On 2 Sep 2015, at 7:38, jim deleskie wrote:
> These networks survived many "large" DDoS attacks and far more fat-finger
> incidents than I like to think about.
What I'm saying is that keeping flow telemetry and other
management-plane traffic from mixing with customer data-plane traffic is
important in order to ensure visibility and control during a significant
network-impacting event.
I've personally been involved in assisting multiple operators in
multiple incidents in which either DDoS attack traffic or inadvertent
routing redistribution excursions led to loss of visibility and control,
resulting in unnecessarily long times to resolution.
Virtual separation is generally Good Enough, and what we see with
customers who run it all in-band is an increasing number who're taking
steps to achieve at least virtual separation (~20%, as Avi noted, is
about what we see implemented, currently). It isn't nearly as many as
we would like to see, and it isn't happening as fast as we'd like to see
it, but we encourage it wherever we can.
The OP on this thread was essentially asking about the best approach.
OOB, whether virtual or physical, is the best approach. Economic
factors may militate against this, at least initially, but a disaster or
two can change that economic analysis.
I also suspect that increasing use of 'SDN'-type (apologies for using
that overused acronym!) orchestration across the entire network topology
(e.g., not just within the IDC) is going to lead to more separation of
management-plane traffic from customer data-plane traffic, as the
implications sink in.
-----------------------------------
Roland Dobbins <rdobb...@arbor.net>
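As an added illustration of what "virtual separation" of the management plane looks like in practice (this is not part of Roland's message, nor any configuration posted in the thread): the script below carries two constructed IOS-XE-style snippets, one that exports flow telemetry, SNMP traps and syslog in the global routing table next to customer traffic, and one that sources every management-plane service from a dedicated management VRF, and audits each for services that would lose their path during a data-plane event. The VRF name MGMT, the interface names and the addresses are assumptions chosen for the example.

```python
"""Audit an IOS-style config for management-plane / data-plane separation.

Added example: flags flow-export, SNMP-trap and syslog destinations that are
reached through the global (customer data-plane) table instead of a
management VRF.  Constructed snippets below are illustrative, not real devices.
"""
import re
from typing import List

MGMT_VRF = "MGMT"  # assumed management VRF name; use whatever your site defines

# Constructed sample: everything in-band, no management VRF at all.
INBAND_CONFIG = """\
flow exporter NETFLOW
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
snmp-server host 192.0.2.20 version 2c public
logging host 192.0.2.30
"""

# Constructed sample: management Ethernet and all telemetry sourced from VRF MGMT.
SEPARATED_CONFIG = """\
vrf definition MGMT
 address-family ipv4
 exit-address-family
interface GigabitEthernet0
 vrf forwarding MGMT
 ip address 198.51.100.5 255.255.255.0
ip route vrf MGMT 0.0.0.0 0.0.0.0 198.51.100.1
flow exporter NETFLOW-OOB
 destination 192.0.2.10 vrf MGMT
 source GigabitEthernet0
 transport udp 2055
snmp-server host 192.0.2.20 vrf MGMT version 2c public
logging host 192.0.2.30 vrf MGMT
"""

# (label, regex capturing the destination and an optional "vrf NAME").
# A flow exporter's "destination" line is indented under its section header,
# so the parser tracks the enclosing top-level section.
SERVICE_PATTERNS = [
    ("flow export", re.compile(r"^destination\s+(\S+)(?:\s+vrf\s+(\S+))?")),
    ("snmp trap host", re.compile(r"^snmp-server host\s+(\S+)(?:\s+vrf\s+(\S+))?")),
    ("syslog host", re.compile(r"^logging host\s+(\S+)(?:\s+vrf\s+(\S+))?")),
]


def audit(config: str, mgmt_vrf: str = MGMT_VRF) -> List[str]:
    """Return one finding per management-plane service not bound to mgmt_vrf."""
    findings: List[str] = []
    section = ""          # most recent non-indented line (e.g. "flow exporter X")
    vrf_defined = False
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        indented = raw[0].isspace()
        line = raw.strip()
        if not indented:
            section = line
            if line == f"vrf definition {mgmt_vrf}":
                vrf_defined = True
        for label, pattern in SERVICE_PATTERNS:
            # "destination" only means an export target inside a flow exporter block
            if label == "flow export" and not section.startswith("flow exporter"):
                continue
            match = pattern.match(line)
            if not match:
                continue
            dest, vrf = match.group(1), match.group(2)
            if vrf != mgmt_vrf:
                where = f"vrf {vrf}" if vrf else "global routing table (in-band)"
                findings.append(f"{label} to {dest} uses {where}")
    if not vrf_defined:
        findings.insert(0, f"no 'vrf definition {mgmt_vrf}' present")
    return findings


if __name__ == "__main__":
    for name, cfg in (("in-band", INBAND_CONFIG), ("separated", SEPARATED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

The check is deliberately narrow: it only asks whether each telemetry and management destination is reached through the management VRF, which is the property that keeps collectors, trap receivers and log hosts reachable when the customer-facing table is under attack or has just absorbed a bad redistribution. Extending it to SSH source interfaces, NTP and AAA servers is the same pattern with more regexes.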