PBR and Cat3560

Answered Question
Aug 7th, 2009

I'm configuring public wireless access and want to keep it off the corp network. I have a wireless LAN controller trunked to the Cat3560 also.

I cannot wrap my head around the PBR to get this to work.

!
interface Vlan1
 ip address 10.0.0.254 255.255.255.0
 description Corp LAN
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 description Public Wireless
 ip policy route-map PBR
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map PBR permit 10
 match ip address 101
 set interface null 0
!
route-map PBR permit 20
!

I get the error:

PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RoutePubWireless not supported for Policy-Based Routing

when I try to set the null0 interface. So if I cannot route to a black hole, how do I drop this traffic?

Edison Ortiz Fri, 08/07/2009 - 14:18

Apply an incoming ACL on the Corp Vlan (Vlan 1).

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
!
interface vlan 1
 ip access-group 101 in

HTH,

__

Edison.

Jon Marshall Fri, 08/07/2009 - 14:20

Phillip

Why do you need PBR here, ie. why not just use a normal acl on the vlan 2 interface:

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
int vlan 2
 ip access-group 101 in

Jon

Phil Williamson Fri, 08/07/2009 - 14:25

Jon,

I left out one important piece.

I need to route 192.168.1.0/24 out a specific ISP firewall.

route-map PBR permit 20
 set ip next-hop 10.0.0.1

where the default route for all traffic is to 10.0.0.2.

Correct Answer
Jon Marshall Fri, 08/07/2009 - 14:30

Phillip

Yes that was quite an important bit :-).

PBR happens after checking any acl on the vlan interface, so use the acl as per the previous post and then just use a route-map for the rest of the traffic, ie.

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address 102
 set ip next-hop 10.0.0.1
!
int vlan 2
 ip policy route-map PBR

Jon

Phil Williamson Tue, 08/11/2009 - 04:53

Jon and Edison,

Thx for the help. That did the trick.

I had completely forgotten about the order of packet inspection on an interface.

As I heard some time ago - "You have to think like a packet".

Phil

Edison Ortiz Fri, 08/07/2009 - 14:30

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
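The order of operations Jon describes (inbound access-group first, then the route-map, then the routing table) is the whole reason Edison's access-list 101 has to permit the firewall host 10.0.0.1 before the deny for 10.0.0.0/8: otherwise the inbound ACL drops the very packets that PBR is supposed to hand to 10.0.0.1. The following Python model is an added illustration, not part of the thread or of any Cisco code. It parses the ACL lines from Edison's and Jon's posts with a Cisco wildcard-mask match and walks a packet through the same three steps; the sample packets and the 203.0.113.9 destination are constructed, and the 10.0.0.2 default next hop is the one Phil mentions.

```python
import ipaddress

# Constructed from the thread: Edison's inbound ACL on the wireless SVI and
# Jon's PBR match ACL plus route-map (numbers follow the posts).
INBOUND_ACL_101 = [
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
]
PBR_ACL_102 = ["access-list 102 permit ip 192.168.1.0 0.0.0.255 any"]
# route-map PBR permit 10 / match ip address 102 / set ip next-hop 10.0.0.1
ROUTE_MAP_PBR = [(10, PBR_ACL_102, "10.0.0.1")]
DEFAULT_NEXT_HOP = "10.0.0.2"  # global default route from Phil's post


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume one ACL address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC DST' into (action, src, dst)."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = tokens[2]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    if rest:
        raise ValueError(f"trailing tokens in ACE: {line}")
    return action, src, dst


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False


def forward(src: str, dst: str, inbound_acl=INBOUND_ACL_101,
            route_map=ROUTE_MAP_PBR, default_next_hop=DEFAULT_NEXT_HOP):
    """Model of the SVI: inbound access-group, then PBR, then routing table."""
    if not acl_permits(inbound_acl, src, dst):
        return ("drop", "inbound access-group")
    for _seq, match_acl, next_hop in route_map:
        if acl_permits(match_acl, src, dst):
            return ("forward", next_hop)
    # No route-map sequence matched: fall through to normal routing.
    return ("forward", default_next_hop)


if __name__ == "__main__":
    for src, dst in [("192.168.1.10", "10.0.0.5"),      # corp host: dropped
                     ("192.168.1.10", "10.0.0.1"),      # ISP firewall: allowed
                     ("192.168.1.10", "203.0.113.9"),   # internet: via 10.0.0.1
                     ("192.168.2.5", "203.0.113.9")]:   # stray source: default route
        print(src, "->", dst, forward(src, dst))
```

Swapping the first two lines of INBOUND_ACL_101 in the model makes the 10.0.0.1 case return a drop, which is the failure mode the ordering avoids; the implicit deny at the end of access-list 102 is also why a source outside 192.168.1.0/24 falls through to the 10.0.0.2 default route instead of being policy-routed.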
