Multiple Routes on 5412zl Router/Switches? Argh!

Afternoon all,

We have recently had a completely new infrastructure put in place at our offices which myself and another colleague are maintaining.

Equipment-wise, it is all 5412zl and 3500yl switches running 10gbit fiber everywhere round the building.

We have multiple VLANs and two core (5412zl's) switches performing all the routing.

We have a default route of set to point to our existing firewall but I have come upon a problem with regards to moving onto out new internet line and associated firewall.

Basically, I need to know whether it is possible to specify more than one route for traffic for incoming requests (internet-side) so I can seamlessly migrate our external services. Obviously, I cannot perform this easily without this as the core switches 'Default Gateway' is set to our old firewall and ports forwarded from the new firewall do not reach their destination through the core switches until the default route on the core switches is changed.

Does anyone know if there is a way round this? Ideally, we'd like to configure an additional route out on the core switches (which would allow port-forwarded requests from both firewalls to reach all VLANs), which will probably be on a temporary basis but would be even better if we could retain the setting to allow a rudimentary fail-over solution should one of the internet connections go down.

Both old and new firewalls reside on the same VLAN range and they due to be replaced soon for a more enterprise-standard firewall solution as they are pretty basic affairs and not suited to our business requirements. Until that time I could do with having them running at their full potential...

All VLAN machines have their Default Gateway set to the appropriate VLANs gateway (ie. for If the default gateway is changed to the firewall address then it all works fine as expected but we can't afford to do this in our VLAN routed environment now...

Any ideas?

i'm not sure i understand your setup correctly.
you got a network with two firewalls each with it's owne internet connection?

or you got two networks with each a firewall and an internet connection?

basically it's not possible to have two default routes from the internet-side to your network.
but as you mention "internet" i assume you use NAT to public adresses?
if so you can enable/disable selective adresses on the firewall you want to use incomming for a service.
so only the firewall with the public NAT-adress enabled will listen on the internet-side to a specific adress and pass the packets to the local network.

you cannot use one FW incomming and other FW outgoing for same session.
so the hosts that are destination of these packets must be configured to use the same firewall for outgoung packets.
Thanks for your reply. Funnily enough, looking through the manual after I wrote this post suggested as you have, that only one external IP route can be added. I suppose in a bigger environment I may have another hop in the equation, but hey....

Anyhow, I have figured this out and used one firewall for both internet connections now and got a load-balancing/failover solution working nicely with a proper DMZ too. Turns out our rubbish firewall has a provision for 4 WAN connections so the problem has now gone away.

Many thanks for your input.