How to set up multiple VLANs and multiple ISPs on Cisco 2811 - not for redundancy

Posted on 2011-05-02
Last Modified: 2012-05-11
I have a Cisco 2811 with 4 VLANs on it
VLAN 1 = data VLAN
VLAN 10 = Voice VLAN
VLAN 250 = partner company
VLAN 254 = guest

Currently this all works beautifully with one ISP, everyone goes out same interface (FE 0/0), VLAN 254 is rate limited, VLAN 250 is restricted to only certain parts of network, like one server for File/print sharing.

The partner company on VLAN 250 is complaining about our websense so they wanted their own connection.  I ordered a completely separate circuit (on FE 0/1) with 5 static IPs and want to now route VLAN 250 and VLAN 254 over this connection.  With VLAN 250 being still able to connect to certain resources on VLAN 1.

My boss says this is not possible unless I put in complicated policy routing statements and I should just use a linksys router for this new connection.  He says that I cannot have two default routes but I thought I could use route-maps.  I think he's wrong but I'd like ammo to back it up before I go to bat.  Wouldn't I just set up a route-map like

access-list 100 permit ip host any
route-map VLAN-250 permit 10
match ip address 100
set ip default next-hop <new static IP>

Obviously I would also set up an ACL on FE 0/0 to deny to any resources (via ports) except the ones they need, like file/print sharing and I would think an ACL on FE 0/1 to deny VLAN 1 and VLAN 10 from accessing but my boss says that these get applied after the route is set up.

Please experts - HELP!

Question by:atrevido
    LVL 7

    Expert Comment

    Route maps is a good method for the above.

    Another solution is to use Virtual Routing and Forwarding (VRF) where you run multiple routing tables in the router.

    LVL 3

    Accepted Solution


    I do something similar with a cisco router to route my PBX through one ISP and all other hosts through another.

    I use:
    ip access-list extended MATCH_PBX_ACL
      permit ip host any

    route-map PBX_ROUTE-MAP permit 10
      match ip address MATCH_PBX_ACL
      set interface Dialer2

    I've got a default route out of Dialer1, so it's just the IP address listed above that gets routed differently.
    One thing you might not have thought about is NAT. Since I'm only routing a single IP address out of the second ISP connection it's a simple case of static NAT for me.  You will probably need to define a second NAT pool and make sure it gets used on your second connection.

    There's a good example of using route-maps with NAT here:
    LVL 12

    Author Comment

    Would there be an issue with the default route?  Can you show me more of your config so I can see what you mean by you have a separate default route for your Dialer1
    LVL 1

    Expert Comment

    As you see from previous comments, it's certainly possible w/ the route-map.
    However, there's something to be said for your boss's suggestion of another small dedicated router for this new line.  As long as you don't expect to have multiple additional routers springing up, the simplicity of 1 additional router may justify it.
    LVL 3

    Expert Comment


    Would there be an issue with the default route?  Can you show me more of your config so I can see what you mean by you have a separate default route for your Dialer1

    Not much to show really.
    The default route is via Dialer1.  This is a normal, as-simple-as-you-can-get static default route.
    ip route Dialer1


    Obviously, you also have to make sure you apply your route map to the appropriate inside interface.  In my case, this is connected directly to a separate PIX firewall.
    interface FastEthernet0/1
     ip address
     ip nat inside
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     ip policy route-map PBX_ROUTE-MAP
     speed 100


    So traffic entering the router on fa0/1 is subject to policy routing.  If the traffic matches my MATCH_PBX_ACL access-list it is routed differently, otherwise nothing special happens and the default route is used instead.

    Hope this helps,
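    Putting the accepted solution and the follow-up above together for the asker's layout, here is a constructed IOS configuration (an added example, not the asker's or the expert's config): all addresses, the SVI interface names, the server address and the ISP gateways are assumptions, using RFC 1918 and RFC 5737 placeholder space.

```cisco
! Added example (constructed), not the asker's or the expert's configuration.
! Assumptions: ISP1 on Fa0/0 (203.0.113.0/29), ISP2 on Fa0/1 (198.51.100.0/29),
! VLANs as SVIs, inside space 10.0.0.0/16, VLAN 1 = 10.0.1.0/24 with the
! file/print server at 10.0.1.20, partner VLAN 250 = 10.0.250.0/24.
!
! Ingress filter on the partner VLAN. An inbound ACL is checked before PBR,
! so this limits what VLAN 250 may reach regardless of where it is routed.
ip access-list extended VLAN250-IN
 permit tcp 10.0.250.0 0.0.0.255 host 10.0.1.20 eq 445
 permit tcp 10.0.250.0 0.0.0.255 host 10.0.1.20 eq 139
 deny   ip  10.0.250.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip  10.0.250.0 0.0.0.255 any
!
! PBR selector. The deny line keeps traffic for the internal server off the
! policy route; "set ip next-hop" would otherwise push it toward ISP2.
ip access-list extended PBR-ISP2
 deny   ip 10.0.250.0 0.0.0.255 10.0.0.0 0.0.255.255
 permit ip 10.0.250.0 0.0.0.255 any
 permit ip 10.0.254.0 0.0.0.255 any
route-map PBR-ISP2 permit 10
 match ip address PBR-ISP2
 set ip next-hop 198.51.100.1
!
interface Vlan250
 ip address 10.0.250.1 255.255.255.0
 ip access-group VLAN250-IN in
 ip nat inside
 ip policy route-map PBR-ISP2
!
! Outside interfaces; the one ordinary default route still points at ISP1.
interface FastEthernet0/0
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
interface FastEthernet0/1
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Two overload NAT rules keyed on the egress interface, so flows that PBR
! sends out Fa0/1 are translated to ISP2's address, not ISP1's.
ip access-list extended NAT-INSIDE
 permit ip 10.0.0.0 0.0.255.255 any
route-map NAT-ISP1 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/0
route-map NAT-ISP2 permit 10
 match ip address NAT-INSIDE
 match interface FastEthernet0/1
ip nat inside source route-map NAT-ISP1 interface FastEthernet0/0 overload
ip nat inside source route-map NAT-ISP2 interface FastEthernet0/1 overload
```

    The guest SVI (Vlan254) takes the same "ip nat inside" and "ip policy route-map PBR-ISP2" lines; only one default route exists, and the route-map decides per ingress interface which flows leave via ISP2.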

    LVL 12

    Author Closing Comment

    Thanks so much for your help!
