[nsp] Colo DC setup

Terry Baranski tbaranski at mail.com
Mon Dec 8 21:04:06 EST 2003


> I'm trying to design a new network for our colo/dedicated 
> server customers.
> What we are going to get will be most probably 2x 6500s for 
> the core/distribution and 2950s for the access layer. So the 
> customers' servers will be connected to the 2950s, which have one 
> uplink to each of the 6500s running HSRP.
...
> What I wanted to do then is to isolate the customers' servers 
> as much as possible, with the option to enable communication 
> where necessary.

Offhand, I'd say protected ports on the 2950s and VACLs on the 6500s.  I
see no reason to bother with PVLANs in this case -- VACLs can do the
filtering you require and are more flexible from the standpoint of being
easy to change or make exceptions when necessary.

The problem with protected ports though is that they're not flexible.
Your only real option when making an exception for a given device is to
make its port unprotected, which means it can now talk to all other
ports (protected or not) on the switch.  The 2950s have some IP ACL
capability but it is very, very restrictive in nature and therefore
mostly useless in all but the simplest of scenarios.

So with that in mind, you may want to consider going with 3550s instead
of 2950s.  A 3550 gives you full ACL/VACL functionality with the option
of turning on layer-3 switching if it becomes desirable down the road.
Much more flexible and scalable.  

-Terry
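To make the split between the two layers concrete, here is an added configuration example (written for this page, not taken from the thread or from Cisco documentation) of the design Terry describes: protected ports on a 2950 access switch, and a VACL on the 6500 that drops server-to-server traffic inside the customer VLAN while still allowing a single exception pair to talk. All identifiers are assumptions chosen for illustration: customer VLAN 100, subnet 192.0.2.0/24, HSRP virtual gateway 192.0.2.1 with the two 6500s at 192.0.2.2 and 192.0.2.3, and customer hosts 192.0.2.10 and 192.0.2.20 as the exception pair.

```cisco
! ===== 2950 access switch (assumed hostname ACCESS-2950-01) =====
! Protected ports never forward unicast, multicast or broadcast
! frames to another protected port on the SAME switch. Traffic to an
! unprotected port (the uplinks) is forwarded normally, so every
! server can still reach the 6500s and its gateway.
interface FastEthernet0/1
 description Customer A server (assumed 192.0.2.10)
 switchport mode access
 switchport access vlan 100
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 description Customer B server (assumed 192.0.2.20)
 switchport mode access
 switchport access vlan 100
 switchport protected
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Uplinks to the two 6500s stay unprotected; this is what lets
! protected ports reach the outside world at all.
interface GigabitEthernet0/1
 description Uplink to CORE-6500-01 (assumed)
 switchport mode trunk
 switchport trunk allowed vlan 100
!
interface GigabitEthernet0/2
 description Uplink to CORE-6500-02 (assumed)
 switchport mode trunk
 switchport trunk allowed vlan 100

! ===== 6500 core/distribution (apply on BOTH 6500s) =====
! The VACL only sees frames that cross the 6500: traffic between two
! different 2950s, and traffic to/from the gateway. Intra-switch
! traffic on one 2950 never reaches here, which is why protected
! ports on the access layer are still needed.
!
! Exception pair: the two hosts that are allowed to talk to each other.
ip access-list extended VACL-EXCEPTION-A-B
 permit ip host 192.0.2.10 host 192.0.2.20
 permit ip host 192.0.2.20 host 192.0.2.10
!
! Gateway traffic must be permitted explicitly, including the real
! router addresses (HSRP hellos are sourced from them, not the VIP).
ip access-list extended VACL-GATEWAY
 permit ip any host 192.0.2.1
 permit ip any host 192.0.2.2
 permit ip any host 192.0.2.3
 permit ip host 192.0.2.1 any
 permit ip host 192.0.2.2 any
 permit ip host 192.0.2.3 any
!
! Everything else that stays inside the customer subnet is
! server-to-server traffic and gets dropped.
ip access-list extended VACL-INTRA-SUBNET
 permit ip 192.0.2.0 0.0.0.255 192.0.2.0 0.0.0.255
!
vlan access-map CUSTOMER-ISOLATION 10
 match ip address VACL-EXCEPTION-A-B
 action forward
vlan access-map CUSTOMER-ISOLATION 20
 match ip address VACL-GATEWAY
 action forward
vlan access-map CUSTOMER-ISOLATION 30
 match ip address VACL-INTRA-SUBNET
 action drop
! No match clause: applies to all remaining packets, i.e. traffic
! leaving or entering the subnet via the gateway.
vlan access-map CUSTOMER-ISOLATION 40
 action forward
!
vlan filter CUSTOMER-ISOLATION vlan-list 100
```

Two points worth checking before deploying something like this. First, the exception in the VACL only helps when the two hosts sit on different 2950s; if both are on the same access switch, protected ports block them before the 6500 ever sees the frame, and the only 2950-side fix is the unprotected-port workaround Terry warns about, which opens that port to every other port on the switch. Second, the VACL applies to routed as well as bridged traffic in the VLAN, so forgetting the gateway permits (sequence 20) silently cuts every server off from its default gateway; verify with `show vlan access-map` and `show vlan filter` on both 6500s, since the map has to be identical on each for HSRP failover to preserve the policy.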
