[f-nsp] Policy based routing?

Nick Morrison nick at nick.on.net
Fri Feb 5 17:27:19 EST 2010


as an example of why you might decide to go out on the PBR limb...

in a company's network, you may have:


a network edge (foundry) with servers with lots of data on them

-- a distribution layer (foundry)

----  a core layer (foundry)

----  a core firewall (vendor X)

-- a dmz distribution layer (foundry)

a dmz network edge (foundry) with servers with lots of data on them


for most things, this is fine.  data is routed through the whole kit and
kaboodle.

the core firewall, though, is not capable of 10Gbps (or higher),

so for *some* traffic - massive file transfers, etc - we want to skip the
firewall layer.  for this, we'd use PBR on the core layer and on the dmz
distribution layer, using a (say) 20Gbps link between the two (configured
with a /30 - the far side is the next-hop.)  nothing but the selected
special traffic is allowed over this 20Gbps link; everything else goes
through the firewalls.


for musing.


n


On Fri, Feb 5, 2010 at 9:56 PM, Randy McAnally <rsm at fast-serv.com> wrote:

>  That's how I do it.
>
> --
> Randy
>
>
> *---------- Original Message -----------*
> From: Nick Morrison <nick at nick.on.net>
> To: seph at directionless.org
> Cc: foundry-nsp <foundry-nsp at puck.nether.net>
> Sent: Fri, 5 Feb 2010 21:29:33 +0000
> Subject: Re: [f-nsp] Policy based routing?
>
> > Silly question,
> >
> > If all you want is an ACL to block traffic, why not just use an access-group?
> >
> > N
>



-- 
Nick Morrison <nick at nick.on.net>
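
A way to sanity-check the match list that decides which traffic skips the firewall, as an added example (not part of the original message, and not Foundry configuration): it models the PBR path decision and flags entries broader than the intended transfers. The addresses, the port, and the 16-address threshold are constructed assumptions.

```python
import ipaddress

LINK = ipaddress.ip_network("192.0.2.0/30")   # constructed /30 on the bypass link
NEXT_HOP = ipaddress.ip_address("192.0.2.2")  # far side of the /30

# Constructed PBR match list: (proto, src prefix, dst prefix, dst port or None).
# Anything matching an entry is sent to NEXT_HOP and never crosses the firewall.
BYPASS_ACL = [
    ("tcp", "10.10.1.10/32", "10.20.1.10/32", 873),  # one file-transfer pair
    ("tcp", "10.10.0.0/16", "0.0.0.0/0", None),      # far too broad
]

def matches(entry, flow):
    """True if flow (proto, src, dst, dport) matches one ACL entry."""
    proto, src_net, dst_net, port = entry
    f_proto, f_src, f_dst, f_port = flow
    return (proto == f_proto
            and ipaddress.ip_address(f_src) in ipaddress.ip_network(src_net)
            and ipaddress.ip_address(f_dst) in ipaddress.ip_network(dst_net)
            and (port is None or port == f_port))

def path_for(flow, acl):
    """'bypass' if any entry matches (PBR sets the next-hop), else 'firewall'."""
    return "bypass" if any(matches(e, flow) for e in acl) else "firewall"

def audit(acl, next_hop=NEXT_HOP, link=LINK, max_addrs=16):
    """Return findings for entries that let unintended traffic skip the firewall."""
    findings = []
    if next_hop not in list(link.hosts()):
        findings.append("next-hop %s is not a host address on %s" % (next_hop, link))
    for i, (proto, src, dst, port) in enumerate(acl):
        for side, net in (("source", src), ("destination", dst)):
            n = ipaddress.ip_network(net)
            if n.num_addresses > max_addrs:
                findings.append("entry %d: %s %s covers %d addresses"
                                % (i, side, n, n.num_addresses))
        if port is None:
            findings.append("entry %d: no destination port, all %s ports bypass"
                            % (i, proto))
    return findings

if __name__ == "__main__":
    for finding in audit(BYPASS_ACL):
        print(finding)
```
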