[c-nsp] PfR

[Joel M Snyder]

 >Apart from cisco certifications, and Cisco Live seminars where it 
 >seems PfR predominantly lives - has anyone actually used this in the 
 >real world?

I designed it into a network of about 90 sites (global, not US) and it 
was not a resounding success.  The management was ugly, but more 
importantly it just didn't play well with others and at some clear 
points wasn't working at all.  It was pulled out in favor of a WAN opt 
solution (Cisco WaaS appliance in that case).  I reviewed it again and 
did some testing for a larger network of 400+ sites recently, but the 
feature set wasn't measuring up to the requirements and the customer 
stuck Riverbeds ahead of the IOS boxes and is quite happy with the results.

Some of this could have been my fault: at some point, piling on the IOS 
features generates conflicts in how things are pipelined through the 
router and you have to back out, re-engineer/redesign, change 
maps/acls/routes/etc.  This particular network (the 90 site one) was 
trying to use every IOS WAN feature imaginable.  The customer had bought 
IOS instead of a firewall, but what they really wanted was a UTM 
firewall with some minimal VPN and routing capability, instead of a 
router with some security features. The Cisco name was unbeatable and so 
we did a lot of square-peg into round-hole work.

So: my experience is that in complicated configurations with global 
WANs, it either doesn't work, or conflicts with something else, or 
doesn't have the feature set you want (NBAR should influence routing). 
If you are doing nothing BUT PfR at the edge and the config is otherwise 
clean, it might be made to work depending on exactly what you want out 
of it.

YMMV.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms