Omada Pro Logo official website Vigi Logo official website
Contact Us
India / English

How do to configure Policy-Based Routing (PBR) on the TP-Link SG6428X

Knowledgebase
Configuration Guide
BookmarksCopy Link
05-04-2026
16

Overview

Policy-Based Routing (PBR) is an advanced routing technique that allows network devices to make forwarding decisions based on predefined policies rather than relying solely on the destination IP address in the routing table.

In traditional routing, packets are forwarded based on the best match in the routing table (longest prefix match). However, PBR overrides this behavior by inspecting additional

parameters such as source IP address, destination IP, protocol, or application type, and then directing traffic through a specific path.

This enables granular control over how traffic flows through the network. For example,

traffic from one subnet can be sent through a particular gateway, while another subnet uses a different path—even if both are trying to reach the same destination.

PBR is commonly used for:

  • Traffic engineering
  • Load distribution across multiple links
  • Policy enforcement (e.g., sending specific traffic through a firewall or secure gateway)
  • Multi-ISP environments

In essence, PBR gives administrators the flexibility to control routing decisions based on business or technical requirements, rather than being restricted to standard destination-based routing logic.

Topology Explanation

  • SG6428X (L3 Switch)
    • Acts as the default gateway for all user VLANs
    • Performs inter-VLAN routing
    • Applies PBR policies
  • ER8411 Router (ISP 1)
    • Connected via VLAN 1 (Transit Network)
    • Switch IP: 10.56.1.234
    • ER8411 IP (Next-Hop): 10.56.1.1
  • ER605 Router (ISP 2)
    • Connected via VLAN 249 (Transit Network)
    • Switch IP: 11.56.1.5
    • ER605 IP (Next-Hop): 11.56.1.1

  • VLAN250 traffic → Routed via ER8411 (ISP 1)
  • VLAN251 traffic → Routed via ER605 (ISP 2)

Key Concept (Very Important)

  • ACL = Traffic Matching (WHO to match)
  • Redirect Next Hop = Forwarding Decision (WHERE to send traffic)

Step-by-Step Configuration

  1. Configure VLAN Interfaces (SVI on Switch)

Navigate to:

L3 Features → Interface

Create/Verify:

    • VLAN1 → 10.56.1.234/24
    • VLAN249 → 11.56.1.5/24
    • VLAN250 → 192.168.250.1/24
    • VLAN251 → 192.168.251.1/24

✔ Ensure all interfaces are UP

SG6428X must be the default gateway for VLAN250 & VLAN251

  1. Create IP ACLs (Traffic Matching)

Navigate to:

Security → ACL → ACL Config

ACL for VLAN250 (ER8411 Traffic)

    • ACL ID: 500
    • Operation: Permit
    • Source IP: 192.168.250.0
    • Mask: 255.255.255.0
    • Destination: Any (leave blank)

ACL for VLAN251 (ER605 Traffic)

    • ACL ID: 501
    • Operation: Permit
    • Source IP: 192.168.251.0
    • Mask: 255.255.255.0
    • Destination: Any (leave blank)

  1. Configure Redirect Next Hop (PBR Action)

Inside ACL → Edit Rule → Policy Section

VLAN250 → ER8411 (via VLAN1)

Enable:

✔ Redirect Next Hop Set:

    • Traffic: Unicast
    • Next Hop Type: Standby
    • Redirect Next Hop: 10.56.1.1 (ER8411)

VLAN251 → ER605 (via VLAN249)

Enable:

✔ Redirect Next Hop Set:

    • Traffic: Unicast
    • Next Hop Type: Standby
    • Redirect Next Hop: 11.56.1.1 (ER605)

  1. Bind ACL to VLANs

Navigate to:

Security → ACL → ACL Binding → VLAN Binding

Bind:

ACL ID

VLAN

Direction

500

VLAN250

Ingress

501

VLAN251

Ingress

✔ Direction must be Ingress

  1. Enable ACL Mode

Navigate to:

Security → ACL

    • Set ACL Mode = Whitelist
    • Click Apply

Traffic Flow Explanation

VLAN250 → ISP 1 (ER8411 Path)

Client (192.168.250.x)

→ SG6428X (GW: 192.168.250.1)

→ ACL Match

→ Redirect → 10.56.1.1 (ER8411 via VLAN1)

→ ISP 1 → Internet

VLAN251 → ISP 2 (ER605 Path)

Client (192.168.251.x)

→ SG6428X (GW: 192.168.251.1)

→ ACL Match

→ Redirect → 11.56.1.1 (ER605 via VLAN249)

→ ISP 2 → Internet

Critical Requirements

    • Switch must be default gateway
    • Next-hop must be in directly connected VLAN
    • Routers must have return routes

VLAN & IP Addressing Plan

VLAN

Purpose

Subnet

Switch IP (Gateway)

Next Hop Device

VLAN1

Transit to ER8411

10.56.1.0/24

10.56.1.234

ER8411 (10.56.1.1)

VLAN249

Transit to ER605

11.56.1.0/24

11.56.1.5

ER605 (11.56.1.1)

VLAN250

User VLAN

192.168.250.0/24

192.168.250.1

ER8411

VLAN251

User VLAN

192.168.251.0/24

192.168.251.1

ER605

Best Practices

✔ Use dedicated transit VLANs (VLAN1 & VLAN249)

✔ Apply ACL in Ingress direction

✔ Keep rules simple (source-based)

✔ Ensure return path exists

Validate with traceroute

Common Mistakes

Wrong next-hop IP

❌ Missing return route

❌ ACL applied on wrong VLAN

❌ Switch not acting as gateway

❌ Using unnecessary destination filters

Conclusion

This design makes the SG6428X a central L3 gateway, enabling:

  • Dual ISP routing
  • VLAN-based traffic steering
  • Efficient use of ER8411 + ER605

Traffic separation:

  • VLAN250 → ER8411 → ISP 1
  • VLAN251 → ER605 → ISP 2
Please Rate this Document

Related Documents

How to configure Policy Routing on Omada Gateway

Configuration Guide
Online
11-06-2024
35560

How to configure Policy Routing on Dual WAN Router using the new GUI

Configuration Guide
12-27-2023
13592

Troubleshooting guide of PBR Not Taking Effect

Troubleshooting Guide
ACL
10-25-2024
15780

How to configure free authentication policy on EAP Controller

Configuration Guide
06-09-2015
15173

Suggested configurations for AVoIP protocols on Omada Switches

Configuration Guide
09-13-2024
31409

Sign up for news & offersTP-Link takes your privacy seriously. For further details on TP-Link's privacy practices, see TP-Link's Privacy Policy.

Email Error

Follow Us

About
Press
Partners
Learning Center
TP-Link Omada Omada Pro VIGI
India / English

©2026 TP-Link India Private Limited. and its affiliated companies. All rights reserved.

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

Your Privacy Choices

This website uses cookies to improve website navigation, analyze online activities and have the best possible user experience on our website. You can object to the use of cookies at any time. You can find more information in our privacy policy . Don’t show again

Basic Cookies

These cookies are necessary for the website to function and cannot be deactivated in your systems.

TP-Link

SESSION, JSESSIONID, accepted_local_switcher, tp_privacy_banner, tp_privacy_base, tp_privacy_marketing, tp_top-banner, tp_popup-bottom, tp_popup-center, tp_popup-right-middle, tp_popup-right-bottom, tp_productCategoryType

Youtube

id, VISITOR_INFO1_LIVE, LOGIN_INFO, SIDCC, SAPISID, APISID, SSID, SID, YSC, __Secure-1PSID, __Secure-1PAPISID, __Secure-1PSIDCC, __Secure-3PSID, __Secure-3PAPISID, __Secure-3PSIDCC, 1P_JAR, AEC, NID, OTZ

Zendesk

OptanonConsent, __cf_bm, __cfruid, _cfuvid, _help_center_session, _pendo___sg__.<container-id>, _pendo_meta.<container-id>, _pendo_visitorId.<container-id>, _zendesk_authenticated, _zendesk_cookie, _zendesk_session, _zendesk_shared_session, ajs_anonymous_id, cf_clearance

Analysis and Marketing Cookies

Analysis cookies enable us to analyze your activities on our website in order to improve and adapt the functionality of our website.

The marketing cookies can be set through our website by our advertising partners in order to create a profile of your interests and to show you relevant advertisements on other websites.

Google Analytics & Google Tag Manager

_gid, _ga_<container-id>, _ga, _gat_gtag_<container-id>

Google Ads & DoubleClick

test_cookie, _gcl_au