Rodney Joffe rjoffe at centergate.com
Wed Nov 14 20:30:38 UTC 2007

On Nov 13, 2007, at 11:16 AM, Christopher Morrow wrote:

> On 11/13/07, Rodney Joffe <rjoffe at centergate.com> wrote:
>> Are any of you operators utilizing VLANs to/with your transit
>> providers in order to isolate traffic types or services, and/or to
>> assist in traffic shaping before it hits your transit connections
>> (isolating the effects of DDoS's)?
> There was once a customer at a past job that used a sacrificial T1 to
> do this... They'd just announce/next-hop the attacked thing to the T1
> interface, apparently remembering that there was BHR community
> available (and config'd for them) was hard to do.
> Are you looking to save the traffic for a reason or would just junking
> it down a tiny pipe work? (send me only x bps don't squeeze out all of
> my pipe in the process, unless your vlan config also included
> bandwidth limits?)

I have too many services to just want to use a T1 or two as
sacrificial pipes, and I don't want to be messing around manually.

I need to be able to have the transit providers effectively provide  
isolation for each subnet, so my idea is to advertise each service up  
a separate rate-limited VLAN. So if one service is DDoS'd, and its  
100mb vlan is hosed, the other 9 services still cope easily with each  
of their 100mb vlans.

Seems simple and logical to me, but I wasn't sure what I was missing.
> -Chris
