QOS question

Post by doctora »

All the IP addresses are made up to protect the innocent. This is all theory; I don't have an actual configuration file. I could set up a lab if necessary. We just instituted a new core switch and we are looking for ways to make things more efficient.

We have a few subnets, for example 10.100.0.0/16, 10.101.0.0/16, ... 10.110.0.0/16.

We have two firewalls, one with IP 10.100.0.1 and one with 10.100.0.3. The firewalls are connected directly to the core switch.

I would like to route 10.100.0.0/16 default traffic 0.0.0.0 to 10.100.0.1

I would like to route 10.101.0.0/16 - 10.110.0.0/16 through the 10.100.0.3 firewall.

The current default gateway in the core is "ip static-route 0.0.0.0 mask 0.0.0.0 gateway 10.100.0.3 metric 1"

Can I have two default gateways and then configure QOS to allow and/or deny access to certain gateways?

Similar to
policy network group range1 10.100.0.0 mask 255.255.0.0
policy network group range2 10.101.0.0 mask 255.255.0.0 10.102.0.0 mask 255.255.0.0 ......
policy network group firewall1 10.100.0.1
policy network group firewall2 10.100.0.3
policy condition allow_range1 source network group range1 destination network group firewall1
policy condition block_range1 source network group range1 destination network group firewall2
policy condition allow_range2 source network group range1 destination network group firewall2
policy condition block_range2 source network group range1 destination network group firewall1

Then allow and deny the conditions?

Or maybe configure just the first group and force it a different port. Then everything else out the other port?

Any opinion is appreciated.

Thanks in advance
Mark

Re: QOS question

Post by silvio »

Hi,
you need PBR - policy based routing (see network guide for more info).

-> policy condition NET-100 source ip 10.100.0.0 mask 255.255.0.0
-> policy action FIREWALL-1 permanent gateway ip 10.100.0.1
-> policy rule NET100-FIREWALL1 condition NET-100 action FIREWALL-1
-> qos apply

regards
Silvio
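
Added example, not part of the original posts and not vendor code: a small Python model of the next-hop decision the thread is about, using the made-up addresses from the question, to check which flows a source-only routing policy captures before it is applied. Assumptions: a matching routing policy overrides the routing table for every packet from that source, and the `SCOPED` rule set (internal destinations exempt) is a hypothetical variant for comparison, not a command from the reply.

```python
import ipaddress

# Constructed model using the made-up addresses from the thread.
FIREWALL_1 = ipaddress.ip_address("10.100.0.1")
FIREWALL_2 = ipaddress.ip_address("10.100.0.3")
DIRECT = "direct"  # model marker: destination is on a connected subnet

# Core routing table: connected 10.100-10.110 /16s plus the existing default route.
CONNECTED = [ipaddress.ip_network(f"10.{n}.0.0/16") for n in range(100, 111)]
ROUTES = [(net, DIRECT) for net in CONNECTED]
ROUTES.append((ipaddress.ip_network("0.0.0.0/0"), FIREWALL_2))

NET_100 = ipaddress.ip_network("10.100.0.0/16")
# Each rule: (source network, destination networks exempt from the rule, gateway).
SOURCE_ONLY = [(NET_100, [], FIREWALL_1)]    # shape of the condition in the reply
SCOPED = [(NET_100, CONNECTED, FIREWALL_1)]  # hypothetical: internal dsts exempt


def routed_next_hop(dst):
    """Longest-prefix match over the routing table."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in ROUTES if dst in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def next_hop(src, dst, pbr_rules):
    """Assumed order: a matching routing policy wins, else the routing table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for src_net, exempt, gateway in pbr_rules:
        if s in src_net and not any(d in net for net in exempt):
            return gateway
    return routed_next_hop(dst)


def audit(pbr_rules):
    """Return {(src, dst): next hop} for representative flows."""
    flows = [
        ("10.100.5.5", "198.51.100.7"),  # NET-100 host to an outside address
        ("10.101.5.5", "198.51.100.7"),  # other subnet to an outside address
        ("10.100.5.5", "10.101.1.1"),    # NET-100 host to an internal subnet
    ]
    return {f: str(next_hop(f[0], f[1], pbr_rules)) for f in flows}


if __name__ == "__main__":
    for name, rules in (("source-only", SOURCE_ONLY), ("scoped", SCOPED)):
        for (src, dst), hop in audit(rules).items():
            print(f"{name:12} {src:>11} -> {dst:<13} via {hop}")
```

In this model the source-only rule also sends traffic from 10.100.0.0/16 to the other internal subnets through the first firewall, which is the flow to verify in a lab before running `qos apply`.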

Re: QOS question

Post by doctora »

Thanks, I will read up on it.

Return to “OmniSwitch 6850 / 6850E”