Best way to connect to another private network.

rshum
Level 1

I have a slight disagreement with my co-workers here. We are going to connect our corporate network to another company's network over dual 20mbs metro ethernet lines for redundancy. I think we should firewall it and route via BGP between our networks. We will treat them like a trusted extranet.

My colleague feels it's enough to firewall and NAT their network and we can use static routes pointing to them and etherchannel both ethernet ports.

What are the pros and cons of each scenario?


John Blakley
VIP Alumni

Personally, if there aren't a ton of subnets on the other end, I would opt for the simplicity of a static route.

--John


They have about 80 subnets and there is nothing to say we only have to allow 3 or 4 in. They currently can't even identify exactly which users will need access to our network.

Jon Marshall
Hall of Fame

Roland

Let me put it another way. Why do you think using BGP is a better way to go than simply firewalling the connection? Is there some advantage security-wise that you can see, or is it simply because you feel this is a more optimal design? Are there routing policies you want to implement between you and your partner that require BGP capabilities?

Bear in mind, from a security perspective static routing is more secure than exchanging routes with an external company. You say they are trusted; how trusted, and what resources are they accessing?

Jon

I was thinking of using BGP to route around a potential failure of one of the metro Ethernet circuits as well as keeping their address space away from ours (we're both using the 10.0.0.0 internally).

Okay. Well etherchannel would utilise both links at the same time and would sort out one of the link failures.

Not sure what you mean by keeping address spaces separate. How does BGP help with this?

I'm not saying that I wouldn't go with your solution, it's just that keeping it as simple as possible is usually the best way :)

By the way, are the subnets you each need to get to summarisable?

Jon

rais
Level 7

I vote BGP.

Thanks.

Nice, well constructed argument :-)

pkaretnikov
Level 1

No matter what, firewalling is a great idea, but I don't see any major advantage in running BGP. Just have a summarized route pointing to the other (NAT'd) side.
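The thread raises two checks before choosing a summarized static route: whether the partner subnets are summarisable, and whether they collide with local space when both sides use 10.0.0.0. The following is an added example, not code from any poster; the subnet lists are constructed sample data and the function names are hypothetical. It compares the exact collapsed prefixes (suited to firewall rules) with the single covering summary route and reports how much extra address space that summary would include.

```python
import ipaddress

def summarize(cidrs):
    """Collapse CIDR strings into the fewest prefixes covering exactly the same addresses."""
    return list(ipaddress.collapse_addresses(ipaddress.ip_network(c) for c in cidrs))

def covering_supernet(nets):
    """Smallest single prefix containing every network: what one summary route covers."""
    candidate = nets[0]
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate

def plan(local_cidrs, partner_cidrs):
    local, partner = summarize(local_cidrs), summarize(partner_cidrs)
    summary = covering_supernet(partner)
    needed = sum(n.num_addresses for n in partner)
    return {
        # Exact prefixes: use these in firewall permit rules.
        "partner_exact": [str(n) for n in partner],
        # One summary route: convenient for routing, but broader than needed.
        "summary_route": str(summary),
        "extra_addresses": summary.num_addresses - needed,
        # Direct collisions between local and partner space: these need NAT.
        "overlaps": [(str(l), str(p)) for l in local for p in partner if l.overlaps(p)],
        # Local prefixes the summary route would shadow if installed as-is.
        "summary_hits_local": [str(l) for l in local if l.overlaps(summary)],
    }

# Constructed sample data (assumption): both sides carve subnets out of 10.0.0.0/8.
LOCAL = ["10.1.0.0/16", "10.2.0.0/16"]
PARTNER = ["10.2.4.0/24", "10.2.5.0/24", "10.2.6.0/23", "10.40.0.0/24"]

if __name__ == "__main__":
    for key, value in plan(LOCAL, PARTNER).items():
        print(f"{key}: {value}")
```

A non-empty `overlaps` list means the partner side has to be NAT'd before any route, static or BGP-learned, can point at it; a large `extra_addresses` value is a reason to keep firewall rules on the exact prefixes even if the route itself is summarized.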
