Using Policy-Based routing on a VLAN interface


We have an open wireless network which requires use of a VPN in order to authenticate and then connect anywhere.

Many folks are unaware of the VPN requirement, and don't understand that they need to use the VPN.

Therefore, we are trying to redirect all web traffic on our wireless VLAN to a specific web page with information on the VPN and how to get it.

We are using Policy-Based routing on the VLAN interface for the Wireless subnet in order to redirect all web traffic to this web page, which is set up to capture this traffic and display the information.

However it is not working; we see hits on the access-list but the redirect does not work.

Here's the config we are using:

access-list 156 deny tcp any any neq www
access-list 156 permit tcp any any

route-map redirect permit 10
 match ip address 156
 set ip next-hop

int vlan 155
 description wireless network
 ip address
 ip policy route-map redirect

Does PBR not work on VLAN interfaces?

FWIW the Vlan interface is on a 6513 running hybrid mode.

We can connect to the web page at if we enter that URL manually, so we know we've got connectivity.

Thanks for any suggestions!



Re: Using Policy-Based routing on a VLAN interface

I think your ACL should look like:

access-list 156 permit tcp any any eq www

and if you can get a wireless controller, or do this web authentication or instruction through the wireless device, that will be better.

good luck

New Member

Re: Using Policy-Based routing on a VLAN interface

Thanks for your feedback.

I think the ACL is OK: since we first deny any traffic that is NOT web, the only traffic left should be web. But we can give it a try.

We had looked into doing the redirect with the LWAPP controllers. However, we don't want to do web authentication instead of the VPN since it is not a secure connection, and the controller will only let you use a web redirect IF you are doing 802.1x or web authentication...
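
An added example, not code from either poster: a small first-match evaluator for the two ACL forms discussed in this thread, run over constructed packets, to compare which traffic each form hands to the route-map's set action. It models only the `any any` form with an optional `eq`/`neq` destination port and assumes `www` means TCP port 80; all function names are hypothetical.

```python
import re

PORT_NAMES = {"www": 80}  # assumption: IOS keyword "www" is TCP port 80

ACL_ORIGINAL = ["access-list 156 deny tcp any any neq www",
                "access-list 156 permit tcp any any"]
ACL_SUGGESTED = ["access-list 156 permit tcp any any eq www"]

# Constructed sample packets: (protocol, destination port or None)
PACKETS = [("tcp", 80), ("tcp", 443), ("tcp", 22),
           ("udp", 53), ("udp", 80), ("icmp", None)]

ACE_RE = re.compile(
    r"access-list (\d+) (permit|deny) (\w+) any any(?: (eq|neq) (\w+))?")

def parse_ace(line):
    """Parse one ACE of the limited form used in this thread."""
    m = ACE_RE.fullmatch(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE: {line!r}")
    _, action, proto, op, port = m.groups()
    if port is not None:
        port = PORT_NAMES[port] if port in PORT_NAMES else int(port)
    return action, proto, op, port

def ace_matches(ace, proto, dport):
    _, ace_proto, op, port = ace
    if ace_proto != "ip" and ace_proto != proto:
        return False            # protocol must match before ports are compared
    if op == "eq":
        return dport == port
    if op == "neq":
        return dport != port
    return True                 # no port operator: any port matches

def acl_result(acl_lines, proto, dport):
    """First matching ACE wins; no match falls through to the implicit deny."""
    for ace in map(parse_ace, acl_lines):
        if ace_matches(ace, proto, dport):
            return ace[0]
    return "deny"

def policy_routed(acl_lines, proto, dport):
    """Only an ACL permit selects the packet for the route-map's set action."""
    return acl_result(acl_lines, proto, dport) == "permit"

def compare(packets=PACKETS):
    return [(p, policy_routed(ACL_ORIGINAL, *p), policy_routed(ACL_SUGGESTED, *p))
            for p in packets]

if __name__ == "__main__":
    for pkt, orig, suggested in compare():
        print(pkt, "original:", orig, "suggested:", suggested)
```
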