I understand that the 3750 does not support the ip default next-hop command, however I still have a need for some of my VLANs to go out a secondary internet connection. Let's say I have 4 VLANs (shown below). Can I effectively deny all local traffic to my route-map and still send internet traffic out the second gateway? Below I am denying the private ranges and then permit anything else. So then in theory, I could just add ip policy route-map PBR to each VLAN that I want to send out my second internet connection.
VLAN 10 = 192.168.10.0 /24
VLAN 11 = 192.168.11.0 /24
VLAN 100 = 10.10.0.0 /24
VLAN 106 = 172.20.1.0 /24
! Deny private-to-private traffic so it is NOT policy routed.
! Note: 10.0.0.0 needs wildcard 0.255.255.255 to cover all of 10/8
! (0.0.0.255 would only cover 10.0.0.0/24 and miss VLAN 100).
access-list 101 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 172.16.0.0 0.15.255.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 172.16.0.0 0.15.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 172.16.0.0 0.15.255.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 172.16.0.0 0.15.255.255
access-list 101 deny ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
! Everything else (internet-bound) is permitted and therefore matched by the route-map.
access-list 101 permit ip any any
!
route-map PBR permit 10
 match ip address 101
 set ip next-hop [Second-Default-Gateway-IP]
!
interface Vlan10
 ip policy route-map PBR
This leads me to my questions:
1) Internal traffic (inter-VLAN communications) should still function just fine, correct? Since the route-map will not match, the internal routes are still used?
2) If the above config example does work correctly, is there a way that I can have the PBR route-map essentially shut itself off if my [Second-Default-Gateway-IP] is not available? This way the VLANs would not be denied Internet access; they would go out the gateway of last resort.
The ip default next-hop would be the best way to go if I could do it. Is there any way that I could get some similar functionality without killing the CPU? Would vrf-lite be the only way?
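Added example (not from the post): a small Python model of the ACL/route-map logic above, using Cisco wildcard semantics, to check question 1 before touching the switch. It assumes the usual PBR behaviour that only ACL-permitted packets match the route-map clause and get the next-hop, while ACL-denied packets fall through to the normal routing table; the flows are constructed from the VLANs listed in the post, and it also shows why the wildcard on 10.0.0.0 must be 0.255.255.255 rather than 0.0.0.255.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard: bits set to 1 in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def policy_routed(acl, src, dst):
    """route-map PBR permit 10 / match ip address <acl>: only ACL-permitted
    packets match the clause and receive 'set ip next-hop'; denied packets
    are routed normally (assumed PBR semantics)."""
    return acl_action(acl, src, dst) == "permit"

def rfc1918_acl(ten_wildcard):
    """Build the deny-private-to-private ACL from the post, parameterised on
    the wildcard used for 10.0.0.0, followed by 'permit ip any any'."""
    blocks = [("192.168.0.0", "0.0.255.255"),
              ("172.16.0.0", "0.15.255.255"),
              ("10.0.0.0", ten_wildcard)]
    acl = [("deny", s, sw, d, dw) for s, sw in blocks for d, dw in blocks]
    acl.append(("permit", "0.0.0.0", "255.255.255.255",
                "0.0.0.0", "255.255.255.255"))
    return acl

ACL_NARROW = rfc1918_acl("0.0.0.255")    # covers 10.0.0.0/24 only
ACL_FULL = rfc1918_acl("0.255.255.255")  # covers all of 10.0.0.0/8

# Constructed sample flows; 203.0.113.10 is a documentation-range address.
FLOWS = {
    "vlan10_to_vlan11":   ("192.168.10.5", "192.168.11.7"),
    "vlan10_to_vlan100":  ("192.168.10.5", "10.10.0.9"),
    "vlan100_to_vlan106": ("10.10.0.9", "172.20.1.3"),
    "vlan10_to_internet": ("192.168.10.5", "203.0.113.10"),
}

def evaluate(acl):
    """Map each flow name to True if it would be sent to the PBR next-hop."""
    return {name: policy_routed(acl, s, d) for name, (s, d) in FLOWS.items()}

if __name__ == "__main__":
    for label, acl in (("narrow 10/24 wildcard", ACL_NARROW), ("full 10/8 wildcard", ACL_FULL)):
        print(label, evaluate(acl))
```

With the full 10/8 wildcard only the internet-bound flow is policy routed; with the narrow one, any flow touching VLAN 100 (10.10.0.0/24) slips past the denies and would be sent to the second gateway.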
I can't think of another way to achieve what you want short of using a separate switch for these VLANs. I would try the PBR route and see what happens to the CPU before going down the vrf-lite path.
The only other thing you could do is forward all traffic to the gateway of last resort and then have PBR on that device redirect traffic from your specific VLANs to the second default gateway. This would remove the processing overhead from the 3750.