Hi,
Using a NetVanta 3458 I've got a setup roughly like the WAN link failover app note on this site where I've got two WAN uplinks on eth 0/1 and 0/2, traffic coming in from the LAN on various VLANs via the switch ports. The wrinkle I'm trying to add to that scheme is to have the traffic from our GUEST VLAN prefer the opposite WAN link, i.e. when both uplinks are up, guest traffic routes out the secondary by default and fails over to the primary.
I've tried to do this with PBR and with VRFs but it seems that at the end of the day the administrative cost of the default routes trumps everything and I can only ever NAT traffic out the winning route's interface.
What am I missing?
Thanks for your insights!
scott
Scott,
You should be able to use PBR to have the NetVanta 3458 act as you want. The configured route-map should overrule the active route in the route table, allowing you to control which path the GUEST VLAN traffic takes outbound to the internet.
It would be helpful to see your current configuration. Please remember to remove any information that may be sensitive to your network.
You may also find the document below, particularly Example #2, helpful. In the example, employee traffic needs to be routed to a cache server while guest traffic can be routed out the internet directly:
Configuring Policy Based Routing in AOS
Please do not hesitate to let us know if you have any questions.
Thanks,
Noor
Scott - I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Thanks,
Noor
Hi Noor,
Thank you for your response. Unfortunately, I haven't had another maintenance window yet to fully work this out. It seems that example 5 of the firewall configuration guide (NAT mail traffic out a second ISP), as recommended in this thread: Configuring the Firewall (IPv4) AOS, may also be quite relevant.
Thanks,
scott