Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
300
Views
0
Helpful
4
Replies

Policy Based Routing Implementation

jasonfaraone
Level 4
Level 4

‎02-18-2009 07:52 AM - edited ‎03-04-2019 03:37 AM

At my location we have a primary and backup internet connection. The backup connection is completely underutilized; no traffic traverses it unless our main connection is down.

I'd like to use policy based routing to direct all http traffic across the backup link. I have a fair understanding of the PBR setup, I'm just not sure exactly where to implement it.

It's been explained to me that I would need to acquire a second PIX due to the way outbound PIX traffic does a route table lookup after traffic passes through the higher security interface. This is fine; I just want to verify that what I want to do is possible before investing in the hardware.

In the attached image, Switch 1 is our layer 3 switch. Router 1 is where both ISP's connect to our network.

I'm thinking I would just add another PIX, connect our web filter to it, set his default gateway to Router 1, and implement PBR on Router 1? Or would I configure PBR on Switch 1 (his current default route is Firewall 1) and configure Firewall 2 with a default gateway of ISP 2?

Sorry if this seems simple, I just don't get downtime windows very often and would like to get some feedback before trying anything.

On Router 1 routes are set up as follows:

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 [ISP 1]

ip route 0.0.0.0 0.0.0.0 [ISP 2]

Labels:
Preview file
22 KB
0 Helpful
4 Replies 4

andrew.prince
Level 10
Level 10

‎02-18-2009 09:02 AM

Personally looking at your diagram, to use both circuits, then I would implement PBR on the router, and let the router make the decisions based on traffic type.

There is no need to change anything else.

0 Helpful

jasonfaraone
Level 4
Level 4
In response to andrew.prince

‎02-18-2009 12:07 PM

Thanks for the reply! Here is another question thats been bothering me...

Our web filter has a NAT'd IP in a range thats associated (route wise) with our primary ISP. It seems like I could make outbound traffic head out of my backup ISP, but it would try to come back over the primary ISP. It seems like the "fix" would be to have a second firewall and use it to NAT a static IP associated with our backup ISP?

0 Helpful

bmcginn
Level 3
Level 3
In response to jasonfaraone

‎02-18-2009 01:22 PM

Have you thought about getting your own AS and a block of addresses?

0 Helpful

andrew.prince
Level 10
Level 10
In response to jasonfaraone

‎02-18-2009 11:54 PM

You could do that - but I think that is over complicating things. You could as brad suggestred get your own AS number and IP range.

You could possibly change the internal IP address between the router and pix to a seperate unroutable IP subnet. Then perform the NAT on the router facing the 2 ISP's. That way you could equaly load balance and the routing would route out and back over the same ISP link.

HTH>

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card