VLANs

• Previous message (by thread): VLANs
• Next message (by thread): Comcast SMTP problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Sean Donelan wrote:
> 
> On Wed, 14 Nov 2007, Rodney Joffe wrote:
>> I have too many services to just want to use a T1 or two as 
>> sacrificial pipes.  and I don't want to be messing around manually.
>>
>> I need to be able to have the transit providers effectively provide 
>> isolation for each subnet, so my idea is to advertise each service up 
>> a separate rate-limited VLAN. So if one service is DDoS'd, and its 
>> 100mb vlan is hosed, the other 9 services still cope easily with each 
>> of their 100mb vlans.
>>
>> Seems simple and logical to me, but I wasn't sure what I was missing.
> 
> The trick isn't the classification part, but needing multiple hardware 
> queues.  If you have multiple hardware queues, it doesn't matter
> too much whether you use "virtual" things like MPLS, VLAN, DSCP, 802.1p,
> PVCs, etc.  Most will work.
> 
> If you don't have multiple hardware queues, then it also doesn't matter
> too much whether you use "virtual" things like MPLS, VLANs, DSCP, 802.1P,
> PVCs, etc.  Most will not work.
> 
> Providers use sacrifical physical interfaces, e.g. a T1, because some 
> routers aren't very good at managing multiple queues on a single physical
> interface, and may not have multiple hardware queues on a single physical
> interface.
> 

These sacrificial interfaces don't have to go anywhere... as in, they 
can be an old router (or server) sitting all by itself talking to 
another router you care about.

I personally prefer to use L3 switches that can use an ASIC to blackhole 
traffic at exceedingly high rates and accept/originate routing feeds, 
but YMMV.

Deepak Jain
AiNET

• Previous message (by thread): VLANs
• Next message (by thread): Comcast SMTP problems
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]