Policy routing

mbjohnson
Level 1

Hi, we have 2 firewalls on our internal network, each of them going out through different ISPs. Core network is dual 6509s with MSFC-2. We would like some of the servers to go out one of the firewalls and the majority of users to go out the other firewall/link. How can this be accomplished? Will policy routing work, or is there any other way to achieve this?

Thanks for any help you can provide.

4 Replies

Edison Ortiz
Hall of Fame

Based on your requirement, Policy Based Routing (PBR) seems to be a feasible solution.

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch20/piconfig.htm#wp1001398

Thanks for the link, I have a few questions though:

We have multiple VLANs on the inside (users, servers, etc). Everything gets routed by our MSFCs, which have a default route pointing to a Pix firewall. Once we add the second Pix with the 2nd Internet link, what VLAN interfaces do I apply the policy maps to in order for this to work?

For example, the firewalls are sitting on VLAN 1, the servers are sitting on VLAN 20, users on VLAN 10, etc. I would want the default gateway for the users to be one Pix and for some of the servers the other Pix. At the same time I don't want this policy to overwrite any static/dynamic routing existing on the MSFCs which would send traffic destined to other offices to a different router or VPN box.

Thanks!

The policy route-map will be applied on the ingress VLAN interfaces, before any routing takes place.
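
An IOS configuration for the approach discussed in this thread, added here as an example and not posted by any participant. All IP addresses, the host entries, and the names `SERVERS-VIA-PIX-B` and `SERVERS-OUT` are constructed assumptions; only the VLAN numbers come from the thread.

```cisco
! Constructed addressing (assumptions, not from the thread):
!   VLAN 1  (firewalls)  10.0.1.0/24   PIX-A 10.0.1.1 (existing default route)
!                                      PIX-B 10.0.1.2 (new, second ISP)
!   VLAN 10 (users)      10.0.10.0/24
!   VLAN 20 (servers)    10.0.20.0/24
!   Internal and remote-office address space: 10.0.0.0/8
!
ip access-list extended SERVERS-VIA-PIX-B
 remark Internal/remote-office destinations are denied here, so they never
 remark match the route-map and the normal routing table forwards them
 deny   ip any 10.0.0.0 0.255.255.255
 remark Only the selected servers, and only their remaining (Internet) traffic
 permit ip host 10.0.20.11 any
 permit ip host 10.0.20.12 any
!
route-map SERVERS-OUT permit 10
 match ip address SERVERS-VIA-PIX-B
 set ip next-hop 10.0.1.2
! No further route-map entries: packets that match nothing are routed normally
!
! Apply on the interface where the server traffic ENTERS the MSFC
interface Vlan20
 ip policy route-map SERVERS-OUT
!
! Vlan10 (users) gets no policy and keeps following the default route to PIX-A
!
! Verification:
!   show ip policy               (which interfaces have a route-map applied)
!   show route-map SERVERS-OUT   (policy-routing match counters)
!   show access-lists SERVERS-VIA-PIX-B
```

With two MSFCs acting as gateways for VLAN 20, the same ACL, route-map and interface statement have to be present on both. PIX-B also needs a route back to the server subnet via the MSFC, and its rule set should be reviewed against PIX-A's so the policy-routed servers are not left with weaker filtering.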
