04-25-2010 04:32 PM - edited 03-06-2019 10:47 AM
High-level current topology layout
Two layer 3 3560 switches and two Cisco ASA 5510 firewalls.
All four devices run OSPF.
One firewall is the primary internet for outbound traffic
The other firewall is the primary internet for inbound traffic such as SMTP, WEB, etc.
All servers are on one vlan 10.0.5.0/24
The primary outbound firewall is on its own vlan 192.168.19.0/24 and the secondary firewall for inbound traffic is on 192.168.18.0/24.
The servers use 10.0.5.1 as their default gateway, which is the Layer 3 switch, a Cisco 3560 with the enhanced image.
The firewalls are Cisco ASA. The primary FW advertises the default route with its default metric and the secondary advertises the default route with its metric higher so it is never used.
I created a route map for the handful of servers that need to send their internet traffic to the inbound firewall:
route-map inbound-internet permit 11
match ip address 11
set ip next-hop 192.168.18.2 (the firewall IP Address)
!
Standard IP access list 11
20 permit 10.0.5.41
10 permit 10.0.5.40
40 permit 10.0.5.49
30 permit 10.0.5.221
This works fine, but the problem is that now the handful of servers can’t communicate with the internal network, because the Cisco ASA is their default gateway and the ASA has its own rules when it comes to U-turn traffic. I want all internet traffic to go to the ASA but internal traffic to stay on the L3 switch.
The internal networks are on other subnets outside of the server network 10.1.1.x/24.
I tried creating this route-map but when I applied it the switch generated a log stating it did not support this route-map.
Access-list 101 matches the handful of servers, with a deny for the internal subnets.
route-map inbound-internet deny 10
match ip address 101
!
route-map inbound-internet permit 11
match ip address 11
set ip next-hop 192.168.18.2
!
%PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map inbound-internet not supported for Policy-Based Routing
Is this a limitation on this platform or am I missing something?
Thanks for everyone’s participation on this post.
Regards,
Juan
04-25-2010 11:57 PM
Hi Juan,
As per the error message, it says:
Error Message: PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map [chars] not supported for Policy-Based Routing
Explanation: This message means that the route-map attached to an interface for policy routing contains an action that is not supported on this platform. This is a hardware limitation. [chars] is the route-map.
Recommended Action: Reconfigure the route-map to use permit entries and set ip next-hop actions only.
Check out the below link for more information
Hope to Help !!
Remember to rate the helpful post
Ganesh.H
04-26-2010 12:14 AM
Juan
PBR on the 3750 does not allow a deny statement with a route-map. However, you can use deny statements in the ACL, so:
access-list 101 deny ip host <server> <subnet> <wildcard>
where subnet is one of your internal subnets. For all traffic you want to not be policy routed you need to add a line in ACL 101. Then just add the ones you do want to be policy routed at the end, e.g.
you have a server 192.168.5.1 and 3 other internal vlans
vlan 10 = 192.168.6.0/24
vlan 11 = 192.168.7.0/24
vlan 12 = 192.168.8.0/24
you want the server not to be policy routed for the above vlans but policy routed for everything else -
access-list 101 deny ip host 192.168.5.1 192.168.6.0 0.0.0.255
access-list 101 deny ip host 192.168.5.1 192.168.7.0 0.0.0.255
access-list 101 deny ip host 192.168.5.1 192.168.8.0 0.0.0.255
access-list 101 permit ip host 192.168.5.1 any
route-map PBR1 permit 10
match ip address 101
set ip next-hop x.x.x.x
so you can do all you want with one route-map statement. Anything you want not to be policy routed just put it first in the acl as a deny.
Edit - a word of warning though. Any denies in the ACL cause the traffic to be process switched as opposed to hardware switched, which can have a significant impact on the switch resources, so you need to keep an eye on the switch CPU once you apply the route-map.
Jon
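To check Jon's ordering argument against Juan's own addresses before touching the switch, here is an added Python example (not code from the thread, and not Cisco code) that parses IOS-style extended ACL lines, evaluates them first-match the way the PBR match clause does, and flags internal subnets that no deny entry excludes. The ACL text, the internal subnet 10.1.1.0/24 and the next-hop 192.168.18.2 are constructed from the numbers in the thread; the test destinations are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed IOS-style ACL mirroring the thread's scenario (example only):
# the four servers keep local forwarding to the internal subnet (denies first),
# and every other destination is policy routed to the inbound ASA (permits last).
ACL_101 = """
access-list 101 deny ip host 10.0.5.40 10.1.1.0 0.0.0.255
access-list 101 deny ip host 10.0.5.41 10.1.1.0 0.0.0.255
access-list 101 deny ip host 10.0.5.49 10.1.1.0 0.0.0.255
access-list 101 deny ip host 10.0.5.221 10.1.1.0 0.0.0.255
access-list 101 permit ip host 10.0.5.40 any
access-list 101 permit ip host 10.0.5.41 any
access-list 101 permit ip host 10.0.5.49 any
access-list 101 permit ip host 10.0.5.221 any
"""

PBR_NEXT_HOP = "192.168.18.2"       # inbound ASA, "set ip next-hop" in the route-map
INTERNAL_SUBNETS = ["10.1.1.0/24"]  # internal networks that must stay on the L3 switch


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Parse one ACL address spec at tokens[i]; return (network, tokens consumed).
    Supports 'any', 'host A.B.C.D' and 'A.B.C.D wildcard' with contiguous wildcards."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)  # wildcard is the inverted mask
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), 2


def parse_acl(text: str, number: str) -> List[Ace]:
    """Collect the entries of one numbered extended ACL, in configured order."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", number] or tok[3] != "ip":
            continue
        src, n = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, 4 + n)
        aces.append(Ace(tok[2], src, dst))
    return aces


def acl_result(aces: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def next_hop(aces: List[Ace], src: str, dst: str) -> Optional[str]:
    """PBR semantics: a permit in the match ACL sends the packet to the set next-hop;
    a deny (explicit or implicit) skips the route-map and the packet follows the
    routing table. None means 'normal routing on the L3 switch'."""
    return PBR_NEXT_HOP if acl_result(aces, src, dst) == "permit" else None


def uncovered_internal_subnets(aces: List[Ace], internal: List[str]) -> List[Tuple[str, str]]:
    """Caveat check: for each policy-routed server, list internal subnets with no deny
    entry. Traffic to those would be sent to the ASA and hit its U-turn rules."""
    gaps = []
    servers = {ace.src for ace in aces if ace.action == "permit"}
    for server in sorted(servers):
        for net in (ipaddress.ip_network(n) for n in internal):
            covered = any(a.action == "deny" and server.subnet_of(a.src) and net.subnet_of(a.dst)
                          for a in aces)
            if not covered:
                gaps.append((str(server.network_address), str(net)))
    return gaps


if __name__ == "__main__":
    aces = parse_acl(ACL_101, "101")
    # Constructed sample flows: internet destination vs. internal destination.
    print(next_hop(aces, "10.0.5.40", "203.0.113.10"))  # policy routed to the ASA
    print(next_hop(aces, "10.0.5.40", "10.1.1.25"))     # stays on the L3 switch
    print(uncovered_internal_subnets(aces, INTERNAL_SUBNETS + ["10.1.2.0/24"]))
    # Same entries with the permits first: the denies never match, so the
    # internal flow is policy routed after all. Order is what does the work.
    wrong = parse_acl("\n".join(reversed(ACL_101.strip().splitlines())), "101")
    print(next_hop(wrong, "10.0.5.40", "10.1.1.25"))
```

The `uncovered_internal_subnets` check is the part worth keeping around: every internal subnet the servers must reach directly needs its own deny line per server, and each deny is also one more entry that, per Jon's warning, pushes matching traffic to the CPU.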
04-26-2010 11:29 AM
Thank you for your response.
It was very helpful.
Regards,
Juan
04-26-2010 11:30 AM
Thank you for your response.
It was very helpful.
Regards,
Juan