
I have two 3750s that are routing via SVIs for server subnets (Core1 and Core2 respectively). On Core1 I have vlan 1100 that has an SVI of x.x.100.1 with a transparent squid proxy on 100.3.

When I do the following on core1:

ip access-list extended lab-filter
 remark ### Force HTTP and HTTPS to Barracuda ###
 deny tcp any any neq www 443
 deny ip any x.x.x.x 0.0.255.255
 permit ip x.x.x.x 0.0.0.255 any

route-map Barracuda permit 20
 match ip address lab-filter
 set ip next-hop x.x.100.3

interface Vlan1100
description Barracuda VLAN Interface
ip address x.x.100.1 255.255.255.0
no ip redirects
no ip proxy-arp

On Core1
interface Vlan1010
ip address x.x.10.1 255.255.255.0
ip access-group 115 in
ip access-group 116 out
no ip redirects
no ip proxy-arp
ip policy route-map Barracuda

On Core2
interface Vlan1120
ip address x.x.120.1 255.255.255.0
ip access-group 102 in
no ip proxy-arp
ip policy route-map Barracuda

Everything works fine, all web traffic gets kicked over to the filter.

The question comes in when I have the other 3750 that is directly connected to Core1 and try the same thing: it doesn't redirect the traffic to 100.3.

core1#sho route-map
route-map Barracuda, permit, sequence 20
  Match clauses:
    ip address (access-lists): lab-filter
  Set clauses:
    ip next-hop x.x.100.3
  Policy routing matches: 138260 packets, 12930735 bytes


core2#sho route-map
route-map Barracuda, permit, sequence 10
  Match clauses:
   ip address (access-lists): lab-filter
  Set clauses:
   ip next-hop x.x.100.3
  Nexthop tracking current: 0.0.0.0
  x.x.100.3, fib_nh:0,oce:0,status:0 
  Policy routing matches: 0 packets, 0 bytes

Basically I am trying to take everything out of vlan 1010 on Core1 and vlan 1120 out of Core2 and redirect port 80 and 443 to 100.3, which is directly connected to Core1.

Does the next hop IP have to be a connected route, and if not, how can I get past this?

btk_

2 Answers


The next hop should be the next layer 3 address that the traffic will be passed to, so yes, it should be on a network segment that is directly connected to the 3750 and has a connected route.

Keep in mind that you aren't rewriting the packet's destination address, you're just routing it in a different way. So, the next layer 3 hop should either be the Barracuda (when your router directly touches the vlan that the Barracuda is on), or else a next-hop layer 3 router that is also aware (via policy based routing, probably) of where that traffic needs to end up.

Shane Madden

Shane's answer regarding the next-hop is correct, but I want to point out one other issue. You currently have deny ACEs in your match ACL. When using PBR on a 3750 you should not have deny ACEs in your match ACLs. The 3750 does PBR in the TCAM but can't do so for denies. Denies will be CPU routed and can quickly kill performance on your switch. reference

Since you are doing PBR you must have the IP Services feature set, so you may want to consider using WCCP on the 3750 instead. It has a couple of advantages.

  • If your proxy fails the router will not attempt to send traffic to it and will route the traffic normally allowing Internet access to continue uninterrupted. (Depending on why you are proxying this may or may not be the behavior you want.)
  • You can add additional proxies for redundancy.

Keep in mind that WCCP on the 3750 does L2 redirection and return. A lot of the guides for configuring Squid and WCCP are based upon GRE redirection.

TimS
  • +1 - great catch on the deny ACL, and good point that WCCP would be a much better idea. – Shane Madden May 07 '11 at 05:42
  • Thanks for the info, I have never done WCCP but I think I will give it a try. I actually did run into the high cpu during periods of peak usage (due to the deny ace) – btk_ May 08 '11 at 18:40
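A small config checker, added here as an example and not part of either answer, that applies both points above to a flat IOS config: it flags deny ACEs in any ACL referenced by a route-map's match clause (TimS's point) and flags a set ip next-hop that falls outside every connected subnet on the device (Shane's point). The sample config is a constructed copy of Core2's configuration from the question, with 10.0.0.0/16 standing in for the anonymised x.x addresses.

```python
import ipaddress

# Constructed sample standing in for Core2 from the question (10.0.0.0/16 replaces the
# anonymised x.x addresses): no interface on the proxy's subnet, deny ACEs in the ACL.
CORE2_CONFIG = """\
ip access-list extended lab-filter
 deny tcp any any neq www 443
 deny ip any 10.0.0.0 0.0.255.255
 permit ip 10.0.120.0 0.0.0.255 any
route-map Barracuda permit 10
 match ip address lab-filter
 set ip next-hop 10.0.100.3
interface Vlan1120
 ip address 10.0.120.1 255.255.255.0
 ip policy route-map Barracuda
"""

def parse(config):
    """Collect ACE actions per ACL, route-map match/set clauses and connected subnets."""
    acls, maps, connected, kind, cur = {}, {}, [], None, None
    for line in config.splitlines():
        w = line.split()
        if not w:
            continue
        if not line.startswith(" "):            # unindented line opens a new section
            kind, cur = w[0], None
            if w[:3] == ["ip", "access-list", "extended"]:
                kind, cur = "acl", acls.setdefault(w[3], [])
            elif kind == "route-map":
                cur = maps.setdefault(w[1], {"acls": [], "hops": []})
        elif kind == "acl":                      # ACE (or remark): keep the action word
            cur.append(w[0])
        elif kind == "route-map" and w[:3] == ["match", "ip", "address"]:
            cur["acls"] += w[3:]
        elif kind == "route-map" and w[:3] == ["set", "ip", "next-hop"]:
            cur["hops"] += w[3:]
        elif kind == "interface" and w[:2] == ["ip", "address"]:
            connected.append(ipaddress.ip_interface(f"{w[2]}/{w[3]}").network)
    return acls, maps, connected

def lint_pbr(config):
    """Warn on deny ACEs in a PBR match ACL and on next-hops not on a connected subnet."""
    acls, maps, connected = parse(config)
    def on_link(ip):
        return any(ipaddress.ip_address(ip) in net for net in connected)
    return ([f"{rm}: match ACL {acl} contains deny ACEs (CPU-switched PBR on a 3750)"
             for rm, m in maps.items() for acl in m["acls"] if "deny" in acls.get(acl, [])]
            + [f"{rm}: next-hop {hop} is not on a connected subnet"
               for rm, m in maps.items() for hop in m["hops"] if not on_link(hop)])
```

Running lint_pbr(CORE2_CONFIG) reports both problems for Core2; on Core1, which has an SVI in the proxy's subnet, only the deny ACE warning remains until the match ACL is rewritten with permit entries.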