Routing between completely separate private networks

Tags: ip, network, router, routing, subnet

I’ve got a request from a partner vendor in a completely separate routing domain to directly route a /24 RFC 1918 network on my RFC 1918 internal network. The proposed solution has their handoff directly connected to our router, with static routes with next-hop on my router pointing to the vendor router.

192.168.1.0 (ext network) —> 10.1.1.1/30 (ext p2p) <— cable —> 10.1.1.2/30 (int p2p) <—192.168.2.0/24

At first glance, this sets off a bunch of red flags with bad practice merging two private networks of two completely separate orgs. Realistically, it will work as long as we keep track of the overlapping subnet on the vendor's network to make sure we don’t provision the same subnet on our network. I know there is a certain level of trust needed from the external network to not route a ton of traffic my way, but I hope to at least use an ACL to allow only expected subnets through the p2p interface.

So I was wondering if anybody has scenarios or issues I am overlooking with this setup?

Best Answer

You need to work out and put in writing the security definitions (=what connections are allowed - anything else isn't) and the other formalities (average/maximum bandwidth, QoS, availability, ...). Make the security definitions rough (subnet A <-> subnet B etc) and rigid, and let the connecting parties handle the details (host-based or port-based filtering).

From the network side, that shouldn't be a big problem, especially when there's no overlap (that we can see). Of course, you need to filter out any traffic but the permitted.
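The two practical controls discussed in the question and the answer, checking that the vendor's prefix does not collide with anything already provisioned internally and enforcing a rough, rigid subnet-to-subnet permit list with everything else denied, can be expressed in a few lines. The following is an added example written for this page, not code from either poster; the prefixes are constructed placeholders (the 192.168.1.128/25 entry is deliberately overlapping to show the check firing), and the ACL rendering assumes Cisco-style wildcard masks.

```python
import ipaddress

# Constructed sample data: the prefix the vendor wants routed to us and the
# prefixes already provisioned on our side. 192.168.1.128/25 is included on
# purpose so the overlap check has something to report.
VENDOR_PREFIXES = ["192.168.1.0/24"]
INTERNAL_PREFIXES = ["192.168.2.0/24", "10.10.0.0/16", "192.168.1.128/25"]

# Rough, rigid policy as the answer suggests: (source prefix, destination
# prefix) pairs permitted across the p2p link. Anything not listed is dropped.
POLICY = [
    ("192.168.1.0/24", "192.168.2.0/24"),   # vendor -> our /24
    ("192.168.2.0/24", "192.168.1.0/24"),   # our /24 -> vendor
]


def find_overlaps(vendor, internal):
    """Return (vendor_net, internal_net) pairs whose address ranges overlap.

    Run this before accepting a new prefix from the partner, and again
    whenever either side provisions new address space.
    """
    overlaps = []
    for v in vendor:
        vnet = ipaddress.ip_network(v, strict=True)
        for i in internal:
            inet = ipaddress.ip_network(i, strict=True)
            if vnet.overlaps(inet):
                overlaps.append((str(vnet), str(inet)))
    return overlaps


def is_permitted(src, dst, policy=POLICY):
    """Default-deny check: True only if some policy pair covers src -> dst."""
    s = ipaddress.ip_address(src)
    d = ipaddress.ip_address(dst)
    for src_prefix, dst_prefix in policy:
        if s in ipaddress.ip_network(src_prefix) and d in ipaddress.ip_network(dst_prefix):
            return True
    return False


def filter_flows(flows, policy=POLICY):
    """Annotate a list of (src, dst) address pairs with the policy verdict."""
    return [(src, dst, is_permitted(src, dst, policy)) for src, dst in flows]


def render_acl(policy=POLICY):
    """Render the policy as Cisco-style extended ACL lines (wildcard masks),
    ending in an explicit deny so the default-deny intent is visible."""
    lines = []
    for src_prefix, dst_prefix in policy:
        s = ipaddress.ip_network(src_prefix)
        d = ipaddress.ip_network(dst_prefix)
        lines.append(
            f"permit ip {s.network_address} {s.hostmask} "
            f"{d.network_address} {d.hostmask}"
        )
    lines.append("deny ip any any")
    return lines


if __name__ == "__main__":
    print("overlaps:", find_overlaps(VENDOR_PREFIXES, INTERNAL_PREFIXES))
    sample_flows = [
        ("192.168.1.10", "192.168.2.20"),   # expected partner traffic
        ("192.168.1.10", "10.10.0.5"),      # vendor reaching an internal net not in the agreement
        ("10.1.1.1", "192.168.2.1"),        # sourced from the p2p link itself
    ]
    for src, dst, ok in filter_flows(sample_flows):
        print(f"{src} -> {dst}: {'permit' if ok else 'deny'}")
    print("\n".join(render_acl()))
```

The point of keeping the policy at subnet granularity is exactly what the answer recommends: the inter-org filter stays small and auditable, and per-host or per-port restrictions are left to each side's own firewalls. Re-running the overlap check is cheap, so it belongs in whatever change process adds address space on either side.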