Hi, I currently have a setup below that works ok, but I'd like some opinions about some unanswered questions ive got.
Basically i currently offer IP based services to customers. What i do is run a fibre to a customer site, which on my end terminates in a switch as a vlan or as a trunk allowing that customer's specific vlans. Then a router linked to same switch with an allow all trunk that handles all the L3 interfaces as subinterfaces using dot1q. So for example customer A has vlans 10,11,12 and say customer B has vlans 20,21,22 which are L3 subinterfaces on the router. Some of these subinterfaces are used for plain internet access, some may be a member of a vrf for private (non internet) connections between customer sites. My concern here is whether this is best practise for delivering such services, or if other ways of doing this are out there and proven better. Also scalability and stability is a concern. there is a limit to how large you want a Layer2 network to be. Last but not least, security. what if a customer plugs the fibre link into his switch with a bunch of other vlans running. the only form of 'protection' that I currently have is restriction of vlans on the trunk from the customer, but some traffic (like spanning tree) travels on vlan1 as far as i recall and this cannot be blocked. another item would be vlan hopping. Im just after some pointers from what you all do out there to offer similar services, what the best practises for this are, lessons learnt, etc... so I can then delve into the details given the pointers, to ensure im running inline with tried and testing ways of doing things. thanks anton _______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/