I have too many services to just want to use a T1 or two as
sacrificial pipes, and I don't want to be messing around manually.

I need to be able to have the transit providers effectively provide
isolation for each subnet, so my idea is to advertise each service up
a separate rate-limited VLAN. So if one service is DDoS'd, and its
100mb vlan is hosed, the other 9 services still cope easily with each
of their 100mb vlans.

Seems simple and logical to me, but I wasn't sure what I was missing.

That most providers like to do everything the same way everywhere, as much
as possible.

The real problem is that you may not really be looking for a "100mb vlan."
Assuming you buy a 1Gbps pipe to FOOnet, and you're hoping for happy DDoS-
resistant bandwidth sharing of various services, what you really need is
something doing rate limiting. Having it come across as a vlan may actually
be more complex, and may make it more difficult (not technically, because it
is technically straightforward-even-if-complex, but finding a provider who'll
/sell/ it).

The trick is that you don't want to fill up the pipe. That necessitates
rate limiting on the provider's side. This is obvious (I hope).

Now, the question boils down to this:

Will it be easier to get FOOnet to:

1) Install rate limits for specific address ranges in your space, or

2) Install vlans and then install rate limits on those interfaces?

Depending on the equipment in question, it's possible that 1) isn't
possible. However, if it /is/ possible, from a configuration point of
view, it's probably going to look much more attractive to FOOnet than
having this complicated glob of vlan/rate limiting stuff sitting on
their router. But they may simply be unwilling.

So, the usual solution to this issue is to simply recognize that FOOnet
is going to have less of an issue selling you several 100Mbps circuits.
You can probably get a bit of a break on XC's, etc. too.

If you shop around long enough, at clueful providers, you may find someone
willing to do the vlan thing. It's certainly an elegant thing for /you/
on /your/ side, but remember that the complexity is just being shoved off
on someone who probably doesn't want it.

... JG
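To make the two options in the reply above concrete, here is an added illustration of what each one looks like on the provider's customer-facing router. It is not from the original thread or from any provider's actual configuration: it assumes Cisco IOS MQC syntax, a 1 Gbps hand-off on GigabitEthernet0/1, and uses the documentation prefixes 192.0.2.0/24 and 198.51.100.0/24 as stand-ins for two of the customer's service subnets (everything here is hypothetical).

```cisco
! ---- Option 1: rate limits on specific address ranges (one physical port) ----
! Each service subnet gets its own class; a single policy on the hand-off port
! polices traffic *towards* each subnet to 100 Mbps independently, so a flood
! aimed at one subnet is dropped in its own class and the others are untouched.
ip access-list extended SVC-A
 permit ip any 192.0.2.0 0.0.0.255
ip access-list extended SVC-B
 permit ip any 198.51.100.0 0.0.0.255
!
class-map match-all SVC-A
 match access-group name SVC-A
class-map match-all SVC-B
 match access-group name SVC-B
!
policy-map CUSTOMER-PER-SUBNET
 class SVC-A
  police 100000000 conform-action transmit exceed-action drop
 class SVC-B
  police 100000000 conform-action transmit exceed-action drop
 ! ... one class per service; anything unmatched gets class-default
!
interface GigabitEthernet0/1
 description Customer hand-off, 1 Gbps
 ip address 203.0.113.1 255.255.255.252
 service-policy output CUSTOMER-PER-SUBNET

! ---- Option 2: one dot1q VLAN per service, rate limit on each subinterface ----
! The same 100 Mbps policer is reused, but now it hangs off a subinterface,
! and the customer's service subnet is routed only via that subinterface.
policy-map POLICE-100M
 class class-default
  police 100000000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1.10
 description Customer service A (VLAN 10)
 encapsulation dot1Q 10
 ip address 203.0.113.1 255.255.255.252
 service-policy output POLICE-100M
!
interface GigabitEthernet0/1.20
 description Customer service B (VLAN 20)
 encapsulation dot1Q 20
 ip address 203.0.113.5 255.255.255.252
 service-policy output POLICE-100M
!
ip route 192.0.2.0 255.255.255.0 203.0.113.2
ip route 198.51.100.0 255.255.255.0 203.0.113.6
```

The isolation property is the same in both cases: an attack on one subnet saturates only its own 100 Mbps policer rather than the shared 1 Gbps port. The difference is where the per-service state lives. Option 1 is one policy and a handful of ACL lines that the provider can amend when the customer renumbers a service; option 2 adds a subinterface, an address pair and a route per service, and the customer has to terminate every VLAN on their side as well, which is the "complexity shoved off on someone else" the reply warns about. Whether a given platform can police on ACL-matched classes at line rate is hardware-dependent, which is the reason option 1 may simply not be on offer.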