[c-nsp] vlans to customer - good practice / myth to bust !

vince anton mvanton at gmail.com
Mon Aug 3 13:51:03 EDT 2009


Hi,

I currently have a setup below that works ok, but I'd like some opinions
about some unanswered questions I've got.

Basically I currently offer IP based services to customers.  What I do is
run a fibre to a customer site, which on my end terminates in a switch as a
VLAN or as a trunk allowing that customer's specific VLANs.  Then a router
linked to the same switch with an allow-all trunk handles all the L3
interfaces as subinterfaces using dot1q.  So for example customer A has
VLANs 10,11,12 and say customer B has VLANs 20,21,22, which are L3
subinterfaces on the router.

Some of these subinterfaces are used for plain internet access, some may be
a member of a vrf for private (non internet) connections between customer
sites.

My concern here is whether this is best practice for delivering such
services, or if other ways of doing this are out there and proven better.

Also, scalability and stability are a concern.  There is a limit to how large
you want a Layer 2 network to be.

Last but not least, security.  What if a customer plugs the fibre link into
his switch with a bunch of other VLANs running?  The only form of
'protection' that I currently have is restriction of VLANs on the trunk from
the customer, but some traffic (like spanning tree) travels on VLAN 1 as far
as I recall and this cannot be blocked.  Another item would be VLAN hopping.

I'm just after some pointers from what you all do out there to offer similar
services, what the best practices for this are, lessons learnt, etc...  so I
can then delve into the details given the pointers, to ensure I'm running
in line with tried and tested ways of doing things.

thanks


anton


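Added example (not part of the original post or any reply): a Cisco IOS configuration for one customer-facing trunk, first as the loosely restricted port the post describes, then hardened against the VLAN 1, spanning-tree and VLAN-hopping concerns raised above. The interface name, the unused native VLAN 999 and the use of VLANs 10-12 for customer A are assumptions for illustration.

```ios
! --- Weak: the only control is the allowed-VLAN list (assumed port name) ---
interface GigabitEthernet1/0/1
 description Customer A fibre (weak)
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10-12
 switchport mode trunk
! DTP is still negotiating, the native VLAN is still VLAN 1 (untagged), and
! the customer's STP BPDUs are accepted into the provider spanning tree.

! --- Hardened ---
vlan dot1q tag native
! Global: tag the native VLAN on every trunk so an untagged frame cannot be
! injected into it (double-tagging mitigation). Needs hardware support; if
! the platform lacks it, the unused native VLAN below still helps.
vtp mode transparent
! Do not accept VLAN database changes from any neighbour.

interface GigabitEthernet1/0/1
 description Customer A fibre (hardened)
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 ! Native VLAN is an unused VLAN that carries no real traffic, not VLAN 1.
 switchport trunk allowed vlan 10-12
 ! VLAN 1 is absent from the list, so user traffic for it is pruned from this
 ! trunk. Control protocols (CDP, VTP, DTP) still ride VLAN 1, hence the
 ! per-protocol disables below.
 switchport mode trunk
 switchport nonegotiate
 ! No DTP: the customer cannot renegotiate the port's mode or encapsulation.
 no cdp enable
 ! Do not advertise this switch's platform, software and IP to the customer.
 spanning-tree bpdufilter enable
 ! Neither send nor honour BPDUs: the customer's STP stays on their side.
 ! Alternative: "spanning-tree bpduguard enable" err-disables the port when a
 ! BPDU arrives, which is noisier but makes the event visible in syslog.
 storm-control broadcast level 1.00
 ! Bound broadcast floods from a loop on the customer's side.
```

Verify the result with `show interfaces GigabitEthernet1/0/1 trunk` (native VLAN, allowed and active VLAN lists) and `show spanning-tree interface GigabitEthernet1/0/1 detail`, and watch for any VLAN 1 counters on the port.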