RE: Policy-based routing is evil? Discuss.
I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as "load balancing" where end-user traffic is assigned to a line according to source address.

In my opinion the main problems with this are:

- It's brittle: when a line fails, traffic doesn't re-route
- None of the usual debugging tools work properly
- Adding a new user is complicated because it has to be done in (at least) two places

But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion.

Am I out to lunch?

-w

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Phil Bedard wrote:
I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as "load balancing" where end-user traffic is assigned to a line according to source address.
In my opinion the main problems with this are:
- It's brittle: when a line fails, traffic doesn't re-route
- None of the usual debugging tools work properly
- Adding a new user is complicated because it has to be done in (at least) two places
But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion.
Am I out to lunch?
No, but what better solution do we have to offer them? There are dynamic load distribution features and products (think Cisco PfR, for example), but those are routinely lambasted as well.

--
bep
As others have pointed out, PBR ...

* Is a fragile configuration. You're typically forcing next-hop without a [direct] failover option,
* Often incurs a penalty (hardware cycles, conflicting feature sets, or outright punting to software),
* Doesn't naturally load-balance (you pick the source ranges you route where)

However, there are few alternatives in some cases...

* If you are using some provider-owned IP space you often must route to that provider,
* There may be policies restricting what traffic (sources) can transit a given provider

There are few alternatives for the latter cases, unless you split the border across VRFs and assign routing policy on the VRF, which is a global decision across the VRF, and avoids PBR.

We're doing a little of both, so I clearly don't take sides :)

Jeff
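To make the "forced next-hop without failover" point concrete, here is an added example (not from any poster in this thread) of the source-based PBR pattern under discussion in its brittle form and in a form that tracks each DSL gateway's reachability. It assumes Cisco IOS syntax; the interface names, route-map and ACL names, and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```cisco
! Constructed example: two DSL upstreams, users split by source address.
! DSL-A gateway 203.0.113.1 via Gi0/1, DSL-B gateway 198.51.100.1 via Gi0/2.
!
! --- Brittle form (the pattern criticised in the thread) ---
! The next-hop is forced unconditionally; if DSL-A goes down, USERS-A
! traffic is still steered into the dead line instead of re-routing.
! route-map PBR-SPLIT permit 10
!  match ip address USERS-A
!  set ip next-hop 203.0.113.1
!
! --- Tracked form: same policy, with reachability-based fallback ---
ip access-list extended USERS-A
 permit ip 192.0.2.0 0.0.0.127 any
ip access-list extended USERS-B
 permit ip 192.0.2.128 0.0.0.127 any
!
! Probe each upstream gateway and expose the result as a tracked object.
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/1
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/2
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! Next-hops are tried in sequence order; an entry whose track object is
! down is skipped, so each user group falls back to the other line.
route-map PBR-SPLIT permit 10
 match ip address USERS-A
 set ip next-hop verify-availability 203.0.113.1 10 track 1
 set ip next-hop verify-availability 198.51.100.1 20 track 2
route-map PBR-SPLIT permit 20
 match ip address USERS-B
 set ip next-hop verify-availability 198.51.100.1 10 track 2
 set ip next-hop verify-availability 203.0.113.1 20 track 1
!
! Applied on the LAN-facing interface; traffic matching no sequence, or
! whose tracked next-hops are all down, is forwarded by the normal table.
interface GigabitEthernet0/0
 ip policy route-map PBR-SPLIT
```

Probing the directly attached gateway only detects failure of the local line, so in practice the probe target is usually something beyond the provider's edge, reached through a static route pinned to that interface. This addresses only the first of the three objections raised above; new users still have to be added to the ACLs as well as to whatever else the deployment keys on.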
participants (3)

- Bruce Pinsky
- Jeff Kell
- Phil Bedard