AMS-IX: Amsterdam Internet Exchange

Port Security at AMS-IX

Network Loops

The greatest danger to any Ethernet network is a loop. Unless countermeasures are taken, a loop brings a network down almost instantly. A broadcast frame carried around the loop re-enters the network and is flooded again, so every connected device receives an endless stream of duplicates and has its CPU loaded by processing them; in the worst case the result is a self-sustaining broadcast storm, in which frames sent out one port are fed back in on another port and sent out the first port again. Ethernet frames carry no hop count or time-to-live, so nothing in the frame itself ever stops the cycle.

Mitigation

Several mechanisms exist to detect and break network loops. The best known is probably Spanning Tree (STP, IEEE 802.1D). Bridges running STP periodically multicast BPDUs out all their ports; from the BPDUs they receive they elect a root bridge and compute a single loop-free tree, and a port on a redundant path (for example one on which a bridge sees its own BPDUs, or better ones, coming back) is put into blocking state so that the loop is broken.

The main disadvantage of STP is that it offers no administrative boundary between two interconnected networks: BPDUs arriving from a customer's equipment are processed just like those of the exchange's own switches. For AMS-IX this meant that whenever a member connected a router via a layer-2 device with STP enabled (or later changed something in that network), the whole platform went through an STP topology change, sometimes even electing a new root bridge, with all the instability that entails.

Port Security

AMS-IX uses a different technique to combat network loops: port security. This feature, now commonplace in equipment from all major Ethernet vendors, limits the number of MAC addresses that may be learned on a port and drops any frame received on that port with a different source MAC address, optionally also shutting the port down for a period when a violating frame is detected. A looped frame re-entering the fabric through a member port necessarily carries the source MAC address of whoever originally sent it rather than that of the member's own router, so it is dropped at the port. Network loops via member ports are therefore neutralised automatically.

Implementation

The AMS-IX Connection Agreement allows one router to be connected to each port sold to a member. Its MAC address is learned once, when the member's routing equipment has been shown to be suitably configured for the AMS-IX switching fabric and the port is taken out of quarantine, and from then on it stays locked on the port: no frames with any other source MAC address are allowed to enter the platform.
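As an added illustration (not AMS-IX's code or configuration), the following Python model contrasts a plain learning switch with one that enforces port security as described in the two paragraphs above: one MAC address locked per member port, any other source MAC dropped, and the port shut down after a number of violations. The four-port fabric, the MAC addresses, the violation threshold and the loop created by member C's layer-2 device bridging its two exchange ports are all constructed assumptions for the demonstration.

```python
"""Toy model of an Ethernet switching fabric with per-port MAC locking.

Added illustration, not AMS-IX code.  A plain learning switch is compared
with one enforcing port security as described on this page: one locked MAC
per member port, other source MACs dropped, port shut down after an
(assumed) number of violations.  The fabric, MACs and loop are constructed.
"""
from collections import deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed member routers: A on port 1, B on port 2; member C has two
# routers on ports 3 and 4 behind a layer-2 device of its own.
MAC_A, MAC_B, MAC_C3, MAC_C4 = (
    "00:00:5e:00:53:01", "00:00:5e:00:53:02",
    "00:00:5e:00:53:03", "00:00:5e:00:53:04",
)
ALLOWED = {1: MAC_A, 2: MAC_B, 3: MAC_C3, 4: MAC_C4}   # locked at quarantine release

# Constructed fault: C's layer-2 device bridges its two exchange ports, so every
# frame the fabric sends out port 3 comes straight back in on port 4 and vice versa.
LOOP = {3: 4, 4: 3}

VIOLATION_LIMIT = 3   # assumed threshold: shut the port after this many violating frames


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int


@dataclass
class PortState:
    locked_mac: str
    violations: int = 0
    shutdown: bool = False


class Switch:
    def __init__(self, allowed: dict, secure: bool):
        self.secure = secure
        self.ports = {p: PortState(mac) for p, mac in allowed.items()}
        self.fdb: dict = {}          # source MAC -> port, as a learning switch builds it
        self.forwarded = 0
        self.dropped = 0

    def _port_security_ok(self, frame: Frame) -> bool:
        """Accept only the locked source MAC; count violations, shut the port at the limit."""
        port = self.ports[frame.in_port]
        if port.shutdown:
            return False
        if frame.src == port.locked_mac:
            return True
        port.violations += 1
        if port.violations >= VIOLATION_LIMIT:
            port.shutdown = True
        return False

    def ingress(self, frame: Frame) -> list:
        """Process one received frame; return the list of ports it is sent out of."""
        if self.secure and not self._port_security_ok(frame):
            self.dropped += 1
            return []
        self.fdb[frame.src] = frame.in_port     # a looped frame makes this entry flap
        if frame.dst != BROADCAST and frame.dst in self.fdb:
            out = [self.fdb[frame.dst]]
        else:                                   # broadcast or unknown unicast: flood
            out = list(self.ports)
        out = [p for p in out if p != frame.in_port and not self.ports[p].shutdown]
        self.forwarded += len(out)
        return out


def simulate(secure: bool, broadcasts: int = 3, max_events: int = 200) -> dict:
    """Inject `broadcasts` broadcast frames from A and run the fabric with the loop in place."""
    sw = Switch(ALLOWED, secure)
    queue = deque(Frame(MAC_A, BROADCAST, 1) for _ in range(broadcasts))
    events = 0
    while queue and events < max_events:
        frame = queue.popleft()
        events += 1
        for out_port in sw.ingress(frame):
            if out_port in LOOP:   # C's device hands the frame straight back to the fabric
                queue.append(Frame(frame.src, frame.dst, LOOP[out_port]))
    return {
        "forwarded": sw.forwarded,
        "dropped": sw.dropped,
        "storm": bool(queue),      # frames still circulating when we gave up
        "shutdown": sorted(p for p, s in sw.ports.items() if s.shutdown),
    }


if __name__ == "__main__":
    for secure in (False, True):
        print("port security", "on " if secure else "off", simulate(secure))
```

Without port security the broadcasts from A never stop circulating through C's two ports and the run only ends because the simulation gives up after a fixed number of events. With port security the looped copies arrive at ports 3 and 4 carrying A's source address rather than the locked one, are dropped, and after the assumed threshold both offending ports are shut down while the rest of the fabric is unaffected.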

Since port security was implemented in February 2003 it has protected the switching fabric from several potentially crippling network loops.