Sean Donelan wrote:
On Wed, 14 Nov 2007, Rodney Joffe wrote:
I have too many services to just want to use a T1 or two as sacrificial pipes, and I don't want to be messing around manually.
I need to be able to have the transit providers effectively provide isolation for each subnet, so my idea is to advertise each service up a separate rate-limited VLAN. So if one service is DDoS'd, and its 100mb vlan is hosed, the other 9 services still cope easily with each of their 100mb vlans.
Seems simple and logical to me, but I wasn't sure what I was missing.
The trick isn't the classification part, but needing multiple hardware queues. If you have multiple hardware queues, it doesn't matter too much whether you use "virtual" things like MPLS, VLAN, DSCP, 802.1p, PVCs, etc. Most will work.
If you don't have multiple hardware queues, then it also doesn't matter too much whether you use "virtual" things like MPLS, VLANs, DSCP, 802.1p, PVCs, etc. Most will not work.
Providers use sacrificial physical interfaces, e.g. a T1, because some routers aren't very good at managing multiple queues on a single physical interface, and may not have multiple hardware queues on a single physical interface.
These sacrificial interfaces don't have to go anywhere... as in, they can be an old router (or server) sitting all by itself talking to another router you care about. I personally prefer to use L3 switches that can use an ASIC to blackhole traffic at exceedingly high rates and accept/originate routing feeds, but YMMV.

Deepak Jain
AiNET
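The following is an added illustration, not code from anyone in this thread, of the point Sean makes about hardware queues. It models Rodney's ten per-service VLANs on one physical uplink with one service under flood. Case A gives every VLAN one shared output FIFO (the tag is just a label, there is nothing to isolate with); case B gives each VLAN its own queue, drained round-robin, which is what a per-VLAN rate limit actually needs underneath it. The link rate, queue depth and traffic mix are constructed numbers chosen only so the effect is visible.

```python
"""
Constructed model (not from the NANOG thread): ten per-service VLANs on one
uplink, one service being DDoS'd.
Case A: one hardware queue shared by all VLANs (VLAN tag is only a label).
Case B: one hardware queue per VLAN, serviced round-robin, standing in for a
        per-VLAN rate limit that is enforced by separate hardware queues.
All rates and depths below are assumptions for illustration.
"""
import random
from collections import deque

LINK_RATE = 10      # packets the physical interface can send per tick (assumed)
QUEUE_DEPTH = 50    # packets one hardware queue holds before tail drop (assumed)
NUM_VLANS = 10      # one VLAN per service, as in the original question
NORMAL_RATE = 1     # packets/tick each healthy service receives (assumed)
FLOOD_RATE = 100    # packets/tick aimed at the DDoS'd service (assumed)


def arrivals_for_tick(flood_vlan, rng):
    """Packets (as VLAN ids) reaching the uplink in one tick, in wire order.
    Shuffled so the flood does not always arrive first or last."""
    pkts = []
    for vlan in range(NUM_VLANS):
        rate = FLOOD_RATE if vlan == flood_vlan else NORMAL_RATE
        pkts.extend([vlan] * rate)
    rng.shuffle(pkts)
    return pkts


def simulate_shared_queue(ticks, flood_vlan=0, seed=7):
    """Case A: every VLAN shares one FIFO. Returns packets delivered per VLAN."""
    rng = random.Random(seed)
    fifo = deque()
    delivered = [0] * NUM_VLANS
    for _ in range(ticks):
        for vlan in arrivals_for_tick(flood_vlan, rng):
            if len(fifo) < QUEUE_DEPTH:     # tail drop: late arrivals lose, tag or not
                fifo.append(vlan)
        for _ in range(min(LINK_RATE, len(fifo))):
            delivered[fifo.popleft()] += 1
    return delivered


def simulate_per_vlan_queues(ticks, flood_vlan=0, seed=7):
    """Case B: one FIFO per VLAN, drained round-robin so no queue can take more
    than its share of the link. Returns packets delivered per VLAN."""
    rng = random.Random(seed)
    fifos = [deque() for _ in range(NUM_VLANS)]
    delivered = [0] * NUM_VLANS
    for _ in range(ticks):
        for vlan in arrivals_for_tick(flood_vlan, rng):
            if len(fifos[vlan]) < QUEUE_DEPTH:  # only the flooded queue overflows
                fifos[vlan].append(vlan)
        budget = LINK_RATE
        while budget > 0 and any(fifos):
            for q in fifos:
                if q and budget > 0:
                    delivered[q.popleft()] += 1
                    budget -= 1
    return delivered


def healthy_delivery_ratio(delivered, ticks, flood_vlan=0):
    """Fraction of each healthy service's offered packets that left the uplink."""
    offered = ticks * NORMAL_RATE
    return [delivered[v] / offered for v in range(NUM_VLANS) if v != flood_vlan]


if __name__ == "__main__":
    ticks = 200
    shared = simulate_shared_queue(ticks)
    separate = simulate_per_vlan_queues(ticks)
    print("shared queue, healthy services delivered:",
          [f"{r:.0%}" for r in healthy_delivery_ratio(shared, ticks)])
    print("per-VLAN queues, healthy services delivered:",
          [f"{r:.0%}" for r in healthy_delivery_ratio(separate, ticks)])
```

With the shared queue the nine healthy services each get roughly a tenth of their packets through, because admission to the one FIFO is a lottery the flood wins 100 to 1; with a queue per VLAN they get 100% while only the flooded queue tail-drops. The VLAN tag classifies the packet either way; it is the separate queue behind the tag that does the isolating.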