I have a project to complete and need some help with the possible solutions I can use.
Basically we have OSPF area 0, and the users in question are in OSPF area 7, which is a stub.
I need to route the traffic from these users out through area 0, through 3 core devices, onto an external firewall interface, to be placed onto the VPN that sits on it. The firewall is not included in the OSPF domain.
My thinking was that the firewall has a default route back into the OSPF domain, so I don't need to worry about traffic coming in; however, my job is to segregate these users, take them out of our core network and place them onto an external network via this VPN.
Not sure how to achieve this apart from redistributed static routing, but surely this does not separate their traffic, it only points the route into OSPF?!
I was thinking I might have to use private VLANs or policy routing, but when I try policy routing the policy gets ignored due to normal forwarding.
Any help and advice would be greatly appreciated.
Please don't take this the wrong way, but you need to read my answers more carefully, i.e.:
1) you need to use "set ip next-hop recursive x.x.x.x" because the next hop is not directly connected. That is assuming the recursive next hop feature is supported on the 4500.
2) if this is for traffic to the firewall then, unless you were using dummy IPs in your initial posts, the source IPs should be the area 7 user subnet, i.e. 10.2.1.0/24, but they aren't in your example (although they were in a previous example).
What is int gi3/12 connecting to? If it is the 6500 then you are applying the PBR to the wrong interface, as well as the interface ACL, and could well affect other traffic.
If this is traffic to the firewall this config should be:
1) applied to interface connecting the 4500 to the 3550
2) the source subnets should be 10.2.1.x and what you have as the source subnets should presumably be the destination subnets.
If the gi3/12 interface is the one connecting to the 6500, and the 4500 is used by other people within your network, then if you had applied that configuration you would have effectively cut off all users that go via the 4500 to area 0.
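A constructed Cisco IOS example of the layout the reply describes, added here and not taken from the poster's configuration or the thread: PBR on the 4500, bound to the interface facing the 3550 (the area 7 side), matching only the 10.2.1.0/24 source subnet, with a recursive next hop because the firewall interface is not directly connected. The interface name, the addresses 10.2.0.1, 192.0.2.1 and the destination subnet 198.51.100.0/24 are placeholders.

```cisco
! Constructed example. Placeholders: GigabitEthernet3/1 (link to the 3550),
! 10.2.0.1 (4500 side of that link), 192.0.2.1 (firewall inside interface),
! 198.51.100.0/24 (destination subnet to be reached via the VPN).
!
! Match source = area 7 user subnet only. Anything not matched by the ACL
! falls through to normal OSPF forwarding, so other users on the 4500
! are untouched. Replace the destination with "any" only if every flow
! from 10.2.1.0/24 is meant to leave via the firewall.
ip access-list extended AREA7-TO-VPN
 remark area 7 users -> VPN destinations (placeholder destination subnet)
 permit ip 10.2.1.0 0.0.0.255 198.51.100.0 0.0.0.255
!
route-map AREA7-VPN permit 10
 match ip address AREA7-TO-VPN
 ! The firewall is several hops away through the area 0 core, so the
 ! next hop must be resolved through the routing table ("recursive").
 ! A plain "set ip next-hop" needs a directly connected next hop and
 ! would be ignored here. Recursive next-hop support on the 4500 is
 ! an assumption the reply itself flags; check the platform first.
 set ip next-hop recursive 192.0.2.1
!
! Bind the policy to the 3550-facing interface, NOT the link toward the
! 6500 / area 0; applying it there would policy-route transit traffic
! from other parts of the network.
interface GigabitEthernet3/1
 description Link to 3550 (area 7 stub users)
 ip address 10.2.0.1 255.255.255.252
 ip policy route-map AREA7-VPN
!
! Checks after applying:
!   show ip policy                (interface <-> route-map binding)
!   show route-map AREA7-VPN      (match counter should increment)
!   show ip route 192.0.2.1       (recursive next hop must resolve)
! PBR is one-way: the return path still relies on the firewall's
! default route back into the OSPF domain, as described in the question.
```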