
IP Next Hop to send user out to a different internet connection

I have a 3750 which handles all of my central routing to various subnets throughout my building.  Also, I have two internet connections.  My question is, can I use IP Next Hop to direct users out the second internet connection, essentially overriding the default gateway for them?  By setting IP next hop, however, will this cause my internal static routes to stop functioning, or will these have a higher priority?

Lei Tian
Cisco Employee


Yes, you can use PBR (policy based routing) to force some traffic to use a different exit link. PBR is processed before the routing lookup, so you can force certain traffic to use one path and the rest of the traffic to use the default route. Be aware there are some limitations when using PBR on the 3750; please refer to the configuration guide for configuration details.


Lei Tian

So if PBR is processed before the routing lookup, is there an easy way that I can tell it to ignore anything going to private subnets (i.e. 10, 172, 192)?  This way things aren't sent to the other gateway for internal traffic?

You asked right as I posted

Here is an example of a configuration for a policy route to do just that:

! ACL: internal destinations are denied (not policy routed), everything else is permitted
ip access-list extended INET2_ACL
 deny ip
 permit ip any any
!
! Route map: traffic permitted by the ACL is sent to the second internet connection
route-map INET2
 match ip address INET2_ACL
 set ip next-hop
!
! Apply the policy on the SVI the users enter the switch through
interface vlan 100
 ip policy route-map INET2

This of course assumes your internal network is, and notice the deny is before the permit.




You need to create a route-map first; within the route-map you need to have an ACL to specify the traffic you want to redirect, then you need to set ip next-hop only for the traffic that matches the ACL.

See the configuration example:

! Route map: match the ACL and set the next hop for matching traffic
route-map test
 match ip address test
 set ip next-hop x.x.x.x
!
! Standard ACL listing the traffic you want to redirect
ip access-list standard test
 permit x.x.x.x x.x.x.x (the traffic you want to redirect)


Lei Tian


In addition to what the previous poster linked, make sure you specify that internal traffic should NOT be policy routed, as the policy based route takes precedence over all routing decisions. So if your internal network is, you need to create a deny statement in the ACL you build for your PBR for that network; otherwise the router will send traffic to things such as internal DNS servers, printers, etc. out your second internet POP.



Hi Craig,

Deny statements are not supported in the 3750's PBR.

Note: Do not enter an ACL with a deny ACE or an ACL that permits a packet destined for a local address.


Lei Tian

Ah, good to know! Thanks Lei

As a note, here are the limitations when using PBR on the 3750:

1) sdm prefer routing must be used
2) ip policy must be placed on a routed interface or an SVI
3) ip services software is required; the ip policy command is not available on ip base
4) only unicast traffic applies to the policy
5) you cannot have any route-map deny statements, as this causes 100% CPU
6) you cannot reference any access-lists that contain deny statements, as this causes 100% CPU utilization
7) you cannot use set interface, set default next-hop or set default interface within the route-map
8) you cannot use WCCP and PBR on the same interface

They are all documented on the link I posted. I recommend you go over the document before implementing.


Lei Tian
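As an added example, not from any poster in this thread, here is a small Python model of the two points argued above: PBR is consulted before the routing table lookup (so a deny in the ACL, or no match, leaves the packet to the static and default routes), plus a check for the deny ACEs that the 3750 cannot policy-route. The address ranges, next hops and routing table are constructed assumptions, not anything from the thread.

```python
import ipaddress

# Constructed policy modelled on the INET2 example above; every address here is an assumption.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INET2_ACL = [("deny", n) for n in INTERNAL] + [("permit", ipaddress.ip_network("0.0.0.0/0"))]
PBR_NEXT_HOP = "203.0.113.1"          # second internet connection (assumed, TEST-NET-3)
ROUTING_TABLE = {                     # internal static route plus default to the first ISP (assumed)
    "10.20.0.0/16": "10.1.1.2",
    "0.0.0.0/0": "198.51.100.1",
}

def acl_lookup(acl, dst):
    """First-match ACL evaluation; None stands for the implicit deny at the end."""
    for action, net in acl:
        if dst in net:
            return action
    return None

def table_lookup(table, dst):
    """Longest-prefix match over the routing table; None if no route covers dst."""
    best = max((ipaddress.ip_network(p) for p in table if dst in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen, default=None)
    return table[str(best)] if best else None

def forward(dst_ip, acl=INET2_ACL, next_hop=PBR_NEXT_HOP, table=ROUTING_TABLE):
    """PBR runs before the routing lookup: an ACL permit overrides the table,
    a deny or no match falls through to the static and default routes."""
    dst = ipaddress.ip_address(dst_ip)
    if acl_lookup(acl, dst) == "permit":
        return ("pbr", next_hop)
    return ("table", table_lookup(table, dst))

def pbr_lint_3750(acl):
    """Return the deny ACEs that the thread says a 3750 cannot policy-route (100% CPU)."""
    return [str(net) for action, net in acl if action == "deny"]

if __name__ == "__main__":
    for ip in ("10.20.5.5", "192.168.1.10", "8.8.8.8"):
        print(ip, forward(ip))
    print("deny ACEs a 3750 would reject:", pbr_lint_3750(INET2_ACL))
```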