---
title: Node Provider Networking Guide
slug: node-networking-guide
description: Networking requirements for connecting node machines to the Internet Computer — bandwidth, IPv4/IPv6, switch layout, BMC isolation, and monitoring.
tags:
  - node-provider
  - networking
  - infrastructure
  - ipv4
  - ipv6
  - monitoring
date: 2026-05-04
related:
  - node-provider-documentation
  - data-center-and-isp-guide
  - node-domain-name-guide
  - decentralization-and-security
---

This guide covers the networking that a node provider is expected to put
in place around each rack of node machines. Configuring networks is not
trivial; providers should be comfortable with IP networking and with the
configuration of switches and other network equipment before starting.

## What you need to provide

A typical site needs the following ingredients before any node is
turned on:

- **A 10G switch fabric** — SFP+ or 10G Ethernet, with enough ports for
  the planned deployment, plus cabling.
- **Bandwidth** of approximately **300 Mbps per node**, sustained, with
  unfiltered access to the public internet.
- **One IPv6 `/64` prefix** for the deployment. Each node receives
  multiple IPv6 addresses out of that prefix.
- **At least two IPv4 addresses per data center**, attached to the first
  two node machines in the first rack at that site.
- **One domain name per IPv4-configured node** (see
  [Node Provider Domain Name Guide](/wiki/node-domain-name-guide/)).

All IP addresses are assigned statically; IC-OS configures the network
from the values supplied during deployment.

## Cabling

At least one 10G port on each server must connect to the 10G switch.
Port locations depend on the chassis vendor; for the example
Supermicro 1U servers in the upstream guide the 10G ports sit on the
add-in NIC at the rear of the chassis. Confirm the layout for the
specific hardware in use before pulling cables.

## Per-node configuration

Every node machine requires:

- A public, static IPv6 address on the assigned `/64`.
- A configured IPv6 gateway with reachability to the wider internet.
- Unfiltered internet access — no upstream packet filtering against
  IC-OS traffic.

The first two nodes in the first rack of each data center additionally
require:

- A public, static IPv4 address.
- A configured IPv4 gateway with reachability to the wider internet.
- Unfiltered internet access on IPv4 as well.

Beyond that pair, additional nodes can run on IPv6 only. The IPv4 pair
preserves the network's ability to reach back into the data center
regardless of how the rest of the rack is configured.

## What not to do

> [!WARNING]
> **Do not place external firewalls or packet filters in front of node
> machines.** Filtering node traffic upstream disrupts protocol
> behavior. IC-OS manages its own software firewalls on each node.

> [!WARNING]
> **Do not configure LACP bonding** on the switch ports facing IC nodes.
> IC nodes do not currently support LACP.

## BMC isolation

Baseboard Management Controllers (BMCs) ship with notoriously poor
security defaults. Treat the BMC network as hostile and isolate it from
the public internet:

- Replace the default BMC password with a strong, unique credential on
  every machine before the BMC is reachable from anywhere outside the
  rack.
- Never expose the BMC interface broadly to the public internet.
- Place the BMC on an isolated management network — a separate switch
  or a dedicated VLAN — rather than the production node network.
- Where operationally acceptable, restrict BMC access to physical
  presence at the site.

## Network and server monitoring

Providers are expected to monitor both the switch fabric and the node
machines. Two common approaches:

**SNMP**

- Use SNMPv3 so that polling traffic is authenticated and encrypted.
- Define alerting thresholds for bandwidth, CPU, memory, and interface
  errors.
- Retain historical data to support trend analysis and capacity
  planning.

**gNMI / gRPC streaming telemetry**

- Confirm that the switch and NIC firmware support gNMI before
  committing to it.
- Run telemetry over TLS.
- Configure subscriptions for the metrics that matter, with sample
  intervals tuned to the load you can ingest.

For node-level alerting and the available open-source helpers, see
[Node Provider Alerting Options](/wiki/node-alerting-options/).

## Pre-launch checklist

Before the first node is powered on, verify:

- [ ] 10G switch is in place and configured.
- [ ] At least one 10G port per server is patched to the switch.
- [ ] The IPv6 `/64` prefix is allocated and routed to the rack.
- [ ] At least two IPv4 addresses are reserved for the data center.
- [ ] Domain names exist for each IPv4 node.
- [ ] Sustained bandwidth of around 300 Mbps per node is available.
- [ ] BMCs are not reachable from the public internet.

## Related

- [Node Provider Documentation](/wiki/node-provider-documentation/)
- [Data Center and ISP Guide](/wiki/data-center-and-isp-guide/)
- [Node Provider Domain Name Guide](/wiki/node-domain-name-guide/)
- [Node Provider Alerting Options](/wiki/node-alerting-options/)