Hello Harold, thanks a lot for your quick answer!!

I checked your URL, and what I see is that STD ACLs can be used in checking source addresses and Extended ACLs can be used in checking other fields like source, destination or layer 4 information.

However, the URL does not say that they can not be used to feed the "match ip next-hop" clause.

Since my idea did not work in a testbed, I believe you are right, but I would like to double check again. ¿ is there any specific source of documentation that mentions lack of support of the "match ip next-hop" sentence for PBR?

Thank you very much in advance again!

Best regards, rogelio

So I am screwed

thank you very much for your helpful answer. I will have to work this around in some other way.

Best regards, Rogelio

Hi Rogelio,

Maybe we can help if you explain the requirements in details.

Regards

Hello Harold:

The customer is waiting for new (more powerful) Internet firewalls to replace the present ones, but the new ones will arrive in three months. He asked me to insert a 2nd firewall in parallel to the existing Internet firewalls, because the present firewall custer is running out of resources.

He asked me to schedule traffic distribution among the present cluster and the temporary extra firewall, so I am thinking to PBR some of the (many internal segments in the company).

I need my PBR routine to "know" that packets are driven to the Internet in order to make the proper redirection. This is a complex company with besides RFC1918 addresses, they also have lots of internal segments that happen to be public (and legal) IP addresses, so it is quite cumbsersome to get rid of the "next hop" concept and make a list of IP addresses for which i must not redirect.

I also have to take care not to redirect packets to DMZs protected by the current firewall cluster.

The following picture shows (more or less) the topology I have to take care of:

Harold:

I am thinking on a much better and simpler workaround. Let me know please your opinion:

To the former default route, pointing to the former firewall cluster, I should add another default route, pointing to the parallel firewall.

The router should install the new default route in the routing table. And balance the outgoing sessions on a (source,destination) basis with its corresponding FIB. I would not need any PBR whatsoever!

I could also add some tracking capabilities to both default routes to guarantee some availability of the paths across the firewalls

¿Am I right?

Thank you very much again. I will follow this advice.

regards, Rogelio