Configuration Guide

Peering

Technical Requirements

All members’ use of NL-ix infrastructure shall conform to the relevant standards as laid out in STD0001 and associated Internet standardisation documents.

Each participant’s network must have an ASN (Autonomous System Number) assigned by an appropriate LIR or Regional Internet Registry (RIR), being either ARIN, RIPE-NCC, APNIC or LACNIC. During the application process this assignment will be checked.

Physical

Ethernet ports into NL-ix are offered in the following configurations:

1GE – 1000Base-LX

10GE – 10GBASE-LR

Nx10GE – Link Aggregated

100GE – 100GBASE-LR4

Nx100GE – Link Aggregated

NL-ix only supports standard single-mode (10km 1310nm) optics by default. For an additional charge, customers may request specialized optics, including extended reach optics in any common 100 GHz DWDM or CWDM bands.

Options

By default, NL-ix Peering will be offered at line rate. **

1G/Nx10/Nx100G

**Other bandwidths available via our resellers

VLAN-tagging

Peering VLAN ports (VLAN 7) must always be tagged.

This differs per NL-ix service. For example, VPLSs are tagged by default, while VLLs are not tagged by default, only when you have multiple services on your NL-ix interface. We use industry-standard IEEE 802.1Q VLAN trunking; please see your vendor manual for information on how to tag your frames.

Media Access Control

Only 1 MAC address is permitted per IX port.

Allowed traffic

Frames forwarded to NL-ix must only have one of the following Ethertypes:

Any frames not matching the above Ethertypes will be discarded.

Not allowed traffic

The following traffic is explicitly not allowed on the NL-ix Peering VLAN 7:

  1. All broadcast and non-IP protocols must be disabled facing the IX fabric, or filtered in some way when disabling is not an option. These include, but are not limited to, forwarded DHCP, MOP, Ethernet Keepalives, LLDP, CDP (Cisco Discovery Protocol), VTP (VLAN Trunk Protocol), DTP (Dynamic Trunking Protocol), EIGRP (and other IGRPs), BOOTP, PIM, UDLD, NetBIOS and IPv6 Router Advertisements.
  2. IP/ICMP Redirects, IP Directed Broadcast and Proxy Protocols including Proxy ARP and IPv6 Proxy Neighbor must be disabled on IX facing interfaces.
  3. Layer-2 protocol traffic: spanning-tree must be disabled on IX facing interfaces.
  4. All Interior Gateway Protocols (IGPs, such as OSPF, IS-IS, RIP, etc.) must be disabled on IX facing interfaces.

Information Regarding MAC Filtering

As noted under the “Media Access Control” section above, NL-ix only permits 1 MAC address per port, so any intermediate switches should be made silent.

During turn up, customer’s routing equipment is put into quarantine status to check for common configuration mistakes and to prove that it is suitably configured to participate in the peering fabric. Once verified, customer is placed out of quarantine, moved into production VLAN, and the MAC address of customer’s routing equipment will be noted and configured. The configured MAC address will stay locked and enforced using L2 ACL. No frames with different source MAC addresses are allowed to enter the peering fabric.

The implementation of MAC filtering is important to protect the NL-ix peering infrastructure against loops. Customers who intend to swap routers or otherwise change their MAC address should coordinate this change in advance with the NL-ix NOC or by configuring the new MAC in our MyNL-ix portal. In the event of an after-hours emergency necessitating our help on a MAC change, please call our NOC.

Connecting Directly to the IX

Contact us by emailing sales@NL-ix.net. Together we will gather all the necessary information in order to help your business as best as we can.

Once your order is placed, NL-ix will forward you a CFA/LOA for you to order a cross-connect into the IX node present in your selected facility. You are responsible for arranging and paying for the cross-connect to reach the IX fabric. To ease the cross-connect process, NL-ix is aggressively installing patch panels along various suites and Meet Me Areas in each facility, in coordination with the building owner. Contact our sales team if you have any questions regarding cross-connects at a particular facility.

Connecting through a reseller

Another way to join the NL-ix is via an authorised reseller. NL-ix is actively signing additional partners and resellers – check back with us often for an updated list.

Open Peering

Interconnecting internationally to other networks via a Transit provider with a full or partial BGP routing table is a very effective routing option. It can be used in combination with Peering either to improve and stabilise critical routes or to cut costs. Using multiple Transit providers over different ports guarantees redundancy. Open Peering is a tried and tested service offering full European coverage with the best routes available. It gives direct access to any network that peers on the route servers of all the major European exchanges, supplemented with bilateral peering sessions and the PNIs of the Open Peering initiative.

Make sure that:

  • You are only advertising routes you are allowed to advertise, enforced with prefix lists or similar;
  • You are filtering bogon routes both inbound and outbound;
  • You configure redundant sessions, both to Nikhef and Telecity 2;
  • You have created RIPE Route-Objects and your AS-SET is correct and up-to-date.

Blackholing

You can blackhole traffic in EU-routing by adding community 20562:0 to your prefix. Below is an example for a Cisco router.

Cisco router example

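ip route 192.168.1.1 255.255.255.255 Null0
!
router bgp 6500
 network 192.168.1.1 mask 255.255.255.255 route-map blackhole
!
! The community is only sent to the peer if the session has
! "neighbor <peer> send-community" configured.
route-map blackhole permit 10
 set community 20562:0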

Joint Transit

Joint Transit offers the best IP transit option. We have created a unique blend from geographic Tier 1 and Tier 2 Transit specialists that guarantee the best routes to specific regions. Users can connect from 116 datacenters in the 25 most important European metropolitan markets in 15 countries, receiving more than 600.000 IPv4 prefixes.

Configuration Example

Below is an example of how to configure your Joint Transit service. This config snippet can also be used to configure your Open Peering product.

Cisco router - BGP

router bgp 65000
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 bgp graceful-restart
 bgp maxas-limit 50
 !
 address-family ipv4
  bgp dampening
  redistribute static
 exit-address-family
 !
 address-family ipv4 vrf internet
  bgp dampening
  redistribute static
  neighbor 213.207.12.x1 remote-as 24785
  neighbor 213.207.12.x1 description eBGP with Transit Nikhef
  neighbor 213.207.12.x1 version 4
  neighbor 213.207.12.x1 activate
  neighbor 213.207.12.x1 remove-private-as
  neighbor 213.207.12.x1 soft-reconfiguration inbound
  neighbor 213.207.12.x1 route-map BGP-NLix-1-Ingress in
  neighbor 213.207.12.x1 route-map BGP-NLix-1-Engress out
  neighbor 213.207.12.x1 maximum-prefix 750000
  neighbor 213.207.12.x2 remote-as 24785
  neighbor 213.207.12.x2 description eBGP with Transit Telecity2
  neighbor 213.207.12.x2 version 4
  neighbor 213.207.12.x2 activate
  neighbor 213.207.12.x2 remove-private-as
  neighbor 213.207.12.x2 soft-reconfiguration inbound
  neighbor 213.207.12.x2 route-map BGP-NLix-2-Ingress in
  neighbor 213.207.12.x2 route-map BGP-NLix-2-Engress out
  neighbor 213.207.12.x2 maximum-prefix 750000
  maximum-paths eibgp 4
 exit-address-family
!

Please note that Transit is always redundant. You can configure a session to both Nikhef and Telecity 2.
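A pre-deployment check for a configuration of this shape, added here as an example and not NL-ix's own tooling: it verifies that every neighbor has an inbound route-map, an outbound route-map and a maximum-prefix limit, that there are two sessions, and that every route-map and prefix list referenced is actually defined. The sample config is constructed (192.0.2.x peers are placeholders), and audit, REQUIRED and SAMPLE are names chosen for this illustration.

```python
import re

# Constructed sample in the style of the page's config; 192.0.2.x peers are placeholders.
SAMPLE = """\
router bgp 65000
 neighbor 192.0.2.1 remote-as 24785
 neighbor 192.0.2.1 route-map BGP-NLix-1-Ingress in
 neighbor 192.0.2.1 route-map BGP-NLix-1-Engress out
 neighbor 192.0.2.1 maximum-prefix 750000
 neighbor 192.0.2.2 remote-as 24785
 neighbor 192.0.2.2 route-map BGP-NLix-2-Ingress in
ip prefix-list BGP-Engress-Out-Filter seq 1 permit 203.0.113.0/24 le 32
route-map BGP-NLix-1-Engress permit 10
 match ip address prefix-list BGP-Engress-Out-Filter
route-map BGP-NLix-1-Ingress permit 10
 match ip address prefix-list BGP-Ingress-In-Permit-Default-Route
"""
REQUIRED = {"in": "inbound route-map", "out": "outbound route-map",
            "maximum-prefix": "maximum-prefix limit"}


def audit(config):
    """Return sorted findings: missing per-neighbor safeguards and dangling references."""
    neighbors, route_maps, used_lists = {}, set(), set()
    prefix_lists = set(re.findall(r"^\s*ip prefix-list (\S+)", config, re.M))
    for words in (line.split() for line in config.splitlines()):
        if words[:1] == ["neighbor"] and len(words) >= 4:
            seen = neighbors.setdefault(words[1], {})
            if words[2] == "route-map" and len(words) == 5:
                seen[words[4]] = words[3]          # direction -> route-map name
            elif words[2] == "maximum-prefix":
                seen["maximum-prefix"] = words[3]
        elif words[:1] == ["route-map"] and len(words) >= 2:
            route_maps.add(words[1])               # a route-map definition
        elif words[:4] == ["match", "ip", "address", "prefix-list"]:
            used_lists.update(words[4:])
    findings = []
    for peer, seen in neighbors.items():
        findings += [f"{peer}: missing {label}" for key, label in REQUIRED.items() if key not in seen]
        for direction in ("in", "out"):
            if direction in seen and seen[direction] not in route_maps:
                findings.append(f"{peer}: route-map {seen[direction]} is not defined")
    findings += [f"prefix-list {n} is matched but not defined" for n in used_lists - prefix_lists]
    if len(neighbors) < 2:
        findings.append("fewer than two sessions: no redundant path")
    return sorted(findings)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the constructed sample it reports the second session's missing outbound route-map and maximum-prefix limit, its undefined route-map, and the prefix list that is matched but never defined.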

Cisco router - Prefix Lists

ip prefix-list BGP-Engress-Out-Filter seq 1 permit 203.0.113.0/24 le 32
!
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 2 deny 0.0.0.0/0
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 4 deny 10.0.0.0/8 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 6 deny 172.16.0.0/12 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 8 deny 192.168.0.0/16 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 10 deny 224.0.0.0/4 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 12 deny 240.0.0.0/4 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 14 deny 127.0.0.0/8 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 16 deny 169.254.0.0/16 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 18 deny 192.0.2.0/24 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 20 deny 198.51.100.0/24 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 22 deny 203.0.113.0/24 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 24 deny 192.42.172.0/24 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 26 deny 198.18.0.0/15 le 32
ip prefix-list BGP-Ingress-In-Full-Routing-Table seq 99 permit 0.0.0.0/0 le 24
!
route-map BGP-NLix-1-Engress permit 10
 match ip address prefix-list BGP-Engress-Out-Filter
!
route-map BGP-NLix-2-Engress permit 10
 match ip address prefix-list BGP-Engress-Out-Filter
 set as-path prepend 206730
!
! The ingress route-maps match BGP-Ingress-In-Permit-Default-Route, which is not
! defined in this snippet. Define it, or match BGP-Ingress-In-Full-Routing-Table
! to apply the bogon filter above.
route-map BGP-NLix-1-Ingress permit 10
 match ip address prefix-list BGP-Ingress-In-Permit-Default-Route
 set local-preference 100
!
route-map BGP-NLix-2-Ingress permit 10
 match ip address prefix-list BGP-Ingress-In-Permit-Default-Route

Please make sure to filter both inbound and outbound as shown above. This way you cannot inadvertently announce or receive prefixes you do not want. We recommend filtering the bogon prefixes published by Team Cymru (www.team-cymru.org).
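To see what the prefix lists above accept and reject, here is an added example (not NL-ix's own code): a small Python evaluator that applies prefix-list matching, first match wins, implicit deny at the end, with "le" giving the maximum prefix length. The list entries are copied from this page; the sample routes are constructed, and evaluate, INGRESS, EGRESS and SAMPLES are names chosen for this illustration.

```python
import ipaddress

# Inbound list copied from the page: (action, prefix, le). le=None means exact length only.
INGRESS = [
    ("deny", "0.0.0.0/0", None),
    ("deny", "10.0.0.0/8", 32),
    ("deny", "172.16.0.0/12", 32),
    ("deny", "192.168.0.0/16", 32),
    ("deny", "224.0.0.0/4", 32),
    ("deny", "240.0.0.0/4", 32),
    ("deny", "127.0.0.0/8", 32),
    ("deny", "169.254.0.0/16", 32),
    ("deny", "192.0.2.0/24", 32),
    ("deny", "198.51.100.0/24", 32),
    ("deny", "203.0.113.0/24", 32),
    ("deny", "192.42.172.0/24", 32),
    ("deny", "198.18.0.0/15", 32),
    ("permit", "0.0.0.0/0", 24),
]
# Outbound list copied from the page (203.0.113.0/24 stands in for your own prefix).
EGRESS = [("permit", "203.0.113.0/24", 32)]


def evaluate(prefix_list, route):
    """Return 'permit' or 'deny' for a route: first match wins, implicit deny at the end."""
    net = ipaddress.ip_network(route)
    for action, entry, le in prefix_list:
        base = ipaddress.ip_network(entry)
        # Without le the length must equal the entry's; with le it may range up to le.
        max_len = base.prefixlen if le is None else le
        if net.subnet_of(base) and base.prefixlen <= net.prefixlen <= max_len:
            return action
    return "deny"


# Constructed sample routes, not taken from a real BGP feed.
SAMPLES = ["0.0.0.0/0", "10.20.0.0/16", "100.64.0.0/10",
           "8.8.8.0/24", "8.8.8.0/25", "203.0.113.7/32"]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r:18} in={evaluate(INGRESS, r):6} out={evaluate(EGRESS, r)}")
```

The run shows 100.64.0.0/10 (RFC 6598 shared address space) passing the inbound list, which is why a static list like this one needs regular review against a maintained bogon reference.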

Virtual Network

A Virtual Network (Virtual Private LAN Service) is an NL-ix service whereby customers can apply dedicated ethernet VLAN connections between any two, or more, datacenter locations covered by the NL-ix. This service provides a form of point-to-multipoint transport, but also offers resilience by automatically rerouting the Virtual Network over a different path upon failing links or routers.

Technical features

  • One MAC per VLAN/port;
  • Metro-Ethernet requires customers to connect only one single MAC address per port, which is enforced using port security.
  • Any distance: NL-ix hides the distance between endpoints and repeats the signal along the way if needed.

Metro Ethernet supports standard-size Ethernet frames with a 1500-byte payload (plus a 14-byte Ethernet header and a 4-byte Ethernet CRC trailer), which means that dot1q trunking, Q-in-Q, jumbo frames and MPLS are not supported.

Virtual Leased Line & Vwave

With MPLS Virtual Leased Lines, NL-ix offers transparent and path-resilient transport capacity between all of its on-net data centers. This service provides a form of point-to-point transport capacity which is transparent, but also offers resilience by automatically rerouting the Virtual Leased Line over a different path upon failing links or routers.

Technical features

  • Point to Point Transport;
  • Transparent: allows unlimited MAC addresses, dot1q, Q-in-Q, MAC-in-MAC, MPLS and jumbo frames;
  • Secure: delivers a completely private circuit where traffic cannot be seen by other customers or even NL-ix;
  • Any distance: NL-ix hides the distance between endpoints and repeats the signal along the way if needed.