Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
859
Views
0
Helpful
3
Replies

Best Practices with regards to an Extranet

vdadlaney
Level 1
Level 1

‎05-14-2008 02:34 PM - edited ‎03-03-2019 09:57 PM

Hello All,

I am in the process of designing an Extranet and am trying to figure out what are the best practices for such a design in general.

In particular is there any standard practice regarding allowing public ip addressing space into the Campus Core.

This has generally not been a good ideal from what I have seen in the past with other designs however I cannot find anything that would substantiate that. The reasons I can think of why it is not good practice to allow public ip addressing into your campus is

- depending on the number of routes it could overwhelm your IGP (that's why you do not export the entire BGP table into your IGP)

- a network that you don't control can cause your routing environment to be unstable for eg. if your internal routing protocol is EIGRP and if you are redistributing this network into EIGRP and this network keeps flapping it could cause SIA issues which could depending on the size of your network cause some devices to age out if they do not receive queries in a timely manner.

Please let me know if these concerns do not apply or if you have any other reasons besides these for not allowing public address space into your network.

Labels:
0 Helpful
3 Replies 3

vdadlaney
Level 1
Level 1

‎05-15-2008 06:38 AM

Does anyone have any feedback on this scenario? Thx

0 Helpful

ralphcarter
Level 1
Level 1
In response to vdadlaney

‎05-15-2008 07:32 PM

I think you should stick to the 3 tier Cisco design.

Core-distro-access

Create a seperate distro for your EDGE connecting to the internet and setup firewalls (Security Border) that will NAT the Public to private. Route your private traffic internally via IGP between your core/other distro's. On your EDGE run BGP and advertise your Public address space that you will NAT on the firewalls.

Thats what I do and it works great!

CCIE 26175
www.techsnips.com
0 Helpful

vdadlaney
Level 1
Level 1
In response to ralphcarter

‎05-15-2008 07:47 PM

Hi Ralph,

Thanks for your reply. The design is for an Extranet solution so its a semi-trusted network. We are following the 3 tiered architecture hence External DMZ (Consider it the Access), Extranet Distribution and than the Core.

The specific question I had asked above was because there is a lot of administrative burden to NAT each vendor public ip to a private ip hence thinking of allowing all the vendor public ip addresses into the Core. Again this isn't an internet design so the # of routes aren't astronomical and should be easily handled by any IGP. I was just trying to confirm if anyone has had any issues which I think might occur if Public Addresses are allowed into the Campus Core in this fashion. Thx

0 Helpful
Top