Showing results for 
Search instead for 
Did you mean: 

Best Practices with regards to an Extranet


Hello All,

I am in the process of designing an Extranet and am trying to figure out what are the best practices for such a design in general.

In particular is there any standard practice regarding allowing public ip addressing space into the Campus Core.

This has generally not been a good ideal from what I have seen in the past with other designs however I cannot find anything that would substantiate that. The reasons I can think of why it is not good practice to allow public ip addressing into your campus is

- depending on the number of routes it could overwhelm your IGP (that's why you do not export the entire BGP table into your IGP)

- a network that you don't control can cause your routing environment to be unstable for eg. if your internal routing protocol is EIGRP and if you are redistributing this network into EIGRP and this network keeps flapping it could cause SIA issues which could depending on the size of your network cause some devices to age out if they do not receive queries in a timely manner.

Please let me know if these concerns do not apply or if you have any other reasons besides these for not allowing public address space into your network.

3 Replies 3


Does anyone have any feedback on this scenario? Thx

I think you should stick to the 3 tier Cisco design.


Create a seperate distro for your EDGE connecting to the internet and setup firewalls (Security Border) that will NAT the Public to private. Route your private traffic internally via IGP between your core/other distro's. On your EDGE run BGP and advertise your Public address space that you will NAT on the firewalls.

Thats what I do and it works great!

CCIE 26175

Hi Ralph,

Thanks for your reply. The design is for an Extranet solution so its a semi-trusted network. We are following the 3 tiered architecture hence External DMZ (Consider it the Access), Extranet Distribution and than the Core.

The specific question I had asked above was because there is a lot of administrative burden to NAT each vendor public ip to a private ip hence thinking of allowing all the vendor public ip addresses into the Core. Again this isn't an internet design so the # of routes aren't astronomical and should be easily handled by any IGP. I was just trying to confirm if anyone has had any issues which I think might occur if Public Addresses are allowed into the Campus Core in this fashion. Thx

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: