Connecting a Device to the MasterDC Hosting Network
Last Update 10/11/2021
This description applies to the default port settings unless other settings, higher MAC address counts, or the use of a spanning tree is agreed upon.
Physical Layer L1
The connected device must have its Ethernet port set to auto-negotiate speed (baud rate) and duplex mode. Forcing a fixed (“hard”) speed and duplex setting on one side leads to a duplex mismatch and transmission errors on 100 Mbps and 1000 Mbps ports.
Line Layer L2
Allowed Ethernet Frame Types
On the port facing the customer’s device, we only accept Ethernet frames with the following EtherTypes:
- 0x0800 – IPv4
- 0x0806 – ARP
- 0x86dd – IPv6
In the case of a connection via a dot1q trunk, additionally: 0x8100 – dot1q.
Furthermore, the corresponding EtherType that is transported in dot1q must be of an allowed type. Frames with a different EtherType may be discarded.
Maximum Number of MAC Addresses per Port
Static port security is configured on the ports, with the maximum number of MAC addresses calculated from the formula number_of_assigned_IPs + 30.
Using only Ethernet Unicast Frames
A connected device may only send Ethernet frames with a unicast destination MAC address; the exceptions are broadcast ARP and (multicast) ICMPv6.
Disabled L2 and Link-Local Protocols
- ICMP Redirects
- IEEE 802 Spanning Tree
- Proprietary protocols
- Discovery Protocols: CDP, EDP
- VLAN/Trunking Protocols: VTP, DTP
- IGP (e.g., OSPF, ISIS, IGRP, EIGRP)
- FHRP – VRRP, HSRP, GLBP
- ICMPv6 ND-RA
- L2 Keepalives
BPDU Guard is configured on the ports: sending Spanning Tree BPDUs towards the MasterDC switch is not permitted, and doing so leads to the port being shut down. Both hardware switches and software bridges, such as the bridge device in the Linux OS, generate these frames. Therefore, before connecting, Spanning Tree must be disabled on the device, or its BPDUs filtered out on the hardware switch.
Storm control is configured on the ports. If the rate of incoming frames with a multicast or broadcast destination MAC exceeds 100 PPS, the port will automatically shut down for thirty seconds. After thirty seconds, the port reactivates, and if the limit is exceeded again, the port shuts down again.
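To make the Line Layer rules above concrete, here is an added example (not MasterDC’s own code) that models the documented port policy as a frame checker: allowed EtherTypes, dot1q tags accepted only on a trunk, unicast-only destinations except broadcast ARP and ICMPv6, the port-security limit of number_of_assigned_IPs + 30 MAC addresses with a restrict action, and 100 PPS broadcast/multicast storm control with a 30-second shutdown. The MAC addresses and frame bytes are constructed for the demo, and the ordering of the checks (storm control counting every group-addressed frame before the unicast rule is applied) is an assumption of this model, not a statement about the switch firmware.

```python
"""Check Ethernet frames against the MasterDC port rules described above.

Added example, not MasterDC's own code. It models the documented rules:
allowed EtherTypes, dot1q only on a trunk, unicast-only destinations except
broadcast ARP and ICMPv6, port-security limit of assigned_IPs + 30 MACs
(violation restrict), and 100 pps broadcast/multicast storm control with a
30 s shutdown. All MAC addresses and frame bytes below are constructed."""
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

ALLOWED_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
ETHERTYPE_DOT1Q = 0x8100
BROADCAST = b"\xff" * 6
STORM_LIMIT_PPS = 100
STORM_SHUTDOWN_SECONDS = 30


def make_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes = b"",
               vlan: Optional[int] = None) -> bytes:
    """Build an Ethernet II frame, optionally carrying one dot1q tag."""
    if vlan is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", ETHERTYPE_DOT1Q, vlan, ethertype) + payload


def parse_frame(frame: bytes):
    """Return (dst, src, ethertype, payload, vlan); vlan is None when untagged."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    payload, vlan = frame[14:], None
    if ethertype == ETHERTYPE_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated dot1q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        payload, vlan = frame[18:], tci & 0x0FFF
    return dst, src, ethertype, payload, vlan


def is_icmpv6(ethertype: int, payload: bytes) -> bool:
    """Byte 6 of the IPv6 header is Next Header; 58 means ICMPv6 (NS/NA/RS)."""
    return ethertype == 0x86DD and len(payload) >= 40 and payload[6] == 58


@dataclass
class PortState:
    assigned_ips: int                 # feeds the MAC limit: assigned_IPs + 30
    trunk: bool = False               # dot1q tags are accepted only on a trunk
    seen_macs: Set[bytes] = field(default_factory=set)
    storm_count: Dict[int, int] = field(default_factory=dict)  # second -> frames
    shutdown_until: Optional[float] = None

    @property
    def mac_limit(self) -> int:
        return self.assigned_ips + 30


def check_frame(port: PortState, frame: bytes, t: float) -> str:
    """Classify one ingress frame at time t (seconds) as 'forward', 'drop:...'
    or 'shutdown:...', updating the port state as a switch would."""
    if port.shutdown_until is not None:
        if t < port.shutdown_until:
            return "drop:port shut down"
        port.shutdown_until = None          # 30 s recovery has elapsed
    dst, src, ethertype, payload, vlan = parse_frame(frame)
    if vlan is not None and not port.trunk:
        return "drop:dot1q tag on access port"
    if ethertype not in ALLOWED_ETHERTYPES:
        return "drop:ethertype 0x%04x not allowed" % ethertype
    port.seen_macs.add(src)
    if len(port.seen_macs) > port.mac_limit:   # restrict: drop, port stays up
        port.seen_macs.discard(src)
        return "drop:port-security MAC limit %d exceeded" % port.mac_limit
    if dst[0] & 1:                              # group bit: broadcast or multicast
        sec = int(t)                            # model assumption: count first
        port.storm_count[sec] = port.storm_count.get(sec, 0) + 1
        if port.storm_count[sec] > STORM_LIMIT_PPS:
            port.shutdown_until = t + STORM_SHUTDOWN_SECONDS
            port.storm_count.clear()
            return "shutdown:storm control"
        if not ((ethertype == 0x0806 and dst == BROADCAST) or is_icmpv6(ethertype, payload)):
            return "drop:non-unicast destination"
    return "forward"


def demo() -> Dict[str, str]:
    """Run a constructed traffic mix through one access port with 2 assigned IPs."""
    port = PortState(assigned_ips=2)
    host, gw = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    ipv4, arp = b"\x45" + b"\x00" * 19, b"\x00" * 28      # header stubs only
    out = {}
    out["ipv4_unicast"] = check_frame(port, make_frame(gw, host, 0x0800, ipv4), 0.0)
    out["arp_broadcast"] = check_frame(port, make_frame(BROADCAST, host, 0x0806, arp), 0.1)
    out["lldp"] = check_frame(port, make_frame(bytes.fromhex("0180c200000e"), host, 0x88CC), 0.2)
    out["ipv4_broadcast"] = check_frame(port, make_frame(BROADCAST, host, 0x0800, ipv4), 0.3)
    out["tagged"] = check_frame(port, make_frame(gw, host, 0x0800, ipv4, vlan=10), 0.4)
    for i in range(101):                      # 101 ARP broadcasts inside one second
        out["storm"] = check_frame(port, make_frame(BROADCAST, host, 0x0806, arp), 1.0 + i / 1000)
    out["during_shutdown"] = check_frame(port, make_frame(gw, host, 0x0800, ipv4), 5.0)
    out["after_recovery"] = check_frame(port, make_frame(gw, host, 0x0800, ipv4), 40.0)
    return out


def mac_limit_demo() -> int:
    """How many distinct source MACs does a port with 0 assigned IPs forward?"""
    port, forwarded = PortState(assigned_ips=0), 0
    dst, ipv4 = bytes.fromhex("020000000002"), b"\x45" + b"\x00" * 19
    for i in range(40):
        src = b"\x02\x00\x00\x00\x01" + bytes([i])
        if check_frame(port, make_frame(dst, src, 0x0800, ipv4), float(i)) == "forward":
            forwarded += 1
    return forwarded


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-16s %s" % (name, verdict))
    print("MACs forwarded with 0 assigned IPs:", mac_limit_demo())
```

Running the demo shows the LLDP frame rejected on its EtherType, an IPv4 broadcast rejected by the unicast rule while the ARP broadcast passes, a tagged frame rejected on an access port, the 101st broadcast in one second shutting the port, and the same unicast IPv4 frame dropped at 5 s but forwarded again at 40 s; the second demo forwards exactly 30 distinct MACs before port security starts restricting.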
Network Layer L3
IPv4 ARP Cache
Each router in the MasterDC network contains an ARP cache, which can cause a delay when an IP moves between MAC addresses within the same VLAN and the same L3 subnet. Therefore, if you change the MAC of an IP, you must notify the router of the change using gratuitous ARP. In Linux, the send_arp utility from the heartbeat package is used to do this. After the IP is moved to the new server, the new server must run:
send_arp eth0 MOVED_IP auto not_used
Windows operating systems send gratuitous ARP automatically.
The ARP cache timeout is set to 4 hours.
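The following added example (not the page’s code and not the heartbeat send_arp tool) shows what the announcement in the IPv4 ARP Cache section actually is and why it matters: it builds a gratuitous ARP frame (sender IP equal to target IP, broadcast destination), decodes it, and models a router ARP cache with the stated 4-hour timeout so the stale-entry delay with and without the announcement can be observed. All MAC and IP addresses are constructed (192.0.2.0/24 is a documentation range); sending the frame as an ARP reply rather than a request is a choice of this example.

```python
"""Gratuitous ARP and the router ARP-cache delay described above.

Added example, not the page's or the heartbeat package's code. It builds the
gratuitous ARP frame a server should emit after an IP moves to a new MAC,
decodes it, and models a router ARP cache with the stated 4-hour timeout.
All MAC and IP addresses are constructed."""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

ETHERTYPE_ARP = 0x0806
BROADCAST = b"\xff" * 6
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_CACHE_TIMEOUT = 4 * 3600          # seconds, as stated for the MasterDC routers


def build_arp_frame(src_mac: bytes, sender_ip: str, target_ip: str, op: int,
                    target_mac: bytes = b"\x00" * 6, dst_mac: bytes = BROADCAST) -> bytes:
    """Ethernet II frame carrying ARP (HTYPE 1, PTYPE IPv4, HLEN 6, PLEN 4)."""
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + src_mac + ipaddress.IPv4Address(sender_ip).packed
           + target_mac + ipaddress.IPv4Address(target_ip).packed)
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_ARP) + arp


def gratuitous_arp(mac: bytes, ip: str) -> bytes:
    """Gratuitous ARP: sender IP == target IP, broadcast destination, so every
    ARP cache on the segment relearns ip -> mac. Sent here as a reply (example
    choice); a gratuitous request with an all-zero target MAC is also common."""
    return build_arp_frame(mac, ip, ip, ARP_REPLY, target_mac=mac)


def decode_arp(frame: bytes) -> Dict[str, object]:
    """Parse an Ethernet+ARP frame into its fields; rejects non-ARP input."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP format")
    body = frame[22:42]
    return {"op": op,
            "sender_mac": body[0:6], "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
            "target_mac": body[10:16], "target_ip": str(ipaddress.IPv4Address(body[16:20]))}


def is_gratuitous(frame: bytes) -> bool:
    """A frame is gratuitous ARP when it announces its own IP (sender == target)."""
    a = decode_arp(frame)
    return a["sender_ip"] == a["target_ip"]


class RouterArpCache:
    """Minimal model of a router's IPv4 ARP cache: an entry is used until it
    expires or a gratuitous ARP for that IP replaces it."""

    def __init__(self, timeout: float = ARP_CACHE_TIMEOUT):
        self.timeout = timeout
        self.entries: Dict[str, Tuple[bytes, float]] = {}   # ip -> (mac, learned_at)

    def learn(self, ip: str, mac: bytes, now: float) -> None:
        self.entries[ip] = (mac, now)

    def receive(self, frame: bytes, now: float) -> None:
        """Process an ARP frame seen on the segment; only announcements update."""
        a = decode_arp(frame)
        if is_gratuitous(frame):
            self.learn(a["sender_ip"], a["sender_mac"], now)

    def lookup(self, ip: str, now: float) -> Optional[bytes]:
        """MAC the router would use now, or None if unknown/expired (re-ARP)."""
        entry = self.entries.get(ip)
        if entry is None or now - entry[1] >= self.timeout:
            return None
        return entry[0]


def demo() -> Dict[str, object]:
    ip = "192.0.2.10"
    old, new = bytes.fromhex("020000000a01"), bytes.fromhex("020000000b01")
    cache = RouterArpCache()
    cache.learn(ip, old, now=0.0)        # router resolved the IP on the old server
    stale = cache.lookup(ip, now=600.0)  # IP moved, nothing announced: still old MAC
    cache.receive(gratuitous_arp(new, ip), now=601.0)   # new server announces
    fixed = cache.lookup(ip, now=602.0)
    request = build_arp_frame(new, ip, "192.0.2.1", ARP_REQUEST)  # ordinary who-has
    silent = RouterArpCache()
    silent.learn(ip, old, 0.0)           # without an announcement: wait for expiry
    return {"stale_mac": stale, "after_announce": fixed,
            "request_is_gratuitous": is_gratuitous(request),
            "announce_is_gratuitous": is_gratuitous(gratuitous_arp(new, ip)),
            "expired": silent.lookup(ip, now=ARP_CACHE_TIMEOUT)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

The demo makes the failure mode visible: ten minutes after the move the router still resolves the IP to the old server's MAC, the gratuitous ARP from the new server corrects the entry immediately, an ordinary ARP request for the gateway does not, and a router that never hears an announcement only forgets the old MAC once the 4-hour timeout expires.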
IPv6 ND RA
Our routers do not send unsolicited IPv6 ND Router Advertisements (RA). Instead, they respond to Router Solicitations (RS) with a list of the configured prefixes, each carrying the no-autoconfig flag.
With this setting, the device learns the appropriate on-link routes but does not autoconfigure IPv6 addresses from these prefixes. Therefore, the actual IPv6 addresses, as well as the default gateway, must be statically configured on the servers.
Example of Switch Port Configuration
Below is an example of a server port configuration on a Cisco Catalyst switch with IOS.
switchport access vlan XXX
switchport mode access
switchport port-security maximum 30
switchport port-security violation restrict
spanning-tree bpduguard enable
storm-control action shutdown
storm-control broadcast level pps 100
storm-control multicast level pps 100