Showing results for 
Search instead for 
Did you mean: 

Cisco 4000 series possibility of using 2 internet links




We have one 4331 cisco vpn router at a site, we are looking for a back up link to be installed from a different ISP provider, so we will have primary and back up internet links from 2 different providers. Can we configure both of these links on the existing 4331 router? Or is additional features needed such as a network card?


Usually in this case I would just order 2 routers as a dual set up with fail over. But I am just wondering if it is in fact possible to perform on one router?


Thanks in advance

1 Reply 1

Rising star
Rising star


Look like your using the ISP link to build the remote site VPN? And would like to study if you could utilize both ISP links to have a resilience purpose.

Indeed, if you have 2 WAN links, but centralized in 1 router. You still got the single point of failure at your router (even through you are paying for two of WAN links), you should evaluate if you / your company accept the risk or not.

First check if you router 4331 have enough Ethernet port to pick up, or actually you could implement "router on a stick" if you have no enough interfaces;

I assume both ISP links should use the different public IP address space, and you could consider to build 2 VPN tunnel over each ISP to your remote site. So that, the traffic passing through the 1st tunnel will utilize 1st ISP, and vice versa. After that, you may configure IP/SLA or running dynamic routing protocol to control the data traffic flowing to which tunnel. (e.g. when 1st tunnel is down, data should flowing through 2nd tunnel).

That's the idea, and below is the configuration reference for router choosing different ISP to build the VPN:

IP address of Your router's ISP A: A.A.A.A (ISP router/gateway: A.A.A.254)
IP address of your router's ISP B: B.B.B.B (ISP router/gateway: B.B.B.254)
remote site VPN gateway: C.C.C.C

ip access-list extended VPN_over_ISP_A
permit icmp A.A.A.A C.C.C.C
permit esp A.A.A.A C.C.C.C
permit udp A.A.A.A C.C.C.C eq 500
permit udp A.A.A.A eq 500 C.C.C.C

ip access-list extended VPN_over_ISP_B
permit icmp B.B.B.B C.C.C.C
permit esp B.B.B.B C.C.C.C
permit udp B.B.B.B C.C.C.C eq 500
permit udp B.B.B.B eq 500 C.C.C.C

route-map LOCAL_POLICY 10 permit
match ip address VPN_over_ISP_A
set ip next-hop A.A.A.254
route-map LOCAL_POLICY 20 permit
match ip address VPN_over_ISP_B
set ip next-hop B.B.B.254
route-map LOCAL_POLICY 30 permit

ip local policy route-map LOCAL_POLICY

crypto isakmp policy 10
enc aes 128
group 14
hash sha1

crypto isakmp key PSK_PASSCODE address C.C.C.C

crypto ipsec transform-set VPN_PHASE2 esp-aes hmac-sha1
mode tunnel

crypto ipsec profile VPN_PROFILE
transform-set VPN_PHASE2

interface tunnel 1
tunnel protection VPN_PHASE2
tunnel source Gi0/1 (e.g. ISP A)
tunnel destination C.C.C.C
tunnel mode ipsec ipv4
<other VPN config is omitted>

interface tunnel 2
tunnel protection VPN_PHASE2
tunnel source Gi0/2 (e.g. ISP B)
tunnel destination C.C.C.C
tunnel mode ipsec ipv4
<other VPN config is omitted>


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: