PBR and Cat3560

Answered Question
Aug 7th, 2009
I'm configuring public wireless access and want to keep it off the corp network. I have a wireless LAN controller trunked to the Cat3560 also.

I cannot wrap my head around the PBR to get this to work.

!
interface Vlan1
 description Corp LAN
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 description Public Wireless
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map PBR
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map PBR permit 10
 match ip address 101
 set interface Null0
!
route-map PBR permit 20
!

I get the error:

PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RoutePubWireless not supported for Policy-Based Routing

when I try to set the null0 interface. So if I cannot route to a black-hole how do I drop this traffic?

Edison Ortiz Fri, 08/07/2009 - 14:18

Apply an incoming ACL on the Corp Vlan (Vlan 1).

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any

interface vlan 1
 ip access-group 101 in

HTH,

Edison.

Jon Marshall Fri, 08/07/2009 - 14:20

Should I just leave you to it tonight :-)

Edison Ortiz Fri, 08/07/2009 - 14:31

Nope, I'm leaving soon :)

Jon Marshall Fri, 08/07/2009 - 14:20

Phillip

Why do you need PBR here, i.e. why not just use a normal ACL on the vlan 2 interface -

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

int vlan 2
 ip access-group 101 in

Jon

Phil Williamson Fri, 08/07/2009 - 14:25

Jon,

I left out one important piece.

I need to route 192.168.1.0/24 out a specific ISP firewall.

route-map PBR permit 20
 set ip next-hop 10.0.0.1

Where the default route for all traffic is to 10.0.0.2.

Correct Answer
Jon Marshall Fri, 08/07/2009 - 14:30

Phillip

Yes that was quite an important bit :-).

PBR happens after checking any ACL on the vlan interface, so use the ACL as per previous post and then just use a route-map for the rest of the traffic, i.e.

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

route-map PBR permit 10
 match ip address 102
 set ip next-hop 10.0.0.1

int vlan 2
 ip policy route-map PBR

Jon
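The order of operations Jon relies on (inbound ACL first, then PBR, then the normal routing table), simulated in Python as an added example that is not part of the thread. It uses the thread's ACLs and next-hops, assumes Edison's three-line ACL is also applied inbound on vlan 2, and the Internet destination 198.51.100.7 and the source 172.16.0.9 are constructed test values.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # Cisco "any" written as base/wildcard

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard masks: a set bit means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, (s, swc), (d, dwc) in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action
    return "deny"

# Jon's inbound ACL for vlan 2: block the corp 10/8 range, permit everything else.
ACL_101_JON = [
    ("deny",   ("192.168.1.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255")),
    ("permit", ("192.168.1.0", "0.0.0.255"), ANY),
]
# Edison's later ACL (assumed here to be applied inbound on vlan 2 as well):
# the ISP firewall host is permitted *before* the 10/8 deny, because order matters.
ACL_101_EDISON = [
    ("permit", ("192.168.1.0", "0.0.0.255"), ("10.0.0.1", "0.0.0.0")),
    ("deny",   ("192.168.1.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255")),
    ("permit", ANY, ANY),
]
# route-map PBR permit 10: match ip address 102, set ip next-hop 10.0.0.1
ACL_102 = [("permit", ("192.168.1.0", "0.0.0.255"), ANY)]
ROUTE_MAP_PBR = [("permit", ACL_102, "10.0.0.1")]
DEFAULT_NEXT_HOP = "10.0.0.2"  # the default route from the thread

def forward(src, dst, acl_in, route_map=ROUTE_MAP_PBR):
    """Order of operations on the SVI: inbound ACL, then PBR, then normal routing."""
    if acl_lookup(acl_in, src, dst) == "deny":
        return "dropped by inbound ACL"
    for action, match_acl, next_hop in route_map:
        # A permit ACE in the match ACL selects this sequence; a deny ACE or the
        # implicit deny falls through to the next sequence (None = match all).
        if action == "permit" and (match_acl is None or acl_lookup(match_acl, src, dst) == "permit"):
            return f"policy-routed to {next_hop}"
    return f"routed normally via {DEFAULT_NEXT_HOP}"

if __name__ == "__main__":
    # 198.51.100.7 stands in for an Internet host; 172.16.0.9 is a constructed non-wireless source.
    for src, dst in (("192.168.1.50", "10.0.0.5"), ("192.168.1.50", "10.0.0.1"),
                     ("192.168.1.50", "198.51.100.7"), ("172.16.0.9", "198.51.100.7")):
        print(f"{src} -> {dst}: Jon={forward(src, dst, ACL_101_JON)}; "
              f"Edison={forward(src, dst, ACL_101_EDISON)}")
```

The ACL decides on the packet's real destination, not on the PBR next-hop, which is why Internet-bound wireless traffic still reaches 10.0.0.1 even though the ACL denies everything addressed into 10/8.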

Phil Williamson Tue, 08/11/2009 - 04:53

Jon and Edison,

Thx for the help. That did the trick.

I had completely forgotten about the order of packet inspection on an interface.

As I heard some time ago - "You have to think like a packet".

Phil

Edison Ortiz Fri, 08/07/2009 - 14:30

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
