Port Configuration
Port configuration requirements for members
Built Secure
With our roots in cyber-security, we would like to do our part to create
a more secure and more reliable internet.
To achieve this, we have several requirements and security measures in place that ensure secure
operation of our platform and create a great environment to exchange traffic.
Media Configuration
To ensure reliable services, the physical media must be set up correctly on your interface towards ERA-IX:
- Auto-negotiation: Disabled (speed forced to physical media speed).
- MTU (L3): 1500 Bytes
Allowed Traffic
For optimal hygiene in our peering LAN, only the following ether types are allowed to enter our peering LAN:
- 0x0800: IPv4, IPv4 internet traffic.
- 0x0806: ARP, ARP for IPv4.
- 0x08DD: IPv6, IPv6 internet traffic.
Ether types not present in this list are strictly forbidden and will be dropped by our platform.
Link-local Protocols
Any link-local protocols must be disabled on the interface towards ERA-IX (such as LLDP, CDP, STP, flow-control).
Mac-address Security
We maintain an exact record of which MAC address belongs where on
our network.
When you get connected, ERA-IX will record the MAC address during the testing phase.
MAC address changes must always be communicated so that the administrative records can be
updated.
Any traffic originating from a MAC address that is not explicitly administered will be dropped by
our platform.
When our peering LAN has to traverse multiple switches inside the member's network, ensure that
intermediary switches do not send out any packets of their own and that no packets not destined for
the peering LAN end up being sent to ERA-IX.
ARP Security
The member's router must not reply to ARP requests not destined for its assigned IP address (disable proxy-arp) and must only configure the IP address assigned to it by ERA-IX. Any violating ARP packets which do not match our administrative records will be dropped and an incident will be logged for review.
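The matching of ARP packets against administrative records described under Mac-address Security and ARP Security can be illustrated as follows. This is an added example, not ERA-IX's implementation: the record table, the function names and the 192.0.2.0/24 addresses are constructed assumptions, and a member could run the same checks against a capture of their own port before connecting.

```python
import ipaddress
import struct

# Constructed administrative records: registered MAC -> assigned peering-LAN IP.
# 192.0.2.0/24 is a documentation range, not a real ERA-IX assignment.
RECORDS = {
    "02:00:00:00:00:0a": "192.0.2.10",
    "02:00:00:00:00:0b": "192.0.2.11",
}

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def check_arp_frame(frame, records=RECORDS):
    """Return the list of violations for one untagged Ethernet frame carrying ARP."""
    if len(frame) < 42:
        return ["truncated frame"]
    eth_src = mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != 0x0806:
        return ["not ARP"]
    htype, ptype, hlen, plen, _oper, sha, spa, _tha, _tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return ["not Ethernet/IPv4 ARP"]
    violations = []
    assigned = records.get(eth_src)
    if assigned is None:
        violations.append("source MAC not in records")
    if mac(sha) != eth_src:
        violations.append("ARP sender MAC differs from Ethernet source")
    sender_ip = str(ipaddress.IPv4Address(spa))
    # A proxy-arp reply carries someone else's IP as sender IP and is caught here.
    if assigned is not None and sender_ip != assigned:
        violations.append(f"sender IP {sender_ip} is not the assigned {assigned}")
    return violations

def build_arp(eth_src, sha, spa, tpa, oper=2):
    """Build a constructed broadcast ARP frame (sample input only)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    eth = b"\xff" * 6 + raw(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
    return eth + arp + raw(sha) + ip(spa) + b"\x00" * 6 + ip(tpa)
```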
Route-server Filtering
By default, for all members, our route-servers are configured to drop IRR Invalid and RPKI Invalid routes. IRR is based on the AS-SET of the member and registrars enabled at ERA-IX's discretion to provide optimal security with minimum interference. IRR filters are refreshed automatically once per hour on our route-servers.
Peering LAN route propagation
Announcing our peering LAN prefixes to the internet is prohibited, and
members must maintain a correct routing policy to ensure the route is not advertised to the
DFZ.
We strongly recommend not importing the peering LAN into your IGP, to prevent accidental
propagation and unwanted traffic from being sent to the peering LAN.