[100880] in North American Network Operators' Group
Re: VLANs
daemon@ATHENA.MIT.EDU (Deepak Jain)
Mon Nov 19 17:07:06 2007
Date: Mon, 19 Nov 2007 17:05:43 -0500
From: Deepak Jain <deepak@ai.net>
Reply-To: deepak@ai.net
To: Sean Donelan <sean@donelan.com>
CC: Rodney Joffe <rjoffe@centergate.com>,
Christopher Morrow <christopher.morrow@gmail.com>,
NANOG <nanog@merit.edu>
In-Reply-To: <Pine.GSO.4.64.0711141855590.7065@clifden.donelan.com>
Errors-To: owner-nanog@merit.edu
Sean Donelan wrote:
>
> On Wed, 14 Nov 2007, Rodney Joffe wrote:
>> I have too many services to just want to use a T1 or two as
>> sacrificial pipes. and I don't want to be messing around manually.
>>
>> I need to be able to have the transit providers effectively provide
>> isolation for each subnet, so my idea is to advertise each service up
>> a separate rate-limited VLAN. So if one service is DDoS'd, and its
>> 100mb vlan is hosed, the other 9 services still cope easily with each
>> of their 100mb vlans.
>>
>> Seems simple and logical to me, but I wasn't sure what I was missing.
>
> The trick isn't the classification part, but needing multiple hardware
> queues. If you have multiple hardware queues, it doesn't matter
> too much whether you use "virtual" things like MPLS, VLAN, DSCP, 802.1p,
> PVCs, etc. Most will work.
>
> If you don't have multiple hardware queues, then it also doesn't matter
> too much whether you use "virtual" things like MPLS, VLANs, DSCP, 802.1P,
> PVCs, etc. Most will not work.
>
> Providers use sacrificial physical interfaces, e.g. a T1, because some
> routers aren't very good at managing multiple queues on a single physical
> interface, and may not have multiple hardware queues on a single physical
> interface.
>
These sacrificial interfaces don't have to go anywhere... as in, they
can be an old router (or server) sitting all by itself talking to
another router you care about.
I personally prefer to use L3 switches that can use an ASIC to blackhole
traffic at exceedingly high rates and accept/originate routing feeds,
but YMMV.
Deepak Jain
AiNET
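The thread's scenario, as an added illustration that is not part of any of the posts above: ten services on one uplink, one of them flooded, compared under a single shared FIFO (what a box with one hardware queue gives you when VLAN tags are only classification, Sean's point) and under a separate rate-limited queue per VLAN (Rodney's design). Link capacity, per-VLAN cap, service count and traffic levels are constructed values; the policer is a plain single-rate token bucket and the shared FIFO is approximated as proportional tail drop.

```python
"""Constructed simulation of per-VLAN policing versus one shared queue.

Added example, not code from the NANOG thread. Ten services share a
1000 Mb/s uplink; service 0 is flooded. Compares a single FIFO (one
hardware queue, VLAN tags as classification only) with one token-bucket
policer per VLAN, the "100mb vlan" design from the thread.
"""
from dataclasses import dataclass

LINK_MBPS = 1000.0       # uplink capacity (constructed value)
VLAN_CAP_MBPS = 100.0    # per-VLAN rate limit, the thread's "100mb vlan"


@dataclass
class TokenBucket:
    """Single-rate policer: `rate` Mb of credit per one-second slot,
    `burst` is the bucket depth, `tokens` the current credit."""
    rate: float
    burst: float
    tokens: float = 0.0

    def admit(self, demand: float) -> float:
        """Refill, then admit up to the available credit. Returns Mb admitted."""
        self.tokens = min(self.burst, self.tokens + self.rate)
        admitted = min(demand, self.tokens)
        self.tokens -= admitted
        return admitted


def shared_fifo(offered, capacity=LINK_MBPS):
    """One queue for everything. Under tail drop each flow keeps roughly the
    share of the link proportional to what it offered, so a flood on one
    service starves the other nine."""
    total = sum(offered)
    if total <= capacity:
        return list(offered)
    return [d * capacity / total for d in offered]


def per_vlan_policed(offered, buckets, capacity=LINK_MBPS):
    """Police each VLAN first, then put the survivors on the link. Isolation
    holds only if the policers are really separate queues and the admitted
    total fits the link; an oversubscribed set of caps brings contention back,
    which the final shared_fifo() step models."""
    admitted = [b.admit(d) for b, d in zip(buckets, offered)]
    return shared_fifo(admitted, capacity)


def simulate(attack_mbps, services=10, normal_mbps=50.0, slots=60):
    """Average delivered Mb/s per service over `slots` one-second slots.
    Service 0 is the victim. Returns (shared_fifo_result, per_vlan_result)."""
    offered = [normal_mbps] * services
    offered[0] += attack_mbps
    buckets = [TokenBucket(VLAN_CAP_MBPS, VLAN_CAP_MBPS, VLAN_CAP_MBPS)
               for _ in range(services)]
    shared_tot = [0.0] * services
    vlan_tot = [0.0] * services
    for _ in range(slots):
        for i, v in enumerate(shared_fifo(offered)):
            shared_tot[i] += v
        for i, v in enumerate(per_vlan_policed(offered, buckets)):
            vlan_tot[i] += v
    return ([t / slots for t in shared_tot], [t / slots for t in vlan_tot])


if __name__ == "__main__":
    shared, vlan = simulate(attack_mbps=1000.0)
    print("shared FIFO  :", [round(x, 1) for x in shared])
    print("per-VLAN caps:", [round(x, 1) for x in vlan])
```

With a 1000 Mb/s flood on service 0, the shared queue cuts the other nine services from 50 Mb/s to about 33 Mb/s each, while the per-VLAN policers hold the victim at its 100 Mb/s cap and leave the others untouched. The isolation depends on the caps being enforced in separate queues and on their sum not exceeding the link, which is exactly the hardware-queue caveat raised in the reply.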