I have an office 1812 router with 12.4T. The router has a GRE tunnel into the corporate intranet. Multiple static routes send some destinations into the VPN tunnel.
For guests there is a separate guest VLAN on the router. Guests are supposed to get internet access only. They are not allowed to send traffic into the VPN tunnel nor access the office VLAN. The latter is easily set up with ACLs.
I could also set up ACLs to block traffic for destinations routed into the VPN tunnel. However, that is a list of some 20+ static routes and the list changes at times. If I used ACLs I would have to adjust the ACL each time I make changes to the VPN tunnel routing.
Is it possible to "force" routing of a VLAN into the internet only, ignoring any other static route which may exist?
```
ip address 10.10.10.10 255.255.255.252
tunnel source Dialer0
tunnel destination 188.8.131.52
no ip address
pppoe-client dial-pool-number 1
description Guest VLAN
ip address 192.168.99.254 255.255.255.0
ip nat inside
description Main VLAN
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip address 184.108.40.206 255.255.255.252
ip nat outside
dialer pool 1
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 220.127.116.11 255.255.255.0 10.0.0.9
ip route 18.104.22.168 255.255.255.192 10.0.0.9
```
The guests are not supposed to access the VPN tunnel destinations like 22.214.171.124. Guest traffic should always be routed to the default gateway through Dialer0. Is this possible other than by setting up and maintaining ACLs?
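As an added example (not part of the original post), one way to do this on IOS without a per-destination ACL is policy-based routing on the guest VLAN interface: the route-map matches every packet sourced from 192.168.99.0/24 and forces the egress interface to Dialer0, so the static routes toward 10.0.0.9 are never consulted for guest traffic. The interface name Vlan2 for the guest SVI and the ACL and route-map names are assumptions, since the post does not show the interface headers.

```cisco
! Added example, not from the original post. Assumes the guest VLAN is
! interface Vlan2 (the post omits the interface headers); the ACL and
! route-map names are arbitrary.
!
! Match every packet whose source is the guest subnet.
ip access-list extended GUEST-SRC
 permit ip 192.168.99.0 0.0.0.255 any
!
! Guest-sourced traffic leaves via Dialer0 regardless of the routing table.
! PBR is evaluated before the destination-based route lookup, so the
! static routes pointing at 10.0.0.9 are bypassed for guests. With PPPoE
! the peer address is dynamic, hence "set interface" rather than a next-hop IP.
route-map GUEST-INTERNET-ONLY permit 10
 match ip address GUEST-SRC
 set interface Dialer0
!
! Apply the policy to traffic entering from the guest VLAN.
interface Vlan2
 description Guest VLAN
 ip address 192.168.99.254 255.255.255.0
 ip nat inside
 ip policy route-map GUEST-INTERNET-ONLY
!
! Verification from exec mode:
!   show route-map GUEST-INTERNET-ONLY   - match counters rise as guest packets are policy-routed
!   debug ip policy                      - per-packet policy decisions (lab use only)
```

Keep the existing ACL that blocks guest access to the office VLAN as a second layer: PBR sends matched packets out Dialer0 even when they are addressed to 192.168.10.0/24, but the ACL makes the isolation explicit and still holds if the route-map is ever removed from the interface.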