Connection Information
The following port speeds are available for connectivity into our peering points:
- Auckland: 10Gbit/s (10GBase-LR), 100Gbit/s (100GBase-LR4)
- Wellington: 10Gbit/s (10GBase-LR), 100Gbit/s (100GBase-LR4)
- Christchurch: 10Gbit/s (10GBase-LR)
We offer Link Aggregation (LAG) for gradual capacity increases, with the cost calculated as the number of ports multiplied by the port price.
General Notes
Security
We would appreciate it if you practice good network hygiene on your side to protect both your network and the broader internet community. This includes:
- Creating ROAs (Route Origin Authorisations) for your prefixes.
- Using RPKI to sign your route announcements, ensuring their authenticity and preventing route hijacking.
- Implementing BCP38 broadly across your network to prevent IP address spoofing.
- Enabling uRPF (Unicast Reverse Path Forwarding) on your ports into the IX to prevent spoofed traffic.
Route servers
There are two route servers per exchange. The configuration of our Route Servers is re-deployed daily.
This means changes to peer configuration, AS-Sets and/or RPKI are reflected according to the following deployment schedule (NZ local time):
- Route Server 1 = 1:00 PM
- Route Server 2 = 3:00 PM
We have communities which are universal across all exchanges. These communities allow peers to apply specific policies to their sessions.
Mac Limit
AS-Sets
Members are required to provide an AS-Set that defines the permitted ASNs your peering session is allowed to originate.
If you need assistance with creating an AS-Set, check out APNIC’s AS-Set page or contact us!
RPKI
In combination with AS-Sets for peer policies, we utilize Resource Public Key Infrastructure (RPKI) Route Origin Validation (ROV) to validate ROAs.
Currently, prefixes that are invalid are dropped and unknowns are tagged.
If you need assistance with RPKI, check out APNIC’s RPKI pages or contact us!
Limits
Advertisements
IX-assigned addresses shall not be advertised by its peers to other networks.
No Proxy ARP
Use of Proxy ARP on the router's interface to the IX is strictly prohibited.
No IP Directed Broadcasts
IP Directed Broadcasts are strictly prohibited.
Unicast Only
Frames forwarded shall only be Unicast. Forwarding traffic to a Multicast or Broadcast MAC destination address is prohibited, except for the following:
- Broadcast ARP Packets
- Multicast ICMPv6 Neighbour Discovery packets (Excludes: Router Solicitation or Advertisement).
Allowed Ethertypes
Ethernet types:
- 0x800 – IPv4
- 0x806 – ARP
- 0x86DD – IPv6
Prefix Limits
- IPv4 max length = /24
- IPv6 max length = /48
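As an added example (not NZIX's own tooling), the Python below pre-checks an announcement against the AS-Set, RPKI and Prefix Limits rules described on this page, using RFC 6811 origin validation. The ROAs, ASNs and prefixes are constructed documentation values; the flat AS-Set, the order of the checks and the outcome labels are assumptions.

```python
import ipaddress

MAX_LEN = {4: 24, 6: 48}  # prefix limits stated on this page

# Constructed sample data: documentation prefixes and ASNs, not real members.
ROAS = [("192.0.2.0/24", 24, 64500),      # (ROA prefix, maxLength, origin AS)
        ("2001:db8::/32", 40, 64500)]
AS_SET = {64500, 64501}                   # assumed: AS-Set already expanded

def rov_state(prefix, origin, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'unknown'."""
    net = ipaddress.ip_network(prefix)
    covering = [(max_len, asn) for roa, max_len, asn in roas
                if ipaddress.ip_network(roa).version == net.version
                and net.subnet_of(ipaddress.ip_network(roa))]
    if not covering:
        return "unknown"                  # no ROA covers the prefix
    if any(asn == origin and net.prefixlen <= max_len
           for max_len, asn in covering):
        return "valid"
    return "invalid"                      # covered, but no ROA matches

def preflight(prefix, origin, as_set=AS_SET, roas=ROAS):
    """Return (outcome, reason) for one announcement; labels are illustrative."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen > MAX_LEN[net.version]:
        return "rejected", "more specific than /%d" % MAX_LEN[net.version]
    if origin not in as_set:
        return "rejected", "origin AS%d not in AS-Set" % origin
    state = rov_state(prefix, origin, roas)
    if state == "invalid":
        return "dropped", "RPKI invalid"  # page: invalids are dropped
    if state == "unknown":
        return "accepted-tagged", "RPKI unknown"  # page: unknowns are tagged
    return "accepted", "RPKI valid"

if __name__ == "__main__":
    for pfx, asn in [("192.0.2.0/24", 64500), ("192.0.2.0/25", 64500),
                     ("2001:db8:1::/48", 64500), ("203.0.113.0/24", 64501),
                     ("192.0.2.0/24", 64501)]:
        print(pfx, "AS%d" % asn, *preflight(pfx, asn))
```

The third sample shows a case that is easy to miss: a /48 within the IPv6 prefix limit is still RPKI invalid when the covering ROA's maxLength is shorter than the announced prefix.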
Port Rate limits
We ingress rate limit Broadcast, Unknown Unicast and Multicast (BUM) traffic to 500 packets per second on all IX ports.
No Link Local Traffic
Link-local traffic shall not be forwarded to the Peering VLAN(s). Link-local protocols include but are not limited to:
- ICMP redirects
- IEEE 802 Spanning Tree
- BOOTP/DHCP
- ICMPv6 Router Advertisements
- UDLD
- BFD
- PIM
- Interior routing protocol broadcasts
  - OSPF/ISIS/IGRP/EIGRP etc.
- L2 Keepalives
- Vendor proprietary protocols:
  - Discovery protocols: CDP, EDP, FDP
  - VLAN/trunking protocols: VTP, DTP
The following link-local protocols are exceptions and are allowed:
- ARP
- ICMPv6 Neighbour Discovery
Policy Control
Policy control is achieved by the use of BGP Communities. Peers must tag their routes using the following, in order to control policy via the route server. The default behaviour is to advertise all prefixes to peers (63830:63830). Please ensure use of the following model:
Community String | Action |
---|---|
0:PEER_AS | Do not advertise to specified peer |
63830:PEER_AS | Advertise to specified peer |
0:63830 | Do not advertise to any peer |
63830:63830 | Advertise to all peers (Default) |
1:PEER_AS | Prepend once to specified peer |
2:PEER_AS | Prepend twice to specified peer |
3:PEER_AS | Do not advertise to specified peer |
For Extended Communities, prepend “rt:” to the community of choice, for example:
- rt:0:PEER_AS – Do not advertise to specified peer
For Large Communities, prepend “63830:” to the community of choice, for example:
- 63830:0:PEER_AS – Do not advertise to specified peer
3rd Party Communities
3rd Party Communities are provided by Members across NZIX for serving content. If you wish to opt-in to any available services, please tag your prefixes with the below BGP community string:
CHC-IX
Community String | Content | Supplied by | Purpose |
---|---|---|---|
63830:40027 | Netflix | Vocus Group New Zealand (AS9790) | Opt-in content cache for Netflix |