Hi friend,
You need to create GRE between 2 controllers when you want to redirect the guest traffic to another device (DMZ) to get authenticated or to map the policy.
Here is the method to configure the GRE tunnel.
#interface tunnel 1
#tunnel source 192.168.1.1
#tunnel destination 192.168.1.2
#tunnel vlan 2
#no trust
#no shut
Once we untrust the port, all the traffic on this port will undergo authentication depending upon the profile configured as follows:
Workaround:
We can put different VLANs in different tunnels and untrust the VLAN where we want the authentication.
#interface tunnel 1
#tunnel source 192.168.1.1
#tunnel destination 192.168.1.2
#tunnel vlan 2
#no trust
#no shut
#interface tunnel 2
#tunnel source 192.168.1.1
#tunnel destination 192.168.1.2
#tunnel vlan 3
#trust
#no shut
Now VLAN 2 traffic will undergo authentication and fall in the user role. However, VLAN 3 traffic will not undergo any authentication because it is trusted.
We have to execute the same commands on the other controller as well by changing the tunnel source and the destination IP address.
Here we can define L2 GRE or L3 GRE by choosing the tunnel protocol, as follows:
tunnel mode gre ip
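
An added example, not part of the original post: a small Python check that parses the tunnel commands shown above from both controllers, confirms that source and destination are mirrored and that VLAN and trust settings agree, and lists the VLANs left untrusted (the ones that will be authenticated). The function names are hypothetical, the sample config is constructed from the post's own commands, and matching tunnel numbers on both controllers is an assumption taken from "execute the same commands on the other controller".

```python
import re

# Constructed sample: controller A's tunnels, exactly as listed in the post.
CONTROLLER_A = """interface tunnel 1
tunnel source 192.168.1.1
tunnel destination 192.168.1.2
tunnel vlan 2
no trust
no shut
interface tunnel 2
tunnel source 192.168.1.1
tunnel destination 192.168.1.2
tunnel vlan 3
trust
no shut"""

def mirror(text):
    # Build the far end's config by swapping the source/destination keywords.
    swap = {"source": "destination", "destination": "source"}
    return re.sub(r"tunnel (source|destination)", lambda m: "tunnel " + swap[m.group(1)], text)

def parse_tunnels(text):
    # Returns {tunnel_id: {"source", "destination", "vlan", "trusted"}}.
    tunnels, cur = {}, {}  # lines before the first interface go to a throwaway dict
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # accept the post's '#' prompt prefix
        m = re.fullmatch(r"interface tunnel (\d+)", line)
        if m:
            cur = tunnels.setdefault(int(m.group(1)), {})
        elif line in ("trust", "no trust"):
            cur["trusted"] = line == "trust"
        elif (m := re.fullmatch(r"tunnel (source|destination|vlan) (\S+)", line)):
            cur[m.group(1)] = m.group(2)
    return tunnels

def check_pair(a_text, b_text):
    # Compare both ends of every tunnel and return a list of mismatches.
    a, b = parse_tunnels(a_text), parse_tunnels(b_text)
    problems = [f"tunnel {t}: defined on one controller only" for t in sorted(set(a) ^ set(b))]
    for t in sorted(set(a) & set(b)):
        if (a[t].get("source"), a[t].get("destination")) != (b[t].get("destination"), b[t].get("source")):
            problems.append(f"tunnel {t}: source/destination not mirrored")
        for key in ("vlan", "trusted"):
            if a[t].get(key) != b[t].get(key):
                problems.append(f"tunnel {t}: {key} differs")
    return problems

def untrusted_vlans(text):
    # VLANs carried over tunnels marked "no trust", i.e. traffic that is authenticated.
    return sorted(t["vlan"] for t in parse_tunnels(text).values() if t.get("trusted") is False and "vlan" in t)
```
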