Port Security at AMS-IX

Network Loops

The greatest danger to any Ethernet network is a loop. Unless countermeasures are taken, a loop will instantly bring down the network: broadcasts are looped back into the network, creating duplicates and loading the CPUs of all connected equipment, or in the worst case producing self-sustaining broadcast storms, as broadcasts are fed back in on another port and sent out on the first port again.

L2 ACLs

AMS-IX uses Layer 2 access control lists to combat network loops. This feature limits the MAC addresses that can be learned behind a port and drops frames whose source MAC address is not one of the originally configured address(es).

Implementation

The AMS-IX Connection Agreement allows one router to be connected to a port sold to a member/customer. The MAC address is configured once the customer network's routing equipment has proven to be suitably configured for connection to the AMS-IX switching fabric and the port is taken out of quarantine status; from then on that MAC address stays locked on the port, and no frames with a different source MAC address are allowed to enter the platform.

MAC Address Changes

If you swap routers or change interfaces or otherwise expect a change in MAC address, please contact the AMS-IX NOC by email to advise them of your new MAC address, preferably a day in advance, so the L2 ACLs can be updated. During an emergency outside office hours you can contact the AMS-IX NOC by telephone for immediate resolution.

Port Flap Dampening

In addition to per-port L2 ACLs, AMS-IX also implements port flap dampening on all customer-facing interfaces. If a port transitions from an Up to a Down state and back more than three times in five seconds, the port is disabled. After ten seconds it is automatically re-enabled.
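The two port protections described above, the per-port L2 ACL and the port flap dampening, in one small simulation. This is an added illustration, not AMS-IX code; the `CustomerPort` class, its event format and the sample MAC addresses are constructed for the example, while the thresholds (more than three Up/Down cycles in five seconds, ten seconds until re-enable) are the ones stated on this page.

```python
from collections import deque


class CustomerPort:
    """Customer-facing port with an L2 ACL and flap dampening (constructed example)."""
    FLAP_LIMIT = 3      # more than this many Up->Down->Up cycles ...
    FLAP_WINDOW = 5.0   # ... within this many seconds disables the port
    HOLD_DOWN = 10.0    # seconds until the port is automatically re-enabled

    def __init__(self, allowed_macs):
        # L2 ACL: the member's configured MAC(s); any other source MAC is dropped
        self.allowed = {m.lower() for m in allowed_macs}
        self.link_up = True
        self.disabled_until = None  # time at which dampening releases the port
        self.flaps = deque()        # timestamps of recent Down->Up transitions

    def filter_frame(self, src_mac):
        """True if the frame may enter the fabric, False if the ACL drops it."""
        return src_mac.lower() in self.allowed

    def link_event(self, t, up):
        """Record a link state change at time t (seconds); True if the port
        is disabled by dampening after this event."""
        if self.disabled_until is not None and t >= self.disabled_until:
            self.disabled_until = None  # hold-down expired: re-enable the port
            self.flaps.clear()
        if up and not self.link_up:
            self.flaps.append(t)        # one completed Up->Down->Up cycle
        self.link_up = up
        while self.flaps and t - self.flaps[0] > self.FLAP_WINDOW:
            self.flaps.popleft()        # only flaps inside the window count
        if len(self.flaps) > self.FLAP_LIMIT and self.disabled_until is None:
            self.disabled_until = t + self.HOLD_DOWN
        return self.disabled_until is not None


def run_demo():
    """Constructed scenario: one stray source MAC, then four flaps in two seconds."""
    port = CustomerPort(["00:11:22:33:44:55"])  # constructed locked MAC
    acl = [port.filter_frame(m) for m in ("00:11:22:33:44:55", "00:11:22:33:44:56")]
    t, verdicts = 0.0, []
    for _ in range(4):                           # four Down/Up cycles, 0.5 s apart
        port.link_event(t, False)
        verdicts.append(port.link_event(t + 0.25, True))
        t += 0.5
    still_disabled = port.link_event(t + 5.0, True)   # inside the 10 s hold-down
    released = port.link_event(t + 10.0, True)        # hold-down has expired
    return acl, verdicts, still_disabled, released
```

`run_demo()` returns `([True, False], [False, False, False, True], True, False)`: the stray MAC is dropped, the fourth flap disables the port, and the port comes back only after the hold-down.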