diff --git a/hosts/ixp-as11201/configuration.nix b/hosts/ixp-as11201/configuration.nix
index 195c1336..b9c88926 100755
--- a/hosts/ixp-as11201/configuration.nix
+++ b/hosts/ixp-as11201/configuration.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, ... }:
+{ lib, config, pkgs, ... }:
 let
   macPeering = "12:6d:81:f8:61:de";
@@ -27,45 +27,15 @@ in
       mac = macPeering;
     }];
 
-    binScripts.tap-up = lib.mkAfter ''
+    binScripts.tap-up = lib.mkAfter /* bash */ ''
       ${lib.getExe' pkgs.iproute2 "ip"} link set 'vm-ixp-as11201p' up
       ${lib.getExe' pkgs.iproute2 "ip"} link set dev 'vm-ixp-as11201p' master 'ixp-peering'
     '';
   };
 
   networking.ifstate.settings.namespaces.ixp-peering = {
-    options.sysctl =
-      let
-        options = {
-          ipv6 = {
-            # this machine should not participate in SLAAC
-            accept_ra = 0;
-            autoconf = 0;
-            # no redirects nor evil RH0
-            accept_redirects = 0;
-            accept_source_route = 0;
-            # no forwarding
-            forwarding = 0;
-          };
-          ipv4 = {
-            # no redirects nor source route
-            accept_redirects = 0;
-            send_redirects = 0;
-            accept_source_route = 0;
-            # handle arp requests strict
-            arp_ignore = 1;
-            arp_notify = 1;
-            # do strict rp filtering
-            rp_filter = 1;
-            # no forwarding
-            forwarding = 0;
-          };
-        };
-      in
-      {
-        all = options;
-        default = options;
-      };
+    # copy sysctl from default netns
+    options.sysctl = config.networking.ifstate.settings.options.sysctl;
     interfaces = [
       {
         name = "any112";
diff --git a/modules/dd-ix/default.nix b/modules/dd-ix/default.nix
index fd95a00a..970f78d6 100644
--- a/modules/dd-ix/default.nix
+++ b/modules/dd-ix/default.nix
@@ -12,5 +12,6 @@
     ./mariadb.nix
     ./monitoring.nix
     ./redis.nix
+    ./sysctl.nix
   ];
 }
diff --git a/modules/dd-ix/sysctl.nix b/modules/dd-ix/sysctl.nix
new file mode 100644
index 00000000..9ea77341
--- /dev/null
+++ b/modules/dd-ix/sysctl.nix
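Review bot: The `ixp-peering` namespace now inherits the whole `options.sysctl` attrset from the new module, which besides the per-interface `all`/`default` hardening tables also carries the `net.core` queueing tunables (`default_qdisc`, `netdev_budget`, …) that the removed per-namespace block never set; whether ifstate applies or rejects those keys inside a namespace is not visible here. If only the interface hardening is meant to be shared, narrow the copy to the two tables: `options.sysctl = { inherit (config.networking.ifstate.settings.options.sysctl) all default; };`. The namespace also picks up the newly introduced `ndisc_notify = 1` this way, which the previous inline block did not set, so the namespace's behaviour changes slightly beyond a pure refactor. The enclosing `networking.ifstate.settings.namespaces.ixp-peering` attrset continues past the end of the hunk.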
@@ -0,0 +1,46 @@
+{
+  networking.ifstate.settings.options.sysctl =
+    let
+      options = {
+        ipv6 = {
+          # this machine should not participate in SLAAC
+          autoconf = 0;
+          # nor accept router advertisements
+          accept_ra = 0;
+          # no redirects nor evil RH0
+          accept_redirects = 0;
+          accept_source_route = 0;
+          # no forwarding
+          forwarding = 0;
+          # unsolicited neighbour advertisements
+          ndisc_notify = 1;
+        };
+        ipv4 = {
+          # no redirects
+          accept_redirects = 0;
+          send_redirects = 0;
+          accept_source_route = 0;
+          # handle arp requests strict
+          arp_ignore = 1;
+          arp_notify = 1;
+          # do strict rp filtering
+          rp_filter = 1;
+          # no forwarding
+          forwarding = 0;
+        };
+      };
+    in
+    {
+      all = options;
+      default = options;
+      net.core = {
+        # Bufferbloat: fair queuing controlled delay
+        default_qdisc = "cake";
+        # tune SoftIRQ packet handling (5x)
+        netdev_budget_usecs = 10000;
+        netdev_budget = 1500;
+        dev_weight = 320;
+        netdev_max_backlog = 5000;
+      };
+    };
+}
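Review bot: The comment above `ndisc_notify = 1` reads as a prohibition next to the surrounding "no …" lines, but the value enables the feature; make the direction explicit, e.g. `# send unsolicited neighbour advertisements on link-up / MAC change`. Likewise the ipv4 comment `# no redirects` now sits above three keys and has lost the "nor source route" half that the old inline block carried, so `accept_source_route = 0` is left undocumented; restore it as `# no redirects nor source route`. Since `default_qdisc = "cake"` is a global `net.core` key rather than a per-interface one, a short header comment stating that this attrset mixes per-interface hardening (`all`/`default`) with host-wide queueing tunables would help anyone copying it wholesale into a namespace, as `hosts/ixp-as11201/configuration.nix` now does.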