We are looking at ways to let our customers connect to our VoIP platform in various ways (IPSec/GRE over internet, L2 via some other provider's network, dark fiber) via a unit managed by us, providing proactive monitoring (for example with an Accedian Nano-NID) of the connection and delivering an interface at their premises totally to their specification with regard to IP subnetting, IPv4/IPv6, port aggregation and media type. The traffic is then terminated in our SBC, which handles overlapping IP addressing and such, so no address translation should be done.
Please see the attached network diagram.
Current thinking is to run a virtual router per customer in the terminating unit at our end and terminate every customer interface (whether it be physical or a "virtual" GRE or IPSec interface) together with a VLAN interface in the VR. Then run BGP over that to be able to build redundant paths.
When it comes to the hardware, some EX switch would be nice, mainly due to it not interfering with traffic on L4 and above; SRX would be good as it offers added flexibility and the ability to do IPSec, and no additional licensing is needed for BGP. We would of course prefer to use a single type/model of device as CPE.
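
As an added illustration (not part of the original post and not a validated design), the per-customer virtual-router layout described above could be sketched in Junos set-style configuration as follows. All instance names, interface units, addresses and AS numbers are constructed placeholders, and the IKE/IPsec VPN definitions and security zones an SRX would also need are omitted.

```junos
# Constructed example: every name, unit, address and AS number is a placeholder.
# Customer A arrives over GRE, customer B over IPsec (st0). Both use the SAME
# link addressing, which only works because each lives in its own routing table.

# Customer-facing tunnel interfaces
set interfaces gr-0/0/0 unit 101 description "CUST-A GRE to managed CPE"
set interfaces gr-0/0/0 unit 101 tunnel source 192.0.2.1
set interfaces gr-0/0/0 unit 101 tunnel destination 198.51.100.10
set interfaces gr-0/0/0 unit 101 family inet address 10.255.0.1/30
set interfaces st0 unit 102 description "CUST-B IPsec to managed CPE"
set interfaces st0 unit 102 family inet address 10.255.0.1/30

# One VLAN per customer on the trunk towards the SBC
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 101 vlan-id 101
set interfaces ge-0/0/1 unit 101 family inet address 10.10.0.1/30
set interfaces ge-0/0/1 unit 102 vlan-id 102
set interfaces ge-0/0/1 unit 102 family inet address 10.10.0.1/30

# Customer A: tunnel + VLAN bound to a dedicated virtual router
set routing-instances CUST-A instance-type virtual-router
set routing-instances CUST-A interface gr-0/0/0.101
set routing-instances CUST-A interface ge-0/0/1.101
set routing-instances CUST-A routing-options autonomous-system 64512
set routing-instances CUST-A protocols bgp group CPE type external
set routing-instances CUST-A protocols bgp group CPE peer-as 65001
set routing-instances CUST-A protocols bgp group CPE neighbor 10.255.0.2

# Customer B: same pattern, separate routing table, overlapping addresses
set routing-instances CUST-B instance-type virtual-router
set routing-instances CUST-B interface st0.102
set routing-instances CUST-B interface ge-0/0/1.102
set routing-instances CUST-B routing-options autonomous-system 64512
set routing-instances CUST-B protocols bgp group CPE type external
set routing-instances CUST-B protocols bgp group CPE peer-as 65002
set routing-instances CUST-B protocols bgp group CPE neighbor 10.255.0.2
```

Because no interface is shared between instances and no routes are leaked between them, traffic from one customer cannot reach another customer's table; a second tunnel and BGP neighbor inside the same instance would provide the redundant path.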