On Jan 18, 2011, at 4:54 PM, Robert Bonomi wrote:

>
>> Date: Fri, 14 Jan 2011 01:50:40 -0800
>> From: Randy Bush <ra...@psg.com>
>> Subject: Re: Routing Suggestions
>>
>> i'm with jon and the static crew. brutal but simple.
>>
>> if you want no leakage, A can filter the prefix from its upstreams, both
>> can low-pref blackhole it, ...
>>
>
> One late comment --
>
> OP stated that the companies were exchanging 'sensitive' traffic. I suspect
> that they do *NOT* want this traffic to route over the public internet -if-
> the private point-to-point link goes down. if they're running any sort of a
> dynamic/active routing protocol then -that- route is going to disappear
> if/*WHEN* the private link goes down, and the packets will be subject to
> whatever other routing rules -- e.g. a 'default' route -- are in place.
>
> This would seem to be a compelling reason to use a static route -- insuring
> that traffic _fails_ to route, instead of failing over to a public internet
> route, in the event of a link failure.
>

That's why I always prefer to put this traffic inside an IPSEC VPN. Then, you gain the advantage of being able to let the internet serve as a backup for your preferred private path while still protecting your sensitive information.

Then I use dynamic routing and take advantage of the diverse path capabilities.

Owen
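
The failure mode discussed in this thread, as an added example that is not part of the original messages: a small longest-prefix-match model comparing a route table with only the private-link route and a default against one that also carries the low-preference blackhole Randy mentions. The interface names, the 192.0.2.0/24 partner prefix and the preference values are constructed for illustration, and the model assumes a route is withdrawn when its interface goes down.

```python
import ipaddress

DEFAULT_IF = "inet0"   # hypothetical public-internet uplink
PRIVATE_IF = "p2p0"    # hypothetical private point-to-point link
PARTNER = "192.0.2.0/24"  # constructed documentation prefix for the partner

def lookup(routes, dst, up_interfaces):
    """Return an interface name, 'DROP' (null route) or 'UNREACHABLE'.

    routes: list of (prefix, out_if, preference); out_if None is a blackhole.
    Longest prefix wins; among equal lengths the lowest preference wins.
    Modeling assumption: a route whose interface is down is not installed,
    which is what happens to a dynamically learned route when the link drops.
    """
    addr = ipaddress.ip_address(dst)
    live = [
        (ipaddress.ip_network(prefix), out_if, pref)
        for prefix, out_if, pref in routes
        if out_if is None or out_if in up_interfaces
    ]
    matches = [r for r in live if addr in r[0]]
    if not matches:
        return "UNREACHABLE"
    _, out_if, _ = min(matches, key=lambda r: (-r[0].prefixlen, r[2]))
    return "DROP" if out_if is None else out_if

# Only the private route plus a default: fails open onto the internet.
FAIL_OPEN = [("0.0.0.0/0", DEFAULT_IF, 1), (PARTNER, PRIVATE_IF, 1)]
# Same table plus a low-preference blackhole for the partner prefix.
FAIL_CLOSED = FAIL_OPEN + [(PARTNER, None, 250)]

def outcomes(routes, dst="192.0.2.10"):
    """Forwarding result for dst with the private link up, then down."""
    link_up = lookup(routes, dst, {DEFAULT_IF, PRIVATE_IF})
    link_down = lookup(routes, dst, {DEFAULT_IF})
    return link_up, link_down

if __name__ == "__main__":
    print("no blackhole   (up, down):", outcomes(FAIL_OPEN))
    print("with blackhole (up, down):", outcomes(FAIL_CLOSED))
```

Without the blackhole the partner traffic follows the default route as soon as the private route disappears; with it, the traffic is dropped while everything else still uses the default.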