On Wed, Jan 12, 2011 at 07:13:53PM -0500, Lars Carter wrote:
> From a technical, operational, and security standpoint what would be the preferred way to route traffic between these two networks?
Static routing - at least "on" the direct link.

For extra "security", you might want to make sure that the sensitive traffic won't take the internet path, but only the direct connection.

Example: 192.168.0.0/24 being the prefix in question. Drop traffic for that /24 via a static Null0 (IOS et al) / discard or reject (JUNOS) route. Then add /25 statics for 192.168.0.0/25 and .128/25 via the direct link. On the BGP speaking network, make sure you don't accept 192.168.0.0/24 or more specifics of that via BGP from untrusted parties.

In case the link goes down, the /25s should become inactive, and the /24 Null/discard/reject route prevents leakage of sensitive data in unintended (untrusted) directions (e.g. Internet) via default or covering aggregate routes.

Of course all this assumes "no dynamic redundancy" etc. and some other things not further specified in your scenario. There are many ways to skin a cat.

Best regards,
Daniel
-- 
CLUE-RIPE -- Jabber: dr@cluenet.de -- dr@IRCnet -- PGP: 0xA85C8AA0
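The scheme Daniel describes, written out as Cisco IOS configuration. This is an added example, not configuration from the thread or from either poster. Every interface name, address and AS number in it is an assumption chosen for illustration: 192.168.0.0/24 is the sensitive prefix, GigabitEthernet0/1 is the direct link with the far end at 192.168.255.2, and the untrusted BGP peer is 203.0.113.1 in AS 64501 (documentation ranges). The outbound filter goes slightly beyond the post, which only talks about what you accept; it stops the same prefix from being announced to the untrusted peer.

```ios
! Added example (not from the original thread). Assumed values:
!   192.168.0.0/24      sensitive prefix reached only over the direct link
!   GigabitEthernet0/1  the direct link, far end 192.168.255.2
!   203.0.113.1         untrusted transit/peer, AS 64501; we are AS 64500
!
! Covering route: any destination in the /24 that has no more-specific
! route is discarded locally instead of following the default route or a
! covering aggregate out to the Internet.
ip route 192.168.0.0 255.255.255.0 Null0
!
! Do not advertise the discard with ICMP unreachables back to the sender.
interface Null0
 no ip unreachables
!
! More-specific /25s over the direct link. Naming both the exit interface
! and the next hop makes IOS withdraw the routes when Gi0/1 goes down; the
! /24 Null0 route is then the longest match and absorbs the traffic.
ip route 192.168.0.0 255.255.255.128 GigabitEthernet0/1 192.168.255.2
ip route 192.168.0.128 255.255.255.128 GigabitEthernet0/1 192.168.255.2
!
! Never learn the sensitive /24, or anything more specific than it, from
! the untrusted peer ("le 32" matches every more-specific), and never
! announce it to them either.
ip prefix-list UNTRUSTED-IN seq 5 deny 192.168.0.0/24 le 32
ip prefix-list UNTRUSTED-IN seq 100 permit 0.0.0.0/0 le 24
!
ip prefix-list UNTRUSTED-OUT seq 5 deny 192.168.0.0/24 le 32
ip prefix-list UNTRUSTED-OUT seq 100 permit 0.0.0.0/0 le 24
!
router bgp 64500
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 prefix-list UNTRUSTED-IN in
 neighbor 203.0.113.1 prefix-list UNTRUSTED-OUT out
!
! Weak variant, shown for contrast. A single /24 static over the direct
! link and no Null0 route:
!   ip route 192.168.0.0 255.255.255.0 GigabitEthernet0/1 192.168.255.2
! When Gi0/1 drops, that route disappears and packets for the sensitive
! prefix follow the default route to 203.0.113.1.
```

One caveat on the "the /25s should become inactive" step: IOS only withdraws a static route when its next hop becomes unresolvable. On a point-to-point link that happens when the interface goes down; on a shared Ethernet segment the local interface can stay up while the far end is dead, and the /25s would stay in the table. In that case tie the statics to an IP SLA reachability probe with the `track` keyword, or move the Null0 route's job into the direct-link routing design the thread left unspecified.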