PBR with Cisco 3560 using the SDM prefer routing template

Answered Question
Apr 25th, 2010

High-level current topology layout

Two layer 3 3560 switches and two Cisco ASA 5510 firewalls.

All four devices run OSPF.

One firewall is the primary internet for outbound traffic.

The other firewall is the primary internet for inbound traffic such as SMTP, web, etc.

All servers are on one VLAN, 10.0.5.0/24.

The primary outbound firewall is on its own VLAN, 192.168.19.0/24, and the secondary firewall for inbound traffic is on 192.168.18.0/24.

The servers use 10.0.5.1 as their default gateway, which is the layer 3 switch, a Cisco 3560 with the enhanced image.

The firewalls are Cisco ASAs. The primary FW advertises the default route with its default metric and the secondary advertises the default route with a higher metric so it is never used.

I created a route map for the handful of servers that need to send their internet traffic to the inbound firewall:

route-map inbound-internet permit 11
 match ip address 11
 set ip next-hop 192.168.18.2   (the firewall IP address)
!
Standard IP access list 11
   20 permit 10.0.5.41
   10 permit 10.0.5.40
   40 permit 10.0.5.49
   30 permit 10.0.5.221

This works fine, but the problem is that now the handful of servers can't communicate with the internal network, because the Cisco ASA is now their default gateway and the ASA has its own rules when it comes to U-turn traffic. I want all internet traffic to go to the ASA but internal traffic to stay on the L3 switch.

The internal networks are on other subnets outside of the server network, such as 10.1.1.x/24.

I tried creating this route map, but when I applied it the switch generated a log message stating it did not support the route map.

Access list 101 is the handful of servers with denies to the internal subnets.

route-map inbound-internet deny 10
 match ip address 101
!
route-map inbound-internet permit 11
 match ip address 11
 set ip next-hop 192.168.18.2
!

%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map inbound-internet not supported for Policy-Based Routing

Is this a limitation on this platform, or am I missing something?

Thanks for everyone’s participation on this post.

Regards,
Juan

Correct Answer
Ganesh Hariharan Sun, 04/25/2010 - 23:57


Hi Juan,

As per the error message documentation:

Error Message: PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map [chars] not supported for Policy-Based Routing

Explanation: This message means that the route-map attached to an interface for policy routing contains an action that is not supported on this platform. This is a hardware limitation. [chars] is the route-map.

Recommended Action: Reconfigure the route-map to use permit entries and set ip next-hop actions only.

Check out the link below for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.1_19_ea1/system/message/msg_desc.html#wp119193

Hope this helps!

Remember to rate the helpful post.

Ganesh.H

juan-ruiz Mon, 04/26/2010 - 11:29

Thank you for your response.

It was very helpful.

Regards,

Juan

Correct Answer
Jon Marshall Mon, 04/26/2010 - 00:14

Juan

PBR on the 3750 does not allow a deny statement with a route-map. However, you can use deny statements in the ACL, so:

access-list 101 deny ip host <server> <subnet> <wildcard>

where <subnet> is one of your internal subnets. For all traffic you want not to be policy routed you need to add a line in ACL 101. Then just add the ones you do want to be policy routed at the end, e.g.

You have a server 192.168.5.1 and 3 other internal VLANs:

vlan 10 = 192.168.6.0/24
vlan 11 = 192.168.7.0/24
vlan 12 = 192.168.8.0/24

You want the server not to be policy routed for the above VLANs but policy routed for everything else:

access-list 101 deny ip host 192.168.5.1 192.168.6.0 0.0.0.255
access-list 101 deny ip host 192.168.5.1 192.168.7.0 0.0.0.255
access-list 101 deny ip host 192.168.5.1 192.168.8.0 0.0.0.255
access-list 101 permit ip host 192.168.5.1 any

route-map PBR1 permit 10
 match ip address 101
 set ip next-hop x.x.x.x

So you can do all you want with one route-map statement. Anything you want not to be policy routed, just put it first in the ACL as a deny.

Edit: a word of warning though. Any denies in the ACL cause the matching traffic to be process switched as opposed to hardware switched, which can have a significant impact on the switch resources, so you need to keep an eye on the switch CPU once you apply the route-map.

Jon

juan-ruiz Mon, 04/26/2010 - 11:30

Thank you for your response.

It was very helpful.

Regards,

Juan
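The following is an added example, not code from the thread or from Cisco: it builds the single-entry route-map that Ganesh's quoted documentation requires (permit entries with set ip next-hop only) using the deny-in-the-ACL trick from Jon's answer, applied to Juan's own addresses (the four servers in 10.0.5.0/24, the inbound ASA at 192.168.18.2, the internal subnet 10.1.1.0/24), and then checks the first-match ACL semantics the trick depends on. The second internal subnet 10.1.2.0/24, the SVI name Vlan5, and the test destination 203.0.113.10 are assumptions; the ACL number 101 and route-map name come from Juan's post.

```python
"""Added example, not code from the thread: build the single-entry PBR
route-map Jon Marshall describes, render it as IOS config for Juan's
topology, and check the first-match ACL semantics it depends on."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")

# From the thread: servers that must use the inbound ASA, and that ASA's IP.
PBR_SERVERS = ["10.0.5.40", "10.0.5.41", "10.0.5.49", "10.0.5.221"]
INBOUND_FW_NEXT_HOP = "192.168.18.2"
# Internal subnets that must stay on the L3 switch. 10.1.1.0/24 is named
# in the question; 10.1.2.0/24 is an assumed second internal VLAN.
INTERNAL_SUBNETS = ["10.1.1.0/24", "10.1.2.0/24"]


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action, source network, destination network."""
    action: str  # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net


def build_acl(servers: List[str], internal_subnets: List[str]) -> List[Ace]:
    """Per server: deny each internal destination first, then permit to any.
    Only 'permit' matches are policy routed; 'deny' and no-match fall
    through to the normal routing table (the switch's OSPF default route)."""
    acl: List[Ace] = []
    for host in servers:
        src = ipaddress.ip_network(f"{host}/32")
        for net in internal_subnets:
            acl.append(Ace("deny", src, ipaddress.ip_network(net)))
        acl.append(Ace("permit", src, ANY))
    return acl


def first_match(acl: List[Ace], src_ip: str, dst_ip: str) -> Optional[Ace]:
    """IOS ACL evaluation: first matching entry wins, implicit deny at the end."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if src in ace.src and dst in ace.dst:
            return ace
    return None


def is_policy_routed(acl: List[Ace], src_ip: str, dst_ip: str) -> bool:
    """True only when the flow hits a permit entry and gets the set ip next-hop."""
    ace = first_match(acl, src_ip, dst_ip)
    return ace is not None and ace.action == "permit"


def shadowed_entries(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never match because an earlier entry already
    covers their whole source and destination range. Putting 'permit host X any'
    before 'deny host X <subnet>' is the classic ordering mistake this catches."""
    shadowed = []
    for i, ace in enumerate(acl):
        if any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst) for e in acl[:i]):
            shadowed.append(i)
    return shadowed


def _ios_addr(net: IPv4Net) -> str:
    """Render a network the way an IOS extended ACL expects it."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    if net.prefixlen == 0:
        return "any"
    return f"{net.network_address} {net.hostmask}"  # IOS wildcard mask


def render_ios(acl: List[Ace], acl_number: int = 101,
               route_map: str = "inbound-internet",
               next_hop: str = INBOUND_FW_NEXT_HOP,
               svi: str = "Vlan5") -> List[str]:
    """Config lines for the 3560. The SVI name is an assumption: the thread
    gives the server subnet but not its VLAN number."""
    lines = [f"access-list {acl_number} {a.action} ip {_ios_addr(a.src)} {_ios_addr(a.dst)}"
             for a in acl]
    lines += [
        "!",
        f"route-map {route_map} permit 10",  # one permit entry, set ip next-hop only
        f" match ip address {acl_number}",
        f" set ip next-hop {next_hop}",
        "!",
        f"interface {svi}",
        f" ip policy route-map {route_map}",
    ]
    return lines


if __name__ == "__main__":
    acl = build_acl(PBR_SERVERS, INTERNAL_SUBNETS)
    print("\n".join(render_ios(acl)))
    print(shadowed_entries(acl))                               # []
    print(is_policy_routed(acl, "10.0.5.40", "203.0.113.10"))  # True
    print(is_policy_routed(acl, "10.0.5.40", "10.1.1.5"))      # False
```

On a 3560 the `ip policy route-map` command is only accepted after `sdm prefer routing` and a reload, which is the template the thread title refers to. After applying the generated lines, `show route-map inbound-internet` and `show ip policy` confirm the binding, and `show processes cpu` is worth watching for the reason Jon gives: the deny entries send matching packets to the CPU instead of the hardware forwarding path. Traffic between two hosts inside 10.0.5.0/24 never reaches the SVI's policy at all, since it is switched at layer 2, so no deny for the server VLAN itself is needed.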
