you are confident the port adheres to the rules please contact the AMS-IX NOC and request the port be put back in production. The NOC will check the port's behaviour again. If all is fine, the port will be moved (back) into production. If not, we will notify you with details of the problem.

How do I get out of a Quarantine VLAN?

If your port is moved into Quarantine the AMS-IX NOC will notify you for this. If the reason is because you are sending illegal traffic, your configuration should be updated accordingly. Once you are confident the port adheres to the rules please contact the AMS-IX NOC and request the port be put back in production. The NOC will check the port's behaviour again. If all is fine, the port will be moved (back) into production. If not, we will notify you with details of the problem.

sFlow at AMS-IX

To analyse and optimise high speed networks, an efficient monitoring system is required. AMS-IX uses sFlow for its traffic analysis.

sFlow at AMS-IX

To analyse and optimise high speed networks, an efficient monitoring system is required. AMS-IX uses sFlow for its traffic analysis.

Introduction

sFlow is a standard to capture traffic data in switched or routed networks. It uses a sampling technology to collect statistics from the device and is for that reason applicable to gigabit speeds or higher. Due to it being an open standard, described in RFC 3176, it is implemented on a wide range of devices, like the AMS-IX Brocade/Extreme switches.

The sFlow agent (Brocade/Extreme switch) supports two forms of operation:

  • time-based sampling of counters
  • packet-based sampling of ethernet frames

The counter samples provide exactly the same information AMS-IX uses for its traffic statistics now, therefore the sFlow implementation at AMS-IX makes use of the packet-based samples (called flowsamples) to provide additional analysis of the exchanged traffic.

Introduction

sFlow is a standard to capture traffic data in switched or routed networks. It uses a sampling technology to collect statistics from the device and is for that reason applicable to gigabit speeds or higher. Due to it being an open standard, described in RFC 3176, it is implemented on a wide range of devices, like the AMS-IX Brocade/Extreme switches.

The sFlow agent (Brocade/Extreme switch) supports two forms of operation:

  • time-based sampling of counters
  • packet-based sampling of ethernet frames

The counter samples provide exactly the same information AMS-IX uses for its traffic statistics now, therefore the sFlow implementation at AMS-IX makes use of the packet-based samples (called flowsamples) to provide additional analysis of the exchanged traffic.

Packet Based Sampling

Based on a defined sampling rate, one out of N frames from the incoming traffic for each interface gets sampled and sent to a central server which is statistically analyzing the traffic. If we see one packet out of N, we assume that all the N-1 packets we haven't seen are the same type and size.

Packet Based Sampling

Based on a defined sampling rate, one out of N frames from the incoming traffic for each interface gets sampled and sent to a central server which is statistically analyzing the traffic. If we see one packet out of N, we assume that all the N-1 packets we haven't seen are the same type and size.

Note: this type of sampling does not provide 100% accurate results.

Note: this type of sampling does not provide 100% accurate results.

Without sampling technology, packet analysis on a network with a throughput like AMS-IX would not be possible. For more detailed information about the accuracy of packed based sampling see the documents on the official sFlow website.

Without sampling technology, packet analysis on a network with a throughput like AMS-IX would not be possible. For more detailed information about the accuracy of packed based sampling see the documents on the official sFlow website.

Software

The sFlow samples on the server get analysed by software developed at AMS-IX. The software package is written in PERL and based on the sFlow decoding module Net::sFlow.

Software

The sFlow samples on the server get analysed by software developed at AMS-IX. The software package is written in PERL and based on the sFlow decoding module Net::sFlow.

Note: While the sFlow packet format supports sampling of IP and TCP/UDP flows, our software only looks at Layer-2 (Ethernet) fields. We neither process nor store flow information from higher layer protocols.

Note: While the sFlow packet format supports sampling of IP and TCP/UDP flows, our software only looks at Layer-2 (Ethernet) fields. We neither process nor store flow information from higher layer protocols.

IPv6 Numbering Scheme

Here is some detailed information about IPv6 Numbering Scheme at AMS-IX.

IPv6 Numbering Scheme

Here is some detailed information about IPv6 Numbering Scheme at AMS-IX.

ISP LAN

The IPv6 set-up on the AMS-IX ISP peering LAN is as follows:

  • The prefix in use is: 2001:7f8:1::/64
  • The prefix is sourced from AS1200.
  • The prefix is tagged with the no-export community and should not be announced outside of your AS.

The suffix (‘allocation’) scheme for 16 bits ASNs is as follows:

A50 x:xxxx:n

The suffix (‘allocation’) scheme for 32 bits ASNs is as follows:

A500 :xx:xxxx:n

Here, "x:xxxx" or “xx:xxxx” is your (zero-padded) AS number in decimals and “n” is a serial number depending on the number of interfaces you are using for IPv6 peerings (starting from 1 for the first interface, 2 for the second interface and so on).

Examples:

AMS-IX uses AS1200 (zero-padded: 001200), so its IPv6 peering addresses are:

2001:7f8:1::A500:1200:1/64
2001:7f8:1::A500:1200:2/64

A member with a 16-bit ASN of 64523 would use:

2001:7f8:1::A506:4523:1/64
2001:7f8:1::A506:4523:2/64
...

A member with a 32-bit ASN of 195000 would use:

2001:7f8:1::A500:19:5000:1/64
2001:7f8:1::A500:19:5000:2/64
...

ISP LAN

The IPv6 set-up on the AMS-IX ISP peering LAN is as follows:

  • The prefix in use is: 2001:df0:296::/64
  • The prefix is sourced from AS58516.
  • The prefix is tagged with the no-export community and should not be announced outside of your AS.

The suffix (‘allocation’) scheme for 16 bits ASNs is as follows:

A50 x:xxxx:n

The suffix (‘allocation’) scheme for 32 bits ASNs is as follows:

A500 :xx:xxxx:n

Here, "x:xxxx" or “xx:xxxx” is your (zero-padded) AS number in decimals and “n” is a serial number depending on the number of interfaces you are using for IPv6 peerings (starting from 1 for the first interface, 2 for the second interface and so on).

Examples:

AMS-IX uses AS58516 (zero-padded; 058516 ), so its IPv6 peering address is:

2001:df0:296::A505:8516:1

A member with a 16-bit ASN of 64523 would use:

2001:df0:296::A506:4523:1/64

2001:df0:296::A506:4523:2/64

...

A member with a 32-bit ASN of 195000 would use:

2001:df0:296::A500:19:5000:1/64
2001:df0:296::A500:19:5000:2/64
...

GRX LAN

The IPv6 set-up on the AMS-IX GRX peering LAN is as follows:

  • The prefix in use is: 2001:7f8:86:1::/64
  • The prefix is sourced from AS64523.
  • The prefix is tagged with the no-export community and should not be announced outside of your AS.

The suffix (‘allocation’) scheme for 16 bits ASNs is as follows:

A50 x:xxxx:n

The suffix (‘allocation’) scheme for 32 bits ASNs is as follows:

A500 :xx:xxxx:n

Here, "x:xxxx" or “xx:xxxx” is your (zero-padded) AS number in decimals and “n” is a serial number depending on the number of interfaces you are using for IPv6 peerings (starting from 1 for the first interface, 2 for the second interface and so on).

Examples:

AMS-IX uses AS1200 (zero-padded: 001200), so its IPv6 peering addresses are:

2001:7f8:86:1::A500:1200:1/64
2001:7f8:86:1::A500:1200:2/64

A member with a 16-bit ASN of 64523 would use:

2001:7f8:86:1::A506:4523:1/64
2001:7f8:86:1::A506:4523:2/64
...

A member with a 32-bit ASN of 195000 would use:

2001:7f8:86:1:A500:19:5000:1/64
2001:7f8:86:1:A500:19:5000:2/64
...

-

IPv6 Peerings

If you want to implement IPv6 peerings on the AMS-IX:

  • Please login to my.ams-ix.net, navigate to your connections, click the "Show" button next to the connection you wish to enable IPv6 for, and under the IPv6 Router section press the "Request new IPv6 Router” button. An IPv6 address will be assigned to you following the IPv6 numbering scheme (see above). Once the IPv6 address is assigned you configure your router interface(s) accordingly.
  • Invite peers. The AMS-IX Members List also lists which members use IPv6.

IPv6 Peerings

If you want to implement IPv6 peerings on the AMS-IX:

  • Please login to my.ams-ix.net, navigate to your connections, click the "Show" button next to the connection you wish to enable IPv6 for, and under the IPv6 Router section press the "Request new IPv6 Router” button. An IPv6 address will be assigned to you following the IPv6 numbering scheme (see above). Once the IPv6 address is assigned you configure your router interface(s) accordingly.
  • Invite peers. The AMS-IX Members List also lists which members use IPv6.

AS1200 peering

AS1200 is AMS-IX's administrative LAN. Peering is, of course, not mandatory but we highly recommend setting up redundant BGP peering sessions for the following reasons:

  • Event Correlation
    AMS-IX NOC can handle troubleshooting requests more efficiently as long as it has a reference point. Having redundant BGP sessions established to routers situated in separate colocations that we directly administer can be a significant aid.
  • We are one of AMS-IX's peers!
    Peering with AS1200 means that traffic can be exchanged directly between our administrative LAN and you, eliminating the need to be routed via third parties. Advertising no prefixes at all is acceptable.

AS58516 peering

AS58516 is AMS-IX's administrative LAN. Peering is, of course, not mandatory but we highly recommend setting up redundant BGP peering sessions for the following reasons:

  • Event Correlation
    AMS-IX NOC can handle troubleshooting requests more efficiently as long as it has a reference point. Having redundant BGP sessions established to routers situated in separate colocations that we directly administer can be a significant aid.
  • We are one of AMS-IX's peers!
    Peering with AS58516 means that traffic can be exchanged directly between our administrative LAN and you, eliminating the need to be routed via third parties. Advertising no prefixes at all is acceptable.

Router details

rtr-eun-01.ams-ix.netrtr-glo-02.ams-ix.net
ASN
12001200
IPv4
80.249.208.180.249.209.1
IPv62001:7f8:1::A500:1200:12001:7f8:1::A500:1200:2
PlatformCiscoCisco


Router details

wan-itm-01.ams-ix.hk
ASN
58516
IPv4
103.247.139.1
IPv62001:df0:296::A505:8516:1
PlatformJuniper

Relevant IRR objects for peers that hold BGP sessions with AS1200 border routers:

  • AS1200:AS-AMS-IX-PEERS (List of networks peering directly with AS1200)

Relevant IRR objects for peers that hold BGP sessions with AS1200 border routers:

  • AS1200:AS-AMS-IX-PEERS (List of networks peering directly with AS1200)

Peering configuration guide

This section describes the necessary steps to set up a peering with the AMS-IX ASN (AS1200). Also shown is a sample Cisco router configuration.

In case of questions, please contact AMS-IX NOC.


1. Add the peer

In the "router bgp xxx" configuration section of your router that is attached to the AMS-IX shared medium you should add two peers: the AS1200 routers at AMS-IX.

neighbor 80.249.208.1 remote-as 1200
neighbor 80.249.208.1 version 4
neighbor 80.249.208.1 filter-list 31 in
neighbor 80.249.208.1 filter-list 32 out
neighbor 80.249.208.1 next-hop-self
neighbor 80.249.209.1 remote-as 1200
neighbor 80.249.209.1 version 4
neighbor 80.249.209.1 filter-list 31 in
neighbor 80.249.209.1 filter-list 32 out
neighbor 80.249.209.1 next-hop-self

Adjust the numbers of the AS path filter-lists according to your own preferences.

Optional:
Configure the peer-group
You only need to do this if you use peer-groups based on peer location. Where possible, AMS-IX peering routers are located at different co-locations.

neighbor 80.249.208.1 peer-group IPV4-PEERS-A
neighbor 80.249.209.1 peer-group IPV4-PEERS-B

2. Add the access-lists

Make sure the AS path filter-lists are set up such that you only permit routes with the AMS-IX Autonomous System Number from AS1200 and that you announce any routes you care to share to the AMS-IX router.

ip as-path access-list 31 permit ^(1200_)+$


ip as-path access-list 32 permit ^my-AS$
ip as-path access-list 32 permit my-Customer-1$
ip as-path access-list 32 permit my-Customer-2$
...

Please make sure you use the same numbers of AS path filter-lists in Steps 1 & 2.

3. Request the peering

After you have configured your end of the peering, the AMS-IX side needs to be configured.

We are offering the ability to request this peering service via my.ams-ix.net portal.
Please login to my.ams-ix.net, navigate to your connections, click the "Show" button next to the connection you wish to enable the peering for, and under the IPv4 and/or IPv6 Router section press the "Enable AMS-IX peering" button.
Please note that the sessions will be configured and activated within one hour. You will be notified when the peering is up.

In case of a problem, please contact AMS-IX NOC to state the issue that you are facing. Please include the following details in your e-mail message:

• Company name
• IP address of router at AMS-IX
• ASN that the router at AMS-IX resides in


4. Update your aut-num: object in the RIPE database

Your peering with AS1200 should be registered in the Internet Routing Registry at the RIPE NCC, just like all your other peerings. You can use the template below. Please adjust the cost in the “import” clause according to your own needs and put the correct AS set(s) in the “export” clause

import: from AS1200
action pref=100;
accept AS1200
export: to AS1200
announce MY-AS-SET

Peering configuration guide

This section describes the necessary steps to set up a peering with the AMS-IX ASN (AS58516). Also shown is a sample Cisco router configuration.

In case of questions, please contact AMS-IX NOC.


1. Add the peer

In the "router bgp xxx" configuration section of your router that is attached to the AMS-IX shared medium you should add two peers: the AS58516 routers at AMS-IX.

neighbor 103.247.139.1 remote-as 58516
neighbor 103.247.139.1 version 4
neighbor 103.247.139.1 filter-list 31 in
neighbor 103.247.139.1 filter-list 32 out
neighbor 103.247.139.1 next-hop-self

Adjust the numbers of the AS path filter-lists according to your own preferences.

Optional:
Configure the peer-group
You only need to do this if you use peer-groups based on peer location. Where possible, AMS-IX peering routers are located at different co-locations.

neighbor 103.247.139.1 peer-group IPV4-PEERS-A

2. Add the access-lists

Make sure the AS path filter-lists are set up such that you only permit routes with the AMS-IX Autonomous System Number from AS58516 and that you announce any routes you care to share to the AMS-IX router.

ip as-path access-list 31 permit ^(58516_)+$


ip as-path access-list 32 permit ^my-AS$
ip as-path access-list 32 permit my-Customer-1$
ip as-path access-list 32 permit my-Customer-2$
...

Please make sure you use the same numbers of AS path filter-lists in Steps 1 & 2.

3. Request the peering

After you have configured your end of the peering, the AMS-IX side needs to be configured.

We are offering the ability to request this peering service via my.ams-ix.net portal.

Please login to my.ams-ix.net, navigate to your connections, click the "Show" button next to the connection you wish to enable the peering for, and under the IPv4 and/or IPv6 Router section press the "Enable AMS-IX peering" button.

Please note that the sessions will be configured and activated within one hour. You will be notified when the peering is up.

In case of a problem, please contact AMS-IX NOC to state the issue that you are facing. Please include the following details in your e-mail message:

• Company name
• IP address of router at AMS-IX
• ASN that the router at AMS-IX resides in


4: Update your aut-num: object in the RIPE database

Your peering with AS58516 should be registered in the Internet Routing Registry at the RIPE NCC, just like all your other peerings. You can use the template below. Please adjust the cost in the “import” clause according to your own needs and put the correct AS set(s) in the “export” clause

import: from AS58516
action pref=100;
accept AS58516
export: to AS58516
announce MY-AS-SET

Note:

The above is only an example. In general, you want to configure outgoing access list to only announce your (and your customer's) routes. If you plan on sending us a full routing table, please let us know in advance. We will use best routes for transit.Also, please do not announce AS58516 advertisements to non-customers without our explicit approval.

Note:

The above is only an example. In general, you want to configure outgoing access list to only announce your (and your customer's) routes. If you plan on sending us a full routing table, please let us know in advance. We will use best routes for transit.Also, please do not announce AS1200 advertisements to non-customers without our explicit approval.

Controlling ARP Traffic on AMS-IX platform

Controlling ARP Traffic on AMS-IX platform.

Controlling ARP Traffic on AMS-IX platform

Controlling ARP Traffic on AMS-IX platform.

1. ARP (Address Resolution Protocol)

ARP (Address Resolution Protocol) is the Layer-2 protocol used by AMS-IX member's router to associate IPv4 address with the MAC address of peers interfaces. Learn more about ARP here.

1. ARP (Address Resolution Protocol)

ARP (Address Resolution Protocol) is the Layer-2 protocol used by AMS-IX member's router to associate IPv4 address with the MAC address of peers interfaces. Learn more about ARP here.

2. Problems caused by too much ARP traffic

On Ethernet networks, the Address Resolution Protocol (ARP) is used to find the MAC-address for a given IPv4 address. ARP uses Ethertype 0x0806 together with Ethernet broadcasting. A node will broadcast an ARP Request packet to ask for the MAC address of an unknown IPv4 address. The node using the requested IP address replies (using regular unicast) with an ARP Reply packet, which includes its MAC address. In order to work, it is important that all nodes using IPv4 listen for ARP packets and reply to them if necessary.

The nodes therefore need to process all Ethernet broadcast messages with Ethertype 0x0806. For each ARP packet, they must decide whether or not to reply. Processing ARP packets can take a lot of processing power. Because all ARP packets need to be examined in order for ARP to work, processing ARP packets may take precedence over other activities, depending on the Operating System. As such, when there is a lot of ARP traffic, routers may be unable to do other processing tasks like maintaining BGP sessions.

This problem was noticed on AMS-IX when the ISP peering LAN was renumbered to new IPv4 addresses. Members in the new IPv4 range were trying to reach members in the old IPv4range and vice versa. Larger amounts of ARP packets than usual crossed the network, consuming all available processing power on some customer routers, not leaving enough resources to process BGP in a timely manner, resulting in lost BGP sessions. Also, routers trying to re-establish old BGP sessions started sending ARP packets, resulting in an ARP storm that caused even more problems on customer equipment.

2. Problems caused by too much ARP traffic

On Ethernet networks, the Address Resolution Protocol (ARP) is used to find the MAC-address for a given IPv4 address. ARP uses Ethertype 0x0806 together with Ethernet broadcasting. A node will broadcast an ARP Request packet to ask for the MAC address of an unknown IPv4 address. The node using the requested IP address replies (using regular unicast) with an ARP Reply packet, which includes its MAC address. In order to work, it is important that all nodes using IPv4 listen for ARP packets and reply to them if necessary.

The nodes therefore need to process all Ethernet broadcast messages with Ethertype 0x0806. For each ARP packet, they must decide whether or not to reply. Processing ARP packets can take a lot of processing power. Because all ARP packets need to be examined in order for ARP to work, processing ARP packets may take precedence over other activities, depending on the Operating System. As such, when there is a lot of ARP traffic, routers may be unable to do other processing tasks like maintaining BGP sessions.

This problem was noticed on AMS-IX when the ISP peering LAN was renumbered to new IPv4 addresses. Members in the new IPv4 range were trying to reach members in the old IPv4range and vice versa. Larger amounts of ARP packets than usual crossed the network, consuming all available processing power on some customer routers, not leaving enough resources to process BGP in a timely manner, resulting in lost BGP sessions. Also, routers trying to re-establish old BGP sessions started sending ARP packets, resulting in an ARP storm that caused even more problems on customer equipment.

3. ARP Sponge – the AMS-IX solution

To help routers survive heavy ARP traffic, AMS-IX tries to keep the amount of ARP traffic to a minimum. For this purpose, AMS-IX developed a daemon, written in Perl, called ARP Sponge. The ARP Sponge daemon listens on the ISP peering LAN for ARP traffic. When the number of ARP Requests for a certain IP address exceeds a threshold, the ARP Sponge sends out an ARP Reply for that IP address using its own MAC address. From that moment, the IP address is sponged: all traffic to that node is sent to the ARP Sponge. This prevents ARP storms because it keeps the amount of ARP traffic limited.

When the interface of a sponged IP address comes up again, it generally sends out a gratuitous ARP request packet. This is an ARP packet with both source and destination IP address set to the IP address of the node sending the packet. It is used mostly in case the MAC-address changed, so that other nodes can update their ARP caches. When the ARP Sponge receives any traffic from a sponged IP address (including but not limited to gratuitous ARP requests, ARP requests for other nodes, BGP peering initiations, etc.), it ceases sponging the IP address, thus no longer sending out ARP replies for that IP address.

Current AMS-IX ARP Sponge MAC address is : 00:25:90:0a:0a:bd

3. ARP Sponge – the AMS-IX solution

To help routers survive heavy ARP traffic, AMS-IX tries to keep the amount of ARP traffic to a minimum. For this purpose, AMS-IX developed a daemon, written in Perl, called ARP Sponge. The ARP Sponge daemon listens on the ISP peering LAN for ARP traffic. When the number of ARP Requests for a certain IP address exceeds a threshold, the ARP Sponge sends out an ARP Reply for that IP address using its own MAC address. From that moment, the IP address is sponged: all traffic to that node is sent to the ARP Sponge. This prevents ARP storms because it keeps the amount of ARP traffic limited.

When the interface of a sponged IP address comes up again, it generally sends out a gratuitous ARP request packet. This is an ARP packet with both source and destination IP address set to the IP address of the node sending the packet. It is used mostly in case the MAC-address changed, so that other nodes can update their ARP caches. When the ARP Sponge receives any traffic from a sponged IP address (including but not limited to gratuitous ARP requests, ARP requests for other nodes, BGP peering initiations, etc.), it ceases sponging the IP address, thus no longer sending out ARP replies for that IP address.

Current AMS-IX ARP Sponge MAC address is : c6:17:44:26:e8:87

4. Common Issue with IPv4 addresses after being sponged by ARP Sponge

* Unable to exchange traffic with AMS-IX peers when IPv4 address comes up after being inactive for a period of time

If a IPv4 is sponged, it means that in the members ARP tables, the ARP entry for this IP is registered with the ARP sponge MAC address. After the IPv4 is again reachable again and being "un-sponged", the ARP table of peers might not be updated fast enough with the customer’s MAC address, result in traffic from these peers toward the recovered IP still being forward to the sponged MAC address.

For instance, if the IP 80.249.208.1 of member A with MAC address AAAA.AAAA.AAA is sponged with the sponged MAC address EEEE.EEEE.EEEE, then member B ARP entry for the address will be 80.249.208.1 - EEEE.EEEE.EEE. After the member A recovers, it send traffics toward member B, but member B ARP entry is not yet updated with the original address AAAA.AAAA.AAAA, then traffic will be ended up sending to EEEE.EEEE.EEEE, until member B updates the ARP entry.

This issue should be automatically resolved after a certain period of time, after the daemon stop replying to ARP reply for this IP and let the un-sponged IP and peers update ARP entries themselves.

The issue is more noticeable with members that only have peering sessions with the AMS-IX route-servers. If members do not have peering sessions with route-servers, BGP sessions with peers must be brought up one-by-one and ARP entries are sure to be updated through the BGP initialisation process. Subsequently, traffic will be properly forwarded and received from each peers. However, if the newly "un-sponged" member only has peering sessions with route-servers, and after recovery establishes BGP sessions and receives AMS-IX peers prefixes from there, there could be a case that traffic is forwarded to the next hop IP of peers that still have the spoofed ARP entries.

Therefore, AMS-IX NOC recommend members that have their IPv4 address being unreachable for prolonged period of time (so it is certainly sponged), to temporary shutdown peering with route-servers and send gratuitous ARP request to update peer's ARP tables.

4. Common Issue with IPv4 addresses after being sponged by ARP Sponge

* Unable to exchange traffic with AMS-IX peers when IPv4 address comes up after being inactive for a period of time

If a IPv4 is sponged, it means that in the members ARP tables, the ARP entry for this IP is registered with the ARP sponge MAC address. After the IPv4 is again reachable again and being "un-sponged", the ARP table of peers might not be updated fast enough with the customer’s MAC address, result in traffic from these peers toward the recovered IP still being forward to the sponged MAC address.

For instance, if the IP 80.249.208.1 of member A with MAC address AAAA.AAAA.AAA is sponged with the sponged MAC address EEEE.EEEE.EEEE, then member B ARP entry for the address will be 80.249.208.1 - EEEE.EEEE.EEE. After the member A recovers, it send traffics toward member B, but member B ARP entry is not yet updated with the original address AAAA.AAAA.AAAA, then traffic will be ended up sending to EEEE.EEEE.EEEE, until member B updates the ARP entry.

This issue should be automatically resolved after a certain period of time, after the daemon stop replying to ARP reply for this IP and let the un-sponged IP and peers update ARP entries themselves.

The issue is more noticeable with members that only have peering sessions with the AMS-IX route-servers. If members do not have peering sessions with route-servers, BGP sessions with peers must be brought up one-by-one and ARP entries are sure to be updated through the BGP initialisation process. Subsequently, traffic will be properly forwarded and received from each peers. However, if the newly "un-sponged" member only has peering sessions with route-servers, and after recovery establishes BGP sessions and receives AMS-IX peers prefixes from there, there could be a case that traffic is forwarded to the next hop IP of peers that still have the spoofed ARP entries.

Therefore, AMS-IX NOC recommend members that have their IPv4 address being unreachable for prolonged period of time (so it is certainly sponged), to temporary shutdown peering with route-servers and send gratuitous ARP request to update peer's ARP tables.

Acknowledgement

The ARP sponge explanation section is an excerpt from the report of Marco Wessel and Niels Sijm from Universiteit van Amsterdam in 2009, after they did the research about effect of IPv4 and IPv6 address solution on AMS-IX platform and the ARP sponge during their course for Master in System and Network Engineering.

Acknowledgement

The ARP sponge explanation section is an excerpt from the report of Marco Wessel and Niels Sijm from Universiteit van Amsterdam in 2009, after they did the research about effect of IPv4 and IPv6 address solution on AMS-IX platform and the ARP sponge during their course for Master in System and Network Engineering.

Subscribe to our newsletter

Got a question?