VLANs

Are any of you operators utilizing VLANs to/with your transit providers in order to isolate traffic types or services, and/or to assist in traffic shaping before it hits your transit connections (isolating the effects of DDoSes)?

Would you be prepared to share experiences, do's/don'ts, gotchas, etc.?

Off-line responses would be fine, obviously - I don't want to add to any of the current noise.

There was once a customer at a past job that used a sacrificial T1 to
do this... They'd just announce/next-hop the attacked thing to the T1
interface, apparently remembering that there was BHR community
available (and config'd for them) was hard to do.

Are you looking to save the traffic for a reason or would just junking
it down a tiny pipe work? (send me only x bps; don't squeeze out all of
my pipe in the process, unless your VLAN config also included
bandwidth limits?)

-Chris

Zocalo didn't do this with UUNet, but did with several transit providers
and peers who didn't have such communities.

                                -Bill


I have too many services to just want to use a T1 or two as sacrificial pipes, and I don't want to be messing around manually.

I need to be able to have the transit providers effectively provide isolation for each subnet, so my idea is to advertise each service up a separate rate-limited VLAN. So if one service is DDoS'd, and its 100mb vlan is hosed, the other 9 services still cope easily with each of their 100mb vlans.

Seems simple and logical to me, but I wasn't sure what I was missing.

The trick isn't the classification part, but needing multiple hardware queues. If you have multiple hardware queues, it doesn't matter
too much whether you use "virtual" things like MPLS, VLAN, DSCP, 802.1p,
PVCs, etc. Most will work.

If you don't have multiple hardware queues, then it also doesn't matter
too much whether you use "virtual" things like MPLS, VLANs, DSCP, 802.1P,
PVCs, etc. Most will not work.

Providers use sacrificial physical interfaces, e.g. a T1, because some routers aren't very good at managing multiple queues on a single physical
interface, and may not have multiple hardware queues on a single physical
interface.
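For concreteness, here is what the per-service rate-limited VLAN design being discussed looks like on the transit provider's edge router, written in Cisco IOS syntax as an added illustration; it is not configuration from any poster or provider in this thread. The interface names, VLAN IDs, the 198.51.100.0/24 link addressing, the 64496/64497 AS numbers and the 100 Mb/s figure are all assumed. The policer sits on the provider side, in the output direction toward the customer, because that is the only place a limit can keep one flooded service from consuming the whole physical link; whether the policers actually hold up under a flood depends on the platform giving each subinterface its own hardware queue, which is exactly the point made above.

```cisco
! Provider edge: one rate-limited 802.1Q subinterface per customer service.
! Each service gets its own VLAN and its own 100 Mb/s policer toward the
! customer, so a flood aimed at one service is dropped at its own policer
! instead of filling the shared physical link.
! Added example; interface names, VLAN IDs, addresses and ASNs are assumed.

policy-map SERVICE-100M
 class class-default
  ! 100 Mb/s CIR with a 250 ms burst allowance (3,125,000 bytes);
  ! excess is dropped outright rather than queued
  police cir 100000000 bc 3125000 conform-action transmit exceed-action drop

! Service A lives on VLAN 101
interface TenGigabitEthernet0/0/0.101
 description CUSTOMER-SERVICE-A
 encapsulation dot1Q 101
 ip address 198.51.100.1 255.255.255.252
 service-policy output SERVICE-100M

! Service B lives on VLAN 102; repeat the pattern for each of the ten services
interface TenGigabitEthernet0/0/0.102
 description CUSTOMER-SERVICE-B
 encapsulation dot1Q 102
 ip address 198.51.100.5 255.255.255.252
 service-policy output SERVICE-100M

! One eBGP session per VLAN. The customer announces each service prefix only
! on that service's session, so return traffic for service A can only arrive
! over VLAN 101 and is subject only to VLAN 101's policer.
router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
 neighbor 198.51.100.2 description CUSTOMER-SERVICE-A
 neighbor 198.51.100.6 remote-as 64497
 neighbor 198.51.100.6 description CUSTOMER-SERVICE-B
```

The customer side mirrors this with matching dot1Q subinterfaces and sessions; the isolation comes entirely from the provider dropping excess per VLAN before it reaches the customer's port, so the customer's own shaping adds nothing against an inbound flood.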

Sean Donelan wrote:

> > I have too many services to just want to use a T1 or two as sacrificial pipes, and I don't want to be messing around manually.
> >
> > I need to be able to have the transit providers effectively provide isolation for each subnet, so my idea is to advertise each service up a separate rate-limited VLAN. So if one service is DDoS'd, and its 100mb vlan is hosed, the other 9 services still cope easily with each of their 100mb vlans.
> >
> > Seems simple and logical to me, but I wasn't sure what I was missing.
>
> The trick isn't the classification part, but needing multiple hardware queues. If you have multiple hardware queues, it doesn't matter
> too much whether you use "virtual" things like MPLS, VLAN, DSCP, 802.1p,
> PVCs, etc. Most will work.
>
> If you don't have multiple hardware queues, then it also doesn't matter
> too much whether you use "virtual" things like MPLS, VLANs, DSCP, 802.1P,
> PVCs, etc. Most will not work.
>
> Providers use sacrificial physical interfaces, e.g. a T1, because some routers aren't very good at managing multiple queues on a single physical
> interface, and may not have multiple hardware queues on a single physical
> interface.

These sacrificial interfaces don't have to go anywhere... as in, they can be an old router (or server) sitting all by itself talking to another router you care about.

I personally prefer to use L3 switches that can use an ASIC to blackhole traffic at exceedingly high rates and accept/originate routing feeds, but YMMV.

Deepak Jain
AiNET
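Deepak's preference for discarding an attacked address in the forwarding ASIC of an L3 switch while still taking a routing feed, together with the blackhole community Chris mentioned earlier, is the usual remotely triggered blackhole arrangement. The following is an added Cisco IOS illustration of that arrangement and is not configuration from anyone in this thread: the discard next-hop 192.0.2.1, the community value 64496:666, the AS numbers, the neighbor addresses and the attacked host 203.0.113.7 are all assumed values.

```cisco
! ---- Provider side (L3 switch or edge router) ----
! Added example; addresses, AS numbers and the community value are assumed.

ip bgp-community new-format

! Discard next-hop: any route resolved to 192.0.2.1 is dropped in the
! forwarding ASIC at line rate. No packet reaches a real link or the CPU.
ip route 192.0.2.1 255.255.255.255 Null0

! Announcements tagged with the blackhole community get their next-hop
! rewritten to the discard address, so the customer can sink an attacked
! /32 itself without waiting on the provider.
ip community-list standard BLACKHOLE permit 64496:666

route-map CUSTOMER-IN permit 10
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community no-export additive
route-map CUSTOMER-IN permit 20
 ! ordinary announcements pass through unchanged

router bgp 64496
 neighbor 198.51.100.2 remote-as 64497
 neighbor 198.51.100.2 route-map CUSTOMER-IN in

! ---- Customer side ----
! Blackhole one attacked host by announcing its /32 with the community.
! The static Null0 route puts the /32 in the RIB so the network statement
! can originate it; remove both lines to lift the blackhole.
ip route 203.0.113.7 255.255.255.255 Null0

route-map SET-BLACKHOLE permit 10
 set community 64496:666

router bgp 64497
 network 203.0.113.7 mask 255.255.255.255 route-map SET-BLACKHOLE
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 send-community
```

The trade-off is the one the thread keeps circling: the attacked host goes fully dark, but the rest of the customer's address space keeps its full pipe, and the drop happens in hardware at the provider edge rather than in a software queue or a sacrificial T1. In practice the provider would also restrict which prefixes the customer may tag (its own space only) and cap announcement sizes under the non-blackhole `permit 20` clause.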