Showing results for 
Search instead for 
Did you mean: 

1 LAN, two ISPs

We're needing to run a testbed with a new ISP, but only want to do it for a certain amount of PCs AND without disturbing the existing LAN/WAN. How can I effectively "split" the traffic without reconfiguring our entire network? The testbed PCs will still need LAN access, but I want to shove all of the testbed web traffic out to the new ISP.

Current setup is:

PC-->Core (3650)-->Firewall1-->Router1 (1811)-->ISP1

Right now, the Core's default gateway is firewall1.

I have another firewall and router to use for the new ISP.

I need it to look similar to this:

Firewall 1 --->Router 1 --->ISP 1
PC --->Core ---<

Firewall 2 --->Router 2 --->ISP 2

I can think of a bunch of oddball ACL setups that could possibly work, but I know there is probably a better way to set this up. In my scribblings, I've come up with this very-simplistic interpretation:

Internal Traffic routed back to core ---v
PC --->New VLAN on Core --->Router 2 subinterface ---<

External traffic out to new firewall --->ISP 2

With, obvoiusly, various ACLs setup. Anyone else have a better/more efficient idea?

Cisco Employee

Are those 2 different ISPs?

You want to load-balance taking into consideration source IPs?

That would be easier for destination IPs, but for source ones I believe PBR would save your problems.


PBR was also something that came to mind, but I don't have too much experience with it (yet). And yes, they are two separate ISPs. I don't want to load-balance, however. I just want to allow, say VLAN 10, to go out the new ISP and the rest of the LAN to continue on the existing ISP. I'm definitely going to look at PBR and see if it's my most viable solution, thanks!



if I understand correctly what you want to achieve, that is some PCs need outside connectivity through second ISP so second firewall and others still continue to use existing gateway( your firewall going to ISP1), then just allocate a different default gateway( firewall) to some PCs via DHCP.



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.

Wat i suggest

You Can Split Your IP Subnet

Half for isp1 and half for isp2


Create Two access list

Acl1 for subnet 1

acl2 for subnet 2

Create Route MAP

Router-MAP Route-Traffic permit 10

match ip address Acl1

set ip next hope (FW1)

Router-MAP Route-Traffic permit 20

match ip address Acl2

set ip next hope (FW2)

Apply that Route MAP to Core Vlan

Int Vlan 1

ip policy Route-map Route-Traffic


This would work if we didn't have the entire core defaulted to the primary firewall and I didn't have to have these "testbed" PCs still get internal access. If it was a straight shot to the internet, then it wouldn't be a problem.


Still have this problem?

How are your firewalls configured?

If they are in active/standby and the traffic needs to pass through them, I don't think you're gonna achieve what you want without manipulating the router facing ISP.

You have many possibilities there, you should evaluate the one you like the most.

How you're receiving router? BGP? who will be indeed your edge device against ISP? will it be the two routers?

will it be the same router?


Other (broken) things came up that took me away from this project, so I haven't had time to test it out yet. But, thinking about it yesterday and talking with others, I'm wondering if we could get away with either the ACLs/route map that Jawad mentioned or by tricking the core with an extra route statement, similar to ip route 1 . But, will that work when I have that VLAN 15 ( already created on the Core?

I'm hoping today will be slow-enough to do some testing on secondary hardware.


Sure, What he did was to create a PBR.

It will work IF the firewalls are not in standby/active, you need to have firewalls separate from each other or at least a different context in one of them for internet access.

If all firewall facing router's interfaces are L3, I would apply the PBR in outgoing interface, this way, you would need to send traffic to the RP (L3) processor everytime you have intra VLAN communication.

Content for Community-Ad