I have two 3750s that are routing via SVIs for server subnets (Core1 and Core2 respectively). On Core1 I have vlan 1100 that has an SVI of x.x.100.1 with a transparent squid proxy on 100.3.
When I do the following on core1:
ip access-list extended lab-filter
remark ### Force HTTP and HTTPS to Barracuda ###
deny tcp any any neq www 443
deny ip any x.x.x.x 0.0.255.255
permit ip x.x.x.x 0.0.0.255 any
route-map Barracuda permit 20
match ip address lab-filter
set ip next-hop x.x.100.3
interface Vlan1100
description Barracuda VLAN Interface
ip address x.x.100.1 255.255.255.0
no ip redirects
no ip proxy-arp
On Core1
interface Vlan1010
ip address x.x.10.1 255.255.255.0
ip access-group 115 in
ip access-group 116 out
no ip redirects
no ip proxy-arp
ip policy route-map Barracuda
On Core2
interface Vlan1120
ip address x.x.120.1 255.255.255.0
ip access-group 102 in
no ip proxy-arp
ip policy route-map Barracuda
Everything works fine, all web traffic gets kicked over to the filter.
The question comes in when I have the other 3750 that is directly connected to Core1 and try the same thing: it doesn't redirect the traffic to 100.3.
core1#sho route-map
route-map Barracuda, permit, sequence 20
Match clauses:
ip address (access-lists): lab-filter
Set clauses:
ip next-hop x.x.100.3
Policy routing matches: 138260 packets, 12930735 bytes
core2#sho route-map
route-map Barracuda, permit, sequence 10
Match clauses:
ip address (access-lists): lab-filter
Set clauses:
ip next-hop x.x.100.3
Nexthop tracking current: 0.0.0.0
x.x.100.3, fib_nh:0,oce:0,status:0
Policy routing matches: 0 packets, 0 bytes
Basically I am trying to take everything out of vlan 1010 on Core1 and vlan 1120 out of Core2 and redirect port 80 and 443 to 100.3, which is directly connected to Core1.
Does the next hop IP have to be a connected route, and if not, how can I get past this?
Best Answer
The next hop should be the next layer 3 address that the traffic will be passed to, so yes, it should be on a network segment that is directly connected to the 3750 and has a connected route.
Keep in mind that you aren't rewriting the packet's destination address, you're just routing it in a different way. So, the next layer 3 hop should either be the Barracuda (when your router directly touches the VLAN that the Barracuda is on), or else a next-hop layer 3 router that is also aware (via policy based routing, probably) of where that traffic needs to end up.
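The answer's point, that a `set ip next-hop` address only works when it sits on a subnet the policy-routing switch is directly connected to, is easy to verify before touching production. The following Python checker is an added example, not part of the question or the answer: it parses IOS-style `interface` / `ip address` and `route-map` / `set ip next-hop` lines and reports, for each route-map, which connected interface (if any) contains the next hop. The sample configs are constructed stand-ins for the `x.x.*` addresses in the post, and the transit VLAN 1001 between Core1 and Core2 is an assumption the post does not state.

```python
"""Check whether a PBR 'set ip next-hop' address lies on a directly connected
subnet of the device that applies the route-map (IOS-style config text).

Added example; the sample configs below are constructed, not from the post."""
import ipaddress
import re

# Constructed: Core1 owns the proxy VLAN (10.0.100.0/24, proxy at .3).
# Assumed: a transit VLAN 1001 (10.0.1.0/24) links Core1 and Core2.
CORE1_CONFIG = """
interface Vlan1100
 ip address 10.0.100.1 255.255.255.0
interface Vlan1010
 ip address 10.0.10.1 255.255.255.0
 ip policy route-map Barracuda
interface Vlan1001
 ip address 10.0.1.1 255.255.255.0
route-map Barracuda permit 20
 match ip address lab-filter
 set ip next-hop 10.0.100.3
"""

# Constructed: Core2 reuses the same next-hop even though 10.0.100.0/24
# is not one of its connected subnets.
CORE2_CONFIG = """
interface Vlan1120
 ip address 10.0.120.1 255.255.255.0
 ip policy route-map Barracuda
interface Vlan1001
 ip address 10.0.1.2 255.255.255.0
route-map Barracuda permit 10
 match ip address lab-filter
 set ip next-hop 10.0.100.3
"""


def connected_subnets(config):
    """Return {interface_name: IPv4Network} for every 'ip address A MASK' line."""
    subnets = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+ip address (\S+) (\S+)$", line)
        if m and current:
            # ipaddress accepts a dotted-decimal netmask after the slash.
            iface = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            subnets[current] = iface.network
    return subnets


def pbr_next_hops(config):
    """Return [(route_map_name, IPv4Address)] for each 'set ip next-hop' clause."""
    hops = []
    current = None
    for line in config.splitlines():
        m = re.match(r"^route-map (\S+) ", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+set ip next-hop (\S+)", line)
        if m and current:
            hops.append((current, ipaddress.IPv4Address(m.group(1))))
    return hops


def connected_interface(config, next_hop):
    """Name of the interface whose subnet contains next_hop, or None if not connected."""
    nh = ipaddress.IPv4Address(next_hop)
    for name, net in connected_subnets(config).items():
        if nh in net:
            return name
    return None


def check_pbr(config):
    """Map each route-map name to the connected interface that reaches its next hop.

    A value of None means the next hop is not on any connected subnet, which is
    exactly the Core2 situation in the post (0 policy routing matches)."""
    return {name: connected_interface(config, nh) for name, nh in pbr_next_hops(config)}


if __name__ == "__main__":
    for device, cfg in (("core1", CORE1_CONFIG), ("core2", CORE2_CONFIG)):
        for rmap, iface in check_pbr(cfg).items():
            status = f"connected via {iface}" if iface else "NOT on a connected subnet"
            print(f"{device}: route-map {rmap} next-hop is {status}")
```

For Core1 the checker reports the next hop as reachable via Vlan1100; for Core2 it reports None, matching the zero-match counter in the question. Following the answer, Core2's fix is a next hop it is actually adjacent to (in this constructed topology, Core1's transit address 10.0.1.1), with Core1 then policy-routing that traffic onward to the proxy; rerunning `connected_interface(CORE2_CONFIG, "10.0.1.1")` confirms the new hop is connected before the change is applied.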