08-07-2009 02:08 PM - edited 03-06-2019 07:09 AM
I'm configuring public wireless access and want to keep it off the corp network. I have a wireless LAN controller trunked to the Cat3560 also.
I cannot wrap my head around the PBR to get this to work.
!
interface Vlan1
 ip address 10.0.0.254 255.255.255.0
 description Corp LAN
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 description Public Wireless
 ip policy route-map PBR
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map PBR permit 10
 match ip address 101
 set interface Null0
!
route-map PBR 20
!
I get the error:
PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RoutePubWireless not supported for Policy-Based Routing
when I try to set the Null0 interface. So if I cannot route to a black hole, how do I drop this traffic?
08-07-2009 02:18 PM
Apply an incoming ACL on the Corp Vlan (Vlan 1).
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
interface vlan 1
ip access-group 101 in
HTH,
__
Edison.
08-07-2009 02:20 PM
Should I just leave you to it tonight? :-)
08-07-2009 02:31 PM
nope, I'm leaving soon :)
08-07-2009 02:20 PM
Phillip
Why do you need PBR here, i.e. why not just use a normal ACL on the VLAN 2 interface?
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
int vlan 2
ip access-group 101 in
Jon
08-07-2009 02:25 PM
Jon,
I left out one important piece.
I need to route 192.168.1.0/24 out a specific ISP firewall.
route-map PBR 20
set ip next-hop 10.0.0.1
where the default route for all traffic is to 10.0.0.2.
08-07-2009 02:30 PM
Phillip
Yes that was quite an important bit :-).
PBR happens after checking any ACL on the VLAN interface, so use the ACL as per the previous post and then just use a route-map for the rest of the traffic, i.e.
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
route-map PBR permit 10
match ip address 102
set ip next-hop 10.0.0.1
int vlan 2
ip policy route-map PBR
Jon
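As an added illustration (not code from the thread, and a Python model rather than IOS), this walks sample packets through the order Jon describes on the Vlan2 SVI: inbound ACL 101 first, then route-map PBR, then the routing table. The ACLs are constructed from the posts above; the fallback via 10.0.0.2 is assumed from Phillip's stated default route.

```python
import ipaddress

# Constructed model of the Vlan2 configuration from the thread: ACL 101 applied
# inbound, ACL 102 feeding route-map PBR, and the normal default route via
# 10.0.0.2 (Phillip's stated default, assumed here as the fallback path).
ACLS = {
    101: ["deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
          "permit ip 192.168.1.0 0.0.0.255 any"],
    102: ["permit ip 192.168.1.0 0.0.0.255 any"],
}
ROUTE_MAP_PBR = [(10, 102, "10.0.0.1")]  # (sequence, match acl, set ip next-hop)
DEFAULT_GATEWAY = "10.0.0.2"


def _wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: every 0 bit in the mask must match the base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def _parse_target(tokens):
    """Consume one address spec: 'any', 'host X', or 'X WILDCARD'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def acl_action(acl_id, src, dst):
    """Evaluate an extended ACL top-down; first match wins, implicit deny at the end."""
    for entry in ACLS[acl_id]:
        action, _proto, *rest = entry.split()
        (sb, sw), rest = _parse_target(rest)
        (db, dw), _ = _parse_target(rest)
        if _wildcard_match(src, sb, sw) and _wildcard_match(dst, db, dw):
            return action
    return "deny"


def forward_on_vlan2(src, dst):
    """Order of operations on the SVI: inbound ACL, then PBR, then routing table."""
    if acl_action(101, src, dst) == "deny":
        return "dropped by acl 101"
    for _seq, match_acl, next_hop in ROUTE_MAP_PBR:
        if acl_action(match_acl, src, dst) == "permit":
            # PBR overrides the routing table; the ACL never saw this next-hop,
            # it only inspected the packet's own destination address.
            return f"pbr next-hop {next_hop}"
    return f"routed via {DEFAULT_GATEWAY}"
```

A guest packet addressed to 10.0.0.1 itself is dropped by ACL 101, while guest packets to other destinations are still forwarded via next-hop 10.0.0.1: the ACL inspects the packet's destination, not the next-hop that PBR later selects.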
08-11-2009 04:53 AM
Jon and Edison,
Thx for the help. That did the trick.
I had completely forgotten about the order of packet inspection on an interface.
As I heard some time ago - "You have to think like a packet".
Phil
08-07-2009 02:30 PM
access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any