AMS-IX has implemented a feature called “Quarantine VLAN” whereby all new ports are placed in their own separate VLAN, together with a monitor port.
|Q:||What is a Quarantine VLAN?|
|A:||A quarantine VLAN is a port VLAN on the AMS-IX switch containing two ports:
The monitoring system sniffs all broadcast, multicast and unknown unicast in the quarantine VLAN. Since there is only one other port in the LAN (the customers connection), this means it effectively sniffs all traffic coming from the customers port.
|Q:||Why have Quarantine VLANs?|
|A:||AMS-IX defines a fairly strict set of allowed traffic types on the peering LANs. Not all routers (and intermediate L2 devices) adhere to these guidelines; they typically have various protocols turned on by default such as CDP, EDP, STP, DEC MOP, etc., or they present more than one MAC address to the platform. These misbehaving/misconfigured devices potentially endanger the stability of the peers and/or switching platform. Hence, we cannot allow them on the peering LANs.
Rather than act reactively once a customer port is in production, we prefer to detect and fix these issues beforehand. Therefore, we introduced the concept of a quarantine VLAN. Once a customers router is connected and the port is up, we can quickly see if it is ‘clean’ (i.e. adheres to the rules). If it is not, the violating traffic does not harm the rest of the platform.
|Q:||When do you use Quarantine VLANs?|
|A:||New ports are always put into a quarantine VLAN first. This also goes for upgrades, downgrades and relocations, but not for cases where an existing member connection is plugged into a new switch port. As a rule of thumb, anything that introduces new equipment into the switching fabric goes into quarantine first.
In addition to the above, existing customer ports may be put into quarantine if they violate the allowed traffic types. Please note that this is only done in extreme cases. For CDP, keepalive, MOP, etc. we notify the member repeatedly before moving to such drastic measures. In cases of continuous port security violations or STP traffic, we are likely to move quicker because of the potential danger to the platform.
|Q:||How do I get out of a Quarantine VLAN?|
|A:||If your port is put into Quarantine the AMS-IX NOC will notify you of this. If the reason is because you are sending illegal traffic, please fix your configuration. Once you are confident the port adheres to the rules please contact the AMS-IX NOC and request the port be put back in production. The NOC will check the port's behaviour again. If all is fine, the port is put (back) in production. If not, we will notify you with details of the problem.|