Customer traffic separation

Customer traffic separation is designed to separate, partition, and isolate customer traffic from internal traffic.

Customer traffic separation prevents externally connected devices from sniffing internal communications or adding traffic to internal communications. It also prevents switch flooding of internal traffic onto external networks. Flooded traffic includes broadcast (DHCP discover, ARP), unknown unicast, and multicast.

The key to customer traffic separation is VLAN segregation. All internal communications are untagged but are assigned to a default internal VLAN, VLAN 4090. All external traffic is carried on a customer-specified VLAN or, if untagged, is assigned to internal VLAN 4091 by the switches.

Switch access ports support a single VLAN and are used to connect to devices that are not VLAN capable, such as the Flexible Service Processors (FSPs), Remote Power Controllers (RPCs), and Terminal Server (TS). Traffic is not VLAN-tagged on these ports.

Switch trunk ports support multiple VLANs, so VLAN tags are required. Untagged traffic can be assigned to a VLAN that is part of a trunk port, which allows untagged customer traffic to be carried.
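The classification and separation rules described above, modelled as an added example (not code from this page or from any product): port names, the customer VLAN 100 and the port table are constructed assumptions; the VLAN numbers 4090 and 4091 are the ones the text gives. The `audit` function flags port settings that would let untagged customer traffic, or a frame an external device tags with the internal VLAN, reach VLAN 4090.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

INTERNAL_VLAN = 4090           # default VLAN for untagged internal traffic
EXTERNAL_UNTAGGED_VLAN = 4091  # VLAN the switch assigns to untagged customer traffic


@dataclass
class Port:
    name: str
    mode: str                                    # "access" or "trunk"
    native_vlan: int                             # VLAN assigned to untagged frames
    allowed_vlans: FrozenSet[int] = frozenset()  # tagged VLANs a trunk carries
    external: bool = False                       # faces a customer/external device?


def classify(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN a received frame is placed in, or None if the switch drops it."""
    if port.mode == "access":
        # An access port carries exactly one VLAN and does not accept tagged frames.
        return port.native_vlan if tag is None else None
    if tag is None:
        return port.native_vlan                  # untagged customer traffic -> 4091
    return tag if tag in port.allowed_vlans else None


def audit(ports: List[Port]) -> List[str]:
    """Findings that break the internal/external separation rules."""
    findings = []
    for p in ports:
        if p.external and p.mode == "trunk":
            if INTERNAL_VLAN in p.allowed_vlans:
                findings.append(f"{p.name}: external trunk carries VLAN {INTERNAL_VLAN}")
            if p.native_vlan != EXTERNAL_UNTAGGED_VLAN:
                findings.append(f"{p.name}: untagged traffic not mapped to {EXTERNAL_UNTAGGED_VLAN}")
        elif p.external and p.native_vlan == INTERNAL_VLAN:
            findings.append(f"{p.name}: external access port sits on internal VLAN")
        elif not p.external and p.native_vlan != INTERNAL_VLAN:
            findings.append(f"{p.name}: internal port not on VLAN {INTERNAL_VLAN}")
    return findings


# Constructed sample port table (port names and customer VLAN 100 are made up).
PORTS = [
    Port("fsp1", "access", INTERNAL_VLAN),                                  # FSP, untagged internal
    Port("cust-a", "trunk", EXTERNAL_UNTAGGED_VLAN, frozenset({100, 4091}), external=True),
    Port("cust-b", "trunk", INTERNAL_VLAN, frozenset({100, 4090}), external=True),  # misconfigured
]

if __name__ == "__main__":
    for finding in audit(PORTS):
        print(finding)
```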