[c-nsp] PBR or VRF

Tim Franklin tim at colt.net
Thu Dec 1 10:27:42 EST 2005


> My first thought was PBR to force the outlying offices internet bound
> traffic down the DSL link. I was wondering if VRF would be another way to
> make this work. In reading it seems so but much of the docs on VRF are in
> the context of VPNs or MPLS. If VRF would work is there an
> advantage/disadvantage to VRF over PBR? The hub router where the PBR or VRF
> happens is a 7206 NPE-400.

It doesn't sound to me like it needs *either*, unless I'm missing something
about the network from the description.

If each branch office has a single link to the hub site, and the hub site
has an Internet connection, just point the default route from each branch
towards the hub site, and the default route on the hub towards the Internet.

If you want separate "Internet" and "data" logical circuits on the
branch-hub links, and/or want the Internet traffic from the branches to go
through a customer firewall at the hub, then VRF-lite can be of use.

In the latter case, run VRF-lite at the hub to put the traffic from the
branches into a VRF.  Add all the branch links and one Ethernet to the same
VRF, connected to the hub office network and the inside of the firewall,
with a default route in the VRF pointing to the firewall inside address.

In the global table, place the Internet WAN link and another Ethernet
connected to the outside of the firewall with a default route pointing
towards the Internet.

Stay clear of PBR unless you really don't have any other way to do things;
it's an absolute pain to troubleshoot, and IME it's not overly healthy for
router CPU.

Regards,
Tim.

-- 
____________   Tim Franklin                 e: tim at colt.net 
\C/\O/\L/\T/   Product Engineering Manager  w: www.colt.net 
 V  V  V  V    Managed Data Services        t: +44 20 7863 5714 
Data | Voice | Managed Services             f: +44 20 7863 5876  
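
The VRF-lite layout described in the message above, sketched as classic IOS configuration. This is an added example, not part of the original post: the VRF name, RD, interface names and all addresses are constructed placeholders, and the firewall is assumed to NAT branch traffic to an address on its outside subnet.

```ios
! Constructed example: names and addresses are placeholders, not from the post.
ip vrf INSIDE
 rd 65000:1
!
! Branch links go into the VRF. "ip vrf forwarding" removes any IP address
! already on the interface, so the address is configured after it.
interface Serial1/0
 description Branch office 1
 ip vrf forwarding INSIDE
 ip address 10.255.0.1 255.255.255.252
!
interface Serial1/1
 description Branch office 2
 ip vrf forwarding INSIDE
 ip address 10.255.0.5 255.255.255.252
!
! One Ethernet in the same VRF: hub office network and firewall inside.
interface FastEthernet0/0
 description Hub LAN and firewall inside
 ip vrf forwarding INSIDE
 ip address 10.0.0.1 255.255.255.0
!
! Global table: firewall outside and the Internet WAN link.
interface FastEthernet0/1
 description Firewall outside
 ip address 192.0.2.1 255.255.255.248
!
interface Serial2/0
 description Internet WAN link
 ip address 198.51.100.2 255.255.255.252
!
! Branch LANs are reached inside the VRF (static routes assumed here).
ip route vrf INSIDE 10.1.0.0 255.255.0.0 10.255.0.2
ip route vrf INSIDE 10.2.0.0 255.255.0.0 10.255.0.6
!
! VRF default points at the firewall inside address (10.0.0.254 assumed).
ip route vrf INSIDE 0.0.0.0 0.0.0.0 10.0.0.254
!
! Global default points towards the Internet.
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! No routes are leaked between INSIDE and the global table, so the only
! path from a branch to the Internet is through the firewall.
```

`show ip route vrf INSIDE` and `ping vrf INSIDE 10.0.0.254` confirm the VRF side; a plain `show ip route` should list none of the 10.x prefixes if the two tables are properly separated.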



