[100838] in North American Network Operators' Group


Re: VLANs

daemon@ATHENA.MIT.EDU (Rodney Joffe)
Wed Nov 14 16:58:10 2007

Cc: NANOG <nanog@merit.edu>
From: Rodney Joffe <rjoffe@centergate.com>
To: Christopher Morrow <christopher.morrow@gmail.com>
In-Reply-To: <75cb24520711131016yfde064cs3509db30b1007b3d@mail.gmail.com>
Date: Wed, 14 Nov 2007 13:30:38 -0700
Errors-To: owner-nanog@merit.edu



On Nov 13, 2007, at 11:16 AM, Christopher Morrow wrote:

>
> On 11/13/07, Rodney Joffe <rjoffe@centergate.com> wrote:
>>
>> Are any of you operators utilizing VLANs to/with your transit
>> providers in order to isolate traffic types or services, and/or to
>> assist in traffic shaping before it hits your transit connections
>> (isolating the effects of DDoS's)?
>>
>
> There was once a customer at a past job that used a sacrificial T1 to
> do this... They'd just announce/next-hop the attacked thing to the T1
> interface; apparently remembering that there was a BHR community
> available (and config'd for them) was hard to do.
>
> Are you looking to save the traffic for a reason or would just junking
> it down a tiny pipe work? (send me only x bps don't squeeze out all of
> my pipe in the process, unless your vlan config also included
> bandwidth limits?)

I have too many services to just want to use a T1 or two as
sacrificial pipes, and I don't want to be messing around manually.

I need to be able to have the transit providers effectively provide  
isolation for each subnet, so my idea is to advertise each service up  
a separate rate-limited VLAN. So if one service is DDoS'd, and its  
100mb vlan is hosed, the other 9 services still cope easily with each  
of their 100mb vlans.

Seems simple and logical to me, but I wasn't sure what I was missing.
>
>
> -Chris
>
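
The isolation argument in the message above, as an added example that is not part of the original post: a small model comparing one shared transit pipe with one rate-limited VLAN per service. The 1000 Mb/s link, the 60 Mb/s of legitimate traffic per service, the 5000 Mb/s attack and the proportional-drop behaviour are all assumptions made for the illustration.

```python
"""Shared transit pipe vs. one rate-limited VLAN per service (added illustration).

All traffic figures are constructed. Drops at a bottleneck are modelled as
proportional to offered load, i.e. the bottleneck cannot tell attack
packets from legitimate ones.
"""

LINK_MBPS = 1000       # assumed physical transit link
VLAN_CAP_MBPS = 100    # per-service VLAN limit, as in the post
SERVICES = 10          # number of services, as in the post

# Constructed sample load: every service carries 60 Mb/s of legitimate
# traffic, and service index 3 additionally receives a 5000 Mb/s flood.
LEGIT = [60] * SERVICES
ATTACK = [0] * SERVICES
ATTACK[3] = 5000


def delivered_fraction(offered_mbps, capacity_mbps):
    """Fraction of the offered traffic that fits through a bottleneck."""
    if offered_mbps <= capacity_mbps:
        return 1.0
    return capacity_mbps / offered_mbps


def shared_pipe(legit, attack):
    """One queue for everything: all services suffer the same drop rate."""
    frac = delivered_fraction(sum(legit) + sum(attack), LINK_MBPS)
    return [round(l * frac, 1) for l in legit]


def per_vlan(legit, attack):
    """Each service is limited to its own VLAN cap before the shared link."""
    survived, admitted = [], []
    for l, a in zip(legit, attack):
        frac = delivered_fraction(l + a, VLAN_CAP_MBPS)
        survived.append(l * frac)
        admitted.append((l + a) * frac)
    # The physical link still applies to whatever the VLAN limits let through.
    link_frac = delivered_fraction(sum(admitted), LINK_MBPS)
    return [round(s * link_frac, 1) for s in survived]


if __name__ == "__main__":
    print("legit Mb/s delivered, shared pipe:", shared_pipe(LEGIT, ATTACK))
    print("legit Mb/s delivered, per VLAN:   ", per_vlan(LEGIT, ATTACK))
```

In this model the flood costs every service most of its legitimate traffic on the shared pipe, while with per-service limits only the attacked service is affected.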

