Best Practices

The preferred method of connecting to the Denver Internet Exchange peering fabric is with a router. If you decide to connect with a switch, it is critical that the port facing our port is configured to behave as a router port normally would: 1 MAC address, a layer 3 terminated point-to-point connection, no loops, no spanning-tree, and no discovery protocols. If you follow these configuration principles, you will likely never encounter the security protocols listed below.

Security Protocols

  • Storm-Control limits broadcast, multicast, and unknown unicast traffic to 5% of the port bandwidth.
  • 1 MAC address is permitted on a port configured as an access port; it will be learned dynamically.
  • 1 MAC address is permitted on a port configured as a trunk port; it will be learned dynamically.
  • Ports on which more than 1 MAC address is detected will receive a link down for 5 minutes.
  • Ports that receive a BPDU from your end will receive a link down for 5 minutes.
  • In order to prevent loops or other configuration errors, RSTP/VSTP are run on all VLANs with the expectation that no negotiation is received. If one is received, the BPDU link down will take effect.
  • Route servers and the route collector will accept ICMP, ICMP6 and TCP port 179 traffic only.
  • BGP Session Culling, a.k.a. IETF BCP 214, is implemented during maintenance activity.
  • ICMP and ICMP6 echoes are rate-limited and should be used sparingly.

We reserve the right to implement other industry accepted security protocols, with or without notice, should the need arise to protect the peering fabric and peers on the fabric.
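
One way to check your own port against the rules above before connecting, as an added example (not Denver Internet Exchange tooling): it classifies raw Ethernet frames captured leaving your IX-facing port and reports extra source MACs, BPDUs and discovery-protocol frames. The function names, MAC addresses and sample frames are constructed for illustration.

```python
# Added example: audit frames captured leaving your IX-facing port.
from collections import Counter

STP_DST = bytes.fromhex("0180c2000000")   # IEEE STP/RSTP BPDU destination
PVST_DST = bytes.fromhex("01000ccccccd")  # PVST+/VSTP BPDU destination
CDP_DST = bytes.fromhex("01000ccccccc")   # CDP (also VTP/DTP) destination
LLDP_ETHERTYPE = 0x88CC
DOT1Q = 0x8100

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def audit(frames):
    """Return a dict of rule violations found in raw Ethernet frames (bytes)."""
    macs, bpdus, discovery = Counter(), 0, 0
    for f in frames:
        if len(f) < 14:
            continue  # truncated capture: no full Ethernet header to classify
        dst, src = f[0:6], f[6:12]
        etype = int.from_bytes(f[12:14], "big")
        if etype == DOT1Q and len(f) >= 18:  # tagged frame on a trunk port
            etype = int.from_bytes(f[16:18], "big")
        macs[mac_str(src)] += 1
        if dst in (STP_DST, PVST_DST):
            bpdus += 1
        elif dst == CDP_DST or etype == LLDP_ETHERTYPE:
            discovery += 1
    findings = {}
    if len(macs) > 1:  # the exchange permits 1 MAC per port
        findings["multiple_macs"] = sorted(macs)
    if bpdus:
        findings["bpdu_frames"] = bpdus
    if discovery:
        findings["discovery_frames"] = discovery
    return findings

# Constructed sample frames (hypothetical MACs, payloads zero-filled).
ROUTER = bytes.fromhex("02aabbcc0001")
BRIDGE = bytes.fromhex("02aabbcc0002")
def frame(dst, src, etype, tag=None):
    vlan = DOT1Q.to_bytes(2, "big") + tag.to_bytes(2, "big") if tag is not None else b""
    return dst + src + vlan + etype.to_bytes(2, "big") + bytes(46)

CLEAN = [frame(b"\xff" * 6, ROUTER, 0x0806),
         frame(bytes.fromhex("02ddeeff0001"), ROUTER, 0x0800)]
NOISY = CLEAN + [
    frame(STP_DST, BRIDGE, 0x0026),  # 802.3 length field, BPDU from a second MAC
    frame(bytes.fromhex("0180c200000e"), ROUTER, LLDP_ETHERTYPE, tag=100),
]

if __name__ == "__main__":
    print(audit(CLEAN), audit(NOISY))
```

An empty result means none of the three conditions was seen in the capture; it does not measure the 5% storm-control threshold, which depends on traffic rate rather than frame type.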