If you want to use a virtual router, you have to dig a little bit deeper into how it works and some of its limitations.
PBR with a virtual router in a VSX environment does not fully support all normal PBR features.
Some things to decide:
- A virtual router is only supported on VSX HA, not VSLS
- PBR routes are only possible for IP subnets, not for TCP/UDP services (this is available in one of the newest or future releases, I'm not sure at the moment which)
- PBR routes can only have other virtual systems as gateway; no gateway IP address is possible
- You can't configure firewall or NAT rules on a virtual router, it's only a router
- You can attach a virtual router unnumbered to the virtual systems; you don't need a network segment or virtual switch for these connections
We had a customer with a similar requirement, and we used the virtual router and PBR. We had one VS as the main firewall and two other VSs with the ISP connections: VS1 with ISP1 and VS2 with ISP2. They are all connected via the virtual router.
The main firewall has a default route pointing to the virtual router, and on the virtual router there are PBR routes sending packets out to VS1 or VS2 (ISP1 and ISP2) depending on the source IP subnets.
On the external VS1 and VS2 we have only limited firewall rules. They are used mainly for NAT to the ISPs and as VPN entry points. Using this scenario has some overhead and has to be really well developed before going into production.
The requirement for the two external VSs comes from the limitation of not being able to define an IP address as the gateway in a PBR route.