Routing seperate VLANs to seperate firewalls / ISPs

Erik · ‎11-08-2007

I have some questions and hope someone can help! I work with a large network (4000+ users). Currently Internet traffic is routed through a single PIX 515E. A new ASA5540 was purchased and we have setup a connection to a new ISP.

I would like to transition our VLANs separately to the new ASA. Mainly, I am looking at configuring a test VLAN and having it routed to the new connection, but maintain our internal routes. Once tests are complete, I need to be able to move one or two VLANs with users over to the new connection for further testing.

Our end goal will be to have email and guest internet access on the old ISP connection through the PIX, and have in-house internet access and remote access through the new connection using the ASA. I'm looking for a way I can change the default route for specific VLANs or connections (the email server), and maintain the internal routing (EIGRP) for those VLANs. Currently there is a default route to the PIX that is set statically in our core and redistributing into EIGRP.

Any idea how I can easily/best accomplish this? Should I be looking at Route maps, PBR, or something else? Ideas are much appreciated!

Richard Burts · ‎11-08-2007

Erik

From your description I believe that the solution that will work best for you is PBR (which uses route maps). PBR gives you the ability to make routing decisions based on source address and allows you to set the next hop or the default next hop which should accomplish what you need. It would also make it relatively easy to add most VLANs as your testing progresses. And ultimately it will allow you to change your normal default route to point to the new ISP and also send email and guest VLAN to the old ISP.

HTH

Rick

HTH

Rick