310
Views
0
Helpful
2
Replies

Isolating a VLAN

HMidkiff
Level 1

I have an access controller called an IP3. The device is used to control user access to the Internet. It is a typical device you would find in a hotel to give users access to the Internet. When you attempt to access Google or another site you get a welcome page and have to complete a logon. I heavily use VLANs in my network and I have a specific VLAN I use just for guest Internet access. The VLAN is 10.0.255.0 with a subnet mask of 0.255.0.255. I have 20+ remote locations and in each location they have a guest VLAN just for Internet access. Examples: 10.2.255.0/24, 10.3.255.0/24, 10.4.255.0/24, etc. By using ACLs I have isolated this traffic so it does not cross onto the corporate network. Internet access is via my main corporate office for all remote locations. The access controller is designed to be an inline device. The problem I am trying to solve is how I can deploy this access controller in my main corporate office so all guest Internet traffic will pass through it for authentication without interfering with corporate traffic. I thought perhaps using GRE tunnels might allow me to achieve this?

Any suggestions anyone would have would be greatly appreciated.

2 Replies

Giuseppe Larosa
Hall of Fame

Hello HMidkiff,

You can use policy-based routing (PBR) to divert traffic from the guest IP subnets to the web controller.

PBR works inbound on the interface that receives the traffic, so you may need to apply it on multiple interfaces of the central-site router.

access-list 101 permit ip 10.100.0.0 0.0.0.255 any
route-map pbrguest permit 10
 match ip address 101
 set ip next-hop IP3-ipaddress
int type x/y
 ip policy route-map pbrguest

Constraint: the IP3-ipaddress has to be on a connected interface for PBR to work.

Hope to help

Giuseppe

Jon Marshall
Hall of Fame

I agree with Giuseppe, PBR is the way to go. Just a quick addition though. If your IOS supports PBR recursive next-hop then the next-hop does not have to be on a connected interface -

https://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

Jon
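Putting the two replies together for the scenario in the question, here is a worked PBR configuration for the central-site router (a constructed example, not posted by Giuseppe, Jon or Cisco; interface names, the `192.0.2.10` controller address and the `Vlan255` SVI are placeholders). It matches every site's guest VLAN with a single wildcard entry and deliberately leaves out `verify-availability`, so a failed controller does not turn into an unauthenticated bypass:

```cisco
! Constructed example: divert only guest-VLAN sources (10.x.255.0/24 at every
! site, matched with one wildcard entry) to the IP3 controller via PBR.
!
! In a PBR ACL, "deny" means "route normally". Guest traffic bound for the
! corporate 10.0.0.0/8 range is therefore left to the existing isolation ACLs
! and never sent through the IP3. If the IP3's own address falls inside
! 10.0.0.0/8, add a "permit ... host <IP3 address>" line ahead of the deny.
ip access-list extended GUEST-TO-IP3
 deny   ip 10.0.255.0 0.255.0.255 10.0.0.0 0.255.255.255
 permit ip 10.0.255.0 0.255.0.255 any
!
route-map PBR-GUEST permit 10
 match ip address GUEST-TO-IP3
 set ip next-hop 192.0.2.10
! 192.0.2.10 stands for the IP3's inside interface, which must be on a subnet
! directly connected to this router (or use recursive next-hop on an IOS that
! supports it, as Jon notes). No "set ip next-hop verify-availability" is used
! on purpose: with it, an unreachable IP3 would make PBR fall back to normal
! routing and guests would reach the Internet without authenticating; without
! it, guest packets are dropped until the controller is back.
!
! Apply inbound on every interface that receives guest traffic: the WAN links
! carrying the remote sites' guest VLANs and the local guest SVI.
interface GigabitEthernet0/0
 description WAN hub to remote sites
 ip policy route-map PBR-GUEST
!
interface Vlan255
 description Local guest VLAN 10.0.255.0/24
 ip policy route-map PBR-GUEST
!
! Verification from the CLI:
!   show ip policy            - lists interfaces with a policy applied
!   show route-map PBR-GUEST  - match/set counters rise for guest flows only
```

Corporate traffic never matches the route-map, so it keeps its normal forwarding path; check the counters with a guest host and a corporate host to confirm only the former is policy-routed.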
