I suspect no one has responded because your diagram and configuration don't make a lot of sense.

Is the cloud in the diagram meant to be the internet ?

No idea what 10.10.10.1 is meant to be ie. where is that IP assigned ?

Other points -

1) you have two default routes with equal costs so they would both be in the routing table. Are you wanting to use both links at the same time ?

If you are using PBR for one of the links do you need two default routes ?

2) everything is on the same IP subnet ie. your router, the client and both firewalls. This would mean PBR would need to send traffic back out of the same interface it came in on and I have seen that work sometimes and sometimes not.

What may be happening is the router is sending an ICMP redirect for one of the firewall IPs because everything is on the same IP subnet so the client goes direct to the firewall and never hits the PBR on the router.

Can you check the route table on the client and see what it shows ?

It would help if you could clarify all of the above and tell us exactly what you are trying to do in terms of which link you want to use for which traffic etc.

You may also need to reconfigure your client vlan to be a different one but first it would help if we knew what you were trying to do.

Jon

Thanks for your reply Jon and yes the cloud would be the internet

- 10.10.10.1 is the gateway for 10.10.10.2 which would be the hypothetical public static IP for 192.168.200.200 hence the /30 network.

1) My goal is to have 192.168.200.200 as the main gateway and 192.168.200.150 as a back up and use PBR to route www and ftp traffic through it IF available.

Since I am not able to keep track of the status of the outside interface of .150 and I would prefer to avoid pinging anyone else's equipment I added the route: 10.10.10.1 255.255.255.252 192.168.200.150 to force ICMP via said gateway. I have now noticed SLA's 2 "icmp-echo 10.10.10.2" should be to .1 which would be the ISP's gateway so the /30 mask is irrelevant.

2) That is why I asked for help "clarifying feasibility and practicality"

- Disregard VLAN configuration.

This router has no modules installed and the port channel could be undone if two separate interfaces are needed. 

Thanks again.

1) okay if that is the case you don't want the route via the backup link to be in the IP routing table so you need to change the AD of the second route so it is only used if the first route fails.

2) in terms of PBR as I say the issue may be because everything is on the same vlan/IP subnet but it may not.

How do you know the PBR isn't working ?

Jon

1) I'll add an AD value to it.

2) My second guessing as well.

In order to easily test PBR I connect via FTP to an external host and check the user's IP address.

I wanted to do this the easy way by configuring the client with two gateways and different metrics but this I have found useless to do via DHCP and when added manually to the client's (Win 7) sole NIC, randomness was the name of the game regardless of metrics.

I'll try #1 and will check again.

Thanks.

Jon, for what is worth, I have tested the following configuration and it works as I intended it.

Thanks.

object-group service COMCAST_Routed 
 tcp eq 443
 tcp eq ftp
 tcp eq www
 tcp eq ftp-data

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

interface Port-channel1
 ip address 192.168.200.100 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip proxy-arp
 ip policy route-map RM-Comcast-traffic

interface GigabitEthernet0/0
 no ip address
 no ip proxy-arp
 duplex auto
 speed auto
 channel-group 1

interface GigabitEthernet0/1
 no ip address
 no ip proxy-arp
 duplex auto
 speed auto
 channel-group 1

ip route 0.0.0.0 0.0.0.0 192.168.200.200 track 1
ip route 0.0.0.0 0.0.0.0 192.168.200.150 track 2
ip route 8.8.8.8 255.255.255.255 192.168.200.150
ip route 10.10.10.1 255.255.255.255 192.168.200.200

ip access-list extended ACL-Comcast-traffic
 permit object-group COMCAST_Routed 192.168.200.0 0.0.0.255 any

ip sla 1
 icmp-echo 10.10.10.1 source-interface Port-channel1
 threshold 100
 timeout 2000
 frequency 15
ip sla schedule 1 life forever start-time now

ip sla 2
 icmp-echo 8.8.8.8 source-interface Port-channel1
 threshold 100
 timeout 2000
 frequency 15
ip sla schedule 2 life forever start-time now
logging trap debugging

route-map RM-Comcast-traffic permit 1
 match ip address ACL-Comcast-traffic
 set ip next-hop verify-availability 8.8.8.8 1 track 2