816 Views | 5 Helpful | 8 Replies

PBR and Cat3560

Phil Williamson (Level 1)

I'm configuring public wireless access and want to keep it off the corp network. I have a wireless LAN controller trunked to the Cat3560 also.

I cannot wrap my head around the PBR to get this to work

!
interface Vlan1
 description Corp LAN
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 description Public Wireless
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map PBR
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map PBR permit 10
 match ip address 101
 set interface Null0
!
route-map PBR permit 20
!

I get the error:

PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RoutePubWireless not supported for Policy-Based Routing

when I try to set the null0 interface. So if I cannot route to a black-hole how do I drop this traffic?

1 Accepted Solution (Jon Marshall's reply in the thread below)

8 Replies

Edison Ortiz (Hall of Fame)

Apply an incoming ACL on the Corp Vlan (Vlan 1).

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
!
interface Vlan1
 ip access-group 101 in

HTH,

__

Edison.

Should I just leave you to it tonight :-)

nope, I'm leaving soon :)

Jon Marshall (Hall of Fame)

Phillip

Why do you need PBR here ie. why not just use a normal acl on vlan 2 interface -

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan2
 ip access-group 101 in

Jon

Jon,

I left out one important piece.

I need to route 192.168.1.0/24 out a specific ISP firewall.

route-map PBR permit 20
 set ip next-hop 10.0.0.1

Where default-route for all traffic is to 10.0.0.2

Phillip

Yes that was quite an important bit :-).

PBR happens after checking any acl on the vlan interface so use the acl as per previous post and then just use a route-map for the rest of the traffic ie.

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address 102
 set ip next-hop 10.0.0.1
!
interface Vlan2
 ip policy route-map PBR

Jon
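The point Jon's answer turns on is processing order on the ingress SVI: the inbound access-group is evaluated first, and only packets it permits reach the route-map, which then sets a next hop without re-checking the ACL. The following Python model is an added illustration of that order, not Cisco code and not anything posted in this thread. It assumes the thread's addressing (guest Vlan2 192.168.1.0/24, corp 10.0.0.0/8, guest ISP firewall 10.0.0.1, default route via 10.0.0.2) and the sample flows it runs are constructed.

```python
import ipaddress

# Added illustration (not Cisco code): a small model of how an ingress packet on a
# Cat3560 SVI is handled, in the order the thread settles on: inbound ACL first,
# then PBR, then the normal routing table. Addresses are the thread's assumed
# values: guest Vlan2 192.168.1.0/24, corp 10.0.0.0/8, guest ISP firewall
# 10.0.0.1, default route via 10.0.0.2.


def wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS 'address wildcard' pair to a network.

    The wildcard is the bitwise inverse of a netmask. Only contiguous wildcards
    are supported here; ip_network rejects a non-contiguous mask.
    """
    inverted = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


ANY = wildcard_net("0.0.0.0", "255.255.255.255")    # 'any' in IOS ACL syntax
GUEST = wildcard_net("192.168.1.0", "0.0.0.255")
CORP = wildcard_net("10.0.0.0", "0.255.255.255")

# access-list 101, applied 'ip access-group 101 in' on Vlan2 (Jon's first reply)
ACL_101 = [
    ("deny", GUEST, CORP),
    ("permit", GUEST, ANY),
]
# access-list 102, referenced by 'match ip address 102' in route-map PBR
ACL_102 = [
    ("permit", GUEST, ANY),
]
# route-map PBR permit 10: match ip address 102 / set ip next-hop 10.0.0.1
ROUTE_MAP_PBR = [(ACL_102, "10.0.0.1")]
DEFAULT_NEXT_HOP = "10.0.0.2"   # assumed 'ip route 0.0.0.0 0.0.0.0 10.0.0.2'


def acl_action(acl, src, dst) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def forward(src: str, dst: str) -> str:
    """Return what the switch does with a packet entering Vlan2."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # 1. The interface ACL is evaluated before any policy routing.
    if acl_action(ACL_101, s, d) == "deny":
        return "dropped by ACL 101"
    # 2. PBR sees only packets the ACL let through. The route-map's match ACL
    #    tests the packet's destination; the next hop it sets is never checked
    #    against ACL 101.
    for match_acl, next_hop in ROUTE_MAP_PBR:
        if acl_action(match_acl, s, d) == "permit":
            return f"policy-routed to {next_hop}"
    # 3. Anything the route-map does not match follows the routing table.
    return f"routed via default to {DEFAULT_NEXT_HOP}"


def trace(flows):
    """Run (src, dst) pairs through forward() and return [(src, dst, outcome)]."""
    return [(src, dst, forward(src, dst)) for src, dst in flows]


if __name__ == "__main__":
    # Constructed sample flows
    for src, dst, outcome in trace([
        ("192.168.1.50", "10.0.0.25"),   # guest -> corp host
        ("192.168.1.50", "8.8.8.8"),     # guest -> Internet
        ("192.168.1.50", "10.0.0.1"),    # guest -> the ISP firewall's own address
        ("172.16.0.9", "8.8.8.8"),       # spoofed source on the guest VLAN
    ]):
        print(f"{src:>14} -> {dst:<10} {outcome}")
```

Two things the model makes visible that the configs alone do not: a guest packet to 8.8.8.8 passes ACL 101 and is then handed to 10.0.0.1 even though that address sits inside the denied 10.0.0.0/8, because the ACL inspects the destination, not the next hop; and a guest packet addressed to 10.0.0.1 itself is dropped by the same ACL, which is the gap a leading "permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1" entry closes if the firewall must be reachable directly. The implicit deny also discards any source that is not in 192.168.1.0/24, a useful anti-spoofing side effect of the guest ACL. The model ignores packets addressed to the SVI itself and locally connected destinations.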

Jon and Edison,

Thx for the help. That did the trick.

I had completely forgotten about the order of packet inspection on an interface.

As I heard some time ago - "You have to think like a packet".

Phil

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
