Hi everyone,

Hopefully my question is operational 'enough' to be asked here, as I don't know of any other place to ask...

Still trying to redesign (as-I-go) our ISP network, I've realized that we are not large enough to deploy a full three layer approach (core, dist, acc), so I'm trying to consolidate, with the ability to scale if necessary. I also want full network reachability if I need to take any one router off-line for upgrade or replacement purposes.

Given the following diagram (forgive me, it was drafted rather quickly with Visio, and just dumped onto a web box), I'm hoping for advice on whether I'm leaning the right way.

http://ibctech.ca/p-ce.html

What I want:

- ability to take a router off-line for upgrade, and not be concerned about reachability issues if the lab-tested procedure fails miserably on production gear
- a relatively easy way to keep traffic control measures at the access/edge (ACLs, uRPF, RTBH etc.)
- the 'core' free of interface ACLs (if possible), only running filtering ingress to the process-switch environment
- the ability to scale without having to have a full mesh with all PE routers

What I have:

- numerous CPE routers connected to a CE switch that multi-homes into two different routers at two different locations in our access layer
- an access layer that has no routers capable of a full BGP table (well, v4 that is)
- a core layer that can handle full tables
- a network access layer on the north side of the diagram that you can't see, with the same type of setup, but with full v4 routing tables being announced in
- the access layer provides def-orig to CPE routers
- the PE protects the CE from becoming transit

What I am thinking:

- use the core routers as route-reflectors to the PE access routers, including a def-orig where it applies (to remain scalable, until PE can be replaced to hold full routes)
- the PE routers send def-orig on to the CE sites
- stop thinking about every network like it is an 'enterprise' network - look at most of my ISP environment as 'access clients', instead of always seeing my ISP as everything in my buildings. See the ISP as a 'network provider', and then realize the rest are just access 'clients':
  -- the 'hosting provider'
  -- the 'colocation provider'
  -- the 'Internet provider'
  -- the 'email provider'
  -- etc.

There is much, much more, but feedback on the above setup will get me going on the proper path...

Steve
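The design Steve sketches (cores as route reflectors handing a default to PEs that hold no full table, PEs sending def-orig to the CE and filtering it so it cannot become transit, uRPF and the RTBH sink kept at the edge) written out as a configuration fragment. This is an added illustration, not Steve's configuration or anything from the diagram; it assumes Cisco IOS syntax, placeholder AS numbers (64500 for the ISP, 64501 for the CE), documentation addresses, and a separate RTBH trigger router that tags blackholed /32s with community 64500:666 and next-hop 192.0.2.254.

```text
! ---- Core router, acting as route reflector (placeholder addresses/AS) ----
ip bgp-community new-format
router bgp 64500
 neighbor PE peer-group
 neighbor PE remote-as 64500
 neighbor PE update-source Loopback0
 neighbor 192.0.2.11 peer-group PE
 neighbor 192.0.2.12 peer-group PE
 address-family ipv4
  neighbor PE route-reflector-client
  neighbor PE send-community both
  ! PEs hold no full table: each core hands them 0/0 plus our own aggregates only
  neighbor PE default-originate
  neighbor PE route-map RR-TO-PE out
 exit-address-family
!
ip prefix-list OUR-AGGREGATES seq 5 permit 203.0.113.0/24 le 32
ip community-list standard BLACKHOLE permit 64500:666
! RTBH /32s (tagged by the trigger router) must still reach every PE
route-map RR-TO-PE permit 10
 match community BLACKHOLE
route-map RR-TO-PE permit 20
 match ip address prefix-list OUR-AGGREGATES
!
! ---- PE access router: RR client of both cores, def-orig to the CE ----
router bgp 64500
 neighbor 192.0.2.1 remote-as 64500
 neighbor 192.0.2.1 update-source Loopback0
 neighbor 192.0.2.2 remote-as 64500
 neighbor 192.0.2.2 update-source Loopback0
 neighbor 198.51.100.2 remote-as 64501
 address-family ipv4
  neighbor 198.51.100.2 default-originate
  neighbor 198.51.100.2 prefix-list DEFAULT-ONLY out
  ! accept only the CE's own block and only paths it originates: CE cannot become transit
  neighbor 198.51.100.2 prefix-list CE-IN in
  neighbor 198.51.100.2 filter-list 10 in
  neighbor 198.51.100.2 maximum-prefix 10
 exit-address-family
!
ip as-path access-list 10 permit ^64501(_64501)*$
ip prefix-list CE-IN seq 5 permit 203.0.113.0/24
ip prefix-list DEFAULT-ONLY seq 5 permit 0.0.0.0/0
!
interface GigabitEthernet0/1
 ip verify unicast source reachable-via rx
!
! RTBH sink: the trigger sets next-hop 192.0.2.254 on blackholed /32s
ip route 192.0.2.254 255.255.255.255 Null0
```

Because both cores originate the default to each PE, a PE keeps a usable 0/0 while either core is taken off-line, and the second PE site keeps the CE reachable while one PE is upgraded.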