Port security at AMS-IX

Network Loops

The greatest danger to any Ethernet network is a loop. Unless countermeasures are taken, a loop will instantly bring down the network: broadcasts are fed back into the network, creating duplicates and loading the CPUs of all connected equipment, or in the worst case creating self-sustaining broadcast storms as broadcasts received on one port are sent out on another and looped back to the first port again.

Mitigation

Several mitigation strategies exist that can be deployed to detect network loops. The best known is probably Spanning Tree (STP, IEEE 802.1D). With this protocol, STP BPDUs are repeatedly multicast out of all ports, and links are disabled if the BPDUs are received back on the same or another port.

The main disadvantage of STP is that it is impossible to create an administrative boundary between two interconnected networks. In the case of AMS-IX this meant that whenever a customer connected his or her router via a layer-2 device that had STP enabled (or if later something changed in the customer's network), the whole platform would go through an STP topology change, sometimes even electing a new root bridge, with all the associated instabilities.

Port Security

AMS-IX uses a different technology to combat network loops: layer 2 access control lists (L2 ACLs). This feature limits the MAC addresses that can be learned behind a port, and drops frames whose source MAC address is not one of the originally configured address(es).

Implementation

The AMS-IX Connection Agreement allows one router to be connected to a port sold to a member/customer. The MAC address is configured once the customer network's routing equipment has proven to be suitably configured for connection to the AMS-IX switching fabric and the port is taken out of quarantine status. From then on that address stays locked on the port; no frames with a different source MAC address are allowed to enter the platform.

Since its introduction as port security in February 2003 (later implemented as L2 ACLs), this mechanism has protected the switching fabric from several potentially crippling network loops.

MAC Address Changes

If you swap routers, change interfaces, or otherwise expect a change in MAC address, please be advised that you can change, or even temporarily add, a second MAC address via our web portal. We recommend doing so a few hours in advance, so the L2 ACLs can be updated. Should you need any assistance, or in an emergency, you can always contact the AMS-IX NOC by email or telephone for immediate resolution.

Port Flap Dampening

In addition to port L2 ACLs, AMS-IX also implements port flap dampening on all customer facing interfaces. If a port transitions from an Up to a Down state and back more than three times in five seconds, the port is disabled. After ten seconds it is automatically re-enabled.
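As an added illustration of the dampening rule above, the following Python model (not AMS-IX's own code; the page does not describe the switch vendor's implementation) applies the stated thresholds of more than three flaps in five seconds and a ten-second hold-down to a constructed sequence of link-state events. The timestamps and the event format are assumptions made for the model.

```python
from collections import deque

FLAP_LIMIT = 3      # more than three Up->Down->Up cycles ...
FLAP_WINDOW = 5.0   # ... within five seconds disables the port
HOLD_DOWN = 10.0    # the port is re-enabled automatically after ten seconds

class FlapDampener:
    """Dampening state for one customer-facing port (constructed model).
    Timestamps are seconds; an event is ("up" | "down", t)."""

    def __init__(self):
        self.link_up = True
        self.flaps = deque()        # times of recent Down->Up transitions
        self.disabled_until = None  # set while the port is held down
        self.actions = []           # (t, "disabled" | "re-enabled")

    def poll(self, t):
        """Lift the hold-down once HOLD_DOWN seconds have elapsed."""
        if self.disabled_until is not None and t >= self.disabled_until:
            self.disabled_until = None
            self.flaps.clear()
            self.actions.append((t, "re-enabled"))
        return self.disabled_until is None

    def event(self, state, t):
        """Apply one link-state event; returns the port's resulting status."""
        if not self.poll(t):
            return "disabled"      # link events are ignored while held down
        if state == "down":
            self.link_up = False
            return "down"
        if not self.link_up:       # Down -> Up completes one flap
            self.link_up = True
            self.flaps.append(t)
            while t - self.flaps[0] > FLAP_WINDOW:   # sliding 5 s window
                self.flaps.popleft()
            if len(self.flaps) > FLAP_LIMIT:
                self.link_up = False                 # port is taken down
                self.disabled_until = t + HOLD_DOWN
                self.actions.append((t, "disabled"))
                return "disabled"
        return "up"

def simulate(events):
    """Run a constructed event list through one port; returns (statuses, actions)."""
    port = FlapDampener()
    statuses = [port.event(state, t) for state, t in events]
    return statuses, port.actions

# Constructed example: a link that flaps four times within two seconds.
FLAPPING = [("down", 0.5), ("up", 1.0), ("down", 1.5), ("up", 2.0),
            ("down", 2.5), ("up", 3.0), ("down", 3.5), ("up", 4.0),
            ("down", 6.0), ("up", 6.5), ("up", 14.0)]
```

Running `simulate(FLAPPING)` shows the port being disabled on the fourth flap at t=4.0, ignoring further events, and coming back at t=14.0.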