
New Member

Second Internet connection

Hi All,

I will be having a new internet connection in the building soon. I will be replacing the current internet with this one. I would like to do testing on the connection, but I am unsure of how to go about this. Basically, I would like only a select few users to be able to access this internet connection, but is this possible through my current LAN? Can I have ip route statements specifying only certain IP addresses to leave this way? If the users did not have to also access the current network resources I would set it up totally separate, but this is not the case. What is the best way to go about this?




Re: Second Internet connection


You can have it, but it is easier if you post what kind of addressing you are using.

If you have different subnets, then you can directly give the static route to access the internet, and for the users that you don't want to access the internet, you can point those particular users to the null0 interface.

You can also use route maps.

Rate the post if it works.



New Member

Re: Second Internet connection

What we did was change the users' default gateway to the internal interface of the firewall for that internet connection. Luckily, most of the resources that they use are on the local LAN, so they did not need the default gateway for email, network shares, etc. For the two resources outside of the local LAN, we placed static routes in their profiles to route them over to the real default gateway.

New Member

Re: Second Internet connection

We have VLANs on our local LAN, so setting the default as the firewall int is pretty much out. Still not quite sure how to get these few folks out to the test internet connection without cutting off local LAN access. Thanks for the replies, though.

Re: Second Internet connection

Hi Friend,

Are you running some static routes or default routes for your internet connection on your router?

If yes, I think for testing purposes you can configure PBR, something like this:

route-map Test permit 10

match ip address 100

set ip next-hop <-Old Internet Connection


route-map Test permit 20

match ip address 200

set ip next-hop <-New Internet Connection


access-list 100 permit ip

access-list 200 permit ip

Router(config)# interface fa0/1

Router(config-if)# ip policy route-map Test

Now in ACL 100 you can keep defining the old users, but in ACL 200 you can define the few folks to send out to test the internet connection.

Note that implementing this on your router may disrupt the old internet connection for users for a few seconds.

HTH. If yes, please rate the post.


New Member

Re: Second Internet connection


I am using default routes only right now. This makes sense to me. I do have questions, as I am fairly new to the world of access lists. The addresses that I need to route to the new connection will be single IP addresses and not whole networks, and there are a few of them. Do I make a different access list for all of them? Like so:

access-list 100 permit ip

access-list 101 permit ip

Or can I put them all in one? Also, what happens if I just make a route map for the test internet and do not make one for the old? Will the default route still not work for all other networks that are not in the route map?

Also, you state "interface fa0/1". Which interface is this? This will be going on a Catalyst 4500 switch with several VLANs. Which int would this need to be on?

Thanks for your help.
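An added example, not part of any post in this thread: a policy-routing configuration for the case asked about above, with several single hosts in one access list, a single route-map clause, and the policy applied on a VLAN interface. All addresses, the VLAN number and the names are constructed placeholders; it assumes internal networks fall within 10.0.0.0/8, that the new firewall's inside address is directly reachable from the switch, and that the platform supports deny entries in a PBR access list.

```cisco
! Constructed example: every address, the VLAN number and the names are placeholders.
! Assumptions: internal networks are inside 10.0.0.0/8, the test users sit in VLAN 20,
! and 192.0.2.1 is the inside address of the firewall on the new connection.
!
ip access-list extended TEST-INTERNET
 ! Internal destinations are excluded first, so local LAN and inter-VLAN
 ! traffic from the test users keeps following the normal routing table.
 deny   ip any 10.0.0.0 0.255.255.255
 ! One entry per test user, all in the same access list.
 permit ip host 10.10.20.11 any
 permit ip host 10.10.20.12 any
 permit ip host 10.10.20.13 any
!
route-map TEST-INTERNET permit 10
 match ip address TEST-INTERNET
 set ip next-hop 192.0.2.1
!
! No clause for the old connection: packets that match no route-map clause
! are forwarded by the routing table, which here is the existing default route.
!
interface Vlan20
 ! The policy is applied inbound on the routed interface where the
 ! test users' packets arrive (their default gateway).
 ip policy route-map TEST-INTERNET
```

`show route-map TEST-INTERNET` shows the match counters for the clause, and `show ip policy` lists the interfaces that have a policy attached.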

New Member

Re: Second Internet connection

You wouldn't cut off local LAN access, because it wouldn't need the default gateway to talk to those resources: they never need to be routed, because they are in the same subnet/LAN. That is one LAN, for example.

All machines start are 10.240.1.x and the default gateway is

New Member

Re: Second Internet connection

Also, do you have a spare router with two ethernet interfaces? You could create a layer 2 vlan and place your test users into that vlan, using the spare router ethernet 0/0 interface as the default gateway. Then take the second ethernet interface, assign and place that in the data vlan today, turning on your routing protocol, and then have the gateway of last resort on the spare router pointing to the new firewall. I hope this makes sense.