Policy-based routing is evil? Discuss.

I'm having a discussion with a small network in a part of the world
where bandwidth is scarce and multiple DSL lines are often used for
upstream links. The topic is policy-based routing, which is being
described as "load balancing" where end-user traffic is assigned to a
line according to source address.

In my opinion the main problems with this are:

- It's brittle: when a line fails, traffic doesn't re-route

You can always know what IPs are on the other end of the link, add static
routes for them to make sure they're reachable, and based on ping results
use the link or not. It works fairly well if 1-2 minutes of downtime is not
an issue. I've done this using Linux and a bash script and it worked to
balance traffic across two links with up/down detection. iproute2 does

Or you could run FreeBSD with PF and ifstated and it would be an almost
instantaneous failover.

Cool toy for scripting. I had no idea, as I'm not very familiar with *BSD.
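The Linux setup described in the reply above (one routing table per DSL link, an `ip rule` per customer subnet selecting a table by source address, and a ping-based up/down check that moves rules to the surviving link), written out as an added example. This is not code from the thread or from any participant; the interface names, gateway and probe addresses, customer subnets, table ids and rule priorities are all assumptions made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Source-based policy routing across two
# DSL links with iproute2 and a ping-based up/down check. Interface names,
# gateway and probe addresses, customer subnets and table ids are assumptions.

IP=${IP:-ip}        # set IP="echo ip" to dry-run without touching the kernel
PING=${PING:-ping}

# Each link: "table iface gateway probe_target" (assumed values). The probe
# target is the far end of the DSL link, so it is on-link for that interface.
LINK_A="101 ppp0 203.0.113.1 203.0.113.1"
LINK_B="102 ppp1 198.51.100.1 198.51.100.1"

# Customer subnets (assumed): "subnet home_table other_table rule_priority".
# Adding a user means adding a line here *and* on the address-assignment
# side, which is the "two places" complaint from the thread.
CUSTOMERS="192.0.2.0/25 101 102 1001
192.0.2.128/25 102 101 1002"

# Default route in each per-link table, plus a host route to each probe
# target so the probe stays reachable even when the main table's default
# route points at the other link. "replace" is idempotent, so this can be
# re-run after a link bounces (the kernel drops routes on an interface that
# went down).
setup_tables() {
  for link in "$LINK_A" "$LINK_B"; do
    set -- $link
    $IP route replace default via "$3" dev "$2" table "$1"
    $IP route replace "$4" dev "$2"
  done
}

# link_state "table iface gw probe": print up or down based on 3 pings
# sent out of that specific interface.
link_state() {
  set -- $1
  if $PING -c 3 -W 1 -I "$2" "$4" >/dev/null 2>&1; then echo up; else echo down; fi
}

# check_links: print the state of both links as "101=up 102=down".
check_links() {
  echo "${LINK_A%% *}=$(link_state "$LINK_A") ${LINK_B%% *}=$(link_state "$LINK_B")"
}

# state_of TABLE "101=up 102=down": look up one table's state (down if unknown).
state_of() {
  for t in $2; do
    case $t in "$1="*) echo "${t#*=}"; return ;; esac
  done
  echo down
}

# pick_table HOME HOME_STATE OTHER OTHER_STATE: the table a subnet should use.
# Prefer the home link; fail over to the other one; if both are down, leave
# the rule on the home link so it recovers without intervention.
pick_table() {
  if [ "$2" = up ]; then echo "$1"
  elif [ "$4" = up ]; then echo "$3"
  else echo "$1"
  fi
}

# apply_rules "101=up 102=down": (re)install one ip rule per customer subnet.
apply_rules() {
  states=$1
  echo "$CUSTOMERS" | while read -r subnet home other prio; do
    [ -n "$subnet" ] || continue
    table=$(pick_table "$home" "$(state_of "$home" "$states")" \
                       "$other" "$(state_of "$other" "$states")")
    # replace whatever rule currently sits at this priority
    $IP rule del pref "$prio" 2>/dev/null
    $IP rule add from "$subnet" lookup "$table" pref "$prio"
  done
  $IP route flush cache   # no-op on kernels >= 3.6, required on older ones
}

# main_loop: poll the links and rewrite the rules only when a state changes.
main_loop() {
  last=""
  while :; do
    states=$(check_links)
    if [ "$states" != "$last" ]; then
      echo "link states: $states" >&2
      setup_tables
      apply_rules "$states"
      last=$states
    fi
    sleep 10
  done
}

# Start the loop only when explicitly asked (e.g. PBR_RUN=1 ./pbr.sh), so the
# file can also be sourced to use the functions on their own.
if [ "${PBR_RUN:-0}" = 1 ]; then main_loop; fi
```

Detection time is three probes at a one-second timeout plus the ten-second poll interval, so a dead link is noticed in well under a minute; lengthen either if the DSL lines drop packets under load, or flapping will move every customer back and forth. Because return traffic for a customer homed on one link may come back over the other, set `net.ipv4.conf.all.rp_filter` to `2` (loose) or `0`, or the kernel's strict reverse-path check will drop it. Run with `IP="echo ip"` first to see the exact `ip rule` and `ip route` commands the script would issue.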

- None of the usual debugging tools work properly

As long as you don't have asymmetric routing in place, debugging will be
the same. Even so, you can (at least on Linux) do a "tcpdump -i any" and
see what goes in/out of your box :)

Asymmetric routing is a fact of life and is fairly common.

If you have asymmetric routing, you may run into other issues, but still
you can get stuff working. Just saying that with a little care you can get
away without it.

- Adding a new user is complicated because it has to be done in (at
   least) two places

I agree it's not scalable, but for when all you have are DSL lines or low
capacity lines over which you cannot run an IGP, you'll have to make it work
with what you have :)

But I'm having a distinct lack of success locating rants and diatribes
or even well-reasoned articles supporting this opinion.

I would go for the "right tools for the right job" idea and say that PBR in
the case you're mentioning is a valid use and probably the most effective
way of doing business for them.

Also take into consideration that in many parts of the world, the effort of
configuring and maintaining a setup like this falls into the day-to-day
job of one or several network admins. Also, most of the time it's cheaper to
hire more people than go and buy, let's say, professional networking

Hmm, really? The professional networking equipment required for this type
of thing would be in the ~10k new and significantly cheaper used. That's
not a lot of salary.

I'm pretty sure there are places where even 6K can be one man's salary for a
year or more, so yeah, really it's cheaper to have someone do manual stuff
than buy something professional. But I'm veering a bit off-topic with this