Two VLANs - one VRF - with access to ISP

frederick.mercado

Hi! So after trying to implement VLANs and ACLs on our 9300 catalysts it seems they may be limited or have issues with NAT. 

We have our MOBILE SSID and it only needs to access DHCP. Otherwise it needs to get outside to the internet via VLANxxx on 207.xx.xxx.xx Sub .248.... I was advised I could create a VRF for this case, but I have not done one yet and need help on an ideal config.

 

Essentially I need to:

A) Create a VRF for VLANs 1xx (internal) and VLAN1xx (ISP) so they can inter-communicate.

B) Allow access to DHCP through a route leak.


frederick.mercado

This may be a crude rough, but maybe a start?

Hello @frederick.mercado 

I would suggest VRF-lite is a more elegant way to go to isolate that vlan, providing you do not envisage the need to route leak to other global RIB networks, as it could become administratively complicated. On the flip side of that is RACL, which can also become an administrative burden but is much easier to understand.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Seeing how the 9300 allows VRF aware NAT across the global table...do I need a VLANxxx as shown above anymore or do I just apply the IP configuration on the interface? 

 

Would you be able to assist in verifying the above as a proper config to use?

Hello

What was the issue using access-lists? VRF-lite is another possibility if supported.
Can you post a topology diagram of your current network please?



Kind Regards
Paul

You can see my other post here for our attempts: Re: Internet for VLAN - Page 3 - Cisco Community

 

We were attempting to NAT two VLANs, one with internal client traffic, while still maintaining DHCP and heading out to our ISP. Clients could ping each other, internal servers, and even the GW, but could not get out the GW (209.xx.xx.xx) even without ACL. We figured it was a routing issue, so we implemented a route-map, considering we already had a default route listed on the Cores... but even with the route-map, it seemed to not hit the GW either, so I gave up. I saw where the 9000 series may only support interfaces instead of VLAN: Configure and Verify NAT on Catalyst 9000 Switches - Cisco

 

VRFs don't remove the need for NAT. 

 

The NAT translations were clearly being created in your other post, so not sure what the issue was as it got sidetracked with HSRP etc.

 

Can you connect a laptop in vlan 126 and do a traceroute to an internet IP and see how far it gets?

 

Jon

I believe he thought it was an HSRP issue. But we tested this, and it does not seem so. It appears to be a routing issue, or maybe a limitation of interface NAT vs VLAN? I connected a laptop and performed a tracert. Interesting.

It seems to hit the IP address for the VLAN for MOBILE clients. But then it tries to exit to our MPLS, of course, where internet traffic is going to be proxied and authenticated. Which is what should not be happening. It's as if it doesn't have a route to VLANxxx out to the ISP? Even with the policy route-map... Perhaps this is because of the default route already established? Do I have to use VRF then?

Ping to the ISP GW is still successful but fails to 8.8.8.8.

 

Your PBR does not look to be working. 

 

It seems to be following the routing table. 

 

Can you post the PBR-specific configuration, i.e. the route map, the ACL used and the vlan 126 interface configuration?

 

Jon

Removed

 

PBR looks fine. 

 

Are you running the Network Essentials license on your switch?

 

Jon

Removed.

 

You could run a "debug ip policy" to see what PBR is actually doing but I can't see an issue with your configuration other than the fact it is not working obviously. 

 

Jon

 

As a follow up to this I did look at NAT for VRFs and the 9300s do support VRF aware NAT where the vlan on the inside in NAT terms (vlan 126) is in a VRF but the vlan on the outside (vlan 127) is in the global routing table. 

 

I have done VRFs for a long time but Paul may well be able to point you in the right direction. 

 

Jon
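As an added example (not config posted in this thread), this is the VRF-lite plus VRF-aware NAT layout Jon describes above, with the inside vlan 126 in a VRF, the outside vlan 127 in the global table, and the single route leak the original question asked for so clients can still reach a DHCP server in the global table. The VRF name MOBILE, the documentation-range subnets, the DHCP server address and the ISP gateway address are assumed placeholders.

```cisco
! VRF for the MOBILE SSID clients (name is an assumption)
vrf definition MOBILE
 address-family ipv4
 exit-address-family
!
! Inside VLAN: the client SVI lives in the VRF (192.0.2.0/24 is a placeholder subnet)
interface Vlan126
 description MOBILE clients (NAT inside, VRF MOBILE)
 vrf forwarding MOBILE
 ip address 192.0.2.1 255.255.255.0
 ! Relay DHCP to a server that sits in the global table (server address is a placeholder)
 ip helper-address global 198.51.100.10
 ip nat inside
!
! Outside VLAN: the ISP hand-off stays in the global routing table (placeholder /29)
interface Vlan127
 description ISP hand-off (NAT outside, global table)
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
! Only the MOBILE subnet is eligible for translation
ip access-list standard MOBILE-NAT
 permit 192.0.2.0 0.0.0.255
!
! VRF-aware PAT: each translation is keyed to VRF MOBILE, so return traffic
! arriving on the global outside interface is mapped back into the VRF
ip nat inside source list MOBILE-NAT interface Vlan127 vrf MOBILE overload
!
! The VRF's only exit: a default route whose next hop (ISP gateway, placeholder)
! is resolved in the global table, so there is no path into internal networks
ip route vrf MOBILE 0.0.0.0 0.0.0.0 203.0.113.1 global
!
! Route leak for DHCP only: the global table reaches the MOBILE subnet through
! the VRF SVI, so the DHCP server's reply to the relay address (giaddr 192.0.2.1)
! can get back; nothing else from the global table is imported into the VRF
ip route 192.0.2.0 255.255.255.0 Vlan126
```

Check with `show ip nat translations` and `show ip route vrf MOBILE` that translations are created against VRF MOBILE and that the VRF holds only the leaked default route.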

I am seeing this error with the debug:

 

May 4 18:01:34.080: IP: s=0.0.0.0 (Vlan126), d=255.255.255.255 (nil), len 328, policy rejected -- normal forwarding
