Q: How do I contact the SIX for non-urgent issues?
A: Email info_a_t_seattleix.net.
Q: How do I contact SIX Network Operations?
A: For service-affecting problems, please email noc_a_t_seattleix.net. For non-urgent issues please email info_a_t_seattleix.net.
Q: What mailing lists are available for participants?
A: The mailing lists available are:
List name | How to subscribe | Purpose |
---|---|---|
announce | announce-subscribe@seattleix.net | Moderated announcements list for people who aren't on the members list but need to hear about important SIX related matters (maintenance, meetings, etc.) from the SIX admins. All messages to this list are automatically sent to the members list too, so no need to subscribe to both. Member to member communication should be done using the members list or your own private list of peers. |
chat | chat-subscribe@seattleix.net | Optional list for participants to freely discuss Seattle Internet issues. Examples of acceptable discussion include: offers/requests for surplus equipment, sharing of tips/tricks, building gossip, etc. |
members | members-subscribe@seattleix.net | Intended to be low volume so that all technical contacts remain subscribed. Notices of maintenance work, SIX organization discussion and upcoming meetings are appropriate for this list. |
multicast | multicast-subscribe@seattleix.net | For discussion of multicast over the SIX. |
Q: How do I unsubscribe from the SIX mailing lists?
A: Replace "-subscribe" with "-unsubscribe" in the above table.
Q: Location?
A: The physical location (no postal mail!) is Westin Office Building, 2001 6th Avenue, Seattle. NPA-NXX is 206-443. The mailing address is Seattle Internet Exchange, 1700 7th Ave Ste 116 #400, Seattle, WA 98101-1323.
Q: MAC Address Changes?
A: If you are going to perform maintenance that results in a possible MAC address change for packets sent from your router, please coordinate with info@seattleix.net in advance, or you risk being cut off. We can allow multiple specific MAC addresses temporarily, to enable transition.
In an emergency, if you are cut off, feel free to force your router to use the MAC address that was previously working for you.
Q: Where do I go for an address allocation or to change the reverse DNS for an existing address allocation?
A: To change your existing address allocation, email info_a_t_seattleix.net. For new participants, once your connection is up and tested, we will request the following:
Organization Name:
Organization URL (or Peering Policy page if available):
ASN:
Reverse DNS FQDN (ex. six.example.net):
Router MAC Address:
Tech Name:
Tech Email:
Tech Phone:
NOC Phone:
NOC Email:
Peering Email:
Questions:
- IPv6?:
- If connecting via an extension, what is your connection speed?:
- May we announce your connection speed?:
- Do you understand and agree to the SIX rules (https://www.seattleix.net/rules)?:
- Do you understand and agree to set your v4/v6 neighbor cache timeouts to at least 4 hours, or as close to that as able in the case of vendor limitations? (short timeouts may result in quarantine):
- Do you understand and agree to not propagate the SIX subnet routes beyond your SIX router and/or protect the SIX subnets with an ACL?:
- Do you have permission to use the above ASN issued by a Regional Internet Registry?:
- Do you understand and agree to only announce address space which you are authorized to announce?:
Q: What connection types and speeds are available?
A: You can connect via single-mode fiber. Available speeds are GigE, 10GbE, 40GbE, 100GbE, 400GbE and port-channel multiples. LACP is supported. Please see https://www.seattleix.net/join for more information.
Q: What is the fee for connecting to the SIX?
A: Please see https://www.seattleix.net/join for fees.
The building management or your colocation provider may charge you for the cost of labor and materials for running a circuit to the SIX, and may charge you a recurring fee.
Q: What are the rules?
A: Please check out https://www.seattleix.net/rules.
Q: What size MTU is supported?
A: The SIX provides both 1500 byte and 9000 byte VLANs. Write to info_a_t_seattleix.net to trunk your circuit to gain access to the 9000 byte VLAN.
Q: Does the SIX maintain a looking glass?
A: Yes, for each route server. Also, Packet Clearing House does at https://www.pch.net/tools/looking_glass/ .
Q: What is the organizational structure of the SIX?
A: The Seattle Internet Exchange is a Washington State nonprofit corporation. Our articles of incorporation, bylaws, and minutes of official meetings are available on our documents page. The SIX is an IRS 501(c)(6) income tax exempt organization.
Q: Who is on the SIX board and who are the officers?
A: Check out the Who's Who.
Q: How may an organization contribute to the SIX?
A: Funds may be contributed to the SIX via PayPal (paypal_a_t_seattleix.net) or via check to Seattle Internet Exchange, 1700 7th Ave Ste 116 #400, Seattle, WA 98101-1323. For credit cards, PayPal can be used. If you would like to contribute hardware, either to be used by the SIX or sold with the proceeds going to the SIX, please email info_a_t_seattleix.net to discuss options. Donors are recognized on the contributors page. Contributions are not deductible as charitable contributions for federal income tax purposes. They may be deductible as trade or business expenses if ordinary and necessary in the conduct of the taxpayer's business. The SIX is a 501(c)(6) income tax exempt organization.
Q: SIX logo?
A: Illustrator (.ai), 223x153 PNG, 223x153x5 PNG, 4096x2662 PNG, 446x306 JPEG
Q: Neighbor discovery ACL tips?
A: Participant ACLs must not violate neighbor discovery norms, since doing so will result in excess flooded packets on the community fabric and burden for SIX administrators. For IPv4 this means that a participant's router must be configured to receive and respond to ARP packets from all SIX participants, even those that are not direct peers. For IPv6, this means that participant routers must receive and respond to ICMPv6 neighbor solicitation packets from both fe80::/10 and all SIX participant addresses, including those that are not direct peers, directed toward fe80::/10, ff02::1:ff00:0/104, and the participant's unicast SIX assignments.
Pseudo-ACL example, in loose form:
Ingress ACLs:
  permit arp
  permit icmpv6 neighbor-advertisement
  permit icmpv6 neighbor-solicitation
Egress ACLs:
  permit arp
  permit icmpv6 neighbor-advertisement
  permit icmpv6 neighbor-solicitation
Pseudo-ACL example, in strict form:
Ingress ACLs:
  permit arp 206.81.80.0/22 206.81.8#.###
  permit arp 149.112.96.0/22 149.112.9#.###
  permit icmpv6 2001:504:16::/63 2001:504:16::### neighbor-advertisement
  permit icmpv6 2001:504:16::/63 2001:504:16::### neighbor-solicitation
  permit icmpv6 2001:504:16::/63 fe80::/10 neighbor-advertisement
  permit icmpv6 2001:504:16::/63 fe80::/10 neighbor-solicitation
  permit icmpv6 2001:504:16::/63 ff02::1:ff00:0/104 neighbor-solicitation
  permit icmpv6 fe80::/10 fe80::/10 neighbor-advertisement
  permit icmpv6 fe80::/10 fe80::/10 neighbor-solicitation
  permit icmpv6 fe80::/10 ff02::1:ff00:0/104 neighbor-solicitation
Egress ACLs:
  permit arp 206.81.8#.### 206.81.80.0/22
  permit arp 149.112.9#.### 149.112.96.0/22
  permit icmpv6 2001:504:16::### any neighbor-advertisement
  permit icmpv6 2001:504:16::### any neighbor-solicitation
  permit icmpv6 fe80::/10 any neighbor-advertisement
  permit icmpv6 fe80::/10 any neighbor-solicitation
Q: Any other tips on configuring my router?
A: The Amsterdam IX (AMS-IX) publishes a helpful configuration guide for exchange point participants on its website; a variety of hardware is covered. We request a 4-hour ARP and neighbor timeout. Tips below for: Arista, Brocade, Cisco ASA, Cisco IOS, Cisco IOS XR or XE, Cumulus, FreeBSD, Force 10, Juniper, Linux, Mikrotik, Nokia (Alcatel-Lucent), OpenBSD, Redback, Ubiquiti.
Note: The below examples reference a /22 for the IPv4 address space, rather than the current /23. That is intentional. /22 includes both the MTU 1500 and MTU 9000 VLANs. Further, the MTU 1500 /23 may grow to /22 some day if needed, so it is best for your filters to use /22.
Arista:
Globally:
  no ip multicast-routing
Egress ACLs for SIX-facing interface: (adjust for SIX assignments)
  interface IFNAME
     ip access-group protect_six_subnet_v4_log out
     ipv6 access-group protect_six_subnet_v6_log out
  ip access-list protect_six_subnet_v4_log
     10 permit ip 206.81.8X.YZ/32 206.81.80.0/22
     20 permit ip 149.112.9X.YZ/32 149.112.96.0/22   # If on Jumbo VLAN
     30 deny ip any 206.81.80.0/22 log
     40 deny ip any 149.112.96.0/22 log              # If on Jumbo VLAN
     50 permit ip any any
  ipv6 access-list protect_six_subnet_v6_log
     10 permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48
     20 permit ipv6 fe80::/10 2001:504:16::/48
     30 deny ipv6 any 2001:504:16::/48 log
     40 permit ipv6 any any
SIX-facing interface:
  interface IFNAME
     ipv6 nd ra disabled all
     no ip pim
     no lldp transmit
     no lldp receive
Gratuitous ARP event handler, since Arista doesn't GARP on link up:
  event-handler ixup_SIX
     trigger on-intf EthernetXx/Y operstatus
     action bash arping -bUI etXx_Y -c 3 206.81.8X.YZ
     action bash arping -bUI etXx_Y -c 3 149.112.9X.YZ   # If on Jumbo VLAN
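Worked example (added here; it is not SIX code or any vendor's): a small Python evaluator for the two filter patterns on this page, the strict-form neighbor discovery ingress ACL from the ACL tips and the protect-SIX egress ACL in the Arista form above. It parses the loose syntax used on this page, evaluates packets first-match with an implicit deny, and checks an ND ACL against the norm that every participant, peer or not, must be able to resolve your router. The router addresses (.250, ::fa), the participant addresses (.2, .3, ::2, ::3), the link-local fe80::1 and the sample packets are constructed for the example, not real assignments.

```python
# Added example, not SIX or vendor code: a first-match evaluator for the two filter patterns on
# this page (the strict-form ND ingress ACL and the protect-SIX egress ACL in Arista form).
# The .250 / ::fa router addresses are hypothetical participant assignments, not real ones.
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ROUTER_V4, ROUTER_V4_JUMBO, ROUTER_V6 = "206.81.80.250", "149.112.96.250", "2001:504:16::fa"
SIX_NETS = [ip_network(n) for n in ("206.81.80.0/22", "149.112.96.0/22", "2001:504:16::/48")]
# Packet kinds each rule keyword covers: an "ip" entry never matches IPv6 and vice versa.
PROTO_COVERS = {"ip": {"ipv4"}, "ipv6": {"ipv6", "icmpv6"}, "arp": {"arp"}, "icmpv6": {"icmpv6"}}
# Rule: action permit|deny; proto ip|ipv6|arp|icmpv6; src/dst prefix or host (None = any);
# icmp6_type neighbor-solicitation|neighbor-advertisement; log. Packet: proto ipv4|ipv6|arp|icmpv6.
Rule = namedtuple("Rule", "action proto src dst icmp6_type log", defaults=(None, False))
Packet = namedtuple("Packet", "proto src dst icmp6_type", defaults=(None,))

def parse_acl(text: str) -> List[Rule]:
    """Parse the page's loose syntax: [seq] permit|deny PROTO SRC DST [nd-type] [log]."""
    rules = []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()        # drop "# If on Jumbo VLAN" annotations
        if tok and tok[0].isdigit():
            tok = tok[1:]                           # sequence number
        if not tok:
            continue
        action, proto, src, dst, *rest = tok
        rules.append(Rule(action, proto, None if src == "any" else src, None if dst == "any" else dst,
                          next((t for t in rest if t.startswith("neighbor-")), None), "log" in rest))
    return rules

def in_spec(spec: Optional[str], addr: str) -> bool:
    return spec is None or ip_address(addr) in ip_network(spec, strict=False)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """First match wins; no match is an implicit deny, as on real vendor ACLs."""
    for r in rules:
        if (pkt.proto in PROTO_COVERS[r.proto] and (not r.icmp6_type or r.icmp6_type == pkt.icmp6_type)
                and in_spec(r.src, pkt.src) and in_spec(r.dst, pkt.dst)):
            return r.action, r
    return "deny", None

def solicited_node(addr: str) -> str:
    """ff02::1:ff00:0/104 plus the low 24 bits of the unicast address (RFC 4291)."""
    return str(ip_address(int(ip_address("ff02::1:ff00:0")) | (int(ip_address(addr)) & 0xFFFFFF)))

def nd_norm_violations(rules, router_v4, router_v6, participants_v4, participants_v6) -> List[Packet]:
    """Probes every participant, peer or not, must get through: ARP for the router's IPv4 address,
    NS from each participant's SIX address to the router's unicast and solicited-node addresses,
    and NS from a link-local source (fe80::1, constructed) to the solicited-node address."""
    sn = solicited_node(router_v6)
    probes = [Packet("arp", p, router_v4) for p in participants_v4]
    probes += [Packet("icmpv6", p, t, "neighbor-solicitation") for p in participants_v6 for t in (router_v6, sn)]
    probes.append(Packet("icmpv6", "fe80::1", sn, "neighbor-solicitation"))
    return [p for p in probes if evaluate(rules, p)[0] != "permit"]

def sources_six_address_off_fabric(pkt: Packet) -> bool:
    """What the egress ACL cannot catch: the router's own SIX address as source toward a destination
    beyond the fabric (the source-selection problem the OpenBSD and Ubiquiti notes work around)."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    return any(src in n for n in SIX_NETS) and not any(dst in n for n in SIX_NETS)

# The page's strict-form ND ingress ACL with the assumed addresses filled in.
STRICT_ND_INGRESS = parse_acl(f"""
permit arp 206.81.80.0/22 {ROUTER_V4}
permit arp 149.112.96.0/22 {ROUTER_V4_JUMBO}
permit icmpv6 2001:504:16::/63 {ROUTER_V6} neighbor-advertisement
permit icmpv6 2001:504:16::/63 {ROUTER_V6} neighbor-solicitation
permit icmpv6 2001:504:16::/63 fe80::/10 neighbor-advertisement
permit icmpv6 2001:504:16::/63 fe80::/10 neighbor-solicitation
permit icmpv6 2001:504:16::/63 ff02::1:ff00:0/104 neighbor-solicitation
permit icmpv6 fe80::/10 fe80::/10 neighbor-advertisement
permit icmpv6 fe80::/10 fe80::/10 neighbor-solicitation
permit icmpv6 fe80::/10 ff02::1:ff00:0/104 neighbor-solicitation
""")
# A tempting but non-compliant variant: only the direct BGP peer (.2 / ::2) may resolve the router.
PEERS_ONLY_ND_INGRESS = parse_acl(f"""
permit arp 206.81.80.2 {ROUTER_V4}
permit icmpv6 2001:504:16::2 {ROUTER_V6} neighbor-solicitation
permit icmpv6 2001:504:16::2 ff02::1:ff00:0/104 neighbor-solicitation
""")
# The protect-SIX egress ACL as shown for Arista above.
PROTECT_SIX_EGRESS = parse_acl(f"""
10 permit ip {ROUTER_V4}/32 206.81.80.0/22
20 permit ip {ROUTER_V4_JUMBO}/32 149.112.96.0/22   # If on Jumbo VLAN
30 deny ip any 206.81.80.0/22 log
40 deny ip any 149.112.96.0/22 log                  # If on Jumbo VLAN
50 permit ip any any
10 permit ipv6 {ROUTER_V6}/128 2001:504:16::/48
20 permit ipv6 fe80::/10 2001:504:16::/48
30 deny ipv6 any 2001:504:16::/48 log
40 permit ipv6 any any
""")

if __name__ == "__main__":
    v4, v6 = ["206.81.80.2", "206.81.80.3"], ["2001:504:16::2", "2001:504:16::3"]
    print("peers-only ACL blocks:", nd_norm_violations(PEERS_ONLY_ND_INGRESS, ROUTER_V4, ROUTER_V6, v4, v6))
    for pkt in (Packet("ipv4", "198.51.100.7", "206.81.80.2"), Packet("ipv4", ROUTER_V4, "192.0.2.5")):
        print(pkt, evaluate(PROTECT_SIX_EGRESS, pkt)[0], "SIX-sourced off-fabric:", sources_six_address_off_fabric(pkt))
```

Run it as is, or hand parse_acl() your own ACL text. The strict ACL passes all seven resolution probes; the peers-only ACL blocks four of them (ARP and NS from the non-peer, and NS from a link-local source), which is exactly the kind of filter that produces the flooded packets the ACL tips warn about. On the egress side, transit traffic toward the fabric hits the logged deny while the router's own BGP traffic passes; the last packet shows the case the egress ACL passes by design, a packet sourced from your SIX address toward the Internet, which only correct source address selection (see the OpenBSD and Ubiquiti notes) prevents.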
Brocade:
Globally:
  mac-age-time 14400
SIX-facing interface:
  ip arp-age 240
  ipv6 nd reachable-time 3600
  ipv6 nd suppress-ra
  no fdp enable
  no cdp enable
ACL: (trunk example, adjust as appropriate for access interface and SIX assignments)
  ip access-list extended filter-traffic-to-six-lan
   sequence 10 permit ip 206.81.8X.YZ 0.0.0.0 206.81.80.0 0.0.3.255
   sequence 20 permit ip 149.112.9X.YZ 0.0.0.0 149.112.96.0 0.0.3.255   # If on Jumbo VLAN
   sequence 30 deny ip any 206.81.80.0 0.0.3.255 option ignore
   sequence 40 deny ip any 149.112.96.0 0.0.3.255 option ignore         # If on Jumbo VLAN
   sequence 50 permit ip any any
  ipv6 access-list ipv6-filter-traffic-to-six-lan
   permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48 sequence 10
   permit ipv6 fe80::/10 2001:504:16::/48 sequence 20
   deny ipv6 any 2001:504:16::/48 sequence 30
   permit ipv6 any any sequence 40
  interface ve 2
   ip access-group filter-traffic-to-six-lan out
   ipv6 traffic-filter ipv6-filter-traffic-to-six-lan out
  interface ve 3
   ip access-group filter-traffic-to-six-lan out
   ipv6 traffic-filter ipv6-filter-traffic-to-six-lan out
Cisco ASA:
Since it is a firewall, and traffic might return on a different interface, it is important to put the SIX interface in the same zone as your other internet connection(s) to avoid dropping legitimate traffic. This was tested on a Cisco ASA firewall running Version 9.18(4)22.
Globally:
  sysopt noproxyarp [nameif of SIX interface]
SIX-facing interface:
  ipv6 nd suppress-ra
Cisco IOS:
Globally:
  no ip gratuitous-arps
  no ipv6 source-route
  no ip device tracking   [for intermediate switches: to prevent ARP "tell 0.0.0.0 who-has" messages]
SIX-facing interface:
  no cdp enable
  no lldp receive
  no lldp transmit
  no mop enable
  udld port disable
  no ip directed-broadcast
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  no keepalive
  ipv6 nd suppress-ra   [if 'ipv6 nd ra suppress' does not work]
  ipv6 nd ra suppress   [if 'ipv6 nd suppress-ra' does not work]
  no ipv6 mfib forwarding
  no ipv6 mld router
  no ipv6 pim
  no ipv6 redirects
  arp timeout 14400   (or: ip arp timeout 14400)
  ipv6 nd cache expire 14400
  ipv6 nd reachable-time 14400000
  ip device tracking maximum 0   [for intermediate switches: to prevent ARP "tell 0.0.0.0 who-has" messages]
Egress ACLs for SIX-facing interface: (adjust for SIX assignments)
  interface IFNAME
   ip access-group protect_six_subnet_v4_log out
   ipv6 access-group protect_six_subnet_v6_log out
  ip access-list protect_six_subnet_v4_log
   10 permit ip 206.81.8X.YZ/32 206.81.80.0/22
   20 permit ip 149.112.9X.YZ/32 149.112.96.0/22   # If on Jumbo VLAN
   30 deny ip any 206.81.80.0/22 log
   40 deny ip any 149.112.96.0/22 log              # If on Jumbo VLAN
   50 permit ip any any
  ipv6 access-list protect_six_subnet_v6_log
   10 permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48
   20 permit ipv6 fe80::/10 2001:504:16::/48
   30 deny ipv6 any 2001:504:16::/48 log
   40 permit ipv6 any any
Cisco IOS XR or XE:
Globally:
  ip name-server vrf Mgmt-intf NAMESERVER_IP_ADDRESS
  ip domain lookup source-interface NOT_SIX_INTERFACE
SIX-facing interface: (adjust for SIX assignments)
  interface IFNAME
   ipv4 address 206.81.[ROUTER IP] 255.255.254.0
   ipv4 address 149.112.[ROUTER IP] 255.255.252.0   # If on Jumbo VLAN
   arp timeout 14400
   ipv6 nd suppress-ra
   ipv6 nd reachable-time 14400000   [or 3600000 if max-constrained]
   ipv6 address 2001:504:16::[ROUTER IP]/64
   lldp transmit disable
   !
   negotiation auto
   ipv4 access-group IPV4-SEATTLE-SIX-OUT egress
   ipv6 access-group IPV6-SEATTLE-SIX-OUT egress
  !
  ! Adjust as appropriate, since the SIX IP assignment may not be used to originate remote packets:
  call-home source-interface MgmtEth0/RSP0/CPU0/0
  domain lookup source-interface lo0
  http client source-interface ipv4 MgmtEth0/RSP0/CPU0/0
  ftp client vrf MANAGEMENT source-interface MgmtEth0/RSP0/CPU0/0
  ntp source Loopback0
  !
  ipv4 access-list IPV4-SEATTLE-SIX-OUT
   10 permit ipv4 206.81.8X.YZ/32 206.81.80.0/22
   20 permit ipv4 149.112.9X.YZ/32 149.112.96.0/22   # If on Jumbo VLAN
   30 deny ipv4 any 206.81.80.0/22 log
   40 deny ipv4 any 149.112.96.0/22 log              # If on Jumbo VLAN
   50 permit ipv4 any any
  !
  ipv6 access-list IPV6-SEATTLE-SIX-OUT
   10 permit ipv6 2001:504:16::XXXX/128 2001:504:16::/48
   20 permit ipv6 fe80::/10 2001:504:16::/48
   30 deny ipv6 any 2001:504:16::/48 log
   40 permit ipv6 any any
Cumulus:
  sudo service lldpd stop
  sudo systemctl disable lldpd
  ! ref: https://docs.cumulusnetworks.com/cumulus-linux/
  ! Assume port 48 is facing the IX
  interface swp48
    alias IX
    bridge-access
    mstpctl-portbpdufilter yes
    mtu 1500
  ! For Broadcom-based systems:
  net del interface swp48 port-security
  ! Disable all STP in and out of a port
  net add interface swp48 stp portbpdufilter
  ! Disable LLDP, CDP
  lldpcli configure system interface pattern *,!eth0,!swp48,swp*
FreeBSD:
sysctl.conf or interface startup script:
  echo "net.link.ether.inet.max_age=14400" >> /etc/sysctl.conf
  sysctl -f /etc/sysctl.conf
Force 10:
  interface IFNAME
   arp timeout 240
Juniper: (start with ARP timeout changes and apply MAC timeout changes if needed)
  [edit system arp]
      aging-timer 240;
  or
  [edit system arp interfaces IFNAME]
      aging-timer 240;
  [edit protocols l2-learning]
      global-mac-table-aging-time 14400;
  or
  [edit ethernet-switching-options]
      mac-table-aging-time 14400;
  or
  [edit vlans]
      mac-table-aging-time 14400;
Integrated Routing and Bridging (IRB) interface, Junos 15.1R6 and later:
  set bridge-domains XXX bridge-options mac-table-aging-time 14400
Alternatively:
  set routing-instances XXX protocols vpls mac-table-aging-time 14400
  [edit protocols lldp interface IFNAME]
      disable;
Various (example IX interface is xe-1/0/0.0):
  set protocols igmp interface xe-1/0/0.0 disable
  set protocols pim interface xe-1/0/0.0 disable
  set protocols rstp interface xe-1/0/0.0 disable
  set protocols rstp interface xe-1/0/0.0 no-root-port
  set protocols lldp interface xe-1/0/0.0 disable
  set protocols lldp-med interface xe-1/0/0.0 disable
  set protocols igmp-snooping vlan all disable
  # prevent fe80:: routing:
  set forwarding-options family inet6 source-checking
Egress ACLs for SIX-facing interface: (adjust for SIX assignments)
  firewall {
      family inet {
          filter PROTECT-SIX-v4 {
              term SIX_ALLOW {
                  from {
                      source-address { 206.81.8X.YZ/32; }
                      destination-address { 206.81.80.0/22; }
                  }
                  then accept;
              }
              term SIX_ALLOW_JUMBO {
                  from {
                      source-address { 149.112.9X.YZ/32; }
                      destination-address { 149.112.96.0/22; }
                  }
                  then accept;
              }
              term SIX_DENY {
                  from { destination-address { 206.81.80.0/22; } }
                  then discard;
              }
              term SIX_DENY_JUMBO {
                  from { destination-address { 149.112.96.0/22; } }
                  then discard;
              }
              term DEFAULT_ALLOW {
                  then accept;
              }
          }
      }
      family inet6 {
          filter PROTECT-SIX-v6 {
              term SIX_ALLOW {
                  from {
                      source-address { 2001:504:16::XXXX/128; }
                      destination-address { 2001:504:16::/48; }
                  }
                  then accept;
              }
              term SIX_DENY {
                  from { destination-address { 2001:504:16::/48; } }
                  then discard;
              }
              term DEFAULT_ALLOW {
                  then accept;
              }
          }
      }
  }
Linux:
sysctl.conf or modify as appropriate for interface startup script:
  # Make interfaces ARP correctly for a multi-interface machine.
  echo "net.ipv4.conf.all.arp_filter = 1" >> /etc/sysctl.conf
  echo "net.ipv4.conf.all.arp_announce = 1" >> /etc/sysctl.conf
  sysctl -p
  # Various:
  echo "net.ipv6.conf.SIX_IFNAME.autoconf = 0" >> /etc/sysctl.conf
  echo "net.ipv6.conf.SIX_IFNAME.router_solicitations = 0" >> /etc/sysctl.conf   [0 = never send Router Solicitations]
  echo "net.ipv4.neigh.SIX_IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.SIX_IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  # If using VLANs 2 & 3 (sysctl writes the "." of a VLAN interface name as "/"):
  echo "net.ipv4.neigh.SIX_IFNAME/2.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv4.neigh.SIX_IFNAME/3.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.SIX_IFNAME/2.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.SIX_IFNAME/3.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  # Linux IPv6 routing table max size default of 4096 is way too low for modern tables:
  echo "net.ipv6.route.max_size=262144" >> /etc/sysctl.conf
  sysctl -p
  ip link set multicast off dev SIX_IFNAME
RHEL/CentOS and the like: /etc/sysconfig/network-scripts/ifcfg-eno1 (for example)
  NAME=eno1     # adjust as appropriate
  DEVICE=eno1   # adjust as appropriate
  TYPE=Ethernet
  PROXY_METHOD=none
  BROWSER_ONLY=no
  BOOTPROTO=none
  DEFROUTE=no
  IPV4_FAILURE_FATAL=no
  IPV6INIT=yes
  IPV6_AUTOCONF=no
  IPV6_DEFROUTE=no
  IPV6_FAILURE_FATAL=no
  ONBOOT=yes
  MTU=1500      # or 9000 for jumbo VLAN
  ARPCHECK=no
If using NetworkManager (restart it after changes): /etc/NetworkManager/NetworkManager.conf
  [connection]
  ipv4.dad-timeout = 0
iptables:
IPv4:
  # SIX subnets should only be reachable by this router, so anything to be forwarded should be dropped:
  -A FORWARD -d 206.81.80.0/22 -o SIX_IFNAME -j DROP
  -A FORWARD -d 149.112.96.0/22 -o SIX_IFNAME -j DROP
IPv6:
  # SIX subnets should only be reachable by this router, so anything to be forwarded should be dropped:
  -A FORWARD -d 2001:504:16::/48 -o SIX_IFNAME -j DROP
Proxmox:
  # If your router is a VM hosted by Proxmox, you need to make sure your host configures the following
  # as appropriate for your VM, and ensures it remains set after any reboots.
  #
  # Without this, your router may fail to receive the ICMPv6 multicast packets necessary for IPv6 Neighbor
  # Discovery to function properly. Failure to receive these packets will increase multicast traffic for
  # the whole fabric and thus is a rule violation.
  echo 0 > /sys/devices/virtual/net/vmbr0/bridge/multicast_snooping
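Worked example (added here; not SIX code or a Linux project tool): a Python audit of the Linux settings above. It reads the sysctl values back from /proc/sys (or from any directory laid out like it, for a dry run) and reports anything missing or below spec: the 4-hour neighbor reachable time on the interface and its VLAN sub-interfaces, no SLAAC, no Router Solicitations, and the ARP filter/announce settings. The interface name eth1, the VLAN ids 2 and 3, and the /proc/sys snapshot are constructed for the example; on a real router call audit("/proc/sys", "<SIX_IFNAME>", vlans=(2, 3)).

```python
# Added example, not SIX or Linux project code: audit a Linux router for the neighbor-cache and
# ND sysctls listed above. It reads /proc/sys (or any directory laid out like it, for a dry run)
# and reports what is missing or off-spec. Interface "eth1", VLAN ids 2 and 3 and the snapshot
# below are constructed for the example.
import tempfile
from pathlib import Path
from typing import Callable, Dict, Tuple

FOUR_HOURS_MS = 4 * 3600 * 1000

def sysctl_key_to_path(key: str, root: str = "/proc/sys") -> Path:
    """sysctl(8) key -> /proc/sys file. sysctl treats the first "." or "/" it sees as the separator
    and the other character as literal, which is why the page writes VLAN sub-interfaces as
    SIX_IFNAME/2: net.ipv4.neigh.eth1/2.x maps to /proc/sys/net/ipv4/neigh/eth1.2/x."""
    first = next((c for c in key if c in "./"), ".")
    if first == ".":
        key = key.translate(str.maketrans("./", "/."))
    return Path(root) / key

def required_sysctls(ifname: str, vlans: Tuple[int, ...] = ()) -> Dict[str, Tuple[Callable[[str], bool], str]]:
    """key -> (check, expectation), following the Linux section above."""
    req = {}
    for i in [ifname] + [f"{ifname}/{v}" for v in vlans]:
        for fam in ("ipv4", "ipv6"):
            req[f"net.{fam}.neigh.{i}.base_reachable_time_ms"] = (lambda v: int(v) >= FOUR_HOURS_MS, f">= {FOUR_HOURS_MS} (4 hours)")
    req[f"net.ipv6.conf.{ifname}.autoconf"] = (lambda v: int(v) == 0, "0 (no SLAAC on the peering LAN)")
    # 0 = never send Router Solicitations (a negative value means solicit indefinitely on current kernels)
    req[f"net.ipv6.conf.{ifname}.router_solicitations"] = (lambda v: int(v) == 0, "0 (no RS)")
    req["net.ipv4.conf.all.arp_filter"] = (lambda v: int(v) == 1, "1")
    req["net.ipv4.conf.all.arp_announce"] = (lambda v: int(v) == 1, "1")
    return req

def audit(root: str, ifname: str, vlans: Tuple[int, ...] = ()) -> Dict[str, str]:
    """Return {sysctl key: problem} for every required setting that is absent or off-spec."""
    problems = {}
    for key, (check, want) in required_sysctls(ifname, vlans).items():
        path = sysctl_key_to_path(key, root)
        try:
            value = path.read_text().strip()
        except OSError:
            problems[key] = f"missing ({path} not present)"
            continue
        if not check(value):
            problems[key] = f"is {value}, want {want}"
    return problems

# Constructed /proc/sys snapshot: the IPv6 timer on eth1 was never raised and the jumbo VLAN
# sub-interface eth1.3 does not exist (its files are absent).
SAMPLE_PROCSYS = {
    "net/ipv4/neigh/eth1/base_reachable_time_ms": "14400000",
    "net/ipv6/neigh/eth1/base_reachable_time_ms": "30000",      # kernel default, far too short
    "net/ipv4/neigh/eth1.2/base_reachable_time_ms": "14400000",
    "net/ipv6/neigh/eth1.2/base_reachable_time_ms": "14400000",
    "net/ipv6/conf/eth1/autoconf": "0",
    "net/ipv6/conf/eth1/router_solicitations": "0",
    "net/ipv4/conf/all/arp_filter": "1",
    "net/ipv4/conf/all/arp_announce": "1",
}

def audit_sample() -> Dict[str, str]:
    """Dry run against the constructed snapshot; on a real router call audit("/proc/sys", ...)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, value in SAMPLE_PROCSYS.items():
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(value + "\n")
        return audit(root, "eth1", vlans=(2, 3))

if __name__ == "__main__":
    for key, problem in sorted(audit_sample().items()):
        print(f"{key}: {problem}")
```

The dry run flags three things: the IPv6 reachable time still at the 30 second kernel default, and both timers for eth1.3, whose files do not exist because the sub-interface was never created. Two caveats when reading the numbers: base_reachable_time_ms is a base value, and per RFC 4861 the kernel picks the actual REACHABLE time uniformly between 0.5 and 1.5 times it, so 14400000 gives a floor of about two hours per entry; and a VLAN sub-interface gets its own neigh directory, so setting the timer on the parent alone (the SIX_IFNAME lines without /2 and /3) leaves the VLANs at the default, which is why the page lists them separately.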
Mikrotik:
Must be running RouterOS 6.35+ to avoid misplaced ARPs. Turn off fast-path to avoid misplaced packets. Don't send redirects.
All:
  /ip settings set allow-fast-path=no arp-timeout=4h send-redirects=no
  /tool romon port add forbid=yes interface=IFNAME
Pre-6.41, disable neighbor discovery:
  /ip neighbor discovery set IFNAME discover=no
6.41+, disable neighbor discovery:
  /interface list add name=SIXLIST
  /interface list member add interface=SIX_IFNAME list=SIXLIST
  /ip neighbor discovery-settings set discover-interface-list=!SIXLIST
Various:
  /ipv6 settings set accept-redirects=no
  /ipv6 address add address=2001:504:16::XXXX advertise=no interface=SIX_IFNAME
  /tool mac-server ping set enabled=no
  /tool mac-server set [find interface=all] disabled=yes
  /tool mac-server mac-winbox set [find interface=all] disabled=yes
  # Prevent IPv6 Router Solicitations & Router Advertisements
  #
  # Either disable Network Discovery on the SIX interface or use something like the following if that
  # does not work:
  /ipv6 firewall filter
  add action=drop chain=output icmp-options=133:0-255 log=yes out-interface=INTERFACE_SIX protocol=icmpv6
  add action=drop chain=output icmp-options=134:0-255 log=yes out-interface=INTERFACE_SIX protocol=icmpv6
  # Protect SIX fabric - IPv4 (maintains fast path):
  /ip route rule
  add src-address=206.81.80.0/22 dst-address=206.81.80.0/22 table=main
  add src-address=149.112.96.0/22 dst-address=149.112.96.0/22 table=main
  add dst-address=206.81.80.0/22 action=drop
  add dst-address=149.112.96.0/22 action=drop
  # Protect SIX fabric - IPv4 (breaks fast path):
  /ip firewall address-list
  add address=206.81.80.0/22 list=SIX comment="SIX IPv4"
  add address=149.112.96.0/22 list=SIX comment="SIX IPv4"
  /ip firewall filter
  add action=drop chain=forward comment="Drop FORWARD to IX (peering subnets)" dst-address-list=SIX
  # Protect SIX fabric - IPv6 (breaks fast path):
  /ipv6 firewall address-list
  add address=2001:504:16::/48 list=SIX comment="SIX IPv6"
  /ipv6 firewall filter
  add action=drop chain=forward comment="Drop FORWARD to IX (peering subnets)" dst-address-list=SIX
NOTE: If using the check-gateway function, you must use ping and not ARP to avoid broadcasts.
NOTE: If another IPv6 participant tries to establish a BGP session with an unconfigured router, the unconfigured router will send multicast ND packets more frequently than allowed on the SIX fabric. To fix this, either turn up the IPv6 session or ask the other participant to stop trying to establish a session with the unconfigured router.
Scott Reed of Global Net has contributed the following sophisticated way of handling this:
---
# The following code shows how to build a BGP_PEERS address-list and then build firewall
# filter rules to allow BGP sessions to establish only from IP's on the list and drop the
# rest. Usually RouterOS people will have a drop all rule at the end of the input chain,
# but for the sake of an example I will just explicitly define a drop rule for the
# remaining BGP traffic.
# IPv4
# Build a BGP_PEERS address-list
/ip firewall address-list
add list=BGP_PEERS address=206.81.80.2
add list=BGP_PEERS address=206.81.80.3
#
# Add a filter rule to allow BGP with IP's listed in the address-list
# Add a second filter rule to drop remaining BGP
/ip firewall filter
add action=accept chain=input port=179 protocol=tcp src-address-list=BGP_PEERS comment="Allow BGP from BGP_Peers"
add action=drop chain=input port=179 protocol=tcp comment="Drop BGP"
# IPv6
# Build a BGP_PEERS address-list
/ipv6 firewall address-list
add list=BGP_PEERS address=2001:504:16::2
add list=BGP_PEERS address=2001:504:16::3
#
# Add a filter rule to allow BGP with IP's listed in the address-list
# Add a second filter rule to drop remaining BGP
/ipv6 firewall filter
add action=accept chain=input port=179 protocol=tcp src-address-list=BGP_PEERS comment="Allow BGP from BGP_Peers"
add action=drop chain=input port=179 protocol=tcp comment="Drop BGP"
# The following code shows how to populate the BGP_PEERS address-list by using the
# remote address of enabled BGP peers.
# IPv4
:foreach x in=[/routing bgp peer find where disabled=no address-families=ip] do={
  :local praip [/routing bgp peer get $x remote-address]
  :if ( [:len [/ip firewall address-list find where list=BGP_PEERS address=$praip]] = 0 ) do={
    /ip firewall address-list add list=BGP_PEERS address=$praip
    :put "$praip added to list BGP_PEERS"
  } else={
    :put "$praip already exists in list BGP_PEERS"
  }
}
# IPv6
:foreach x in=[/routing bgp peer find where disabled=no address-families=ipv6] do={
  :local praipv6 ([/routing bgp peer get $x remote-address] . "/128")
  :toip6 $praipv6
  :if ( [:len [/ipv6 firewall address-list find where list=BGP_PEERS address=$praipv6]] = 0 ) do={
    /ipv6 firewall address-list add list=BGP_PEERS address=$praipv6
    :put "$praipv6 added to list BGP_PEERS"
  } else={
    :put "$praipv6 already exists in list BGP_PEERS"
  }
}
---
Nokia (Alcatel-Lucent):
Egress ACLs for SIX-facing interface:
IPv4 filter:
  default-action forward
  description "SIX-PEERING Interface"
  entry 10 create
      description "Allow only router IP through"
      match
          src-ip 206.81.[ROUTER IP]/32
      exit
      action forward
      exit
  exit
  entry 20 create
      description "Allow only router IP through - Jumbo VLAN"
      match
          src-ip 149.112.[ROUTER IP]/32
      exit
      action forward
      exit
  exit
  entry 30 create
      description "SIX fabric subnet"
      match
          dst-ip 206.81.80.0/22
      exit
      action drop
      exit
  exit
  entry 40 create
      description "SIX fabric subnet - Jumbo VLAN"
      match
          dst-ip 149.112.96.0/22
      exit
      action drop
      exit
  exit
IPv6 filter:
  default-action forward
  description "SIX-PEERING Interface"
  entry 10 create
      description "Allow only router IPv6 through"
      match
          src-ip 2001:504:16::[ROUTER IP]/128
      exit
      action forward
      exit
  exit
  entry 20 create
      description "Allow router link-local through"
      match
          src-ip fe80::/10
      exit
      action forward
      exit
  exit
  entry 30 create
      description "SIX fabric v6 subnet"
      match
          dst-ip 2001:504:16::/48
      exit
      action drop
      exit
  exit
OpenBSD:
  # /etc/sysctl.conf
  net.inet.ip.arptimeout=14400
  # /etc/ospfd.conf
  no redistribute 206.81.80.0/22
  no redistribute 149.112.96.0/22
  # /etc/ospf6d.conf
  no redistribute 2001:504:16::/48
  # /etc/pf.conf
  block out quick log on $SIX_IF from ! ($SIX_IF) to { 206.81.80.0/22, 149.112.96.0/22, 2001:504:16::/48 }
Use route(8) sourceaddr (https://man.openbsd.org/route.8#sourceaddr) to override source address selection, for both IPv4 and IPv6, so that a SIX peering IP is not chosen: SIX peering IPs cannot get replies from beyond the peering fabric, and packets sent beyond the fabric from them trigger ACL violations. Consider an iBGP interface if available. Example:
  route sourceaddr -ifp int-if
Redback:
NOTE: As of 8/14/2018, SEOS-12.1.1.12p13 has an apparent bug with fe80:: to routable addresses not being handled properly, resulting in broadcasts which violate SIX rules. Thus Redback routers which exhibit this should not be used for IPv6 peering at the SIX.
  context local
   int IFNAME
    ip arp timeout 14400
Ubiquiti:
sysctl.conf or interface startup script:
  echo "net.ipv4.neigh.IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  echo "net.ipv6.neigh.IFNAME.base_reachable_time_ms=14400000" >> /etc/sysctl.conf
  "reboot" or "sysctl -p"
  set service ubnt-discover disable
  set service unms lldp disable
  set service lldp interface IFNAME disable
-----------------------------------------------------------------------
SNAT Example:
EdgeRouter devices are based on Debian and follow the Linux source address selection logic. This may cause your device to use its SIX address for on-device processes, which will not work, as SIX addresses are not reachable on the Internet, and will fill up the SIX's ACL logs. You can work around this with SNAT. Apply SNAT rules to all of your egress interfaces, including DIA, to avoid asymmetric route problems:
  # From operational mode, enter configuration mode
  configure
  # Rules for the SIX interface; duplicate as needed for the MTU 9000 VLAN (149.112.96.0/22) and DIA interfaces
  set service nat rule 5000 description 'Exclude SIX-SIX traffic from SNAT'
  set service nat rule 5000 destination address 206.81.80.0/22
  set service nat rule 5000 exclude
  set service nat rule 5000 log disable
  set service nat rule 5000 outbound-interface [your SIX interface]
  set service nat rule 5000 outside-address address [a routable IP address]
  set service nat rule 5000 protocol all
  set service nat rule 5000 source address [your SIX IP address]
  set service nat rule 5000 type source
  set service nat rule 5001 description 'SIX address to SNAT'
  set service nat rule 5001 destination address 0.0.0.0/0
  set service nat rule 5001 log disable
  set service nat rule 5001 outbound-interface [your SIX interface]
  set service nat rule 5001 outside-address address [a routable IP address]
  set service nat rule 5001 protocol all
  set service nat rule 5001 source address [your SIX IP address]
  set service nat rule 5001 type source
  # Example for DIA
  set service nat rule 5002 description 'DIA exclude'
  set service nat rule 5002 destination address [DIA BGP peer address or subnet]
  set service nat rule 5002 exclude
  set service nat rule 5002 log disable
  set service nat rule 5002 outbound-interface [your DIA interface]
  set service nat rule 5002 outside-address address [a routable IP address]
  set service nat rule 5002 protocol all
  set service nat rule 5002 source address [your DIA BGP address]
  set service nat rule 5002 type source
  set service nat rule 5003 description 'DIA address to SNAT'
  set service nat rule 5003 destination address 0.0.0.0/0
  set service nat rule 5003 log disable
  set service nat rule 5003 outbound-interface [your DIA interface]
  set service nat rule 5003 outside-address address [a routable IP address]
  set service nat rule 5003 protocol all
  set service nat rule 5003 source address [your DIA BGP address]
  set service nat rule 5003 type source
EdgeRouter does not support IPv6 SNAT rule configuration from the EdgeOS CLI, so you will need to drop to the regular shell. (Save the commands as a startup script in /config/scripts/post-config.d/ so they are retained and run on reboot.) As with IPv4, repeat for DIA interfaces.
  # First, remove the IP6NAT bypass
  ip6tables -t raw -D OUTPUT -j NOTRACK
  ip6tables -t raw -D PREROUTING -j NOTRACK
  # Then, add the rules
  ip6tables -t nat -A POSTROUTING -s 2001:504:16::/48 -d 2001:504:16::/48 -o [your SIX interface] -m comment --comment v6-SIX-SNAT-exclude -j RETURN
  ip6tables -t nat -A POSTROUTING -s 2001:504:16::/48 -o [your SIX interface] -m comment --comment v6-SIX-SNAT -j SNAT --to-source [a routable IP address]
-----------------------------------------------------------------------
Comments/corrections/suggestions/additions to webmaster_a_t_seattleix.net please.