On 8 September 2015 at 21:40, Josh Moore <jmoore@atcnetworks.net> wrote:
> The question becomes manageability. Unique VLAN per customer is not always scalable. For example, only ~4000 VLAN tags. What happens when you have more than that many customers? Also, provisioning. Who is going to provision thousands of unique prefixes and VLANs, trunk them through relevant equipment and ensure they are secured as well?
VLAN tags can be stacked (QinQ). This allows 4096*4096 VLANs. It also allows you to group them and use wildcard VLAN forwarding (i.e. outer VLAN 100, inner VLAN ANY). Or you can stuff the whole thing into an MPLS L2VPN tunnel.

We are forced to use this scheme by the incumbent telco. It is simply the way they hand off customer links to us. One end user per VLAN; each "area code" has an assigned outer tag, and users within an area are assigned inner tags sequentially starting with VLAN 2. I.e. user #1 is 100.2, user #2 is 100.3, user #3, living in a different area, is 101.2.

However, we still want to preserve IPv4, so users will be sharing the same IPv4 subnet even though they are on different VLANs. This is done by VLAN ranges on a layer 3 interface. As a consequence we are more or less forced to do the same for the IPv6 setup. Every user that shares an IPv4 subnet will also share an IPv6 /64 prefix on their uplinks. We use DHCPv6-PD to allocate a /48 prefix to each user, so the shared prefix is only used by the CPE on the uplink. Users will normally only see the shared prefix if they do a traceroute. Their computer will have an address from the /48 prefix.

Regards,
Baldur
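The tag and address plan Baldur describes (outer tag per area, inner tags per user from 2 upward, a shared IPv4 subnet and IPv6 /64 per VLAN range, a /48 per user from a DHCPv6-PD pool), written out as an added Python allocator. This is example code, not from the thread or from either ISP's provisioning system; the area names, outer tags 100/101, the shared prefixes, the PD pool and the Linux iproute2 lines for the stacked sub-interfaces are all assumptions made to have something runnable. It also checks the two failure modes a provisioning script has to catch: running out of inner tags behind one outer tag, and running out of /48s in the pool, and it refuses a shared /64 that sits inside the PD pool so a customer can never be delegated the uplink prefix.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example of the scheme in the post: one outer 802.1ad tag per area,
# inner 802.1Q tags per user starting at 2, one shared IPv4 subnet and IPv6 /64
# per area (the "VLAN range on a layer 3 interface"), and a /48 per user carved
# from a DHCPv6-PD pool. All tag numbers and prefixes below are assumptions.
INNER_TAG_FIRST = 2
INNER_TAG_LAST = 4094        # 802.1Q VIDs 0 and 4095 are reserved, so 4094 usable


@dataclass(frozen=True)
class Uplink:
    area: str
    outer_tag: int
    inner_tag: int
    shared_v4: ipaddress.IPv4Network   # shared by every CPE in the area's VLAN range
    shared_v6: ipaddress.IPv6Network   # the /64 the CPE sees on its uplink
    delegated: ipaddress.IPv6Network   # the /48 handed to the CPE via DHCPv6-PD

    @property
    def tag(self) -> str:
        return f"{self.outer_tag}.{self.inner_tag}"


class Allocator:
    def __init__(self, areas: dict, pd_pool: str):
        # areas: {name: (outer_tag, shared_ipv4, shared_ipv6_64)}
        pool = ipaddress.IPv6Network(pd_pool)
        self.areas = {}
        for name, (outer, v4, v6) in areas.items():
            v6net = ipaddress.IPv6Network(v6)
            if v6net.overlaps(pool):
                raise ValueError(f"{name}: shared /64 {v6net} lies inside PD pool {pool}")
            self.areas[name] = (outer, ipaddress.IPv4Network(v4), v6net)
        outers = [o for o, _, _ in self.areas.values()]
        if len(set(outers)) != len(outers):
            raise ValueError("outer tags must be unique per area")
        self.next_inner = {n: INNER_TAG_FIRST for n in self.areas}
        self.pd_pool = iter(pool.subnets(new_prefix=48))
        self.links = {}   # (outer, inner) -> Uplink

    def add_user(self, area: str) -> Uplink:
        outer, v4, v6 = self.areas[area]
        inner = self.next_inner[area]
        if inner > INNER_TAG_LAST:
            raise ValueError(f"outer tag {outer} ({area}) has no inner tags left")
        try:
            pd = next(self.pd_pool)
        except StopIteration:
            raise ValueError("DHCPv6-PD pool exhausted") from None
        link = Uplink(area, outer, inner, v4, v6, pd)
        self.links[(outer, inner)] = link
        self.next_inner[area] = inner + 1
        return link

    def lookup(self, outer: int, inner: int):
        return self.links.get((outer, inner))

    def area_links(self, outer: int):
        """Everything behind one outer tag: the 'outer 100, inner ANY' wildcard view."""
        return [l for (o, _), l in sorted(self.links.items()) if o == outer]


def iproute2_commands(alloc: Allocator, parent: str = "eth0"):
    """Linux iproute2 lines that would create the stacked sub-interfaces on a
    router (assumed illustration; the post's equipment is not said to be Linux).
    802.1ad outer, 802.1Q inner; one outer link per area, one inner per user."""
    cmds, done_outer = [], set()
    for (outer, inner), _link in sorted(alloc.links.items()):
        if outer not in done_outer:
            cmds.append(f"ip link add link {parent} name {parent}.{outer} "
                        f"type vlan protocol 802.1ad id {outer}")
            cmds.append(f"ip link set {parent}.{outer} up")
            done_outer.add(outer)
        dev = f"{parent}.{outer}.{inner}"
        cmds.append(f"ip link add link {parent}.{outer} name {dev} type vlan id {inner}")
        cmds.append(f"ip link set {dev} up")
    return cmds


def example_plan():
    """The three users from the post: #1 and #2 in area 100, #3 in area 101.
    Prefixes are documentation ranges chosen for this example."""
    alloc = Allocator(
        areas={"area100": (100, "192.0.2.0/24", "2001:db8:ff00:100::/64"),
               "area101": (101, "198.51.100.0/24", "2001:db8:ff00:101::/64")},
        pd_pool="2001:db8::/36",   # 4096 /48s, none overlapping the shared /64s
    )
    users = [alloc.add_user("area100"), alloc.add_user("area100"), alloc.add_user("area101")]
    return alloc, users


if __name__ == "__main__":
    alloc, users = example_plan()
    for u in users:
        print(f"{u.tag:>8}  shared {u.shared_v4} / {u.shared_v6}  PD {u.delegated}")
    print("\n".join(iproute2_commands(alloc)))
```

Running it prints 100.2, 100.3 and 101.2 with the first two sharing the same IPv4 subnet and /64 while each gets its own /48, which is exactly the situation the post describes; the iproute2 lines are only there to show what "provision thousands of VLANs" turns into once the allocator decides the tags, and would need to be adapted to whatever platform actually terminates the VLAN ranges.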