New Member

PBR and Cat3560

I'm configuring public wireless access and want to keep it off the corp network. I have a wireless LAN controller trunked to the Cat3560 also.

I cannot wrap my head around the PBR to get this to work

!
interface Vlan1
 ip address 10.0.0.254 255.255.255.0
 description Corp LAN
!
interface Vlan2
 ip address 192.168.1.1 255.255.255.0
 description Public Wireless
 ip policy route-map PBR
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
!
route-map PBR permit 10
 match ip address 101
 set interface Null0
!
route-map PBR permit 20
!

I get the error:

PLATFORM_PBR-3-UNSUPPORTED_RMAP: Route-map RoutePubWireless not supported for Policy-Based Routing

when I try to set the null0 interface. So if I cannot route to a black-hole how do I drop this traffic?

8 REPLIES
Hall of Fame Super Bronze

Re: PBR and Cat3560

Apply an incoming ACL on the Corp Vlan (Vlan 1).

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
!
interface Vlan1
 ip access-group 101 in

HTH,

__

Edison.

Hall of Fame Super Blue

Re: PBR and Cat3560

Should I just leave you to it tonight :-)

Hall of Fame Super Bronze

Re: PBR and Cat3560

nope, I'm leaving soon :)

Hall of Fame Super Blue

Re: PBR and Cat3560

Phillip

Why do you need PBR here, i.e. why not just use a normal ACL on the Vlan 2 interface -

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan2
 ip access-group 101 in

Jon

New Member

Re: PBR and Cat3560

Jon,

I left out one important piece.

I need to route 192.168.1.0/24 out a specific ISP firewall.

route-map PBR permit 20
 set ip next-hop 10.0.0.1

where the default route for all traffic is to 10.0.0.2.

Hall of Fame Super Blue

Re: PBR and Cat3560

Phillip

Yes that was quite an important bit :-).

PBR happens after checking any ACL on the VLAN interface, so use the ACL as per the previous post and then just use a route-map for the rest of the traffic, i.e.

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
route-map PBR permit 10
 match ip address 102
 set ip next-hop 10.0.0.1
!
interface Vlan2
 ip policy route-map PBR

Jon

New Member

Re: PBR and Cat3560

Jon and Edison,

Thanks for the help. That did the trick.

I had completely forgotten about the order of packet inspection on an interface.

As I heard some time ago - "You have to think like a packet".

Phil

Hall of Fame Super Bronze

Re: PBR and Cat3560

access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip any any
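The whole thread turns on the order in which the switch handles a packet entering Vlan 2: the inbound interface ACL is evaluated first, the policy route-map second, and ordinary destination routing last. The script below is an added example, not code from the thread or from Cisco; it parses the ACL lines Jon and Edison posted (wildcard, "host" and "any" forms), then walks a packet through that three-stage order and reports whether it is dropped by ACL 101, policy-routed to 10.0.0.1 by route-map PBR via ACL 102, or falls through to the 10.0.0.2 default route. The sample packets, the corp host 10.0.0.5, the stray source 172.16.0.9 and the Internet destination 198.51.100.10 are constructed for the example and are not from the thread.

```python
import ipaddress
from dataclasses import dataclass

# ACL lines as quoted in the thread (constructed lists; the posters' own text, my grouping).
JON_ACL_LINES = [
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]
EDISON_ACL_LINES = [
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 host 10.0.0.1",
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 101 permit ip any any",
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
]
# route-map PBR permit 10 / match ip address 102 / set ip next-hop 10.0.0.1
ROUTE_MAP_PBR = [("102", "10.0.0.1")]
DEFAULT_NEXT_HOP = "10.0.0.2"   # the OP's default route for all other traffic


def _ip(text):
    return int(ipaddress.IPv4Address(text))


@dataclass(frozen=True)
class Match:
    """One IOS address/wildcard pair. A 1 bit in the wildcard means 'don't care'."""
    addr: int
    wildcard: int

    def covers(self, ip):
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.addr & care)


def _parse_endpoint(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (Match, remaining tokens)."""
    if tokens[0] == "any":
        return Match(0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return Match(_ip(tokens[1]), 0), tokens[2:]
    return Match(_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: Match
    dst: Match


def parse_acls(lines):
    """Group 'access-list N permit|deny ip SRC DST' lines by ACL number, keeping their order."""
    acls = {}
    for line in lines:
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            raise ValueError(f"unsupported ACL line: {line!r}")
        src, rest = _parse_endpoint(tokens[4:])
        dst, rest = _parse_endpoint(rest)
        if rest:
            raise ValueError(f"trailing tokens in ACL line: {line!r}")
        acls.setdefault(tokens[1], []).append(AclEntry(tokens[2], src, dst))
    return acls


def acl_verdict(entries, src, dst):
    """First-match evaluation; every IOS ACL ends with an implicit 'deny ip any any'."""
    for entry in entries:
        if entry.src.covers(src) and entry.dst.covers(dst):
            return entry.action
    return "deny"


def trace(acl_lines, src_text, dst_text, route_map=ROUTE_MAP_PBR, default_next_hop=DEFAULT_NEXT_HOP):
    """Packet arriving on Vlan2: inbound ACL 101 first, then route-map PBR, then the default route.

    Returns ("drop", None), ("pbr", next_hop) or ("default", next_hop).
    """
    acls = parse_acls(acl_lines)
    src, dst = _ip(src_text), _ip(dst_text)
    if acl_verdict(acls["101"], src, dst) == "deny":
        return ("drop", None)                        # dropped before PBR runs; no Null0 needed
    for acl_number, next_hop in route_map:           # route-map sequences, lowest number first
        if acl_verdict(acls[acl_number], src, dst) == "permit":
            return ("pbr", next_hop)
    return ("default", default_next_hop)             # no sequence matched: normal routing


if __name__ == "__main__":
    for lines, label in ((JON_ACL_LINES, "Jon"), (EDISON_ACL_LINES, "Edison")):
        for src, dst in (("192.168.1.50", "10.0.0.5"), ("192.168.1.50", "198.51.100.10"),
                         ("192.168.1.50", "10.0.0.1"), ("172.16.0.9", "198.51.100.10")):
            print(f"{label}: {src} -> {dst}: {trace(lines, src, dst)}")
```

Two things the run makes visible. With Jon's ACL, a wireless packet addressed to the firewall itself (10.0.0.1) is dropped by the 10.0.0.0/8 deny before PBR ever sees it; Edison's extra "host 10.0.0.1" permit changes only that case, because both the interface ACL and the route-map's match ACL test the packet's destination address, not the next hop PBR will choose. Edison's closing "permit ip any any" also lets a packet with a non-wireless source through the ACL, and since ACL 102 does not match it, it takes the 10.0.0.2 default route rather than the PBR next hop. One platform caveat worth remembering for this switch family: on a Catalyst 3560, PBR is only available with the routing SDM template (sdm prefer routing, followed by a reload).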
