Cisco Support Community

New Member

Best Practices with regards to an Extranet

Hello All,

I am in the process of designing an Extranet and am trying to figure out what are the best practices for such a design in general.

In particular, is there any standard practice regarding allowing public IP addressing space into the Campus Core?

This has generally not been a good idea from what I have seen in the past with other designs; however, I cannot find anything that would substantiate that. The reasons I can think of why it is not good practice to allow public IP addressing into your campus are:

- depending on the number of routes it could overwhelm your IGP (that's why you do not export the entire BGP table into your IGP)

- a network that you don't control can cause your routing environment to be unstable, e.g. if your internal routing protocol is EIGRP and if you are redistributing this network into EIGRP and this network keeps flapping, it could cause SIA issues which could, depending on the size of your network, cause some devices to age out if they do not receive queries in a timely manner.

Please let me know if these concerns do not apply or if you have any other reasons besides these for not allowing public address space into your network.

New Member

Re: Best Practices with regards to an Extranet

Does anyone have any feedback on this scenario? Thx

New Member

Re: Best Practices with regards to an Extranet

I think you should stick to the 3 tier Cisco design.

Create a separate distro for your EDGE connecting to the internet and set up firewalls (Security Border) that will NAT the Public to private. Route your private traffic internally via IGP between your core/other distros. On your EDGE run BGP and advertise your Public address space that you will NAT on the firewalls.

That's what I do and it works great!

New Member

Re: Best Practices with regards to an Extranet

Hi Ralph,

Thanks for your reply. The design is for an Extranet solution so it's a semi-trusted network. We are following the 3 tiered architecture, hence External DMZ (Consider it the Access), Extranet Distribution and then the Core.

The specific question I had asked above was because there is a lot of administrative burden to NAT each vendor public IP to a private IP, hence thinking of allowing all the vendor public IP addresses into the Core. Again, this isn't an internet design so the # of routes aren't astronomical and should be easily handled by any IGP. I was just trying to confirm if anyone has had any issues which I think might occur if Public Addresses are allowed into the Campus Core in this fashion. Thx