We put ours in our DC.
We run a combination 3-tiered classical network architecture with modularisation. So essentially, each User Site has its own distribution, which connects to two of 6 core devices.
We also have a distribution specifically for Servers, and a newer one for NMS applications. This aims to achieve a greater level of security and resilience of the NMS infrastructure by logically preventing issues that are caused on the User distributions from having an adverse impact on the NMS which can skew the results for all sites.
Private VLAN, in our core Data Center, NATed for edge routers