I have too many services to just want to use a T1 or two as sacrificial pipes, and I don't want to be messing around manually.
I need to be able to have the transit providers effectively provide isolation for each subnet, so my idea is to advertise each service up a separate rate-limited VLAN. So if one service is DDoS'd, and its 100mb vlan is hosed, the other 9 services still cope easily with each of their 100mb vlans.
Seems simple and logical to me, but I wasn't sure what I was missing.
That most providers like to do everything the same way everywhere, as much as possible.

The real problem is that you may not really be looking for a "100mb vlan." Assuming you buy a 1Gbps pipe to FOOnet, and you're hoping for happy DDoS-resistant bandwidth sharing of various services, what you really need is something doing rate limiting. Having it come across as a vlan may actually be more complex, and may make it more difficult (not technically, because it is technically straightforward-even-if-complex, but finding a provider who'll /sell/ it).

The trick is that you don't want to fill up the pipe. That necessitates rate limiting on the provider's side. This is obvious (I hope.)

Now, the question boils down to this: Will it be easier to get FOOnet to:

1) Install rate limits for specific address ranges in your space, or
2) Install vlans and then install rate limits on those interfaces?

Depending on the equipment in question, it's possible that 1) isn't possible. However, if it /is/ possible, from a configuration point of view, it's probably going to look much more attractive to FOOnet than having this complicated glob of vlan/rate limiting stuff sitting on their router. But they may simply be unwilling.

So, the usual solution to this issue is to simply recognize that FOOnet is going to have less of an issue selling you several 100Mbps circuits. You can probably get a bit of a break on XC's, etc. too.

If you shop around long enough, at clueful providers, you may find someone willing to do the vlan thing. It's certainly an elegant thing for /you/ on /your/ side, but remember that the complexity is just being shoved off on someone who probably doesn't want it.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again."
- Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
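The isolation argument in this thread (ten services on one 1Gbps transit port, one of them under a volumetric DDoS, with and without a 100Mbps policer per service on the provider side) is easy to put numbers on. The following is an added example, not code from either poster: a toy model in which scenario A is a plain shared drop-tail pipe and scenario B polices each service to 100Mbps before the shared pipe. Whether the provider keys that policer on an address range (Joe's option 1) or on a VLAN subinterface (option 2) does not change the arithmetic. The service names, the 1Gbps/100Mbps figures, the 60Mbps normal load and the 2Gbps attack rate are all constructed, and the drop-tail pipe is approximated as scaling every flow by capacity/offered, which is a simplification of real queue behaviour.

```python
# Added example (not from the NANOG thread): a toy model of the isolation
# argument. Ten services share a 1 Gbps transit pipe; one of them is hit by a
# volumetric DDoS. Scenario A is a plain shared pipe; scenario B polices each
# service to 100 Mbps on the provider side before the traffic reaches the
# shared pipe (whether that policer keys on a prefix or on a VLAN subinterface
# does not change the arithmetic). All rates are constructed numbers, and the
# drop-tail pipe is approximated as proportional scaling of every flow.

PIPE_BPS = 1_000_000_000           # 1 Gbps transit port (assumed)
PER_SERVICE_CAP_BPS = 100_000_000  # 100 Mbps per-service policer (assumed)
SERVICES = [f"svc{i}" for i in range(10)]  # hypothetical service names


def build_load(victim="svc0", normal_bps=60_000_000, attack_bps=2_000_000_000):
    """Offered load in bit/s per service: normal traffic everywhere, plus a
    flood aimed at one victim. Constructed sample input."""
    load = {svc: normal_bps for svc in SERVICES}
    load[victim] += attack_bps
    return load


def police(offered, cap_bps):
    """Per-service policer: anything above cap_bps is dropped at ingress."""
    return {svc: min(rate, cap_bps) for svc, rate in offered.items()}


def share_pipe(offered, capacity_bps):
    """Shared drop-tail pipe. When offered load exceeds capacity, loss hits
    every flow roughly in proportion to its share of the offered load, so all
    flows are scaled by capacity/total (an approximation of real queueing)."""
    total = sum(offered.values())
    if total <= capacity_bps:
        return dict(offered)
    scale = capacity_bps / total
    return {svc: rate * scale for svc, rate in offered.items()}


def delivered(offered, per_service_cap_bps=None):
    """Bit/s that actually make it through the transit pipe, optionally after
    a per-service policer (scenario B)."""
    if per_service_cap_bps is not None:
        offered = police(offered, per_service_cap_bps)
    return share_pipe(offered, PIPE_BPS)


def loss(offered, got):
    """Fraction of each service's offered traffic that was dropped."""
    return {svc: 1.0 - got[svc] / offered[svc] for svc in offered}


def bystanders_unharmed(offered, got, victim="svc0"):
    """True if every non-victim service received all of its offered traffic."""
    return all(got[s] == offered[s] for s in offered if s != victim)


if __name__ == "__main__":
    load = build_load()
    for label, cap in (("A: shared pipe, no policing", None),
                       ("B: 100 Mbps policer per service", PER_SERVICE_CAP_BPS)):
        got = delivered(load, cap)
        drops = loss(load, got)
        print(label)
        for svc in SERVICES:
            print(f"  {svc}: offered {load[svc] / 1e6:8.1f} Mbps, "
                  f"delivered {got[svc] / 1e6:7.1f} Mbps, loss {drops[svc]:6.1%}")
        print("  bystanders unharmed:", bystanders_unharmed(load, got))
```

In scenario A the 2.6Gbps of offered load is squeezed into 1Gbps and the nine innocent services each lose around 60% of their traffic; in scenario B the victim is capped at 100Mbps (losing about 95% of its own traffic, which is the point of a sacrificial limit), the pipe carries 640Mbps, and the other nine see no loss at all. The model says nothing about which option FOOnet will agree to sell, which is the actual problem Joe describes.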