Port configuration requirements for members
With our roots in cyber-security, we would like to do our part to create
a more secure and more reliable internet.
To obtain this, we have several requirements and security measures in place ensuring secure operation of our platform to create a great environment to exchange traffic.
To ensure reliable services, the physical media must be set up correctly on your interface towards ERA-IX
- Auto-negotiation: Disabled (speed forced to physical media speed).
- MTU (L3): 1500 Bytes
For optimal hygiene in our peering LAN, only the following ether types are allowed to enter our peering LAN:
0x0800IPv4, IPv4 internet traffic.
0x0806ARP, ARP for IPv4.
0x08DDIPv6, IPv6 internet traffic.
Ether types not present in this list are strictly forbidden and will be dropped by our platform.
Any link-local protocols must be disabled on the interface towards ERA-IX (such as LLDP, CDP, STP, flow-control).
We maintain an exact administration of which mac-address belongs where on
When getting connected, during the testing phase, ERA-IX will administer the mac-address. mac-address changes must always be communicated for the administrative records to be updated.
Any traffic originating from a mac-address not explicitly administered source will be dropped by our platform.
When our peering LAN has to traverse multiple switches inside the members network, ensure any intermediary switches do not send out any packets and no packets not destined for the peering LAN end up being sent to ERA-IX.
The members router must not reply to ARP requests not destined for their assigned IP address (disable proxy-arp) and must only configure the IP address assigned to them by ERA-IX. Any violating ARP packets which do not match our administrative records will be dropped and an incident will be logged to review.
By default, for all members, our route-servers are configured to drop IRR Invalid and RPKI Invalid routes. IRR is based on the AS-SET of the member and registrars enabled at ERA-IX's discretion to provide optimal security with minimum interference. IRR filters are refreshed automatically once per hour on our route-servers.
Peering LAN route propagation
Announcing our peering LAN prefixes to the internet is prohibited and
members must maintain correct routing policy to ensure the route is not advertised to the
We strongly recommend not importing the peering LAN into IGP to prevent accidental propagation and unwanted traffic from being sent to the peering LAN.