Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

Policy Based Routing Implementation

At my location we have a primary and backup internet connection. The backup connection is completely underutilized; no traffic traverses it unless our main connection is down.

I'd like to use policy based routing to direct all http traffic across the backup link. I have a fair understanding of the PBR setup, I'm just not sure exactly where to implement it.

It's been explained to me that I would need to acquire a second PIX due to the way outbound PIX traffic does a route table lookup after traffic passes through the higher security interface. This is fine; I just want to verify that what I want to do is possible before investing in the hardware.

In the attached image, Switch 1 is our layer 3 switch. Router 1 is where both ISP's connect to our network.

I'm thinking I would just add another PIX, connect our web filter to it, set his default gateway to Router 1, and implement PBR on Router 1? Or would I configure PBR on Switch 1 (his current default route is Firewall 1) and configure Firewall 2 with a default gateway of ISP 2?

Sorry if this seems simple, I just don't get downtime windows very often and would like to get some feedback before trying anything.

On Router 1 routes are set up as follows:

ip forward-protocol nd

ip route [ISP 1]

ip route [ISP 2]


Re: Policy Based Routing Implementation

Personally looking at your diagram, to use both circuits, then I would implement PBR on the router, and let the router make the decisions based on traffic type.

There is no need to change anything else.

Community Member

Re: Policy Based Routing Implementation

Thanks for the reply! Here is another question thats been bothering me...

Our web filter has a NAT'd IP in a range thats associated (route wise) with our primary ISP. It seems like I could make outbound traffic head out of my backup ISP, but it would try to come back over the primary ISP. It seems like the "fix" would be to have a second firewall and use it to NAT a static IP associated with our backup ISP?


Re: Policy Based Routing Implementation

Have you thought about getting your own AS and a block of addresses?

Re: Policy Based Routing Implementation

You could do that - but I think that is over complicating things. You could as brad suggestred get your own AS number and IP range.

You could possibly change the internal IP address between the router and pix to a seperate unroutable IP subnet. Then perform the NAT on the router facing the 2 ISP's. That way you could equaly load balance and the routing would route out and back over the same ISP link.


CreatePlease to create content