Yes, the point of this is vlan select VLANS to go to Internet A and the other select VLANS to go to Internet B

10.15.x.x and 10.14.x.x networks go out firewall A.

Rest (10.39.x.x) goes out firewall B.

Router for both networks is a 4510
 

You are basically trying to force a user coming from vlan.10-100 one way and vlans 200-300 a different way. it is difficult to do PBR, as you don't know where the destinations are on the Internet. It also depend on what firewall is performing NAT.

You can do this with PBR but there are a few caveats.

The issue is, as Reza mentions, for the internet the destination IP could be any.

So do you need all vlans to be able to route between each other internally ?

If you do then you need to account for that in your PBR acl ie. deny PBR for internal routing then allow PBR for internet.

You usually do this using deny lines in your acl followed by a permit any but that can cause issues with some switches in terms of CPU usage. There are ways around that but even then it can still cause a problem so you need to be aware of that and monitor CPU usage on the switch.

So if both firewalls are connected to the 4510 can you be precise in what you want to go where ?

And also if some of the vlans are on the 4506 how does that switch connect to the 4510 ?

Edit - can you also confirm that you do what routing between all vlans or do the set of vlans using one firewall not need to communicate with vlans using the other firewall ?

Jon

So, are both 4510 and 4506 connect to Internet?

Do you have the proper license to do PBR?

What is the network setup looks like?

HTH

Both of them are connected to the internet.

Yes I am running Enterprise Services.