Type of Traffic

Traffic Rules

All connections on the same LAN belong to the same Ethernet domain. It is mandatory to follow a set of basic rules to ensure correct forwarding for all peers.

All members should contact our NOC (noc@fccn.pt) if any abnormal behaviour is found on the GigaPIX infrastructure.

If an incident evaluation results in a non-compliant state, the GigaPIX team is allowed to move the member to a quarantine VLAN. All of its peering sessions will then be unavailable until the issue is resolved.

Layer 2

The only allowed traffic is Ethernet with an MTU of 1500 bytes or less. The following Ethertypes are permitted:

  • 0x0800 – IPv4
  • 0x0806 – ARP
  • 0x86dd – IPv6

ARP and IPv6 Neighbor Discovery packets are also forwarded. However, proxy ARP must not be used on interfaces connected to GigaPIX.

All local communication protocols must be disabled. Some examples are:

  • IEEE 802 Spanning Tree or equivalent
  • Proprietary Neighbor discovery protocols (e.g. CDP, EDP)
  • BOOTP/DHCP
  • IPv6 Router Advertisement and Router Solicitation
  • IPv4 ICMP redirects and IPv6 redirects
  • All internal routing protocols (e.g. RIP, OSPF, IGRP, EIGRP, ISIS)

We strongly recommend connecting your L3 device directly to the GigaPIX switch. Only one MAC address is allowed per port; frames from additional MAC addresses will be dropped and logged.

All traffic should be unicast. Only a small amount of bandwidth is available for the following exceptions:

  • Broadcast ARPs
  • Multicast Neighbor Discovery IPv6

Layer 3

Only the allocated IPv4 and IPv6 addresses should be configured on L3 interfaces.

GigaPIX prefixes must not be exported to other ASNs. The GigaPIX team will always act if unauthorized transit of its networks is detected. These addresses can only be properly protected if all possible flows are known and filtered.

Traffic sourced from or destined to GigaPIX addresses should be limited to BGP (TCP, port 179) and the minimal ICMP needed for proper operation, management and troubleshooting. These addresses must not be used for NAT, proxies or tunnelling of any kind.

GigaPIX will also ask a peer to apply proper filtering if unauthorised traffic (or permitted but volumetric traffic) destined to another member's IP address is detected within the LAN.

Although proper filters are in place on the GigaPIX Route Servers, a proven prefix hijack will result in an immediate move to the quarantine VLAN.

Application Type

Application traffic is not monitored by any GigaPIX system. However, all members should collaborate to ensure that malicious traffic is promptly detected and stopped within the IXP. We offer a blackholing service on the Route Servers, provided the receiving members have the proper configuration in place.

An ASN may contact the GigaPIX team to have a member suspended if it can prove it is under attack with signatures such as:

  • Amplification attack (NTP, DNS, etc.);
  • Volumetric attack (HTTP, UDP, DNS, etc.);