08-07-2009 02:08 PM - edited 03-06-2019 07:09 AM
I'm configuring public wireless access and want to keep it off the corp network. I have a wireless LAN controller trunked to the Cat3560 also.
I cannot wrap my head around the PBR to get this to work.
!
interface Vlan1
 ip address 10.0.0.254 255.255.255.0
 description Corp LAN
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 description Public Wireless
 ip policy route-map PBR
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map PBR permit 10
 match ip address 101
 set interface Null0
!
route-map PBR permit 20
!
I get the error:
PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RoutePubWireless not supported for Policy-Based Routing
when I try to set the Null0 interface. So if I cannot route to a black hole, how do I drop this traffic?
08-07-2009 02:30 PM
Phillip
Yes, that was quite an important bit :-).
PBR happens after checking any ACL on the VLAN interface, so use the ACL as per the previous post and then just use a route-map for the rest of the traffic, i.e.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map PBR permit 10
 match ip address 102
 set ip next-hop 10.0.0.1
int vlan 2
 ip policy route-map PBR
Jon
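The ingress order Jon describes (inbound ACL first, then the policy route-map, then the normal routing table) is easy to get backwards, so here is an added example that is not part of the thread: a small Python model that parses the thread's own ACL and route-map lines and runs constructed sample packets through them. The configuration text is Jon's final answer, the default next hop 10.0.0.2 and the two connected subnets are taken from the thread; helper names such as ingress() and the sample Internet destination 203.0.113.7 are assumptions made for this illustration.

```python
"""Model of the Cat3560 ingress order settled on in the thread:
inbound ACL first, then the policy route-map, then normal routing.
Added example for this page, not Cisco code.  The ACL and route-map
text is the thread's own configuration; the helper names and the
sample packets are constructed for the illustration."""
import ipaddress

# Jon's final configuration: ACL 101 inbound on Vlan2, route-map PBR
# matching ACL 102.  Default route to 10.0.0.2 as the poster states;
# Vlan1 = 10.0.0.0/24, Vlan2 = 192.168.1.0/24.
CONFIG = """
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map PBR permit 10
 match ip address 102
 set ip next-hop 10.0.0.1
"""
DEFAULT_NEXT_HOP = "10.0.0.2"
CONNECTED = ["10.0.0.0/24", "192.168.1.0/24"]


def _wc_match(addr, wildcard, ip):
    """Cisco wildcard compare: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(addr)) & care)


def _addr_spec(tok, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tok[i]."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2


def parse_acls(config):
    """Return {number: [(action, (src, wc), (dst, wc)), ...]} from 'access-list N permit|deny ip ...' lines."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _addr_spec(tok, 4)
        dst, _ = _addr_spec(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls


def acl_action(entries, src, dst):
    """First matching entry wins; the implicit 'deny any any' at the end is modelled."""
    for action, (sa, sw), (da, dw) in entries:
        if _wc_match(sa, sw, src) and _wc_match(da, dw, dst):
            return action
    return "deny"


def parse_route_map(config, name):
    """Collect the sequences of one route-map: action, matched ACL, next hop."""
    seqs, cur = [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "route-map":
            cur = None
            if tok[1] == name:  # a bare 'route-map NAME 10' defaults to permit
                action = tok[2] if tok[2] in ("permit", "deny") else "permit"
                cur = {"action": action, "acl": None, "next_hop": None}
                seqs.append(cur)
        elif cur is not None and tok[:3] == ["match", "ip", "address"]:
            cur["acl"] = tok[3]
        elif cur is not None and tok[:3] == ["set", "ip", "next-hop"]:
            cur["next_hop"] = tok[3]
    return seqs


def ingress(src, dst, acl_in=None, route_map=None, config=CONFIG):
    """One packet entering an SVI: inbound ACL, then PBR, then the routing table."""
    acls = parse_acls(config)
    # 1. The inbound ACL is evaluated before any policy routing.
    if acl_in is not None and acl_action(acls.get(acl_in, []), src, dst) == "deny":
        return "DROP (inbound ACL %s)" % acl_in
    # 2. Policy route-map: first sequence whose match ACL permits the packet.
    if route_map is not None:
        for seq in parse_route_map(config, route_map):
            matched = seq["acl"] is None or acl_action(acls.get(seq["acl"], []), src, dst) == "permit"
            if not matched:
                continue
            if seq["action"] == "deny" or seq["next_hop"] is None:
                break  # deny sequence or no set clause: fall back to normal routing
            return seq["next_hop"]
    # 3. Normal routing: connected networks first, then the default route.
    for net in CONNECTED:
        if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(net):
            return "connected %s" % net
    return DEFAULT_NEXT_HOP


if __name__ == "__main__":
    # Guest to corp: dropped by the ACL before the route-map can send it anywhere.
    print(ingress("192.168.1.10", "10.0.0.5", acl_in="101", route_map="PBR"))
    # Guest to the Internet: policy-routed to the guest ISP firewall.
    print(ingress("192.168.1.10", "203.0.113.7", acl_in="101", route_map="PBR"))
    # Same guest-to-corp packet with no inbound ACL: PBR hands it to 10.0.0.1,
    # which is what the poster was trying to black-hole in the route-map.
    print(ingress("192.168.1.10", "10.0.0.5", route_map="PBR"))
    # Corp to the Internet (Vlan1, no ACL, no policy): default route.
    print(ingress("10.0.0.5", "203.0.113.7"))
    # Corp to guest: an ACL applied 'in' on Vlan2 never sees this direction.
    print(ingress("10.0.0.5", "192.168.1.10"))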
08-07-2009 02:18 PM
Apply an incoming ACL on the Corp Vlan (Vlan 1).
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
interface vlan 1
ip access-group 101 in
HTH,
__
Edison.
08-07-2009 02:20 PM
Should i just leave you to it tonight :-)
08-07-2009 02:31 PM
nope, I'm leaving soon :)
08-07-2009 02:20 PM
Phillip
Why do you need PBR here ie. why not just use a normal acl on vlan 2 interface -
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
int vlan 2
ip access-group 101 in
Jon
08-07-2009 02:25 PM
Jon,
I left out one important piece.
I need to route 192.168.1.0/24 out a specific ISP firewall.
route-map PBR 20
set ip next-hop 10.0.0.1
Where default-route for all traffic is to 10.0.0.2
08-07-2009 02:30 PM
Phillip
Yes that was quite an important bit :-).
PBR happens after checking any acl on the vlan interface so use the acl as per previous post and then just use a route-map for the rest of the traffic ie.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map PBR permit 10
match ip address 102
set ip next-hop 10.0.0.1
int vlan 2
ip policy route-map PBR
Jon
08-11-2009 04:53 AM
Jon and Edison,
Thx for the help. That did the trick.
I had completely forgotten about the order of packet inspection on an interface.
As I heard some time ago - "You have to think like a packet".
Phil
08-07-2009 02:30 PM
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide