Membership requirements, policies, switch setup

How to Join DSIX

A single page covering everything a new member needs: admission requirements, filtering and port-security policies, L2/VLAN rules, prohibited protocols, vendor-specific switch configurations and what happens if your port breaks house rules. Read it once, paste the vendor config, raise a ticket, peer.

Apply for membership Read requirements first
Before You Apply

Membership Requirements

DSIX follows industry-standard peering exchange requirements. Review the checklist below before requesting a peering port.

Mandatory Requirements

  • Valid public ASN
    Registered with RIPE NCC, ARIN, APNIC, LACNIC, or AFRINIC.
  • At least one routable prefix
    Minimum /24 for IPv4 or /48 for IPv6, properly allocated by your RIR or sponsor.
  • Up-to-date PeeringDB profile
    Many members now require peers to have a valid PeeringDB entry. Keep yours current.
  • Complete RIPE DB objects
    aut-num, route/route6, and maintainer objects must be in place. Route servers filter based on IRR data.
  • Valid abuse contact
    A working abuse-c email address registered with your RIR, monitored and responsive.
  • BGP-capable router
    Hardware or software router (Cisco, Juniper, MikroTik, Bird, FRRouting, OpenBGPD, etc.) connected to the exchange.
  • Peer with the Route Collector
    All new members must peer with AS65432 (the DSIX Route Collector) for administrative monitoring.

Recommended Best Practices

  • Open peering policy
    Accept peering with all DSIX members by default. Selective and mandatory policies are allowed but less efficient.
  • Publish RPKI ROAs
    Create Route Origin Authorizations at your RIR. Route servers prefer RPKI-valid announcements over IRR fallback.
  • Maintain an AS-SET macro
    Publish as-set / as-macro with all downstream ASNs you announce. Required for IRR-based filtering.
  • MANRS compliance
    Adopt the MANRS Actions: filter your announcements, prevent IP spoofing, maintain accurate contact info, publish routing data.
  • Dual-stack (IPv4 + IPv6)
    Run BGP sessions on both protocols. Modern internet services benefit significantly from native IPv6.
  • Max-prefix limits
    Configure max-prefix limits per peer to protect against accidental leaks. DSIX route servers enforce sensible defaults per ASN.
  • Peer with AS112
    Recommended to peer with our AS112 service for anycast reverse DNS of RFC 1918 and link-local ranges.

! Port & Layer 2 Rules (Enforced)

Single MAC address per port (auto-disabled if violated)
No link-local protocols: STP, RSTP, MSTP, CDP, LLDP, EDP, FDP, UDLD, keepalive, MOP
No broadcast or multicast storms (rate-limited and monitored)
No IP redirects, proxy ARP, or directed broadcasts on the peering interface
Unique VLAN per DSIX connection, not shared with other networks
No announcement of the DSIX peering LAN prefix (185.0.0.0/24, 2001:7f8:133::/64)

Requirements align with MANRS, RIPE, and Euro-IX best practices. New members go through a quarantine process verifying Layer 2 compliance before being activated in the production peering fabric.

Policies & Security

DSIX enforces strict routing and Layer 2 security policies to protect the exchange fabric.

Filtering Policy

  1. 1 Drop small prefixes, longer than /24 (IPv4) and /48 (IPv6)
  2. 2 Drop all well-known martians and bogon prefixes
  3. 3 Ensure AS path length is between 1 and 64 ASNs
  4. 4 Verify peer AS matches first AS in the AS path
  5. 5 Drop prefixes where next-hop IP doesn't match peer IP (prevents hijacking)
  6. 6 Drop prefixes with transit network ASNs in the path
  7. 7 Verify origin AS is in the client's registered IRRDB AS-SET
  8. 8 RPKI Valid → Accept the prefix
  9. 9 RPKI Invalid → Drop the prefix
  10. 10 RPKI Unknown → Fall back to standard IRRDB prefix filtering

RFC1997 well-known communities (NO_EXPORT) are passed through.

Port Security

Broadcast Traffic Storm Control

Strict limits on broadcast traffic per port. While low-level Layer 2 broadcasts (ARP) are normal, excessive broadcast traffic indicates misconfigurations, failing hardware, or firmware issues. Broadcast frames propagate across the flat peering LAN and can disrupt all members. Frames exceeding the threshold are dropped automatically.

Multicast Traffic Storm Control

Multicast traffic is limited per port. Small amounts (IPv6 neighbor discovery) are expected, but excessive multicast on non-multicast ports indicates configuration issues. Frames exceeding the allowed rate are dropped.

Single MAC Address per Port

All traffic on a DSIX port must originate from a single MAC address registered in static Layer 2 ACLs. Frames from unregistered MACs are dropped. Planned maintenance changing MAC addresses must be communicated to DSIX operations in advance.

Multiple MACs usually indicate: misconfigured routers forwarding link-local traffic, Layer 2 loops between DSIX ports, leaked frames from external networks, or faulty hardware.

Continuous Monitoring: DSIX monitors all peering LANs for broadcast traffic in real-time. Unauthorized or excessive traffic triggers immediate follow-up with the source member.

Switch Connectivity Guidelines

Official DSIX guidelines for connecting Layer 2 equipment. Improper configuration can cause automatic port shutdowns or degraded connectivity for all members.

General Policy

Members may connect their DSIX port to a Layer 2 switch and forward peering traffic to a router elsewhere in their network. However, the switch must ensure only traffic from the authorized router subinterface reaches the DSIX port.

Warning: If more than one MAC address is detected on a port, DSIX automated protection will immediately disable the port for a cooling-off period. Your network will be temporarily disconnected.

VLAN and Traffic Isolation

Each DSIX connection must operate on a unique VLAN. VLANs must not be shared between:

  • Multiple DSIX ports belonging to the same member
  • DSIX ports and any other non-DSIX networks

Prohibited Link-Local & Discovery Traffic

Members must disable all link-local and discovery protocols on DSIX-facing interfaces:

STP / RSTP / MSTP CDP LLDP EDP / FDP UDLD Keepalive MOP

MAC Address Policy Enforcement

If multiple MAC addresses are observed on a DSIX port:

  • Port automatically disabled for minimum 5 minutes
  • Significant packet loss or instability until resolved

Recommended Vendor Configurations

! Cisco IOS/IOS-XE - DSIX-facing switch interface
interface GigabitEthernetx/x
  spanning-tree bpdufilter enable
  no keepalive
  no cdp enable
  udld port disable
  no lldp transmit
  no lldp receive

! For older hardware without bpdufilter:
! spanning-tree bpduguard enable

Best Practices

  • Assign a dedicated VLAN per DSIX connection
  • Disable all Layer 2 control, discovery, and maintenance protocols
  • Use proper LACP or link redundancy, avoid creating Layer 2 loops
  • Monitor port statistics and MAC address tables regularly
  • Maintain out-of-band management for faster recovery
New Connection Quarantine: All new DSIX ports go through a quarantine process verifying: no discovery protocols (CDP, LLDP), keepalive/MOP disabled, no spanning tree BPDUs, correct 802.1q tagging. Your port will be activated once it passes all checks.

Frequently Asked Questions

What members ask before and after setting up their session.

Who can become a DSIX member?
Any organisation that operates a registered ASN, has its own IPv4 and/or IPv6 address space, and runs a BGP-capable router reachable at our Bucharest colocation. That includes ISPs, hosting providers, content networks, corporate AS operators and research networks. Sole individuals without an ASN are not eligible.
Do I need to be physically present at the DSIX datacenter?
You can either colocate a router in our Bucharest facility or cross-connect from a neighbouring datacenter. Remote peering (over a transit provider's L2VPN) is supported if that provider has a presence on the DSIX fabric and can extend a VLAN to us. Ask us for the list of carriers that already do this.
Is DSIX membership free?
Port and membership fees depend on the port speed (1G or 10G) and on whether you own the cross-connect. A 1G port for a small member is usually free; a 10G port on dedicated optics incurs a monthly fee. The route servers, AS112, route collector and looking glasses are all included at no extra cost for every member.
How long does on-boarding take from signed contract to first BGP session?
Typical cases complete in 3 to 5 business days: 1-2 days for contract + port provisioning, 1 day for your team to apply the switch config and announce your first prefix, then 1-2 days for the DSIX team to validate your announcements and promote you from quarantine. See the quarantine section below for what gets checked.
What is the quarantine stage?
Every new port spends a short supervised window on a quarantine VLAN where our NOC watches your BGP announcements, validates that your prefixes match your IRR as-set, checks for rogue broadcast/multicast or prohibited L2 protocols, and confirms ARP/ND behaviour is clean. Once everything looks correct, the port is moved to the production LAN and RS+RC sessions come up.
Do I need my own PeeringDB record before joining?
Strongly recommended. The RS inbound filters bootstrap from your PeeringDB record (for max-prefix limits and for confirming your IRR as-set). You can join before updating PeeringDB, but your session will stay filtered until your PeeringDB + IRR are consistent with what you announce.
What prefixes will the route servers actually accept from me?
Everything your IRR as-set registers, subject to RPKI being Valid or NotFound (Invalid is dropped), subject to max-prefix limits from PeeringDB, and subject to bogon + private-ASN rejection. If you want to announce a new prefix, register it under your IRR as-set and publish a ROA; the RS will pick it up on the next refresh cycle (typically within minutes).
Can I announce a default route or aggregate to DSIX?
No. The DSIX peering policy explicitly forbids default (0.0.0.0/0 or ::/0) and customer-facing aggregates. Members must announce their own origin prefixes or downstream customer prefixes under proper AS_PATH and IRR documentation.
What L2 protocols are prohibited on my port?
Spanning Tree (STP/RSTP/MSTP), CDP/LLDP/FDP advertisements outbound, VRRP/HSRP/CARP keepalives, DHCP server, IPv6 router advertisements, DTP, VTP. These either leak our fabric onto your network or confuse other members. See the Switch Connectivity section on this page for the full list and example denies.
What happens if my port sends prohibited traffic?
Port security triggers alarms that are reviewed by the NOC within one business day. First incident: email notice asking you to fix it. Repeat or high-impact incident: the port is moved back to quarantine pending correction. Severe cases (e.g. rogue DHCP affecting multiple members) result in immediate shutdown with a post-mortem required before reinstatement.
Do I need to announce MAC addresses or pin them?
Each member port has a MAC policy that limits learned MAC addresses to what you declared on your membership form. Typically 1 MAC (your router) per port. If you run an anycast or redundant setup behind the port you declare multiple MACs up-front; unexpected MACs are flagged by the port-security system.
Can I bring my own fiber?
Yes, provided it terminates in the DSIX cage or an allowed neighbouring rack with our approval. We support LC/SC connectors and single-mode/multi-mode fibres depending on the optic; bring your own optics or rent ours for the port speed you signed up for.
What router vendors are supported?
All of them. We publish example configs for Cisco IOS, Juniper Junos, Arista EOS, MikroTik RouterOS v6 and v7, BIRD, FRR, and VyOS on this page. If your platform speaks standard BGP and supports RFC 7947 route-server semantics, it works. Vendor-specific quirks (e.g. Cisco "neighbor transparent") are documented.
What is the DSIX SLA on port availability?
Ports target 99.9% annual availability excluding scheduled maintenance windows (Tue 02:00-06:00 EET). Failures are handled 24/7 by the DSIX NOC. See the full SLA page for credits and incident response timelines.
How do I leave DSIX?
Send written notice to noc@dreamserver.ro with the planned disconnect date. Standard notice is 30 days; we wind down BGP sessions, deactivate your RC/RS configs, purge your prefixes from filter sets, and physically disconnect the port. No exit fees.

Trusted By & Member Of

We are proud members of leading internet infrastructure organizations.

RIPE NCC MANRS PeeringDB RoTLD DSIX SBIX 4IXP LOCIX Euro-IX RIPE NCC MANRS PeeringDB RoTLD DSIX SBIX 4IXP LOCIX Euro-IX