Two Default Routes on an SGE/SFE

I am looking to create two default routes on an SGE.

I will be setting up a network in which two organizations will be sharing a common infrastructure and phone system but need to maintain separate data and servers.

I will create three VLANs: Company A, Company B, and Voice VLAN.  I will also put in ACLs to allow traffic between each organization and the voice but restricting traffic between the organizations.

Clearly, each company will need a default route out to their firewall.  Will the SGE switches support two default routes?  Both VLANs would attempt the one with the lowest cost first, but the one company would get blocked due to the ACL and would try the next higher cost default route. 

Any thoughts?  Does the SGE support multiple default routes?

Hi Adam,

Sounds like the switch should be in Layer 2 mode, with two user VLANs, with an interface in each VLAN connected to two separate firewalls.

Easily achieved on the SGE2000 or even the very capable 300 series switch product.

My train of twisted thought makes me think that in a router with dual WAN you can have two default routes; depending on the router, it starts to perform equal-cost multipath routing between the two WAN interfaces if the route costs are equal. If the routes are not equal, then the higher-cost route is not used.

Usually, a dual-port WAN in a router can support policy-based routing, so that one subnet can go out to one firewall and the other subnet can be policy routed through a different interface to another firewall. That's what I think you are trying to achieve.

The SGE2XXX switch wants to have one default route, not two. I just can't recall seeing policy-based routing on the SFE/SGE.

I think, if you could squeeze two default routes into the SGE2000, we would have a situation of equal-cost multipath routing between the two WAN interfaces, which usually ends up as a round robin. Not what you want.

Why not just leave the switch in Layer 2 mode with four VLANs configured:

  • VLAN1  admin VLAN for you to administer the network
  • VLAN2  company A data VLAN
  • VLAN3  company B data VLAN
  • VLAN4  voice VLAN

Have an untagged port on each data VLAN connected to the firewall device, which also performs some sort of DHCP and gateway functionality for the VLAN members.

Yep, use the ACL functionality to restrict any potential routing between data VLANs, if that is what you want.

Just my 2 cents' worth.

Regards, Dave.
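As an added illustration, not from the thread or any vendor, here is a small Python model of the ACL policy discussed above: ordered first-match rules that let each company reach the voice VLAN, let each company reach its own firewall, and block the two companies from each other, with a check that the isolation actually holds and a demonstration of how a broad permit placed above the denies reopens the path. The addressing (one /24 per VLAN) and VLAN numbering follow Dave's four-VLAN layout and are assumed.

```python
from ipaddress import ip_address, ip_network

# Assumed addressing (constructed for this example): one /24 per VLAN,
# following the four-VLAN layout proposed in the reply.
VLANS = {
    "admin":     ip_network("10.0.1.0/24"),  # VLAN1
    "company_a": ip_network("10.0.2.0/24"),  # VLAN2
    "company_b": ip_network("10.0.3.0/24"),  # VLAN3
    "voice":     ip_network("10.0.4.0/24"),  # VLAN4
}
ANY = ip_network("0.0.0.0/0")

# Ordered rules, first match wins, implicit deny at the end (the usual
# switch ACL semantics). The cross-company denies come first so that no
# broader permit further down can reopen the path between the companies.
ACL = [
    ("deny",   VLANS["company_a"], VLANS["company_b"]),
    ("deny",   VLANS["company_b"], VLANS["company_a"]),
    ("permit", VLANS["company_a"], VLANS["voice"]),
    ("permit", VLANS["voice"],     VLANS["company_a"]),
    ("permit", VLANS["company_b"], VLANS["voice"]),
    ("permit", VLANS["voice"],     VLANS["company_b"]),
    ("permit", VLANS["company_a"], VLANS["company_a"]),  # own subnet, incl. firewall
    ("permit", VLANS["company_b"], VLANS["company_b"]),
    ("permit", VLANS["admin"],     ANY),
]

# A broad "permit company A to anywhere" (e.g. added later for internet
# access) inserted above the denies silently reopens company A -> company B.
MISORDERED_ACL = [("permit", VLANS["company_a"], ANY)] + ACL


def evaluate(src, dst, acl=ACL):
    """First-match lookup: return 'permit' or 'deny' for one src -> dst flow."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action
    return "deny"  # nothing matched: implicit deny


def isolated(acl=ACL):
    """True only if no company A host can reach any company B host, or vice
    versa; checks every host pair in both /24s in both directions."""
    a, b = VLANS["company_a"], VLANS["company_b"]
    for ha in a.hosts():
        for hb in b.hosts():
            if "permit" in (evaluate(ha, hb, acl), evaluate(hb, ha, acl)):
                return False
    return True
```

`isolated(ACL)` returns True while `isolated(MISORDERED_ACL)` returns False, which is the check worth running whenever a rule is added to the list.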