PBR and Cat3560

Phil Williamson
Level 1

I'm configuring public wireless access and want to keep it off the corp network. I have a wireless LAN controller trunked to the Cat3560 also.

I cannot wrap my head around the PBR to get this to work

!
interface Vlan1
 description Corp LAN
 ip address 10.0.0.254 255.255.255.0
!
interface Vlan2
 description Public Wireless
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map PBR
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map PBR permit 10
 match ip address 101
 set interface Null0
!
route-map PBR permit 20
!

I get the error:

PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RoutePubWireless not supported for Policy-Based Routing

when I try to set the Null0 interface. So if I cannot route to a black hole, how do I drop this traffic?


8 Replies

Edison Ortiz
Hall of Fame

Apply an incoming ACL on the Corp Vlan (Vlan 1).

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
!
interface Vlan1
 ip access-group 101 in

HTH,

__

Edison.

Should I just leave you to it tonight :-)

Nope, I'm leaving soon :)

Jon Marshall
Hall of Fame

Phillip

Why do you need PBR here, i.e. why not just use a normal ACL on the Vlan 2 interface?

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan2
 ip access-group 101 in

Jon

Jon,

I left out one important piece.

I need to route 192.168.1.0/24 out a specific ISP firewall.

route-map PBR permit 20
 set ip next-hop 10.0.0.1

where the default route for all traffic is to 10.0.0.2.

Phillip

Yes that was quite an important bit :-).

PBR happens after checking any ACL on the VLAN interface, so use the ACL as per the previous post and then just use a route-map for the rest of the traffic, i.e.

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address 102
 set ip next-hop 10.0.0.1
!
interface Vlan2
 ip policy route-map PBR

Jon

Jon and Edison,

Thx for the help. That did the trick.

I had completely forgotten about the order of packet inspection on an interface.

As I heard some time ago - "You have to think like a packet".

Phil

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
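As an added illustration, not code from the thread or from Cisco, here is a small Python model of the inbound order of operations Jon describes on the Vlan2 SVI: the inbound ACL is evaluated first (first match wins, implicit deny at the end), then the route-map, then the normal routing table. It encodes the final ACL 101 above, ACL 102 and the route-map from the accepted answer; the packet tuples and the helper names are constructed assumptions, as is the default next-hop 10.0.0.2 taken from Phil's post.

```python
import ipaddress

# Constructed model of the inbound processing order on the Vlan2 SVI:
# 1. inbound ACL (ip access-group 101 in)
# 2. policy-based routing (ip policy route-map PBR)
# 3. normal destination-based routing (default route via 10.0.0.2)

def wildcard_match(addr, network, wildcard):
    """Cisco ACL semantics: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

def acl_permits(acl, src, dst):
    """Evaluate an extended ACL: first matching entry wins, implicit deny."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action == "permit"
    return False

# Entries as (action, src, src-wildcard, dst, dst-wildcard), from the thread.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [
    ("permit", "192.168.1.0", "0.0.0.255", "10.0.0.1", "0.0.0.0"),        # host 10.0.0.1
    ("deny",   "192.168.1.0", "0.0.0.255", "10.0.0.0", "0.255.255.255"),  # block corp
    ("permit", *ANY, *ANY),                                               # permit any any
]
ACL_102 = [("permit", "192.168.1.0", "0.0.0.255", *ANY)]
ROUTE_MAP_PBR = [(ACL_102, "10.0.0.1")]   # route-map PBR permit 10
DEFAULT_NEXT_HOP = "10.0.0.2"             # assumption: default route from Phil's post

def forward(src, dst):
    """Return the fate of a packet arriving inbound on Vlan2."""
    if not acl_permits(ACL_101, src, dst):
        return "dropped by ACL 101"
    for match_acl, next_hop in ROUTE_MAP_PBR:
        if acl_permits(match_acl, src, dst):
            return f"policy-routed to {next_hop}"
    return f"routed normally via {DEFAULT_NEXT_HOP}"

if __name__ == "__main__":
    # Constructed sample packets: wireless client to corp, to the ISP
    # firewall, and to the Internet.
    for src, dst in [("192.168.1.50", "10.0.0.10"),
                     ("192.168.1.50", "10.0.0.1"),
                     ("192.168.1.50", "203.0.113.5")]:
        print(f"{src} -> {dst}: {forward(src, dst)}")
```

Because the ACL runs before the route-map, the deny entry black-holes wireless-to-corp traffic without needing the unsupported `set interface Null0`, while everything else from the wireless subnet is still policy-routed to the ISP firewall.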
