Policy-based routing is evil? Discuss.

Stuart Sheldon stu at actusa.net
Fri Oct 11 18:45:10 UTC 2013


Hi all,

We use Linux for our edge routers which have multiple interfaces to
different BGP peers. Policy based routing allows us to ensure that
traffic originating from a particular external IP address on the router
goes out the matching network.

We have also used it on client systems to force particular protocols out
particular providers.

It's not that easy to do on Linux, as you need to make sure you have all
the proper link routes in place and positioned properly in the rule
chain, or you can really break things.

Stu


On 10/11/2013 11:35 AM, Christopher Morrow wrote:
> On Fri, Oct 11, 2013 at 2:13 PM, William Waites <wwaites at tardis.ed.ac.uk> wrote:
>> On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli <joelja at bogus.com> said:
>>     > evil is not a synonym for ugly patch placed over a problem that
>>     > could be handled better.
>>
>> Ok, fair enough. My first experience with PBR was as a summer intern in
>> the mid-1990s who inherited management of a large ATM network that had
>> a big VPN-esque thing built entirely that way and with no
>> documentation. It certainly felt evil at the time. ;)
> 
> I think really PBR violates this:
>   <http://en.wikipedia.org/wiki/Principle_of_least_astonishment>
> 
> I see ISP folks MOSTLY avoid PBR, because it does weird things that
> NOC/ops folks just plain don't expect. I see Enterprise network folks
> fall back to PBR often, for reasons that they seem happy with... but
> man it makes things confusing :)
> 
> -chris
> 

-- 
"Sometimes I lie awake at night and I ask, "Is life a multiple choice test
or is it a true or false test?" ...Then a voice comes to me out of the
dark and says, "We hate to tell you this but life is a thousand word essay."
              -- Charles M. Schulz
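
The source-based setup described in the message above, sketched as an added example that is not part of the original post. Interface names, table numbers, rule priorities and addresses (RFC 5737 documentation ranges) are constructed, and pbr_uplink, pbr_plan and RUN are hypothetical names; by default the script only prints the ip commands it would run.

```shell
#!/bin/sh
# Dry-run generator for source-based policy routing on a Linux router
# with two uplinks. Every value below is constructed for illustration.

# RUN=echo (default) prints the commands; RUN="" executes them (needs root).
RUN="${RUN-echo}"

# pbr_uplink TABLE PRIO DEV SRC LINK_CIDR GATEWAY [DEV CIDR]...
# Trailing DEV/CIDR pairs are other connected networks that traffic
# from SRC must still reach directly.
pbr_uplink() {
    table=$1 prio=$2 dev=$3 src=$4 link=$5 gw=$6
    shift 6
    # The stock "main" rule sits at priority 32766. A rule placed at or
    # after it never matches while main has a default route.
    if [ "$prio" -ge 32766 ]; then
        echo "priority $prio would sort after the main table rule" >&2
        return 1
    fi
    # 1. Link route for the uplink subnet in the per-provider table.
    $RUN ip route add "$link" dev "$dev" src "$src" table "$table"
    # 2. Other link routes. Once this table holds a default route, the
    #    lookup for SRC stops here and main is never consulted, so any
    #    connected network missing from the table is sent to the provider.
    while [ $# -ge 2 ]; do
        $RUN ip route add "$2" dev "$1" table "$table"
        shift 2
    done
    # 3. Default route for this provider only.
    $RUN ip route add default via "$gw" dev "$dev" table "$table"
    # 4. Rule last, so no packet selects a half-populated table.
    $RUN ip rule add from "$src/32" lookup "$table" priority "$prio"
}

# Two constructed uplinks plus one internal LAN on eth0.
pbr_plan() {
    pbr_uplink 101 1001 eth1 192.0.2.10 192.0.2.0/24 192.0.2.1 \
        eth0 10.0.0.0/24
    pbr_uplink 102 1002 eth2 198.51.100.10 198.51.100.0/24 198.51.100.1 \
        eth0 10.0.0.0/24
}

pbr_plan
```

After applying for real, "ip rule show" and "ip route show table 101" let you compare the live state against the printed plan.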



