Best way to connect to another private network.

Oct 27th, 2008

I have a slight disagreement with my co-workers here. We are going to connect our corporate network to another company's network over dual 20 Mbps metro Ethernet lines for redundancy. I think we should firewall it and route via BGP between our networks. We will treat them like a trusted extranet.

My colleague feels it's enough to firewall and NAT their network, and we can use static routes pointing to them and EtherChannel both Ethernet ports.


What are the pros and cons of each scenario?

John Blakley Mon, 10/27/2008 - 12:33

Personally, if there aren't a ton of subnets on the other end, I would opt for the simplicity of a static route.


--John

rshum Mon, 10/27/2008 - 12:35

They have about 80 subnets and there is nothing to say we only have to allow 3 or 4 in. They currently can't even identify exactly which users will need access to our network.

Jon Marshall Mon, 10/27/2008 - 12:36

Roland


Let me put it another way. Why do you think using BGP is a better way to go than simply firewalling the connection? Is there some advantage security-wise that you can see, or is it simply because you feel this is a more optimal design? Are there routing policies you want to implement between you and your partner that require BGP capabilities?


Bear in mind that from a security perspective static routing is more secure than exchanging routes with an external company. You say they are trusted; how trusted, and what resources are they accessing?


Jon

rshum Mon, 10/27/2008 - 12:41

I was thinking of using BGP to route around a potential failure of one of the metro Ethernet circuits as well as keeping their address space away from ours (we're both using the 10.0.0.0 internally).



Jon Marshall Mon, 10/27/2008 - 12:47

Okay. Well, EtherChannel would utilise both links at the same time and would sort out one of the link failures.


Not sure what you mean by keeping address spaces separate. How does BGP help with this?


I'm not saying that I wouldn't go with your solution; it's just that keeping it as simple as possible is usually the best way :)


By the way, are the subnets you each need to get to summarisable?


Jon
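Two questions in the exchange above decide how much the static-route option costs: whether the partner's subnets summarise into a few routes, and where their 10.0.0.0/8 space collides with ours (a colliding prefix cannot be routed natively and is the part that actually needs NAT). The script below, an added example that is not from this thread or from either poster, works both out with the standard `ipaddress` module. All prefixes are constructed sample data, and `NEXT_HOP` and `NAT_POOL` are hypothetical values standing in for the partner-facing next hop and the pool the colliding subnet would be translated into.

```python
"""Summarise a partner's prefixes and flag collisions with our own address space.

Added example; not code from the thread. Every prefix below is constructed
sample data, and NEXT_HOP / NAT_POOL are hypothetical placeholder values.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample data: both companies use RFC 1918 10.0.0.0/8 internally.
OUR_PREFIXES = ["10.1.0.0/16", "10.2.0.0/16", "10.10.0.0/24"]
PARTNER_PREFIXES = [
    "10.1.4.0/24",                                   # collides with our 10.1.0.0/16
    "10.200.0.0/24", "10.200.1.0/24",
    "10.200.2.0/24", "10.200.3.0/24",                # these four collapse to a /22
    "10.201.0.0/24",
]
NEXT_HOP = "192.0.2.1"        # hypothetical partner-facing router (TEST-NET-1 address)
NAT_POOL = "172.16.80.0/24"   # hypothetical pool the colliding partner subnet is NATed into


def summarize(prefixes: List[str]) -> List[str]:
    """Collapse prefixes into the smallest covering set, in address order.

    Fewer entries here means fewer static routes to write and maintain, which
    is the 'are they summarisable?' question from the thread.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def find_overlaps(ours: List[str], theirs: List[str]) -> List[Tuple[str, str]]:
    """Return (partner_prefix, our_prefix) pairs whose address ranges overlap.

    A partner prefix that overlaps one of ours cannot be routed natively: our
    hosts would treat those destinations as local, so that prefix has to be
    reached through a translated (NAT) address instead.
    """
    our_nets = [ipaddress.ip_network(p) for p in ours]
    hits = []
    for t in theirs:
        tn = ipaddress.ip_network(t)
        for on in our_nets:
            if tn.overlaps(on):
                hits.append((str(tn), str(on)))
    return hits


def static_route_plan(ours: List[str], theirs: List[str],
                      next_hop: str, nat_pool: str) -> Dict[str, List[str]]:
    """Build the static-route side of the design.

    Non-colliding partner prefixes are summarised and pointed at next_hop.
    Colliding ones are reported under 'needs_nat' so a destination-NAT mapping
    into nat_pool can be configured; only the pool itself gets a route.
    """
    colliding = {t for t, _ in find_overlaps(ours, theirs)}
    native = [t for t in theirs if t not in colliding]
    routes = []
    for s in summarize(native):
        n = ipaddress.ip_network(s)
        routes.append(f"ip route {n.network_address} {n.netmask} {next_hop}")
    if colliding:
        pool = ipaddress.ip_network(nat_pool)
        routes.append(f"ip route {pool.network_address} {pool.netmask} {next_hop}")
    return {"routes": routes, "needs_nat": sorted(colliding)}


if __name__ == "__main__":
    print("summarised partner prefixes:", summarize(PARTNER_PREFIXES))
    print("collisions:", find_overlaps(OUR_PREFIXES, PARTNER_PREFIXES))
    for line in static_route_plan(OUR_PREFIXES, PARTNER_PREFIXES,
                                  NEXT_HOP, NAT_POOL)["routes"]:
        print(line)
```

With the sample data the four contiguous /24s collapse to one /22, so six partner subnets become three routes, and the single colliding /24 is the only thing that needs translation. Run against the real list of 80 partner subnets, the same two functions tell you how many static routes the "keep it simple" design would need and how much of the partner's space overlaps yours.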

rais Mon, 10/27/2008 - 14:03

I vote BGP.


Thanks.

Jon Marshall Mon, 10/27/2008 - 14:07

Nice, well constructed argument :-)

pkaretnikov Mon, 10/27/2008 - 17:51

No matter what, firewalling is a great idea, but I don't see any major advantage in running BGP. Just have a summarized route pointing to the other (NAT'd) side.
