Best practices for hub-and-spoke Metro Ethernet network

Hi there,

It is my first MAN deployment. I will use the 6513 as the core switch and the 3550 as the edge switches to the customer.

The customer has 9 locations. The customer asked for interconnection between the 9 locations and his Data center in his HQ.

Additionally his Internet connection is at the HQ too.

What is the best practice to architect this solution addressing security? How do I deploy VLANs (like one VLAN for the Internet, one VLAN for each department, one management VLAN, etc.)?

Any advice?


Hi Sam...

Please find the sample diagram herein. I hope you are following this kind of topology! Usually the 3550 is in a ring topology when it comes to Metro Ethernet, so you can think of a Q-in-Q mechanism as well, wherein the 3550 will act as a u-PE. All you need from the 3550 to the CE is different VLANs, say one each for video, voice and data services, plus a management VLAN. There would be two management VLANs, one each for managing the CE and the u-PEs (the 3550s in your case, if they are in ring fashion).

Please do let me know if this clarifies your doubts.



Hello Raj,

Thanks for your reply, but I have a couple of questions.

Do we need to upgrade this Ethernet to Layer 3 for traffic shaping for both voice and video? If not, can I replace the 6513 with a Layer 2 switch if I don't need any routing between the customer VLANs?

And what do you think of security, especially as Internet will be provided through our core?

Please advise

Hi Sam,

Let me add my two cents here. When speaking about MAN deployments, the name of the game is MPLS, so I guess you are using the same on your Cat 6500s and connecting your customers on 3550s using VLANs.

Regarding your questions:

a) Upgrading Ethernet to L3 for traffic shaping: This is basically done at the 3550, so I suppose that's what you intend to do. Plus, you will be letting spokes talk only to the hub site, so inter-VLAN connectivity, at least between the hub and each spoke, will be required, hence inter-VLAN routing. The other way is to configure P2P circuits between the hub site with VLAN mapping (per spoke) and the spoke sites with port mapping; in this scenario inter-VLAN routing is not a necessity.

b) Security: This depends on what exact architecture you have deployed. In my case I have simply installed a gateway router with BGP peering with the PEs; a separate VRF along with redistribution does the trick.

Hope I addressed the query correctly; let me know if that helped.



