Q: How do I contact the SIX for non-urgent issues?
A: Email info_a_t_seattleix.net.

Q: How do I contact SIX Network Operations?
A: For service-affecting problems, please email noc_a_t_seattleix.net. For non-urgent issues please email info_a_t_seattleix.net.

Q: What mailing lists are available for participants?
A: The mailing lists available are:

List name How to subscribe Purpose
announce announce-subscribe@seattleix.net Moderated announcements list for people who aren't on the members list but need to hear about important SIX related matters (maintenance, meetings, etc.) from the SIX admins. All messages to this list are automatically sent to the members list too, so no need to subscribe to both. Member to member communication should be done using the members list or your own private list of peers.
chat chat-subscribe@seattleix.net Optional list for participants to freely discuss Seattle Internet issues. Examples of acceptable discussion include: offers/requests for surplus equipment, sharing of tips/tricks, building gossip, etc.
members members-subscribe@seattleix.net Intended to be low volume so that all technical contacts remain subscribed. Notices of maintenance work, SIX organization discussion and upcoming meetings are appropriate for this list.
multicast multicast-subscribe@seattleix.net For discussion of multicast over the SIX.

Q: How do I unsubscribe from the SIX mailing lists?
A: Replace "-subscribe" with "-unsubscribe" in the above table.

Q: Location?
A: The physical location (no postal mail!) is Westin Office Building, 2001 6th Avenue, Seattle. NPA-NXX is 206-443. The mailing address is Seattle Internet Exchange, 1700 7th Ave Ste 116 #400, Seattle, WA  98101-1323.

Q: MAC Address Changes?
A: If you are going to perform maintenance that results in a possible MAC address change for packets sent from your router, please coordinate with info@seattleix.net in advance, or you risk being cut off. We can allow multiple specific MAC addresses temporarily, to enable transition.

In an emergency, if you are cut off, feel free to force your router to use the MAC address that was previously working for you.

Q: Where do I go for an address allocation or to change the reverse DNS for an existing address allocation?
A: To change your existing address allocation, email info_a_t_seattleix.net. For new participants, once your connection is up and tested, we will request the following:

Organization Name:
Organization URL (or Peering Policy page if available):
ASN:
Reverse DNS FQDN (ex. six.example.net):
Router MAC Address:
Tech Name:
Tech Email:
Tech Phone:
NOC Phone:
NOC Email:
Peering Email:
Questions:
- IPv6?:
- If connecting via an extension, what is your connection speed?:
- May we announce your connection speed?:
- Do you understand and agree to the SIX rules
  (https://www.seattleix.net/rules)?:
- Do you understand and agree to set your v4/v6 neighbor cache timeouts to
  at least 4 hours or as close to that as able in the case of vendor
  limitations?  (short timeouts may result in quarantine):
- Do you understand and agree to not propagate the SIX subnet routes
  beyond your SIX router and/or protect the SIX subnets with an ACL?:
- Do you have permission to use the above ASN issued by a Regional
  Internet Registry?:
- Do you understand and agree to only announce address space which you are
  authorized to announce?:

Q: What connection types and speeds are available?
A: You can connect via single-mode fiber. Available speeds are GigE, 10GbE, 40GbE, 100GbE, 400GbE and port-channel multiples. LACP is supported. Please see https://www.seattleix.net/join for more information.

Q: What is the fee for connecting to the SIX?
A: Please see https://www.seattleix.net/join for fees.

The building management or your colocation provider may charge you for the cost of labor and materials for running a circuit to the SIX, and may charge you a recurring fee.

Q: What are the rules?
A: Please check out https://www.seattleix.net/rules.

Q: What size MTU is supported?
A: The SIX provides both 1500 byte and 9000 byte VLANs. Write to info_a_t_seattleix.net to trunk your circuit to gain access to the 9000 byte VLAN.

Q: Does the SIX maintain a looking glass?
A: Yes, for each route server. Also, Packet Clearing House does at https://www.pch.net/tools/looking_glass/ .

Q: What is the organizational structure of the SIX?
A: The Seattle Internet Exchange is a Washington State nonprofit corporation. Our articles of incorporation, bylaws, and minutes of official meetings are available on our documents page. The SIX is an IRS 501(c)(6) income tax exempt organization.

Q: Who is on the SIX board and who are the officers?
A: Check out the Who's Who.

Q: How may an organization contribute to the SIX?
A: Funds may be contributed to the SIX via PayPal (paypal_a_t_seattleix.net) or via check to Seattle Internet Exchange, 1700 7th Ave Ste 116 #400, Seattle, WA 98101-1323. For credit cards, PayPal can be used. If you would like to contribute hardware, either to be used by the SIX or sold with the proceeds going to the SIX, please email info_a_t_seattleix.net to discuss options. Donors are recognized on the contributors page. Contributions are not deductible as charitable contributions for federal income tax purposes. They may be deductible as trade or business expenses if ordinary and necessary in the conduct of the taxpayer's business. The SIX is a 501(c)(6) income tax exempt organization.

Q: SIX logo?
A: Illustrator (.ai), 223x153 PNG, 223x153x5 PNG, 4096x2662 PNG, 446x306 JPEG

Q: Neighbor discovery ACL tips?
A: Participant ACLs must not violate neighbor discovery norms, since doing so will result in excess flooded packets on the community fabric and burden for SIX administrators. For IPv4 this means that a participant's router must be configured to receive and respond to ARP packets from all SIX participants, even those that are not direct peers. For IPv6, this means that participant routers must receive and respond to ICMPv6 neighbor solicitation packets from both fe80::/10 and all SIX participant addresses, including those that are not direct peers, directed toward fe80::/10, ff02::1:ff00:0/104, and the participant's unicast SIX assignments.

Pseudo-ACL example, in loose form:

Ingress ACLs:
      
  permit arp
      
  permit icmpv6 neighbor-advertisement
  permit icmpv6 neighbor-solicitation
    
Egress ACLs:
     
  permit arp
      
  permit icmpv6 neighbor-advertisement
  permit icmpv6 neighbor-solicitation

Pseudo-ACL example, in strict form:

Ingress ACLs:
      
  permit arp    206.81.80.0/22   206.81.8#.###
  permit arp    149.112.96.0/22   149.112.9#.###
      
  permit icmpv6 2001:504:16::/63 2001:504:16::###   neighbor-advertisement
  permit icmpv6 2001:504:16::/63 2001:504:16::###   neighbor-solicitation
  permit icmpv6 2001:504:16::/63 fe80::/10          neighbor-advertisement
  permit icmpv6 2001:504:16::/63 fe80::/10          neighbor-solicitation
  permit icmpv6 2001:504:16::/63 ff02::1:ff00:0/104 neighbor-solicitation
  permit icmpv6 fe80::/10        fe80::/10          neighbor-advertisement
  permit icmpv6 fe80::/10        fe80::/10          neighbor-solicitation
  permit icmpv6 fe80::/10        ff02::1:ff00:0/104 neighbor-solicitation
    
Egress ACLs:
     
  permit arp    206.81.8#.### 206.81.80.0/22
  permit arp    149.112.9#.### 149.112.96.0/22
      
  permit icmpv6 2001:504:16::### any                neighbor-advertisement
  permit icmpv6 2001:504:16::### any                neighbor-solicitation 
  permit icmpv6 fe80::/10        any                neighbor-advertisement
  permit icmpv6 fe80::/10        any                neighbor-solicitation

Q: Any other tips on configuring my router?
A: The Amsterdam IX provides a helpful configuration guide for exchange point participants here. A variety of hardware is covered. We request a 4-hour ARP and neighbor timeout. Tips here for: Arista, Brocade, Cisco ASA, , Cisco IOS, Cisco IOS XR or XE, Cumulus, FreeBSD, Force 10, Juniper, Linux, Mikrotik, Nokia (Alcatel-Lucent), OpenBSD, Redback, Ubiquiti

Note: The below examples reference a /22 for the IPv4 address space, rather than the current /23. That is intentional. /22 includes both the MTU 1500 and MTU 9000 VLANs. Further, the MTU 1500 /23 may grow to /22 some day if needed, so it is best for your filters to use /22.

Arista:

Globally:

    no ip multicast-routing

Egress ACLs for SIX-facing interface: (adjust for SIX assignments)

    interface IFNAME
       ip access-group protect_six_subnet_v4_log out 
       ipv6 access-group protect_six_subnet_v6_log out

    ip access-list protect_six_subnet_v4_log
       10 permit ip 206.81.8X.YZ/32 206.81.80.0/22
       20 permit ip 149.112.9X.YZ/32 149.112.96.0/22  # If on Jumbo VLAN
       30 deny ip any 206.81.80.0/22 log
       40 deny ip any 149.112.96.0/22 log  # If on Jumbo VLAN
       50 permit ip any any

    ipv6 access-list protect_six_subnet_v6_log
       10 permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48
       20 permit ipv6 fe80::/10 2001:504:16::/48
       30 deny ipv6 any 2001:504:16::/48 log
       40 permit ipv6 any any

SIX-facing interface:

    interface IFNAME
       ipv6 nd ra disabled all
       no ip pim
       no lldp transmit
       no lldp receive

Gratuitous ARP event handler since Arista doesn't GARP on link up:

    event-handler ixup_SIX
       trigger on-intf EthernetXx/Y operstatus
       action bash arping -bUI etXx_Y -c 3 206.81.8X.YZ
       action bash arping -bUI etXx_Y -c 3 149.112.9X.YZ  # If on Jumbo VLAN

Brocade:

Globally:

    mac-age-time 14400

SIX-facing interface:

    ip arp-age 240
    ipv6 nd reachable-time 3600
    ipv6 nd suppress-ra
    no fdp enable
    no cdp enable

ACL: (trunk example, adjust as appropriate for access interface and SIX assignments)

    ip access-list extended filter-traffic-to-six-lan
     sequence 10 permit ip 206.81.8X.YZ 0.0.0.0 206.81.80.0 0.0.3.255
     sequence 20 permit ip 149.112.9X.YZ 0.0.0.0 149.112.96.0 0.0.3.255  # If on Jumbo VLAN
     sequence 30 deny ip any 206.81.80.0 0.0.3.255 option ignore
     sequence 40 deny ip any 149.112.96.0 0.0.3.255 option ignore  # If on Jumbo VLAN
     sequence 50 permit ip any any

    ipv6 access-list ipv6-filter-traffic-to-six-lan
     permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48 sequence 10
     permit ipv6 fe80::/10 2001:504:16::/48 sequence 20
     deny ipv6 any 2001:504:16::/48 sequence 30
     permit ipv6 any any sequence 40

    interface ve 2
     ip access-group filter-traffic-to-six-lan out
     ipv6 traffic-filter ipv6-filter-traffic-to-six-lan out

    interface ve 3
     ip access-group filter-traffic-to-six-lan out
     ipv6 traffic-filter ipv6-filter-traffic-to-six-lan out

Cisco ASA:

Since it is a firewall, and traffic might return on a different interface, it is important to put the SIX interface in the same zone as other internet connection(s) to avoid dropping legitimate traffic. This was tested on a Cisco ASA firewall running Version 9.18(4)22.

Globally:

    sysopt noproxyarp [nameif of SIX interface]

SIX-facing interface:

    ipv6 nd suppress-ra

Cisco IOS:

Globally:

    no ip gratuitous-arps
    no ipv6 source route

    no ip device tracking    [for intermediate switches: to prevent ARP tell 0.0.0.0 who-has messages]

SIX-facing interface:

    no cdp enable
    no lldp receive
    no lldp transmit
    no mop enable
    udld port disable
    no ip directed-broadcast
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no keepalive
    ipv6 nd suppress-ra    [if 'ipv6 nd ra suppress' does not work]
    ipv6 nd ra suppress    [if 'ipv6 nd suppress-ra' does not work]
    no ipv6 mfib forwarding
    no ipv6 mld router
    no ipv6 pim
    no ipv6 redirects
 
    arp timeout 14400
    or
    ip arp timeout 14400

    ipv6 nd cache expire 14400
    ipv6 nd reachable-time 14400000

    ip device tracking maximum 0    [for intermediate switches: to prevent ARP tell 0.0.0.0 who-has messages]

Egress ACLs for SIX-facing interface: (adjust for SIX assignments)

    interface IFNAME
       ip access-group protect_six_subnet_v4_log out 
       ipv6 access-group protect_six_subnet_v6_log out

    ip access-list protect_six_subnet_v4_log
       10 permit ip 206.81.8X.YZ/32 206.81.80.0/22
       10 permit ip 149.112.9X.YZ/32 149.112.96/22  # If on Jumbo VLAN
       20 deny ip any 206.81.80.0/22 log
       20 deny ip any 149.112.96/22 log  # If on Jumbo VLAN
       30 permit ip any any

    ipv6 access-list protect_six_subnet_v6_log
       10 permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48
       20 permit ipv6 fe80::/10 2001:504:16::/48
       30 deny ipv6 any 2001:504:16::/48 log
       40 permit ipv6 any any

Cisco IOS XR or XE:

Globally:

 ip name-server vrf Mgmt-intf NAMESERVER_IP_ADDRESS
 ip domain lookup source-interface NOT_SIX_INTERFACE

SIX-facing interface: (adjust for SIX assignments)

interface IFNAME
 ipv4 address 206.81.[ROUTER IP] 255.255.254.0
 ipv4 address 149.112.[ROUTER IP] 255.255.252.0  # If on Jumbo VLAN
 arp timeout 14400
 ipv6 nd suppress-ra
 ipv6 nd reachable-time 14400000   [or 3600000 if max-constrained]
 ipv6 address 2001:504:16::[ROUTER IP]/64
 lldp
  transmit disable
 !
 negotiation auto
 ipv4 access-group IPV4-SEATTLE-SIX-OUT egress
 ipv6 access-group IPV6-SEATTLE-SIX-OUT egress
 !
 ! Adjust as appropriate since SIX IP assignment may not be used to originate remote packets:
 call-home
   source-interface MgmtEth0/RSP0/CPU0/0
 domain lookup source-interface lo0
 http client source-interface ipv4 MgmtEth0/RSP0/CPU0/0
 ftp client vrf MANAGEMENT source-interface MgmtEth0/RSP0/CPU0/0
 ntp
   source Loopback0
!
ipv4 access-list IPV4-SEATTLE-SIX-OUT
 10 permit ipv4 206.81.8X.YZ/32 206.81.80.0/22
 20 permit ipv4 149.112.9X.YZ/32 149.112.96/22  # If on Jumbo VLAN
 30 deny ipv4 any 206.81.80.0/22 log
 40 deny ipv4 any 149.112.96/22 log  # If on Jumbo VLAN
 50 permit ipv4 any any
!
ipv6 access-list IPV6-SEATTLE-SIX-OUT
 10 permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48
 20 permit ipv6 fe80::/10 2001:504:16::/48
 30 deny ipv6 any 2001:504:16::/48 log
 40 permit ipv6 any any

Cumulus:

sudo service lldpd stop
sudo systemctl disable lldpd

! ref: https://docs.cumulusnetworks.com/cumulus-linux/
! Assume port 48 is facing IX
interface swp48
  alias IX
  bridge-access 
  mstpctl-portbpdufilter yes
  mtu 1500

! For broadcom based systems:
net del interface swp48 port-security

! Disable all STP in and out of a port
net add interface swp48 stp portbpdufilter

! Disable LLDP, CDP
lldpcli configure system interface pattern *,!eth0,!swp48,swp*

FreeBSD:

sysctl.conf or interface startup script:

  echo "net.link.ether.inet.max_age=14400" >> /etc/sysctl.conf
  sysctl -p

Force 10:

interface IFNAME
    arp timeout 240

Juniper: (start with ARP timeout changes and apply MAC timeout changes if needed)

[edit system arp aging-timer interface IFNAME] 240;
or
[edit system arp interfaces IFNAME] aging-timer 240;

[edit protocols l2-learning] global-mac-table-aging-time 14400;
or
[edit ethernet-switching-options] mac-table-aging-time 14400;
or
[edit vlans] mac-table-aging-time 14400;

Integrated Routing and Bridging (IRB) interface: Junos 15.1R6 and later: set bridge-domains XXX bridge-options mac-table-aging-time 14400

Alternatively: set routing-instances XXX protocols vpls mac-table-aging-time 14400

[edit protocols lldp interface IFNAME] { disable; }

Various (example IX interface is xe-1/0/0.0):

set protocols igmp interface xe-1/0/0.0 disable
set protocols pim interface xe-1/0/0.0 disable
set protocols rstp interface xe-1/0/0.0 disable
set protocols rstp interface xe-1/0/0.0 no-root-port
set protocols lldp interface xe-1/0/0.0 disable
set protocols lldp-med interface xe-1/0/0.0 disable
set protocols igmp-snooping vlan all disable

# prevent fe80:: routing:
set forwarding-options family inet6 source-checking

Egress ACLs for SIX-facing interface: (adjust for SIX assignments)

    firewall family inet filter PROTECT-SIX-v4
    term SIX_ALLOW {
        from {
            source-address {
                206.81.8X.YZ/32;
            }
            destination-address {
                206.81.80.0/22;
            }
        }
        then accept;
    }
    term SIX_ALLOW_JUMBO {
        from {
            source-address {
                149.112.9X.YZ/32;
            }
            destination-address {
                149.112.96.0/22;
            }
        }
        then accept;
    }
    term SIX_DENY {
        from {
            destination-address {
                206.81.80.0/22;
            }
        }
        then discard;
    }
    term SIX_DENY_JUMBO {
        from {
            destination-address {
                149.112.96.0/22;
            }
        }
        then discard;
    }
    term DEFAULT_ALLOW {
        then accept;
    }

    firewall family inet6 filter PROTECT-SIX-v6
    term SIX_ALLOW {
        from {
            source-address {
                2001:504:16::XXXX/128;
            }
            destination-address {
                2001:504:16::/48;
            }
        }
        then accept;
    }
    term SIX_DENY {
        from {
            destination-address {
                2001:504:16::/48;
            }                              
        }
        then discard;
    }
    term DEFAULT_ALLOW {
        then accept;
    }

Linux:

sysctl.conf or modify as appropriate for interface startup script:

  # Make interfaces ARP correctly for a multi-interface machine.
  echo "net.ipv4.conf.all.arp_filter = 1" >> /etc/sysctl.conf
  echo "net.ipv4.conf.all.arp_announce = 1" >> /etc/sysctl.conf
  sysctl -p

  # Various:
  echo "net.ipv6.conf.SIX_IFNAME.autoconf = 0" >> /etc/sysctl.conf
  echo "net.ipv6.conf.SIX_IFNAME.router_solicitations = -1" >> /etc/sysctl.conf
  echo "net.ipv4.neigh.SIX_IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.SIX_IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  # If using VLANs 2 & 3:
  echo "net.ipv4.neigh.SIX_IFNAME/2.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv4.neigh.SIX_IFNAME/3.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.SIX_IFNAME/2.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.SIX_IFNAME/3.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  # Linux IPv6 routing table max size default of 4096 is way too low for modern tables:
  echo "net.ipv6.route.max_size=262144" >> /etc/sysctl.conf
  sysctl -p

  ip link set multicast off dev SIX_IFNAME

RHEL/CentOS and the like:

  /etc/sysconfig/network-scripts/ifcfg-eno1 (for example)

    NAME=eno1     # adjust as appropriate
    DEVICE=eno1   # adjust as appropriate
    TYPE=Ethernet
    PROXY_METHOD=none
    BROWSER_ONLY=no
    BOOTPROTO=none
    DEFROUTE=no
    IPV4_FAILURE_FATAL=no
    IPV6INIT=yes
    IPV6_AUTOCONF=no
    IPV6_DEFROUTE=no
    IPV6_FAILURE_FATAL=no
    ONBOOT=yes
    MTU=1500      # or 9000 for jumbo VLAN
    ARPCHECK=no

  If using Network Manager: (restart after changes)

    /etc/NetworkManager/NetworkManager.conf

      [connection]
        ipv4.dad-timeout = 0

iptables:

  IPv4:

    # SIX subnets should only be reachable by this router, so anything to be forwarded should be dropped:
    -A FORWARD -d 206.81.80.0/22 -o SIX_IFNAME -j DROP
    -A FORWARD -d 149.112.96.0/22 -o SIX_IFNAME -j DROP

  IPv6:

    # SIX subnets should only be reachable by this router, so anything to be forwarded should be dropped:
    -A FORWARD -d 2001:504:16::/48 -o SIX_IFNAME -j DROP

Proxmox:

  # If your router is a VM hosted by Proxmox, you need to make sure your host configures the following
  # as appropriate for your VM, and ensures it remains set after any reboots.
  #
  # Without this, your router may fail to receive ICMPv6 multicast packets necessary for IPv6 Neighbor
  # Discovery to function properly. Failure to receive these packets will increase multicast traffic for
  # the whole fabric and thus is a rule violation.
  echo 0 > /sys/devices/virtual/net/vmbr0/bridge/multicast_snooping

Mikrotik:

Must be running RouterOS 6.35+ to avoid misplaced ARPs. Turn off fast-path to avoid misplaced packets. Don't redirect.
All:

/ip settings set allow-fast-path=no arp-timeout=4h send-redirects=no
/tool romon port add forbid=yes interface=IFNAME

Pre-6.41 disable neighbor discovery:

/ip neighbor discovery set IFNAME discover=no

6.41+ disable neighbor discovery:

/interface list add name=SIXLIST
/interface list member add interface=SIX_IFNAME list=SIXLIST
/ip neighbor discovery-settings set discover-interface-list=!SIXLIST

Various:

/ipv6 settings set accept-redirects=no
/ipv6 address add address=2001:504:16::XXXX advertise=no interface=SIX_IFNAME

/tool mac-server ping set enabled=no
/tool mac-server set [find interface=all] disabled=yes
/tool mac-server mac-winbox set [find interface=all] disabled=yes

# Prevent IPv6 Router Solicitations & Router Advertisements
#
# Either disable Network Discovery on the SIX interface or use something like the following if that
# does not work:
/ipv6 firewall filter
  add action=drop chain=output icmp-options=133:0-255 log=yes out-interface=INTERFACE_SIX protocol=icmpv6
  add action=drop chain=output icmp-options=134:0-255 log=yes out-interface=INTERFACE_SIX protocol=icmpv6

# Protect SIX fabric - IPv4 (maintains fast path):
/ip route rule
  add src-address=206.81.80.0/22 dst-address=206.81.80.0/22 table=main
  add src-address=149.112.96.0/22 dst-address=149.112.96.0/22 table=main
  add dst-address=206.81.80.0/22 action=drop
  add dst-address=149.112.96.0/22 action=drop

# Protect SIX fabric - IPv4 (breaks fast path):
/ip firewall address-list
  add address=206.81.80.0/22 list=SIX comment="SIX IPv4"
  add address=149.112.96.0/22 list=SIX comment="SIX IPv4"
/ip firewall filter
  add action=drop chain=forward comment="Drop FORWARD to IX (peering subnets)" dst-address-list=SIX

# Protect SIX fabric - IPv6 (breaks fast path):
/ipv6 firewall address-list
  add address=2001:504:16::/48 list=SIX comment="SIX IPv6"
/ipv6 firewall filter
  add action=drop chain=forward comment="Drop FORWARD to IX (peering subnets)" dst-address-list=SIX

NOTE: If using check-gateway function, you must use ping and not ARP to avoid broadcasts.

NOTE: If another IPv6 participant tries to establish a BGP session with an unconfigured
router, the unconfigured router will send a multicast ND packet more frequently than
allowed on the SIX fabric. To fix this, either turn up the IPv6 session or ask the other
participant to stop trying to establish a session with the unconfigured router. Scott Reed
of Global Net has contributed the following sophisticated way of handling this:

---
# The following code shows how to build a BGP_PEERS address-list and then build firewall
# filter rules to allow BGP sessions to establish only from IP’s on the list and drop the
# rest. Usually RouterOS people will have a drop all rule at the end of the input chain,
# but for the sake of an example I will just explicitly define a drop rule for the
# remaining BGP traffic.

# IPv4
# Build a BGP_PEERS address-list
/ip firewall address-list
  add list=BGP_PEERS address=206.81.80.2
  add list=BGP_PEERS address=206.81.80.3
#
# Add a filter rule to allow BGP with IP's listed in the address-list
# Add a second filter rule to drop remaining BGP
/ip firewall filter
  add action=accept chain=input port=179 protocol=tcp src-address-list=BGP_PEERS comment="Allow BGP from BGP_Peers"
  add action=drop chain=input port=179 protocol=tcp comment="Drop BGP"

# IPv6
# Build a BGP_PEERS address-list
/ipv6 firewall address-list
  add list=BGP_PEERS address=2001:504:16::2
  add list=BGP_PEERS address=2001:504:16::3
#
# Add a filter rule to allow BGP with IP's listed in the address-list
# Add a second filter rule to drop remaining BGP
/ipv6 firewall filter
  add action=accept chain=input port=179 protocol=tcp src-address-list=BGP_PEERS comment="Allow BGP from BGP_Peers"
  add action=drop chain=input port=179 protocol=tcp comment="Drop BGP"

# The following code shows how to populate the BGP_PEERS address-list by using the
# remote address of enabled BGP peers.

# IPv4
:foreach x in=[/routing bgp peer find where disabled=no address-families=ip] do={
    :local praip [/routing bgp peer get $x remote-address]
    :if ( [:len [/ip firewall address-list find where list=BGP_PEERS address=$praip]] = 0 ) do={
        /ip firewall address-list add list=BGP_PEERS address=$praip
         :put "$praip added to list BGP_PEERS"
        } else={
            :put "$praip already exists in list BGP_PEERS"
            }
    }
 
# IPv6
:foreach x in=[/routing bgp peer find where disabled=no address-families=ipv6] do={
    :local praipv6 ([/routing bgp peer get $x remote-address] . "/128")
     :toip6 $praipv6
    :if ( [:len [/ipv6 firewall address-list find where list=BGP_PEERS address=$praipv6]] = 0 ) do={
        /ipv6 firewall address-list add list=BGP_PEERS address=$praipv6
         :put "$praipv6 added to list BGP_PEERS"
        } else={
            :put "$praipv6 already exists in list BGP_PEERS"
            }
    }
---

Nokia (Alcatel-Lucent):

Egress ACLs for SIX-facing interface:

    default-action forward
    description "SIX-PEERING Interface" 
    entry 10 create
        description "Allow only router IP through"
        match 
            src-ip 206.81.[ROUTER IP]/32
        exit 
        action
            forward
        exit
    exit 
    entry 20 create
        description "Allow only router IP through - Jumbo VLAN"
        match 
            src-ip 149.112.[ROUTER IP]/32
        exit 
        action
            forward
        exit
    exit 
    entry 30 create
        description "SIX fabric subnet"
        match 
            dst-ip 206.81.80.0/22
        exit 
        action
            drop
        exit
    exit 
    entry 40 create
        description "SIX fabric subnet - Jumbo VLAN"
        match 
            dst-ip 149.112.96.0/22
        exit 
        action
            drop
        exit
    exit 
    
    default-action forward
    description "SIX-PEERING Interface" 
    entry 10 create
        description "Allow only router IPv6 through" 
        match 
            src-ip 2001:504:16::[ROUTER IP]/128
        exit 
        action
            forward
        exit
    exit 
    entry 20 create
        description "Allow only router IPv6 through" 
        match 
            src-ip fe80::/10
        exit 
        action
            forward
        exit
    exit 
    entry 30 create
        description "SIX fabric v6 subnet" 
        match 
            dst-ip 2001:504:16::/48
        exit 
        action
            drop
        exit
    exit

OpenBSD:

# /etc/sysctl.conf
net.inet.ip.arptimeout=14400

# /etc/ospfd.conf
no redistribute 206.81.80.0/22
no redistribute 149.112.96.0/22

# /etc/ospf6d.conf
no redistribute 2001:504:16::/48

# /etc/pf.conf
block out quick log on $SIX_IF from ! ($SIX_IF) to {206.81.80.0/22, 149.112.96.0/22, 2001:504:16::/48}

Use [route(8) sourceaddr][1] to override source address selection behavior,
for both IPv4 and IPv6, to avoid issues caused by a SIX peering IP being
chosen, since SIX peering IPs are not able to get replies from beyond the
peering fabric, and will trigger ACL violations if trying to send packets
beyond the peering fabric. Consider an iBGP interface if available.
Example: "route sourceaddr -ifp int-if"
[1]: https://man.openbsd.org/route.8#sourceaddr

Redback:

NOTE: As of 8/14/2018, SEOS-12.1.1.12p13 has an apparent bug with fe80:: to routable addresses not being handled properly, resulting in broadcasts which violate SIX rules. Thus Redback routers which exhibit this should not be used for IPv6 peering at the SIX.
context local
    int IFNAME
        ip arp timeout 14400

Ubiquiti:

sysctl.conf or interface startup script:

  echo "net.ipv4.neigh.IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  "reboot" or "sysctl -p"

set service ubnt-discover disable

set service unms lldp disable

set service lldp interface IFNAME disable

-----------------------------------------------------------------------

SNAT Example:

EdgeRouter devices are based on Debian and follow Linux source interface 
determination logic. This may cause your device to attempt to use its SIX
address for on-device processes, which will not work as SIX addresses are
not reachable on the Internet and will fill up SIX's ACL logs. You can
work around this with SNAT. Apply SNAT rules to all of your egress
interfaces, including DIA, to avoid asymmetric route problems, using
operational mode:

# Enter op mode
configure

# Rules for SIX interface, duplicate as needed for MTU 9000 VLAN (149.112.96.0) and DIA interfaces
set service nat rule 5000 description 'Exclude SIX-SIX traffic from SNAT'
set service nat rule 5000 destination address 206.81.80.0/22
set service nat rule 5000 exclude
set service nat rule 5000 log disable
set service nat rule 5000 outbound-interface [your SIX interface]
set service nat rule 5000 outside-address address [a routable IP address]
set service nat rule 5000 protocol all
set service nat rule 5000 source address [your SIX IP address]
set service nat rule 5000 type source
set service nat rule 5001 description 'SIX address to SNAT'
set service nat rule 5001 destination address 0.0.0.0/0
set service nat rule 5001 log disable
set service nat rule 5001 outbound-interface [your SIX interface]
set service nat rule 5001 outside-address address [a routable IP address]
set service nat rule 5001 protocol all
set service nat rule 5001 source address [your SIX interface]
set service nat rule 5001 type source

# Example for DIA
set service nat rule 5002 description 'DIA exclude'
set service nat rule 5002 destination address [DIA BGP peer address or subnet]
set service nat rule 5002 exclude
set service nat rule 5002 log disable
set service nat rule 5002 outbound-interface [your DIA interface]
set service nat rule 5002 outside-address address [a routable IP address]
set service nat rule 5002 protocol all
set service nat rule 5002 source address [your DIA BGP address]
set service nat rule 5002 type source
set service nat rule 5003 description 'DIA address to SNAT'
set service nat rule 5003 destination
set service nat rule 5003 log disable
set service nat rule 5003 outbound-interface [your DIA interface]
set service nat rule 5003 outside-address address [a routable IP address]
set service nat rule 5003 protocol all
set service nat rule 5003 source address [your DIA BGP address]
set service nat rule 5003 type source

EdgeRouter does not support IPv6 SNAT rule configuration in op mode so you 
will need to change to the regular shell. (Save them as a startup script
in /config/scripts/post-config.d/ so they will be retained and run on
reboot). As with IPv4, repeat for DIA interfaces.

# First, remove the IP6NAT bypass
ip6tables -t raw -D OUTPUT -j NOTRACK
ip6tables -t raw -D PREROUTING -j NOTRACK

# Then, add the rules
ip6tables -t nat -A POSTROUTING -s 2001:504:16::/48 -d 2001:504:16::/48 -o [your SIX interface] -m comment --comment v6-SIX-SNAT-exclude -j RETURN
ip6tables -t nat -A POSTROUTING -s 2001:504:16::/48 -o [your SIX interface] -m comment --comment v6-SIX-SNAT -j SNAT --to-source [a routable IP address]

-----------------------------------------------------------------------

Comments/corrections/suggestions/additions to webmaster_a_t_seattleix.net please.