Best way to connect to another private network.

Unanswered Question
Oct 27th, 2008

I have a slight disagreement with my co-workers here. We are going to connect our corporate network to another company's network over dual 20 Mb/s metro Ethernet lines for redundancy. I think we should firewall it and route via BGP between our networks. We will treat them like a trusted extranet.

My colleague feels it's enough to firewall and NAT their network, and we can use static routes pointing to them and EtherChannel both Ethernet ports.

What are the pros and cons of each scenario?

John Blakley Mon, 10/27/2008 - 12:33

Personally, if there aren't a ton of subnets on the other end, I would opt for the simplicity of a static route.


rshum Mon, 10/27/2008 - 12:35

They have about 80 subnets and there is nothing to say we only have to allow 3 or 4 in. They currently can't even identify exactly which users will need access to our network.

Jon Marshall Mon, 10/27/2008 - 12:36


Let me put it another way. Why do you think using BGP is a better way to go than simply firewalling the connection? Is there some advantage security-wise that you can see, or is it simply because you feel this is a more optimal design? Are there routing policies you want to implement between you and your partner that require BGP capabilities?

Bear in mind that from a security perspective, static routing is more secure than exchanging routes with an external company. You say they are trusted; how trusted, and what resources are they accessing?


rshum Mon, 10/27/2008 - 12:41

I was thinking of using BGP to route around a potential failure of one of the metro Ethernet circuits as well as keeping their address space away from ours (we're both using the internally).

Jon Marshall Mon, 10/27/2008 - 12:47

Okay. Well, EtherChannel would utilise both links at the same time and would sort out one of the link failures.

Not sure what you mean by keeping address spaces separate. How does BGP help with this?

I'm not saying that I wouldn't go with your solution; it's just that keeping it as simple as possible is usually the best way :)

By the way, are the subnets you each need to get to summarisable?


pkaretnikov Mon, 10/27/2008 - 17:51

No matter what, firewalling is a great idea, but I don't see any major advantage in running BGP. Just have a summarized route pointing to the other (NAT'd) side.
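Two questions raised in the thread, whether the partner's 80-odd subnets overlap your own address space (so NAT is unavoidable) and whether they summarise into a static route without over-covering, can be checked mechanically before the design argument is settled. The following is an added example, not code from anyone in the thread; the prefixes in it are constructed sample data, and it only uses the Python standard library.

```python
import ipaddress
from typing import Iterable

Net = ipaddress.IPv4Network


def parse(prefixes: Iterable[str]) -> list[Net]:
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def overlapping(partner: Iterable[str], ours: Iterable[str]) -> list[str]:
    """Partner prefixes that collide with our own space; reaching these
    needs NAT (or renumbering) whatever routing method is chosen."""
    mine = parse(ours)
    return sorted(str(p) for p in parse(partner)
                  if any(p.overlaps(m) for m in mine))


def static_routes(partner: Iterable[str], ours: Iterable[str]) -> list[str]:
    """Minimal exact set of summary routes for the non-overlapping partner
    prefixes: collapse_addresses merges adjacent and nested networks but
    never adds address space the partner did not list."""
    mine = parse(ours)
    clean = [p for p in parse(partner)
             if not any(p.overlaps(m) for m in mine)]
    return [str(n) for n in ipaddress.collapse_addresses(clean)]


def single_summary(prefixes: Iterable[str]) -> tuple[str, bool]:
    """Smallest single prefix covering every given prefix, and whether it is
    exact. A non-exact summary also sends traffic for unlisted (possibly
    internal) addresses towards the partner, so it should be rejected."""
    nets = parse(prefixes)
    agg = nets[0]
    while not all(n.subnet_of(agg) for n in nets):
        agg = agg.supernet()
    exact = list(ipaddress.collapse_addresses(nets)) == [agg]
    return str(agg), exact


# Constructed sample data (not from the thread): both sides use 10/8 internally.
PARTNER = ["10.1.0.0/24", "10.1.1.0/24", "10.1.2.0/23", "10.50.0.0/24", "172.16.9.0/24"]
OURS = ["10.50.0.0/16", "192.168.0.0/16"]

if __name__ == "__main__":
    print("needs NAT:", overlapping(PARTNER, OURS))
    print("static routes:", static_routes(PARTNER, OURS))
    print("single summary:", single_summary(static_routes(PARTNER, OURS)))
```

With the sample data the partner's 10.50.0.0/24 collides with our /16 and must be NATed, the rest collapses to two exact static routes, and a single covering route would degrade to 0.0.0.0/0, which is exactly the over-covering case a static design has to avoid.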

