
Metro Ethernet Design question


I was wondering how service providers guarantee their security protection in the Metro Ethernet model, especially when Internet is one of the applications used over the Metro network.

For example: the customer edge switch (3550) is connected directly to the service provider aggregation layer (either Cisco Catalyst 4500 or 6500 Series switches).

In the network core, Cisco 12000 or Cisco 7600 Series routers.

So where are the security devices in this architecture? Where are the firewalls and the IDS/IPS that protect the service provider core from any threats?

Providing the customer with Internet over Ethernet switching technology will put the provider in a vulnerable position.

Am I thinking wrong here?



The CE will be hardened using storm control both multicast as well as broadcast on the ports where the end users are connected.

About the accessibility between the other users who are connected on the ports of the same switches, you have switchport security configured, which will take care of the access violation part.

Also the maximum number of MAC addresses which can be permitted/allowed over the ports.

This in turn will send you a trap and can shut the port if there's any violation detected on those ports.

In the next layer, where you say 6500 or 7600, you will have FWSM modules which will be taking care of filtering and other functionalities, which is very much similar to a standalone PIX firewall.

You can have redundancy or even load balancing with the FWSM modules over there in the 6500 switches.

And of course the IP addressing schemes deployed would be in private scopes and will have either NAT pools or PAT enabled in the FWSM.

You have got to have more and more ACLs on all the devices, applied at the applicable points, to mitigate the generally known worms/viruses or their variants in the network.
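The CE hardening described in this reply (storm control, a MAC limit, trap and shutdown on violation), as an added Cisco IOS configuration example that is not from the thread. It assumes FastEthernet0/1 is a customer-facing access port in VLAN 100, a 20% suppression level, a two-address limit and a trap receiver at 192.0.2.10; all of these values are assumptions, not figures from the post.

```ios
! Added example, not from the thread. All interface names, VLAN,
! thresholds and the SNMP host below are assumed values.
interface FastEthernet0/1
 description customer-facing access port (assumed)
 switchport mode access
 switchport access vlan 100
 ! Storm control: suppress broadcast and multicast above 20% of
 ! port bandwidth and raise an SNMP trap when the threshold is crossed
 storm-control broadcast level 20.00
 storm-control multicast level 20.00
 storm-control action trap
 ! Port security: allow at most 2 source MAC addresses; a third
 ! address err-disables the port and generates a trap/syslog entry
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation shutdown
!
! Send port-security violation traps to the NMS (assumed receiver)
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c public
!
! Let a port that was err-disabled by a violation recover after 5 minutes
! instead of needing a manual shut/no shut
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification after applying:
!   show storm-control FastEthernet0/1
!   show port-security interface FastEthernet0/1
!   show errdisable recovery
```

With `violation shutdown` the port stays err-disabled until the recovery timer fires or an operator re-enables it; `violation restrict` drops the offending frames and still sends the trap but keeps the port up, which may be preferable where a noisy customer should not be taken fully offline.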



You mentioned that NAT will be performed on the aggregation layer (6500) using the FWSM.

What is the best layer to do NAT here? Is it the CE, the core layer, or the aggregation layer as you mentioned?

Another question: where is the security in the service provider core? Is there any firewall or IDS/IPS?

And what is the best practice for separating the Internet traffic from the MAN traffic at the customer edge?

Any thoughts?


I mentioned the 6500 especially here because of the FWSM compatibility with the box, because it doesn't fit in your GSR.

And the NATting/FWSM comes one step before the core layer, where the whole lot of traffic aggregation from the access points is done.

A typical setup may be like this:

3550/3750 (Access) --- 7600 -- 6500/GSR

It also depends upon the kind of setup or topology you have in place or are planning to have.