  • From: Rodney Joffe
  • Date: Wed Nov 14 16:59:17 2007

On Nov 13, 2007, at 11:16 AM, Christopher Morrow wrote:

On 11/13/07, Rodney Joffe <[email protected]> wrote:

Are any of you operators utilizing VLANs to/with your transit providers in order to isolate traffic types or services, and/or to assist in traffic shaping before it hits your transit connections (isolating the effects of DDoS's)?

There was once a customer at a past job that used a sacrificial T1 to do this... They'd just announce/next-hop the attacked thing to the T1 interface, apparently remembering that there was a BHR community available (and config'd for them) was hard to do.

Are you looking to save the traffic for a reason or would just junking
it down a tiny pipe work? (send me only x bps don't squeeze out all of
my pipe in the process, unless your vlan config also included
bandwidth limits?)

I have too many services to just want to use a T1 or two as sacrificial pipes, and I don't want to be messing around manually.

I need to be able to have the transit providers effectively provide isolation for each subnet, so my idea is to advertise each service up a separate rate-limited VLAN. So if one service is DDoS'd, and its 100mb vlan is hosed, the other 9 services still cope easily with each of their 100mb vlans.

Seems simple and logical to me, but I wasn't sure what I was missing.
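The per-service VLAN design described above, written out as an added IOS-style configuration example that is not from the original thread. Interface names, VLAN IDs, the documentation prefixes (192.0.2.0/24, 203.0.113.0/24, 198.51.100.0/30 links) and AS numbers are all assumed placeholders; the customer side advertises each service prefix only on its own VLAN, and the transit side polices each VLAN to 100 Mb/s:

```cisco
! Constructed example (not from the thread): customer edge toward one
! transit provider, one dot1Q VLAN per service, one BGP session per VLAN.
! Interface names, VLAN IDs, prefixes and AS numbers are placeholders.
!
! Customer side: each service prefix is advertised ONLY on its own VLAN,
! so traffic aimed at service 1 (including a flood) arrives on VLAN 101.
ip prefix-list SVC1-OUT seq 5 permit 192.0.2.0/24
ip prefix-list SVC2-OUT seq 5 permit 203.0.113.0/24
!
interface GigabitEthernet0/1.101
 description service-1 to transit (100 Mb/s VLAN)
 encapsulation dot1Q 101
 ip address 198.51.100.2 255.255.255.252
!
interface GigabitEthernet0/1.102
 description service-2 to transit (100 Mb/s VLAN)
 encapsulation dot1Q 102
 ip address 198.51.100.6 255.255.255.252
!
router bgp 64496
 network 192.0.2.0 mask 255.255.255.0
 network 203.0.113.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description transit session on VLAN 101
 neighbor 198.51.100.1 prefix-list SVC1-OUT out
 neighbor 198.51.100.5 remote-as 64500
 neighbor 198.51.100.5 description transit session on VLAN 102
 neighbor 198.51.100.5 prefix-list SVC2-OUT out
!
! Transit side (what the provider would apply): police each VLAN at
! 100 Mb/s toward the customer, so a flood filling VLAN 101 is dropped
! on VLAN 101 and never starves VLAN 102.
policy-map POLICE-100M
 class class-default
  police cir 100000000 bc 3125000
   conform-action transmit
   exceed-action drop
!
interface GigabitEthernet2/0.101
 encapsulation dot1Q 101
 ip address 198.51.100.1 255.255.255.252
 service-policy output POLICE-100M
!
interface GigabitEthernet2/0.102
 encapsulation dot1Q 102
 ip address 198.51.100.5 255.255.255.252
 service-policy output POLICE-100M
```

Policing on the customer side does nothing once the provider's link is already full, which is why the rate limit has to sit on the transit router; the customer's job is only to keep each prefix confined to its own VLAN.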