ip route metric

Posted on 2014-11-14
Last Modified: 2014-11-18

I'm looking to add a second firewall to my existing setup, retaining the current firewall as a alternative route to the internet.

I have a HP Procurve 5406zl as my core switch

I have my network segmented with vlans like the example in the attachment.

My current firewall is on vlan100 and is the default route for all internet traffic

ip route

When I add my second firewall, is it possible to use a metric to force all traffic to use the new firewall as a default route, failing back onto the existing firewall if the route is unreachable?

And should I create a new vlan for the new firewall or is it ok in the same vlan as the existing firewall?



Question by:Tech Man
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
LVL 29

Expert Comment

by:Jan Springer
ID: 40443480

Depending on the vendor, the syntax might be slightly different but:

LVL 50

Expert Comment

by:Don Johnston
ID: 40443740
is it possible to use a metric to force all traffic to use the new firewall as a default route, failing back onto the existing firewall if the route is unreachable?
Kind of. You can specify the administrative distance with your default route.

ip route ! preferred firewall
ip route 10 ! backup firewall

But... and this is important, the default route to the backup firewall will only be used if the interface to the preferred firewall goes down.  Which means if the firewall's outside interface fails, or the link to the ISP fails, the switch will continue sending packets to the primary firewall.

One way around this is to have your switch do object tracking with route maps.  But unfortunately, the 5400's don't support this.

You don't say what firewall you have, but some firewall's have a failover feature.  Or a first hop routing protocol like HSRP or VRRP.  In which case you define a virtual IP for the two firewalls and the active firewall handles the traffic.

Or you could use a routing protocol like OSPF and have the firewalls advertise the default route to the switch.

So there's a number of possible solutions.

Author Comment

by:Tech Man
ID: 40443776
Ok, the goal posts have moved now.

I am installing two Sonicwall 2600s in high availability now. They work as a active/standby setup with both firewalls sharing a virtual IP.

So in effect, the procurve 5406zl will on see one firewall.

Now I would like to setup these new firewalls in parallel with the exsisting firewall.

Is it best to setup a new vlan for the new firewalls and when it's ready, just change the default route to the new virtual IP?
Also, I would like to maybe test one vlan on the new firewalls, can this been done?
Automating Your MSP Business

The road to profitability.
Delivering superior services is key to ensuring customer satisfaction and the consequent long-term relationships that enable MSPs to lock in predictable, recurring revenue. What's the best way to deliver superior service? One word: automation.

LVL 50

Accepted Solution

Don Johnston earned 250 total points
ID: 40443787
Ah yes... the old "moving goal posts" scenario.  :-D

If you're going to operate them in parallel, there's no benefit to creating a separate VLAN for each firewall. But you can.  There' s just no advantage.
LVL 29

Assisted Solution

by:Jan Springer
Jan Springer earned 250 total points
ID: 40443833
I usually just configure the new firewalls to mimic the existing firewall(s) and insert them during a maintenance window (of low utilization).

Oh, and active passive means that the backup device should assume the configuration so you will have to keep them on the same vlan for the inside interfaces (and outside interfaces too)

Author Closing Comment

by:Tech Man
ID: 40449768
Thanks for your suggestions.

I'm going to configure them in parallel and change the default route when I'm sure everything is working.

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Short answer to this question: there is no effective WiFi manager in iOS devices as seen in Windows WiFi or Macbook OSx WiFi management, but this article will try and provide some amicable solutions to better suite your needs.
Join Greg Farro and Ethan Banks from Packet Pushers ( and Greg Ross from Paessler ( for a discussion about smart network …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question