In order to help maintain hygiene across the peering fabric, all peering participant ports are subjected to a standard layer-2 filtering policy to limit frames that are considered unwanted at the peering fabric. Below is a list of frames that are filtered (dropped) by default. This list is revised as necessary.
entry STP { if { ethernet-destination-address 01:80:c2:00:00:00; } then { deny; log; count STP; } }
entry STP-ALT { if { ethernet-destination-address 01:80:C2:00:00:08; } then { deny; log; count STP-ALT; } }
entry PVST { if { ethernet-destination-address 01:00:0c:cc:cc:cd; } then { deny; log; count PVST; } }
entry CDP { if { ethernet-destination-address 01:00:0c:cc:cc:cc; } then { deny; log; count CDP; } }
entry LLDP { if { ethernet-destination-address 01:80:c2:00:00:0e; } then { deny; log; count LLDP; } }
entry IPv6_RA { if { protocol icmpv6; icmp-type 134; } then { deny; log; count RA; } }
entry ISL { if { ethernet-destination-address 01:00:0c:00:00:00; } then { deny; log; count ISL; } }
entry EDP { if match all { ethernet-destination-address 00:e0:2b:00:00:00 ; snap-type 0x00bb ; } then { deny ; count EDP ; } }
entry MIKROTIK { if match all { ethernet-destination-address 01:80:c2:00:88:bf ; ethernet-type 0x88bf ; } then { deny ; count MIKROTIK ; } }
entry HUAWEI { if { ethernet-type 0x9998 ; } then { deny ; count HUAWEI; } }
entry HUAWEI_LOOPBACK { if { ethernet-type 0x999a ; } then { deny ; count HUAWEI_LOOPBACK; } }
entry ETH_9003 { if { ethernet-type 0x9003 ; } then { deny ; count eth_9003 ; } }
In general, peers are expected to send only IPv4 (0x0800), IPv6 (0x86dd) and ARP (0x0806) ethertypes. Other frame types will be dropped without notice.
To keep security at the highest level we implement Layer 2 MAC filtering on the INX-ZA peering fabric. This is to help prevent unauthorised traffic from entering the exchange. Each peering port/bundle is restricted to a single MAC address and is statically locked down. Additionally, MAC address learning is disabled on each port, meaning we will not learn a new MAC address if the old one becomes unavailable.
If you require the MAC on your port to change, please email ops @ inx.net.za to schedule the time the change will take place, and our team will be on standby to perform the change.
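The following Python is an added example, not INX-ZA's own tooling and not part of the original page. It applies the default filter list and the single-MAC lock described above to raw Ethernet frames, so a peer can check what their router-facing interface emits before it reaches the fabric. The reason strings, `PORT_MAC`, the `eth` helper and the sample frames are constructed for illustration; VLAN tags and IPv6 extension headers are assumed absent.

```python
import struct

# Destination MACs and ethertypes dropped by the default policy on this page.
DROPPED_DST = {"01:80:c2:00:00:00": "STP", "01:80:c2:00:00:08": "STP-ALT",
               "01:00:0c:cc:cc:cd": "PVST", "01:00:0c:cc:cc:cc": "CDP",
               "01:80:c2:00:00:0e": "LLDP", "01:00:0c:00:00:00": "ISL"}
DROPPED_TYPE = {0x9998: "HUAWEI", 0x999A: "HUAWEI_LOOPBACK", 0x9003: "ETH_9003"}
EXPECTED_TYPE = {0x0800: "IPv4", 0x86DD: "IPv6", 0x0806: "ARP"}

def eth(dst, src, etype, payload=b""):
    """Build a raw untagged Ethernet frame from colon-separated MAC strings."""
    return bytes.fromhex((dst + src).replace(":", "")) + struct.pack("!H", etype) + payload

def classify(frame, locked_mac):
    """Return (verdict, reason) for one untagged Ethernet frame given as bytes."""
    if len(frame) < 14:
        return ("drop", "truncated")
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    (etype,) = struct.unpack("!H", frame[12:14])
    if src != locked_mac.lower():
        return ("drop", "SRC_MAC_NOT_LOCKED")
    if dst in DROPPED_DST:
        return ("drop", DROPPED_DST[dst])
    # EDP entry is "match all": destination MAC plus SNAP type 0x00bb (LLC/SNAP framing).
    is_snap = etype < 0x0600 and frame[14:17] == b"\xaa\xaa\x03"
    if dst == "00:e0:2b:00:00:00" and is_snap and frame[20:22] == b"\x00\xbb":
        return ("drop", "EDP")
    if dst == "01:80:c2:00:88:bf" and etype == 0x88BF:
        return ("drop", "MIKROTIK")
    if etype in DROPPED_TYPE:
        return ("drop", DROPPED_TYPE[etype])
    # Router Advertisement: ICMPv6 (next header 58) right after the fixed IPv6
    # header, type 134. Extension headers are not walked (simplification).
    if etype == 0x86DD and len(frame) > 54 and frame[20] == 58 and frame[54] == 134:
        return ("drop", "IPv6_RA")
    if etype not in EXPECTED_TYPE:
        return ("drop", "UNEXPECTED_ETHERTYPE")
    return ("forward", EXPECTED_TYPE[etype])

# Constructed sample frames, not captured traffic; PORT_MAC is a made-up address.
PORT_MAC = "02:00:00:00:00:01"
RA = b"\x60\x00\x00\x00\x00\x10\x3a\xff" + b"\x00" * 32 + b"\x86"
SAMPLES = [eth("ff:ff:ff:ff:ff:ff", PORT_MAC, 0x0806, b"\x00" * 28),   # ARP
           eth("01:80:c2:00:00:0e", PORT_MAC, 0x88CC),                 # LLDP
           eth("33:33:00:00:00:01", PORT_MAC, 0x86DD, RA),             # IPv6 RA
           eth("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:02", 0x0800)]      # other source MAC
if __name__ == "__main__":
    for f in SAMPLES:
        print(classify(f, PORT_MAC))
```

Any frame reported as `drop` for a protocol such as LLDP, CDP or router advertisements points at a feature to disable on the interface facing the exchange.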