Anonymous
Not applicable

Can I get traffic from different policy-classes to NAT out different interfaces?

Hi,

Using a NetVanta 3458 I've got a setup roughly like the WAN link failover app note on this site where I've got two WAN uplinks on eth 0/1 and 0/2, traffic coming in from the LAN on various VLANs via the switch ports.  The wrinkle I'm trying to add to that scheme is to have the traffic from our GUEST VLAN prefer the opposite WAN link, i.e. when both uplinks are up, guest traffic routes out the secondary by default and fails over to the primary.

I've tried to do this with PBR and with VRFs but it seems that at the end of the day the administrative cost of the default routes trumps everything and I can only ever NAT traffic out the winning route's interface.

What am I missing?

Thanks for your insights!

scott

3 Replies
Anonymous
Not applicable

Re: Can I get traffic from different policy-classes to NAT out different interfaces?

Scott,

You should be able to use PBR to have the NetVanta 3458 act as you want. The configured route-map should overrule the active route in the route table, allowing you to control which path the GUEST VLAN traffic takes outbound to the internet.

It would be helpful to see your current configuration. Please remember to remove any information that may be sensitive to your network.

You may also find the document below, particularly Example #2, helpful. In the example, employee traffic needs to be routed to a cache server while guest traffic can be routed out the internet directly:

Configuring Policy Based Routing in AOS

Please do not hesitate to let us know if you have any questions.

Thanks,

Noor

Anonymous
Not applicable

Re: Can I get traffic from different policy-classes to NAT out different interfaces?

Scott - I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

Thanks,

Noor

Anonymous
Not applicable

Re: Can I get traffic from different policy-classes to NAT out different interfaces?

Hi Noor,

Thank you for your response; unfortunately I haven't had another maintenance window yet to fully work this out.  It seems that example 5 of the firewall configuration guide (NAT mail traffic out a second ISP) as recommended in this thread: Configuring the Firewall (IPv4) AOS may also be quite relevant.

Thanks,

scott