Isolating a VLAN

Unanswered Question
Jan 5th, 2010

I have an access controller called an IP3.  The device is used to control user access to the Internet.  It is a typical device you would find in a hotel to give users access to the Internet.  When you attempt to access Google or another site you would get a welcome page and have to complete a logon.  I heavily use VLANs in my network and I have a specific VLAN I use just for guest Internet access.  The VLAN is with a subnet mask of   I have 20+ remote locations and in each location they have a guest VLAN just for Internet access.  Examples:,,, etc…   By using ACLs I have isolated this traffic so it does not cross onto the corporate network.  Internet access is via my main corporate office for all remote locations.  The access controller is designed to be an inline device.  The problem I am trying to solve is how can I deploy this access controller in my main corporate office so all guest Internet traffic will pass through it for authentication without interfering with corporate traffic.  I thought perhaps using GRE tunnels might allow me to achieve this?

Any suggestions anyone would have would be greatly appreciated.

Giuseppe Larosa Tue, 01/05/2010 - 08:03
Hello HMidkiff,

You can use policy-based routing to divert traffic from guest IP subnets to the web controller.

PBR works inbound on the interface that receives traffic, so you may need to apply it on multiple interfaces on the central site router.

access-list 101 permit ip 10.100.0

route-map pbrguest permit 10
 match ip address 101
 set ip next-hop IP3-ipaddress

int type x/y
 ip policy route-map pbrguest

Constraint: the IP3-ipaddress has to be on a connected interface for PBR to work.

Hope to help
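
The following is an added example, not part of the reply above: a small Python model of the PBR behaviour the reply describes (inbound evaluation per interface, ACL match, connected next hop) that audits whether guest flows reach the controller and other traffic is left alone. All addresses, interface names and the fall-back-to-normal-routing behaviour are assumptions made for the illustration.

```python
import ipaddress

# Every address and interface name here is constructed for illustration.
GUEST_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/26", "192.0.2.64/26")]
ACL_101 = [ipaddress.ip_network("192.0.2.0/24")]    # configured match, broader than intent
CONTROLLER = ipaddress.ip_address("198.51.100.2")   # stands in for IP3-ipaddress
CONNECTED = [ipaddress.ip_network(n) for n in ("198.51.100.0/30", "203.0.113.0/30")]
POLICY_IFS = {"Se0/0"}                              # have "ip policy route-map pbrguest"


def in_any(addr, nets):
    """True when addr falls inside at least one of the given networks."""
    return any(ipaddress.ip_address(addr) in net for net in nets)


def forward(src, in_if, policy_ifs=POLICY_IFS, next_hop=CONTROLLER):
    """Return 'controller' when PBR diverts the packet, else 'routing-table'."""
    if in_if not in policy_ifs:        # PBR is evaluated only on the inbound interface
        return "routing-table"
    if not in_any(src, ACL_101):       # route-map match clause failed
        return "routing-table"
    # Constraint from the reply: the next hop must be on a connected interface.
    # Assumption of this model: otherwise the packet is routed normally.
    if not in_any(next_hop, CONNECTED):
        return "routing-table"
    return "controller"


def audit(flows, policy_ifs=POLICY_IFS, next_hop=CONTROLLER):
    """Report flows where guest traffic is not diverted or other traffic is."""
    problems = []
    for src, in_if in flows:
        diverted = forward(src, in_if, policy_ifs, next_hop) == "controller"
        guest = in_any(src, GUEST_NETS)
        if guest and not diverted:
            problems.append((src, in_if, "guest bypasses controller"))
        elif diverted and not guest:
            problems.append((src, in_if, "non-guest diverted"))
    return problems


# Constructed flows: (source address, interface the packet arrives on).
FLOWS = [("192.0.2.10", "Se0/0"),    # guest, policy applied
         ("192.0.2.70", "Se0/1"),    # guest, interface without the policy
         ("192.0.2.200", "Se0/0"),   # outside guest subnets but inside ACL_101
         ("10.1.1.5", "Se0/0")]      # corporate

if __name__ == "__main__":
    for problem in audit(FLOWS):
        print(problem)
```

The two findings it reports on the sample flows correspond to a WAN interface missing the policy and an ACL wider than the guest subnets.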


