rjoffe at centergate.com
Wed Nov 14 20:30:38 UTC 2007
On Nov 13, 2007, at 11:16 AM, Christopher Morrow wrote:
> On 11/13/07, Rodney Joffe <rjoffe at centergate.com> wrote:
>> Are any of you operators utilizing VLANs to/with your transit
>> providers in order to isolate traffic types or services, and/or to
>> assist in traffic shaping before it hits your transit connections
>> (isolating the effects of DDoS's)?
> There was once a customer at a past job that used a sacrificial T1 to
> do this... They'd just announce/next-hop the attacked thing to the T1
> interface; apparently remembering that there was a BHR community
> available (and config'd for them) was hard to do.
> Are you looking to save the traffic for a reason or would just junking
> it down a tiny pipe work? (send me only x bps don't squeeze out all of
> my pipe in the process, unless your vlan config also included
> bandwidth limits?)
I have too many services to just want to use a T1 or two as
sacrificial pipes, and I don't want to be messing around manually.
I need to be able to have the transit providers effectively provide
isolation for each subnet, so my idea is to advertise each service up
a separate rate-limited VLAN. So if one service is DDoS'd, and its
100mb VLAN is hosed, the other 9 services still cope easily with each
of their 100mb VLANs.
Seems simple and logical to me, but I wasn't sure what I was missing.
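The per-service VLAN layout described above, written out as an added Cisco IOS-style configuration for illustration; this is not from the thread or from either poster. It shows two of the services on a single 802.1Q trunk to one transit provider: each service gets its own subinterface, its own eBGP session, and a prefix-list so that only that service's prefix is announced over its VLAN. The policer that actually gives the isolation has to sit on the provider's side of the link (policing on the customer's own inbound does nothing once the traffic has already crossed the physical port), so a provider-side fragment is included as an assumption of what the provider would configure. All interface names, AS numbers (64496/64500), and addresses (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/24) are documentation-range placeholders chosen here, not values from the post.

```cisco
! ===== Customer edge (the side asking the question) =====
! One physical trunk to the provider; services live on subinterfaces.
interface GigabitEthernet0/0
 description Transit provider (assumed name), 802.1Q trunk, no native-VLAN IP
 no ip address

! Service A: VLAN 101, provider polices this VLAN to 100 Mb/s
interface GigabitEthernet0/0.101
 description Service A, VLAN 101
 encapsulation dot1Q 101
 ip address 192.0.2.2 255.255.255.252

! Service B: VLAN 102, separately policed by the provider
interface GigabitEthernet0/0.102
 description Service B, VLAN 102
 encapsulation dot1Q 102
 ip address 192.0.2.6 255.255.255.252

! One prefix per service; /24s because most transit filters reject longer.
ip prefix-list SERVICE-A seq 5 permit 203.0.113.0/24
ip prefix-list SERVICE-B seq 5 permit 198.51.100.0/24
! Accept only a default from each session so return traffic for a service
! stays on the same VLAN it was announced over.
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0

route-map EXPORT-A permit 10
 match ip address prefix-list SERVICE-A
route-map EXPORT-B permit 10
 match ip address prefix-list SERVICE-B

router bgp 64496
 network 203.0.113.0 mask 255.255.255.0
 network 198.51.100.0 mask 255.255.255.0
 ! Session over VLAN 101 carries only service A's prefix
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 description Transit, VLAN 101 (service A)
 neighbor 192.0.2.1 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.1 route-map EXPORT-A out
 ! Session over VLAN 102 carries only service B's prefix
 neighbor 192.0.2.5 remote-as 64500
 neighbor 192.0.2.5 description Transit, VLAN 102 (service B)
 neighbor 192.0.2.5 prefix-list DEFAULT-ONLY in
 neighbor 192.0.2.5 route-map EXPORT-B out

! ===== Provider edge (assumed; configured by the provider, not the customer) =====
! This policer is what makes a flooded VLAN stay inside its 100 Mb/s share.
policy-map POLICE-100M
 class class-default
  police 100000000 conform-action transmit exceed-action drop

interface GigabitEthernet1/0.101
 description Customer AS64496, VLAN 101 (service A)
 encapsulation dot1Q 101
 ip address 192.0.2.1 255.255.255.252
 service-policy output POLICE-100M

interface GigabitEthernet1/0.102
 description Customer AS64496, VLAN 102 (service B)
 encapsulation dot1Q 102
 ip address 192.0.2.5 255.255.255.252
 service-policy output POLICE-100M
```

To check that the announcements really are split per VLAN, `show ip bgp neighbors 192.0.2.1 advertised-routes` on the customer side should list only 203.0.113.0/24, and the provider can confirm drops on the attacked VLAN with `show policy-map interface GigabitEthernet1/0.101`. Two caveats a practitioner would want noted: the isolation only holds as long as the provider's own upstream and core are not the saturated point (the policer protects the shared physical port, nothing beyond it), and the ten 100 Mb/s VLANs from the post add up to the full gigabit, so there is no headroom for a service to burst above its share even when the others are idle.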