
no PBR recursive or PBR

Last Modified: 2017-05-22
From the pic below, I'd like to have PC1 DG as FW2 and PC2 DG as FW1. Now from my understanding, this can be done with PBR recursive configured on vlan40 at sw4 and on the transit vlans between the switches on the ring. But the problem is all of my switches are 3750s and according to Cisco TAC, the 3750s do not support next hop recursive or default next hop. Can this be accomplished without PBR or if I move PC1 subnet to another VLAN, how will I configure to have FW2 as the DG for the new VLAN? Thanks

pic

CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
The way I see it, you basically have two options:
- use PBR without recursive resolution of next hop
- create separate VLAN for target hosts and extend VLAN through network directly to FW2 and make FW2 default gateway
leblancAccounting

Author

Commented:
Extend VLAN? Does it mean tunnel like L2TPv3 and such?
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
L2TPv3 - no
If I remember correctly VLAN 200 is already on SW5, just extend it to SW4 (and beyond if needed).
And you can configure PBR with firewall IP 10.100.200.1 as the next hop.
Add VLAN 200 (10.100.200.0/24) to SW4 and to the VLAN trunk between SW4 and SW5; on SW4 create an SVI for VLAN 200, assign an IP address, etc.
Then you don't need recursive resolution of the next hop, as the VLAN with that IP address range is directly connected.
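The approach described above (extend VLAN 200 to SW4, then point PBR at FW2 as a directly connected next hop), written out as an added SW4 configuration example; this is not configuration posted in the thread. It assumes PC1 is 10.10.40.10 in 10.10.40.0/24 on VLAN 40, SW4's VLAN 200 SVI is 10.100.200.2, the SW4-SW5 link is an 802.1Q trunk on Gi1/0/1 that already carries VLAN 203, and 10.0.0.0/8 is the internal range that should keep its normal EIGRP path (all constructed); FW2 at 10.100.200.1 comes from the thread.

```cisco
! Added example for SW4 (not from the thread). Assumed values: PC1 = 10.10.40.10,
! VLAN 40 = 10.10.40.0/24, SW4 VLAN 200 SVI = 10.100.200.2, trunk = Gi1/0/1,
! internal range = 10.0.0.0/8. FW2 = 10.100.200.1 is from the thread.

! PBR on a 3750 is only available under the routing SDM template (reload needed)
sdm prefer routing

! Extend VLAN 200 to SW4 so FW2 becomes a directly connected next hop;
! no recursive or default next-hop resolution is then required
vlan 200
 name FW2_TRANSIT
!
interface GigabitEthernet1/0/1
 description Trunk to SW5 (assumed; carries transit VLAN 203 plus VLAN 200)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 200
!
interface Vlan200
 ip address 10.100.200.2 255.255.255.0
!
! Policy only PC1's Internet-bound traffic; internal destinations (assumed
! 10.0.0.0/8) are denied here so they stay on the normal EIGRP path
ip access-list extended PC1_TO_FW2
 deny   ip host 10.10.40.10 10.0.0.0 0.255.255.255
 permit ip host 10.10.40.10 any
!
route-map PBR_PC1 permit 10
 match ip address PC1_TO_FW2
 set ip next-hop 10.100.200.1
!
! Apply the policy on the VLAN 40 SVI, where PC1's traffic enters SW4;
! PC2 and everything else on VLAN 40 are unaffected and use FW1 as before
interface Vlan40
 ip address 10.10.40.1 255.255.255.0
 ip policy route-map PBR_PC1
```

FW2 still needs a return route for 10.10.40.0/24 pointing at 10.100.200.2 (the static route discussed later in the thread), and `show route-map PBR_PC1` on SW4 shows whether the policy is matching packets.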
leblancAccounting

Author

Commented:
Yes. But my links between the switches are routed links. So I don't think I can extend the VLANs.
CERTIFIED EXPERT
Distinguished Expert 2018

Commented:
If you created routed links then, no... you can't do it that way.
But, according to the drawing in the post, the link between SW4 and SW5 is done by VLAN 203 (10.10.200.8/30); that's why I thought it was possible to do it that way.
leblancAccounting

Author

Commented:
That vlan203 /30 is the transit vlan that carries EIGRP.
CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
some one
Network Architect
CERTIFIED EXPERT
Top Expert 2014
Commented:
leblancAccounting

Author

Commented:
Thanks for the suggestions. So it looks like I have 2 solutions here. Correct?
- Allow vlan200 (10.100.200.0/24 - FW2) on the trunks between the switches.
OR
- Use proxy-ARP, which requires manually setting the DG on the PCs. Right now my PCs get DHCP IP addresses.

Predrag,
Can you explain your static route, ip route 10.10.40.0 0.0.0.127 <SVI_vlan200_on_SW4>? Are you configuring this on SW4?
