Worldstream Elastic Network

Uplink

In the Worldstream Elastic Network, servers are connected with dual 25 Gbit/s uplinks. The interfaces can be combined or used individually. Read the next section for more details.

LLDP

LLDP (Link Layer Discovery Protocol) is disabled within the Worldstream network. Our expertise led us to disable LLDP on interfaces facing the Worldstream network. LLDP can send data about the local network device or server, including sensitive data about the device. This data might contain details on firmware versions and possible bugs or backdoors. For this reason, Worldstream has decided to disable LLDP packets on customer-facing interfaces.

Spanning Tree Protocol (STP)

Spanning Tree is not supported within the Worldstream network. All BPDUs received on the Worldstream switch will be dropped and not forwarded. This decision was made to prevent interaction in the STP topology between the Worldstream and customer networks, where topology change notifications might interrupt the forwarding of customer traffic. The customer handles its own STP domain, without the capability to join or send BPDUs within the Worldstream network.

Worldstream has implemented multiple security measures to prevent loops without the use of the Spanning Tree Protocol. For more information, please check the “Loop Prevention” and “Port Channel” sections.

Storm Control

Customer-facing ports are set up with a maximum amount of multicast, unknown unicast, and broadcast traffic. This security measure is configured in case of an ongoing loop. When the Worldstream switch receives more than the configured limit (the limit is set in packets per second and as a percentage of the current link speed), the traffic will be dropped.

Levels are set to:

  • Multicast: 10000 packets per second.
  • Broadcast: 0.05% of the current link speed.
  • Unknown Unicast: 1% of the current link speed.

MTU Size

A maximum MTU size of 9000 is allowed for layer 2 services; for layer 3 services a maximum of 1500 is allowed (this includes the packet headers).

Port Channel / NIC Bonding / NIC Teaming

By default, a WEN connection is configured with 802.3ad, also called LACP (Link Aggregation Control Protocol). When the switch does not receive an LACP packet within 30 seconds, the switch will disable the LACP configuration. The configuration on the port-channel has the same details as the switchport.

Loop prevention

This feature is enabled within the WEN service to protect the Worldstream network from packets that have the same origin as destination. To illustrate the method: the Worldstream switch sends broadcast packets towards customer-facing devices. If such a broadcast is received on its second port, the port will be disabled to prevent a loop. Packets outbound from one of the ports of the Worldstream switch should never enter the second port. Ensure that your device is set up so that its ports are prevented from becoming a bridge.

Locations

WEN is active in three physically separate locations:

  • Naaldwijk
  • Haarlem
  • Frankfurt

General latency between the locations of the top of rack switches:

  • Naaldwijk – Haarlem 1.6 ms
  • Naaldwijk – Frankfurt 12.5 ms
  • Haarlem – Frankfurt 12.5 ms

MAC Limit

Each port is configured with a MAC limit within the WEN network. This means each server or attached network device can announce up to 250 MAC addresses towards the Worldstream switch. If the number of addresses exceeds the configured maximum, the switch will stop accepting new MAC addresses on that interface. New devices or hosts will not be able to communicate over the WEN network.

This measure has been implemented to prevent the switch from being overloaded with the maximum number of MAC addresses possible for the hardware to handle.

MAC Flaps

MAC flap detection is active in our WEN network. When a MAC address changes interface six times within two minutes, we will time out the respective MAC address for 90 seconds.
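The rule above modelled as a sliding-window check, as an added example (not Worldstream's code or switch configuration): it replays a list of MAC sightings and reports which addresses would be timed out. The event format, the port names, the sample MAC address, and the behaviour of the counter after a time-out are assumptions.

```python
from collections import defaultdict, deque

FLAP_MOVES = 6     # interface changes that trigger the time-out (from the page)
FLAP_WINDOW = 120  # seconds, "within two minutes"
TIMEOUT = 90       # seconds the MAC address is timed out

def find_flap_timeouts(events):
    """events: (timestamp_s, mac, port) tuples sorted by time (assumed format).
    Returns a list of (mac, timeout_start, timeout_end)."""
    last_port = {}              # mac -> port it was last learned on
    moves = defaultdict(deque)  # mac -> timestamps of recent port changes
    blocked_until = {}          # mac -> end of the current time-out
    timeouts = []
    for ts, mac, port in events:
        mac = mac.lower()
        if ts < blocked_until.get(mac, 0):
            continue            # assumption: sightings are ignored during a time-out
        prev = last_port.get(mac)
        last_port[mac] = port
        if prev is None or prev == port:
            continue            # first sighting, or the MAC did not move
        window = moves[mac]
        window.append(ts)
        while ts - window[0] > FLAP_WINDOW:
            window.popleft()    # forget moves older than two minutes
        if len(window) >= FLAP_MOVES:
            blocked_until[mac] = ts + TIMEOUT
            timeouts.append((mac, ts, ts + TIMEOUT))
            window.clear()      # assumption: counting restarts after a time-out
            del last_port[mac]  # assumption: the MAC is relearned from scratch
    return timeouts

def alternating(mac, step, end):
    """Constructed sample: one MAC seen on port1/port2 in turn every `step` seconds."""
    return [(t, mac, "port1" if (t // step) % 2 == 0 else "port2")
            for t in range(0, end, step)]

if __name__ == "__main__":
    # A MAC bouncing every 10 s is timed out; one moving every 30 s is not.
    print(find_flap_timeouts(alternating("AA:BB:CC:00:00:01", 10, 250)))
    print(find_flap_timeouts(alternating("AA:BB:CC:00:00:02", 30, 600)))
```
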

IPv6 Neighbor Limit

Configured IPv6 services are assigned a prefix of /48 or smaller (by default /64). The number of hosts within these subnets is capable of overloading the switch's maximum hardware count. A maximum of 500 IPv6 hosts is allowed per VLAN to prevent spoofing attacks.

General

Blocked Ports

By default, the following incoming ports are blocked in our network. These ports are limited due to potential security risks:

  • 11211 UDP 
  • 19 UDP 

DHCP

Running a DHCP server on public interfaces is not allowed. If you want to run a DHCP server, make sure it is active on a local network.
