Limiting bandwidth for a selected VLAN only

I'm looking at setting up VLAN services for our group. The basic layout would be:

LAN:

[ WAN ] <-> [ Router ] <-> [ LAN | AP's ]

VLAN:
(eth0) 100 - Local services
(eth1) 101 - WAN (Internet)
(eth0) 200 - Staff
(eth0) 300 - Guests

The goal is:
Staff: 100% Internet access
Guest: No more than 50% of Internet access so Staff have guaranteed Internet access

From what I understand, Cake should be able to handle bandwidth limiting, but I am unsure if Cake can limit subnets (300) rather than limit an interface (eth1).

The other option would be to acquire a dual-NIC card and change the setup:

VLAN:
(eth0) 100 - Local services
(eth2) 101 - WAN (Internet)
(eth1) 200 - Staff
(eth1) 300 - Guests

I currently have the first setup (Dell OptiPlex with a built-in NIC and a PCI add-on NIC).

I can see the PCI dual-NIC having an easier physical setup, but would like to keep the current PCI single-NIC setup.

Thoughts? Pointers?

You definitely want a VLAN-based setup here; otherwise there is no real security against guests accessing other privileged parts of the network.

The ethX.300 interface will see only traffic to/from guests, so you can attach an instance of SQM to it and it will only affect guests.
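
As an added illustration (not part of the reply above, and not SQM's own scripts), this sketch shows the plain `tc` commands that shape only the guest VLAN interface with cake. The WAN rates and the IFB device name `ifb-guest` are assumptions; `eth0.300` and the 50% share come from the question.

```shell
#!/bin/sh
# Added example: cap only guest VLAN 300 with cake; staff VLAN 200 stays unshaped.
# Assumed values (not from the thread): WAN line rates and the IFB device name.
GUEST_DEV="eth0.300"     # VLAN 300 on eth0, per the layout in the question
IFB_DEV="ifb-guest"      # hypothetical name for the ingress helper device
WAN_DOWN_KBIT=100000     # assumed WAN download rate
WAN_UP_KBIT=20000        # assumed WAN upload rate
GUEST_SHARE_PCT=50       # "no more than 50%" from the question

# share_kbit RATE_KBIT PERCENT -> integer kbit/s cap
share_kbit() {
    echo $(( $1 * $2 / 100 ))
}

# Print the tc/ip commands for one VLAN interface.
# On a LAN-side interface the directions are mirrored relative to the WAN:
#   egress  of eth0.300 = traffic going TO guests    (their download)
#   ingress of eth0.300 = traffic coming FROM guests (their upload)
# Ingress cannot be shaped directly, so it is redirected to an IFB device.
guest_shaper_cmds() {
    dev=$1; ifb=$2
    down=$(share_kbit "$3" "$5")
    up=$(share_kbit "$4" "$5")
    cat <<EOF
tc qdisc replace dev $dev root cake bandwidth ${down}kbit
ip link add $ifb type ifb
ip link set $ifb up
tc qdisc add dev $dev handle ffff: ingress
tc filter add dev $dev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $ifb
tc qdisc replace dev $ifb root cake bandwidth ${up}kbit
EOF
}

# Dry run by default: print the commands. Set APPLY=1 (as root) to run them.
cmds=$(guest_shaper_cmds "$GUEST_DEV" "$IFB_DEV" "$WAN_DOWN_KBIT" "$WAN_UP_KBIT" "$GUEST_SHARE_PCT")
if [ "${APPLY:-0}" = "1" ]; then
    echo "$cmds" | sh -e
else
    echo "$cmds"
fi
```

Because the shaper sits on the LAN side, the egress rate limits what guests download and the IFB rate limits what they upload, which is the reverse of how the same fields read on a WAN interface.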