OSPF and VLANs

Similar Messages

• How do I add a Subnet and vlan with a catalyst 3550 and RV120

  Hello Friends.
  I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
  This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
  I have a business class gateway with a private range of 12 public addresses. Ther modem does nothing but act as a gateway since i have disabled the firewall and DHCP.
  In place of the firewall and DCHP from the modem i have installed a RV120 Firewall with VPN. When installing i replicated the IP scheme of the modem as to not disturb and distrup the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
  The RV120 now acts as firewall , DHCP , and VPN. I'll address the subnet first. I's using 10.0.0.0/24 subnet range.
  DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
  There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
  VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
  There are no layer 3 switches that i know of. Just a layer two that is the primary swith and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
  I want to implement subnets into the network and VLANS as well on a new Layer 3 switche from cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
  I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
  I want to replace the 10.0.0.0/24 DHCP alltogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
  I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
  Iv'e thought of replacing all the wireless nodes with RV120's and use VLAN. Dont know if that strategy works. Need to think it through.
  I want the 192.168.0.0/24 IP range comunicate to with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
  Any advice on how to do this?
  As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introdue a DCHP, WINS, DNS server.

  Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
  To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
  With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLAN will passage without issue. For a port connecting a user "switchport mode access" "native vlan xx" This will assign the port as untag member of the desired VLAN.
  If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

• Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2

  In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management
  (logical) on top of Datacenter (physical).
  Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
  If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is a L3 switch needed to route traffic between logical networks for example?

  Hi. VMM Networking may be overwhelmed for the most, at first. But you really need to understand the modeling here and how things are related to each other. Especially if using NIC teaming in WS 2012 (and R2) together with this mix.
  I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
  -kn
  Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )

• How do you Redistribution EIGRP into OSPF and maintain a distance of 250 for a static route?

  Ok, I have scoured the forums long enough and have to post. The design is below. I moved a firewall to our new data center, which required adding some static routes for VPN connections and broadband backups. To minimize the amount of static routes I redistribute static into EIGRP with a route-map and prefix-list.
  My problem is the next part of my network. When the data leaves my 56128's it hits an edge device connecting to our dark fiber. On this edge device I am running OSPF onto the dark fiber, then redistribute some EIGRP subnets into OSPF and again all is well.
  Everything works up until the point the redistributed routes hit my RIB at my main data center where I am running IBGP. IBPG is run between our MPLS router and core for all our remote sites. When my backup route from the 56128's hits the cores, it supersedes the BGP route because the AD route O E2 [110/20] is lower than the BGP AD B [200/0]. Given the configuration below what can be done to remedy this? Oh when I redistribute I can only change the AD for the backup routes, all other routes should stay the same.
  56128's where my static routes are:
  ip route 192.168.101.0/24 192.168.30.77 name firewall 250
  router eigrp 65100
     redistribute static route-map Static-To-Eigrp
  route-map Static-To-Eigrp permit 10
     match ip address prefix-list Static2Eigrp
  ip prefix-list Static2Eigrp seq 2 permit 192.168.101.0/24
  Edge device:
  router eigrp 65100
   network 172.18.0.5 0.0.0.0
   network 172.18.0.32 0.0.0.3
   network 172.18.0.36 0.0.0.3
   redistribute ospf 65100 metric 2000000 0 255 1 1500
   redistribute static metric 200000 0 255 1 1500 route-map STATICS_INTO_EIGRP
   passive-interface default
   no passive-interface Port-channel11
   no passive-interface Port-channel12
   eigrp router-id 172.18.0.5
  router ospf 65100
   router-id 172.18.0.5
   log-adjacency-changes
   redistribute eigrp 65100 subnets route-map EIGRP_INTO_OSPF
   passive-interface default
   no passive-interface GigabitEthernet1/0/1
   no passive-interface GigabitEthernet1/0/2
   no passive-interface GigabitEthernet2/0/1
   no passive-interface GigabitEthernet2/0/2
   network 172.18.0.0 0.0.255.255 area 0
  ip prefix-list EIGRP_INTO_OSPF seq 5 permit 172.18.0.0/16 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 10 permit 192.168.94.0/29 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 15 permit 192.168.26.32/29 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 20 permit 192.168.30.72/29 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 25 permit 192.168.20.128/25 le 32
  ip prefix-list EIGRP_INTO_OSPF seq 26 permit 192.168.101.0/24 le 32 <- Backup Route for MPLS Remote Office
  route-map EIGRP_INTO_OSPF permit 10
   match ip address prefix-list EIGRP_INTO_OSPF

  So in the case of a /24. If it were say broken up into /25's? From our remote sites we are using aggregate-address summary-only. Not sure how I would advertise a more specific route via BGP, sorry.
  I didnt have this problem until I moved my firewalls. They plugged into the cores where IBGP was running and the static never kicked in unless the bgp route disappeared. I guess I could use my static redistribution for my VPN sites and use statics across the cores for the handful of backup links I have.

• Question about network statement in OSPF and BGP

  The network statements in OSPF and BGP can be used to advertise networks. But I'm not clear under what circumstances would make more sense to use network statements to advertise a network than by using other methods to have the network learned by other routers.
  Here is an example: assume I'm running BGP on router A. I want to advertise network 10.1.1.0/24 to other BGP peers. I have a OSPF route for this network. I can do 2 things: one is to use "network 10.1.1.0 mask 255.255.255.0", the other is to do "redistribute OSPF ... route-map OSPF-INTO-BGP", and create a prefix list to permit 10.1.1.0/24.
  Both would work to have this network learned by other BGP peers. But which is better for what purpose?
  Thanks a lot
  Gary

  Hi Gary,
  There is one little difference between the use of the two approaches - the route injected into BGP by using a network statement will carry an Origin attribute of IGP, whereas the route injected using redistribution will have an Origin attribute of Incomplete. Now, that is not a huge issue since you can always change that whatever value you desire both with the use of the network statement and redistribution. The important thing, however, is that in the BGP best path selection process, the Origin attribute comparison is fairly high up and will prefer a route with the attribute of IGP.
  Apart from that, there is absolutely no difference between using the network statement and using redistribution with a route-map that matches exactly on the same route that you would have specified with the network statement.
  I guess one advantage of using the redistribute approach is that it does not clutter up the BGP config. If you wish to add more routes, you simply add them to the prefix list so that you don't really touch the BGP config portion at all..
  Hope that helps - pls do remember to rate posts that help.
  Paresh

• WLC2112 with Guest / Web-Auth and vlan

  Hi
  I'm trying to configure my WLC with guest SSID and vlan 10.
  The security is only set to Web-auth, and it is all working if the guest network is set to nativ vlan (1) But it seems that the http(s)://1.1.1.1/login.html is not reacheble from the guest SSID/VLAN??
  Please help.
  Management IP Address 192.168.14.252
  Software Version 6.0.182.0
  Emergency Image Version
  I have tried with ver. 5.2 also -

  I think that 1.1.1.1 is only reachable from a wireless client during webauth. They should not be able to reach that address once they have passed through the web auth page.
  Don't know if that helps, or not.

• Help with wireless controller and VLANs

  Hi I'm trying to setup a wireless controller in preparation for a large site go live later this year. I'm struggling to get the controller and the WLAN using the correct VLAN. I want the controller on VLAN 100 and the clients on the WLAN on VLAN 200.                 
  My thought is that I would need a config similar to:
  Switchport for wireless controller management port set to trunk VLAN 100 and 200 with no native VLAN set.
  The management interface on the controller set to VLAN 100.
  A dynamic interface created on VLAN 200.
  When setup like this I can get to the controller on its management address but only from VLAN100 not from another VLAN on site or from other sites over the WAN.
  I have setup a WLAN which is set to use the dynamic interface on VLAN 200.
  I have set the AP to use HREAP and set the native VLAN as 200 and added the dynamic interface into the VLAN mappings
  When I connecting a client to the WLAN I get an address on VLAN 100.
  The switchport for the AP is set to native VLAN 100 and trunk 200 – this setup works for standalone APs at other sites.
  What am I missing?
  Also any idea why the management interface address is not routing? The netmask and gateway are set correctly.
  Thanks
  Paul

  Just to add to Steve's post... You only need to create a dynamic interface for vlan 200 if you have ap's also in local mode.  If your ap's are in H-REAP/FlexConnect mode, you don't need a dynamic interface for vlan 200.
  In you H-REAP/FlexConnect ap, you would set the wlan to vlan mapping there and the switchport configuration would be a trunk allowing vlan 100 (im assuming your native vlan for your ap) and vlan 200.  You should see something like the following:
  Thanks,
  Scott
  Help out other by using the rating system and marking answered questions as "Answered"

• Redistributing OSPF and eigrp

  We have a medium size network consisting of 14 locations connected to one location via a mixture of T-1?s , fiber, wide area wireless and metro e. We us a mixture of Cisco and Dell switches.
  We have run in to a problem combining the Cisco and the Dell and need some guidance.
  The locations that come to us via the P2P T-1?s start at the branch locations on 2620 Cisco routers and run back to 3600 Cisco router ? we are currently using router eigrp to define our networks.
  The problem that we are having at one location is that we have a layer 3 Dell switch behind the 2620 - the Dell switches will run OSPF and not Eigrp ? this there a way to have Eigrp advertise the the OSPF information it receives?
  OR may be to sum it up better can you run Eigrp on the outside interface that passes OSPF from the internal interface?
  Or is there a better way to do what I?m trying to do?
  Any help is greatly welcome

  Please see below config on the 2620:
  ip subnet-zero
  lane client flush
  cns event-service server
  interface FastEthernet0/0
  ip address 10.100.187.1 255.255.255.0
  duplex auto
  speed auto
  interface Serial0/0
  description *** NEW T-1 to admin ***
  ip address 10.100.181.10 255.255.255.252
  no ip mroute-cache
  no fair-queue
  router eigrp 100
  redistribute connected
  redistribute ospf 1
  network 10.0.0.0
  no auto-summary
  router ospf 1
  network 10.100.0.0 0.0.255.255 area 0.0.0.0
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.100.181.9
  no ip http server
  And on the 3600
  interface Serial2/0
  description *West Circuit ID 60.DHZ T-1
  ip address 10.100.181.9 255.255.255.252
  no cdp enable
  router eigrp 100
  network 10.100.178.0 0.0.0.255
  network 10.100.181.0 0.0.0.3
  network 10.100.181.4 0.0.0.3
  network 10.100.181.8 0.0.0.3
  network 10.100.181.12 0.0.0.3
  network 10.100.181.16 0.0.0.3
  network 10.100.181.20 0.0.0.3
  network 10.100.181.24 0.0.0.3
  network 10.100.181.28 0.0.0.3
  no auto-summary
  ip classless
  ip route 0.0.0.0 0.0.0.0 10.100.177.2
  ip route 10.100.150.0 255.255.254.0 10.100.181.10
  ip route 10.100.152.0 255.255.254.0 10.100.181.10
  ip route 10.100.154.0 255.255.254.0 10.100.181.10
  ip route 10.100.154.0 255.255.255.0 10.100.181.10
  ip route 10.100.155.0 255.255.255.0 10.100.181.10
  ip route 10.100.158.0 255.255.255.0 10.100.181.10
  ip route 10.100.187.0 255.255.255.0 10.100.181.10
  ip route 10.100.188.0 255.255.255.0 10.100.181.10
  ip route 10.100.190.0 255.255.255.0 10.100.181.10
  ip route 10.100.192.0 255.255.255.0 10.100.181.10
  ip route 10.100.199.0 255.255.255.0 10.100.181.6
  ip http server
  Thank you I will also review the link you sent.

• VRF configuration on subinterface and VLAN subinterface

  Hi
  Can I configure VRFs on subinterface (physical and VLAN) basis in a normal BGP/MPLS VPN configuration.
  Thanks
  VK

  Hi Sultan,
  You are very welcomed, i'd be more than glade to help you out your confusion, below is the output of one of my lab PEs, and moreover i've in production customers running with this setup, i've never faced the issue you are describing, if you can regenerate the test you are describing we can elaborate on it:
  interface FastEthernet0/0
  no ip address
  interface FastEthernet0/0.1
  encapsulation dot1Q 101
  ip vrf forwarding a
  ip address 101.101.101.1 255.255.255.252
  interface FastEthernet0/0.2
  encapsulation dot1Q 202
  ip vrf forwarding b
  ip address 202.202.202.1 255.255.255.252
  This is a 7200VXR (NPE-300) running "c7200-p-mz.122-25.S14.bin".
  BR,
  Mohammed Mahmoud.

• Igrp And Ospf And Rip And Sending Packet Out ?

  If I have got a scenario asking me not to send EIGRP packets out any other interfaces except interface Ethernet 0/0 (ip address is 183.1.123.3),,,,,,,,,,,then I can configure the router like this:
  Router eigrp 100
  Network 183.1.123.3 0.0.0.0------ ip address for fa 0/0,,,not the whole network.
  I can this for OSPf as well.
  Can I use same procedure with RIP ?
  Second question:
  For OSPF we choose router-id , why do we need to configure this for EIGRP or IGRP

  Hi,
  Router eigrp 100
  Network 183.1.123.3 0.0.0.0
  With this command, OSPF and EIGRP works only on that interface not any other interface.
  In case of RIP, its not possible. You have to use " passive interface " command in order to stop the RIP packets.
  in case of EIGRP, router -id is used to identify the originating router for external routes. If an external route is received with the local router ID, the route is discarded. The router ID can be configured with any IP address with two exceptions; 0.0.0.0 and 255.255.255.255 are not legal values and cannot be entered. A unique value should be configured for each router.
  HTH,
  -amit singh

• IPMP and VLANs

  I would like to have two NICs in IPMP configuration and public connections tagged with VLANs.
  I know the naming convention when one VLAN tag assigned to the physical NIC but I do not quite understand how to add multiple VLAN tags to one NIC and VLAN tags to pseudo interfaces.
  Here is the configuration I have:
  /etc/hostname.e1000g8
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-6 netmask + broadcast + failover up
  /etc/hostname.e1000g9
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-7 netmask + broadcast + failover up
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-12 netmask + broadcast + failover up
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-13 netmask + broadcast + failover up
  netmask + broadcast + group ipmpgroup4 deprecated -failover up addif sunsolaris10-14 netmask + broadcast + failover up
  ... and here how it looks like once configured:
  e1000g8: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 13
  inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
  groupname ipmpgroup4
  ether 0:50:56:23:29:c8
  e1000g8:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 13
  inet 10.10.1.116 netmask ff000000 broadcast 10.255.255.255
  e1000g9: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 14
  inet 0.0.0.0 netmask ff000000 broadcast 0.255.255.255
  groupname ipmpgroup4
  ether 0:50:56:24:f:2e
  e1000g9:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.117 netmask ff000000 broadcast 10.255.255.255
  e1000g9:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.118 netmask ff000000 broadcast 10.255.255.255
  e1000g9:3: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.119 netmask ff000000 broadcast 10.255.255.255
  e1000g9:4: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 14
  inet 10.10.1.120 netmask ff000000 broadcast 10.255.255.255
  Regards
  Leonid

  Does anybody familiar with setting up multiple VLANs tags on network interfaces in Solaris 10?
  Regards
  Leonid

• AP541N cluster and VLAN

  Hi.
  Simple but not obvious question.
  I've added separated wifi for guest with VLAN ID 300. Now I have 2 more access points. They are in cluster but only one is connected to smart switch SLM2008.
  Should I need to connect all of them to smart switch? I do not understand how cluster and VLAN work.

  Hello Tomasz,
  Yes. I guess you need to connect all APs to the switch (same bridged network). Clustering only makes all your AP act as one single entity ( you don't have to connect to the second AP In a cluster separately. Same wireless configuration will do).
  Refer Clustering section under the below manual for further details:
  http://www.cisco.com/en/US/docs/wireless/access_point/csbap/AP541N/administration/guide/AP541Nadmin.pdf#page139
  Hope this helps,
  Vijay
  Please rate useful posts.
  Sent from Cisco Technical Support iPad App

• Difference between bridge-group and VLAN

  Hi all,
  I don't understand very well the difference between bridge-group and VLAN...
  Could someone explain me or give me a site which could help me?
  Thx U by advance!

  Khay
  bridge-group is used on a router to enable bridging on an interface. In terms of functionality a bridge-group is very similar to a VLAN. For example if you create bridge-group 1 and assign it to interfaces FastEthernet 1/0 and 2/0 and you create bridge-group 2 and assign it to interfaces FastEthernt 1/1 and 2/1 it is like creating 2 VLANs. Devices in bridge-group 1 (interfaces 1/0 and 2/0) can communicate with each other but not with devices in bridge-group 2 (intefaces 1/1 and 2/1).
  HTH
  Rick

• Aironet 1252 doesn't broadcast SSID and VLANs

  Best regards.
  I have an autonomus AP Aironet 1252 (software version: 12.4(18a)JA1)
  I configured 3 SSID and VLANs, but the AP doesn't broadcast SSID, the vlans are working fine because I tested configuring manually the hide SSID on laptops.
  Also the AP broadcasts the SSID whe only one SSID is configured!!!
  How I can do the AP to broadcast all SSIDs?
  Thanks in advance.

  From the command line of your AP.
  Change each SSID as follows.  You want to turn off "guest-mode" and enable "mbssid" at each SSID.  Guest-mode will only broadcast one SSID, you must use mbssid  to allow all SSIDs to broadcast.
  #config t
  #dot11 ssid
  #no guest-mode
  #mbssid
  Now from each radio
  #int d0
  #mbssid
  #int d1
  #mbssid

• Hi all, need advice on OSPF and private vlans

  Hi all.
  I have a project to complete and need some help on the possible solution I can use.
  Basically we have ospf area 0 and the users in question are in ospf area 7 and is a stub.
  I need to route the traffic from these users out through area 0 through 3 core devices, onto an external firewall interface to be placed onto the vpn that sits on it. The firewall is not included in the ospf domain.
  My thinking was that the firewall has a default route back into the ospf domain so dont need to worry about traffic coming in, however my job is to segregate these users and take them out of our core network and place them onto an external network via this vpn.
  Not sure how to achieve this apart from static routing redistributed but surely this does not seperate their traffic only points the route to ospf?!
  I was thinking I might have to use private vlans or policy routing but when I try policy routing the policy gets ignored due to normal forwarding.
  Any help and advice would be greatly appreciated.
  Cheers
  Steve

  Steve
  Thanks, that helps.
  GRE is defintely out because apart from the 6500 GRE tunneling is not supported on the Cisco switches.
  It's good that area 7 is only for these users and not mixed up with other users.
  So if i understand correcty the 4500 interface connecting to the 6500 is in area 0 and the interface connecting to the 3550 is in area.
  Or is the 3550 connected to both areas and the 4500 totally in area 0 ?
  Can you confirm the above ?
  In terms of keeping them separate there are 2 possible choices. You can either -
  1) use VRF-LIte, although i'm not sure whether the HP switch would support this. With VRF-Lite you are in effect creating virtual devices on the same physical device. This means each virtual device has it's own routing and forwarding table so it is quite secure because you would only populate the routing table with the routes needed so there would be no way for users to jump to thes rest of your networks.
  The downside is that is can become quite complex to configure. If the 4500 is only used to connect are 7 to area 0 then that would not be a problem but the connection from the 6500 to the HP could and i don't even know whether the HP supports VRF-Lite functionality let alone how to configure it on that switch.
  But it would, at least from the 4500 to 6500 to HP provide complete separation in terms of routing and forwarding. Once it got to the HP it wouldn't but that might not be an issue.
  2) Use PBR (possibly together with acls). This is easier to configure ie. you configure PBR on the 4500 and the 6500 to get the traffic to the HP switch. But you do not get the actual separation you get with VRF-Lite ie. the traffic simply overrides the existing routing tables.
  The other thing to bear in mind with PBR is that you also have to configure the return traffic as well so each device would need multiple PBR configs.
  Again i don't know whether the HP supports PBR but it may not be an issue depending on what the routing is on the HP.
  You could also use a combination of the above ie VRF-Lite between the Cisco switches and then PBR for the last hop to the HP device.
  I should say i don't have a huge amount of experience with VRF-Lite but that should not necessarily stop you using it if it is what you need. There are lots of other people on here so i'm sure there will be other people who can help if i can't.
  It still depends on how much separation is required. VRF-Lite is definitely seen as a way to separate traffic running across a shared infrastructure, PBR is not really seen in the same way.  So it may well be worth going back to find out exactly what "segregating" user traffic means.
  I don't want to confuse the issue but it's still not entirely clear what the actual requirement is.
  Jon