[j-nsp] Bandwidth limiting and DDoS protection

Mark Johnson juniper-nsp at avensys.net
Wed Jul 21 06:05:57 EDT 2004


Hi Folks,

We provide dedicated bandwidth/colo and currently use an over-engineered network to allow burst above the customer's CDR. For
example, a customer has a dedicated VLAN on a Cisco switch which appears as a dot1Q sub-interface on a router. He may have a 1Mb/s
CDR but we allow to burst to (say) 10Mb/s. We use Cisco rate-limiting to limit him to 10Mb/s and charge for use above 1Mb/s at 95th
percentile billing.

On our transit/peering routers we rate-limit traffic destined to his subnet(s) to 10Mb/s CDR. This is done mainly to protect our
infrastructure from large DDoS traffic flows but as we have multiple transit peering routers (let's say three) this may still allow
30Mb/s to him.

As we are about to replace a couple of Ciscos with Junipers I would like to go a little further now but ideally the same solution
will work with both Ciscos and Junipers.

I would like to mark the traffic below 1Mb/s to/from the customer as (shall we say) gold service. Traffic between (say) 1Mb/s and
5Mb/s as silver service, and traffic above 5Mb/s as bronze service. Traffic above 10Mb/s will be dropped.

Traffic coming from the customer will be marked based upon the sub-interface it arrives on and traffic destined to the customer
marked upon the destination subnet.

The idea is to prevent poor service within our network by giving priority to traffic within a customer's CDR especially when a DDoS
attack is in progress and especially when the traffic is crossing DS3/STM1/FE links.

Any pointers to the *best* way to achieve this that is compatible with Cisco 7200's 12.2S?

Kind regards,

Mark
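The tiered marking described in the post (gold up to 1Mb/s, silver to 5Mb/s, bronze to 10Mb/s, drop above) is essentially a multi-rate, multi-colour marker. The simulation below is an added illustration, not configuration from the list or from either vendor: it models the tiers as nested token buckets in the style of RFC 2698 (a packet takes the lowest tier whose bucket and every bucket above it can pay for it, and all of those buckets are debited) and shows how a steady offered load lands in each tier. Burst depth (100 ms of each rate) and the 1500-byte packet size are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    rate_bps: float           # refill rate in bits per second
    burst_bytes: int          # bucket depth in bytes
    tokens: float = field(init=False)
    last: float = 0.0         # time of the last refill

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def refill(self, now):
        self.tokens = min(self.burst_bytes, self.tokens + (now - self.last) * self.rate_bps / 8)
        self.last = now

class TieredMarker:
    """Mark packets by ascending rate tiers; anything above the top tier is dropped."""
    def __init__(self, tiers, burst_ms=100):
        # tiers: [(name, rate_bps), ...] in ascending order; burst is burst_ms worth of each rate
        self.buckets = [(n, TokenBucket(r, int(r * burst_ms / 1000 / 8))) for n, r in tiers]

    def mark(self, now, size):
        for _, b in self.buckets:
            b.refill(now)
        # lowest tier whose bucket and every bucket above it can pay; all of them are debited,
        # so the tiers are cumulative (1M gold inside 5M silver inside 10M bronze), not additive
        for i, (name, _) in enumerate(self.buckets):
            if all(b.tokens >= size for _, b in self.buckets[i:]):
                for _, b in self.buckets[i:]:
                    b.tokens -= size
                return name
        return "drop"

def simulate(marker, offered_bps, seconds, pkt_bytes=1500):
    """Constant stream of pkt_bytes packets at offered_bps; returns per-tier packet counts."""
    gap = pkt_bytes * 8 / offered_bps            # inter-packet time in seconds
    n = int(seconds / gap)
    return Counter(marker.mark(i * gap, pkt_bytes) for i in range(n))

if __name__ == "__main__":
    tiers = [("gold", 1e6), ("silver", 5e6), ("bronze", 10e6)]
    for rate in (0.8e6, 3e6, 12e6):
        print(f"{rate / 1e6:.1f} Mb/s offered:", dict(simulate(TieredMarker(tiers), rate, 2.0)))
```

At 3Mb/s roughly a third of the packets stay gold and the rest are silver with nothing dropped; at 12Mb/s about a sixth of the packets are dropped, which is the behaviour the post wants at the 10Mb/s ceiling while the first 1Mb/s keeps its priority.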


