Cisco Support Community
New Member

Isolating a VLAN

I have an access controller called an IP3.  The device is used to control user access to the Internet.  It is a typical device you would find in a hotel to give users access to the Internet.  When you attempt to access Google or another site you would get a welcome page and have to complete a logon.  I heavily use VLANs in my network and I have a specific VLAN I use just for guest Internet access.  The VLAN is 10.0.255.0 with a subnet mask of 0.255.0.255.   I have 20+ remote locations and in each location they have a guest VLAN just for Internet access.  Examples:  10.2.255.0/24, 10.3.255.0/24, 10.4.255.0/24, etc.   By using ACLs I have isolated this traffic so it does not cross onto the corporate network.  Internet access is via my main corporate office for all remote locations.  The access controller is designed to be an inline device.  The problem I am trying to solve is how I can deploy this access controller in my main corporate office so all guest Internet traffic will pass through it for authentication without interfering with corporate traffic.  I thought perhaps using GRE tunnels might allow me to achieve this?

Any suggestions anyone would have would be greatly appreciated.

2 REPLIES
Hall of Fame Super Silver

Re: Isolating a VLAN

Hello HMidkiff,

you can use policy based routing to divert traffic from guest IP subnets to the web controller.

PBR works inbound on the interface that receives traffic. So you may need to apply it on multiple interfaces on central site router.

! one entry per guest subnet (10.2.255.0/24, 10.3.255.0/24, ...); "any" destination
access-list 101 permit ip 10.2.255.0 0.0.0.255 any
!
! packets matching ACL 101 are sent to the IP3 instead of being routed normally
route-map pbrguest permit 10
 match ip address 101
 set ip next-hop IP3-ipaddress
!
! apply inbound on every interface that receives guest traffic
interface type x/y
 ip policy route-map pbrguest

constraint: the IP3-ipaddress has to be on a connected interface for PBR to work

Hope to help

Giuseppe
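To check the selection logic before touching a router, here is an added Python model of what the ACL and route-map above do (this is example code written for this page, not Giuseppe's or Cisco's). It implements IOS wildcard-mask matching (a 1 bit means "don't care"), first-match ACL evaluation with the implicit deny, and the fact that PBR only acts on interfaces where `ip policy` is applied. It goes one step beyond the thread: the original poster's "0.255.0.255" is read here as an IOS wildcard mask, which lets a single entry `10.0.255.0 0.255.0.255` match every 10.<site>.255.0/24 guest subnet at once. The interface names, the next-hop 192.0.2.10 and the sample packets are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: bits set to 1 in the wildcard are ignored,
    bits set to 0 must equal the corresponding bits of `base`."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class AclEntry:
    action: str                            # "permit" or "deny"
    src: str
    src_wildcard: str
    dst: str = "0.0.0.0"                   # "any" = 0.0.0.0 255.255.255.255
    dst_wildcard: str = "255.255.255.255"


def acl_permits(entries, src: str, dst: str) -> bool:
    """First matching entry wins; an ACL ends with an implicit deny."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wildcard) and \
           wildcard_match(dst, e.dst, e.dst_wildcard):
            return e.action == "permit"
    return False


# Placeholder for the IP3 controller's address (constructed, TEST-NET-1).
IP3_NEXT_HOP = "192.0.2.10"

# Giuseppe's form: one permit per guest /24 (here sites 2, 3 and 4 only).
ACL_101_PER_SITE = [AclEntry("permit", f"10.{site}.255.0", "0.0.0.255")
                    for site in (2, 3, 4)]

# Generalized form: one entry whose wildcard 0.255.0.255 covers 10.x.255.0/24
# for every site, so new sites need no ACL change.
ACL_101 = [AclEntry("permit", "10.0.255.0", "0.255.0.255")]

# "route-map pbrguest permit 10 / match ip address 101 / set ip next-hop ..."
ROUTE_MAPS = {"pbrguest": (ACL_101, IP3_NEXT_HOP)}

# "ip policy route-map pbrguest" is only configured on these (assumed) interfaces.
POLICY_INTERFACES = {
    "GigabitEthernet0/1": "pbrguest",   # WAN link from the remote sites
    "GigabitEthernet0/2": "pbrguest",   # local guest VLAN at the main office
}


def forward(ingress: str, src: str, dst: str) -> str:
    """Return the next hop PBR imposes, or 'normal-routing' when the packet
    arrives on an interface without a policy or does not match the ACL."""
    route_map = POLICY_INTERFACES.get(ingress)
    if route_map is None:
        return "normal-routing"          # PBR works inbound only
    acl, next_hop = ROUTE_MAPS[route_map]
    return next_hop if acl_permits(acl, src, dst) else "normal-routing"


if __name__ == "__main__":
    # Constructed sample packets: (ingress interface, source, destination)
    samples = [
        ("GigabitEthernet0/1", "10.3.255.10", "142.250.0.1"),   # guest, site 3
        ("GigabitEthernet0/1", "10.3.10.10", "142.250.0.1"),    # corporate, site 3
        ("GigabitEthernet0/1", "10.17.255.5", "142.250.0.1"),   # guest, site 17
        ("GigabitEthernet0/3", "10.3.255.10", "142.250.0.1"),   # no policy here
    ]
    for ingress, src, dst in samples:
        print(f"{ingress:20} {src:>12} -> {dst:<12} : {forward(ingress, src, dst)}")
```

The third sample is the practical point: with per-site entries, site 17's guests would fall through to the implicit deny and be routed normally, bypassing the IP3; the wildcard form catches them without an ACL edit. Keep the destination "any" so the guest subnets stay isolated by the existing corporate ACLs rather than by this route-map.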

Hall of Fame Super Blue

Re: Isolating a VLAN

I agree with Giuseppe, PBR is the way to go. Just a quick addition though. If your IOS supports PBR recursive next-hop then the next-hop does not have to be on a connected interface -

https://www.cisco.com/en/US/docs/ios/12_0s/feature/guide/12s_pbr.html

Jon
