Hi,
Background: a 5900 stack which acts as a static router; the gateway is a Checkpoint FW (basically the internet FW).
We are looking into performing a migration from one internet connection to another. This is a process which will take some time (due to the public IPs and the configs associated with them), so the idea is to 'gradually' migrate to the new internet connection.
So currently: the 5900 has static routes, with 0.0.0.0/0 going to the internet FW (let's say 192.168.1.1).
I thought of using PBR on the 5900 to migrate, for example, internal subnets one by one to the new internet connection (let's say 192.168.1.2).
The current route table on the 5900 not only has a default route, but also static routes (there are around 256 static routes in total). Example:
0.0.0.0/0 192.168.1.1
10.0.0.0/8 192.168.1.70
10.91.4.0/24 192.168.1.40
This adds complexity. It would have been nice if there was a 'not' statement in the ACL, so I could grab traffic going to the internet. The 'not' statement however does not exist...
So to wrap it up, I suspect I need to do something like this:
# destinations that must keep using the existing static routes
acl number 3001 name route-to-local
 rule 0 permit ip source 172.18.1.0 0.0.0.255 destination 10.0.0.0 0.255.255.255
 rule 1 permit ip source 172.18.1.0 0.0.0.255 destination 172.16.0.0 0.15.255.255
 rule 2 permit ip source 172.18.1.0 0.0.0.255 destination 192.168.0.0 0.0.255.255
# everything else from this subnet (i.e. internet-bound traffic)
acl number 3002 name route-to-new-internet-fw
 rule 0 permit ip source 172.18.1.0 0.0.0.255
# deny node: matching packets leave PBR and use the existing static routes
policy-based-route pbr-test deny node 10
 if-match acl 3001
quit
# if it's going to the internet, forward to the new internet FW
policy-based-route pbr-test permit node 11
 if-match acl 3002
 apply next-hop 192.168.1.2
quit
And then apply the policy to the VLAN. Basically do the same for every other VLAN we want to migrate. Does this make sense?
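The plan above hinges on one thing: every destination that has its own static route must be caught by the deny node, otherwise the permit node sends it to the new FW and silently bypasses the static route. The script below is an added example, not the poster's configuration or HPE's tooling. It models the deny/permit node decision in Python, checks the static-route table against the deny ACL prefixes, and generates the per-VLAN ACL pair, policy and `interface Vlan-interface` binding in Comware 7 syntax. The route table, the 100.64.0.0/10 route, the VLAN number and the ACL/policy names are constructed placeholders; the `ip policy-based-route` binding command is assumed from Comware 7 syntax and is not in the original post.

```python
import ipaddress

# Constructed sample data in the style of the post's route table (not the real table).
STATIC_ROUTES = [
    ("0.0.0.0/0", "192.168.1.1"),       # default route -> current internet FW
    ("10.0.0.0/8", "192.168.1.70"),
    ("10.91.4.0/24", "192.168.1.40"),
    ("100.64.0.0/10", "192.168.1.60"),  # constructed: an internal route outside RFC1918
]
LOCAL_DESTS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # the post's ACL 3001
NEW_FW = "192.168.1.2"


def wildcard(net):
    """Comware ACL rules take a wildcard (inverted) mask, e.g. 0.0.0.255 for a /24."""
    return str(net.hostmask)


def uncovered_static_routes(static_routes, local_dests):
    """Static-route destinations (default route excluded) not inside any deny prefix.

    Any prefix returned here would be hijacked by the permit node and sent to the
    new FW instead of following its static route.
    """
    deny = [ipaddress.ip_network(p) for p in local_dests]
    missing = []
    for prefix, _nh in static_routes:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0:
            continue  # the default route is exactly what we want to override
        if not any(net.subnet_of(d) for d in deny):
            missing.append(prefix)
    return missing


def pbr_config(vlan_id, source_cidr, local_dests, new_fw, local_acl, inet_acl):
    """Emit one VLAN's ACL pair, PBR policy and interface binding as Comware 7 text."""
    src = ipaddress.ip_network(source_cidr)
    policy = f"pbr-vlan{vlan_id}"  # assumed naming scheme, one policy per VLAN
    lines = [f"acl number {local_acl} name vlan{vlan_id}-route-to-local"]
    for i, dest in enumerate(local_dests):
        d = ipaddress.ip_network(dest)
        lines.append(f" rule {i} permit ip source {src.network_address} {wildcard(src)} "
                     f"destination {d.network_address} {wildcard(d)}")
    lines += [
        f"acl number {inet_acl} name vlan{vlan_id}-route-to-new-internet-fw",
        f" rule 0 permit ip source {src.network_address} {wildcard(src)}",
        f"policy-based-route {policy} deny node 10",      # fall through to static routes
        f" if-match acl {local_acl}",
        f"policy-based-route {policy} permit node 11",    # internet-bound -> new FW
        f" if-match acl {inet_acl}",
        f" apply next-hop {new_fw}",
        f"interface Vlan-interface{vlan_id}",             # assumed binding, Comware 7 syntax
        f" ip policy-based-route {policy}",
    ]
    return "\n".join(lines)


def next_hop(src_ip, dst_ip, source_cidr, local_dests, static_routes, new_fw):
    """Model the forwarding decision: PBR on the ingress VLAN first, then static routes."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    in_vlan = src in ipaddress.ip_network(source_cidr)
    to_local = any(dst in ipaddress.ip_network(d) for d in local_dests)
    if in_vlan and not to_local:
        return new_fw  # deny node 10 did not match, permit node 11 did
    # Deny node matched (or the source is not in the ACLs): longest-prefix lookup.
    matches = [(ipaddress.ip_network(p), nh) for p, nh in static_routes
               if dst in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    print(pbr_config(18, "172.18.1.0/24", LOCAL_DESTS, NEW_FW, 3001, 3002))
    print("static routes NOT covered by the deny node:",
          uncovered_static_routes(STATIC_ROUTES, LOCAL_DESTS))
    for dst in ("8.8.8.8", "10.91.4.9", "100.64.1.1"):
        print(f"172.18.1.5 -> {dst}:",
              next_hop("172.18.1.5", dst, "172.18.1.0/24", LOCAL_DESTS, STATIC_ROUTES, NEW_FW))
```

Run it as-is and the check flags the constructed 100.64.0.0/10 route: traffic from the migrated VLAN to that prefix goes to 192.168.1.2 instead of 192.168.1.60. Feeding the real 256-route table into `STATIC_ROUTES` (and adding any uncovered prefixes to the deny ACL) is the step worth doing before binding the policy to the first VLAN interface.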