
01-30-2021 08:09 PM
I've set up dual ISP failover to extend support into the following situation, as opposed to the interface simply going "DOWN".
- If ISP-PRIMARY is having issues but the primary interface Ethernet0/3/0 is still "UP" use IP SLA and tracking to perform failover and failback once ISP-PRIMARY resolves their issue.
I'd appreciate feedback about the configuration below and have the following statements and question(s):
- When PRIMARY is active I cannot ping from BACKUP as a source interface and vice versa due to static routing (I think).
- Because of point 1, when the PRIMARY is down and comes back online, the ip sla ping from the source interface Ethernet0/3/0 doesn't work and therefore failback never happens... That was until I added ip local policy route-map POLICY-IPSLA-IFACE to force icmp echo to the monitored IPs via Ethernet0/3/0.
- Is there a better way to allow the router to source pings from both WAN interfaces all the time or is using the local policy map the only option here? Ideally since the PRIMARY link is DHCP I'd prefer not to have ACL4-IPSLA-IFACE which references hard coded source IP addresses (123.213.132.112) - obviously if the WAN IP ever changed it would break failover.
- I have a dialer watch-list which suffers the same issue - presumably I'd have to set up another local policy map to help Cellular0/2/0 maintain its online state since it loses connectivity (presumably on purpose by the ISP when it's idle) - this is not a huge problem since the interface activates quickly when interesting traffic traverses it, but it would be good to reduce the configuration.
BTW, I'm sure there will be opinions on using Cloudflare and Google DNS for ip sla and I'm happy to update that. I've read that it's suggested to use the gateways of the ISPs but since they are both dynamically assigned I'm not sure I can reliably set them?
object-group network OBJ-NETW-VLAN-DATA
 10.39.99.0 255.255.255.0
!
interface Ethernet0/3/0
 description ISP-PRIMARY
 ! MUST BE ADDED BEFORE "ip address dhcp"!!!
 ip dhcp client route track 3
 ip address dhcp client-id Ethernet0/3/0
 ip nat outside
!
interface Cellular0/2/0
 description ISP-BACKUP
 ip address negotiated
 ip nat outside
!
interface Vlan1
 ip address 10.39.99.254 255.255.255.0
 ip nat inside
!
ip local policy route-map POLICY-IPSLA-IFACE
!
ip nat inside source route-map ISP-PRIMARY interface Ethernet0/3/0 overload
ip nat inside source route-map ISP-BACKUP interface Cellular0/2/0 overload
!
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 128
ip route 0.0.0.0 0.0.0.0 Ethernet0/3/0 dhcp
!
ip access-list extended ACL4-IPSLA-IFACE
 permit icmp host 123.213.132.112 host 1.1.1.1 echo
 permit icmp host 123.213.132.112 host 8.8.8.8 echo
ip access-list extended NAT-CONTROL
 permit ip object-group OBJ-NETW-VLAN-DATA any
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 1.1.1.1 source-interface Ethernet0/3/0
 frequency 5
ip sla schedule 2 life forever start-time now
!
track 1 ip sla 1 reachability
 delay down 10 up 30
!
track 2 ip sla 2 reachability
 delay down 10 up 30
!
track 3 list boolean or
 object 1
 object 2
!
dialer watch-list 1 ip 1.1.1.1 255.255.255.255
!
route-map POLICY-IPSLA-IFACE permit 10
 match ip address ACL4-IPSLA-IFACE
 set ip next-hop dynamic dhcp
 set interface Ethernet0/3/0
!
route-map ISP-PRIMARY permit 10
 match ip address NAT-CONTROL
 match interface Ethernet0/3/0
!
route-map ISP-BACKUP permit 10
 match ip address NAT-CONTROL
 match interface Cellular0/2/0
Accepted Solutions
01-30-2021 09:16 PM
Hi
You have 2 default routes with different AD and that's fine.
However instead of using PBR, I will define a static route going through isp1 for its own ip sla and another static route going through isp2 for its own sla.
For example, if you use 1.1.1.1 and 8.8.8.8 for sla on isp1, I would add static routes for those 2 hosts going always through isp1.
Then you can use 2 other IPs to test isp2 (1.0.0.1 and 8.8.4.4 for example) and add a static route for those through isp2.
If you use Google as your dns you would need to pick other IPs to avoid issues when a failover occurs.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
01-31-2021 05:47 AM - edited 01-31-2021 05:50 AM
Hello
You could use IP SLA tracking with Embedded Event Manager for a possible alternative solution
Example:
interface Ethernet0/3/0
 no ip dhcp client route track 3
!
! Floating Null0 route (AD 2) stops the tracked host from being reached via the
! backup ISP if the primary interface goes down and its host route disappears
ip route 8.8.8.8 255.255.255.255 Null0 2
! Specific static route for the tracked host via the primary ISP (AD 1)
ip route 8.8.8.8 255.255.255.255 Ethernet0/3/0 dhcp
!
ip sla 1
 icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 10 rtr 1 reachability
!
! Probe answers again: move the default route back to the primary ISP
event manager applet default-route-up
 event track 10 state up
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "no ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
 action 1.3 cli command "ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
 action 1.4 cli command "end"
!
! Probe fails: move the default route to the backup ISP
event manager applet default-route-down
 event track 10 state down
 action 2.0 cli command "enable"
 action 2.1 cli command "config t"
 action 2.2 cli command "no ip route 0.0.0.0 0.0.0.0 eth0/3/0 dhcp 1"
 action 2.3 cli command "ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 dhcp 3"
 action 2.4 cli command "end"
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
01-30-2021 09:53 PM
Thanks Francesco,
I'd done this previously.
ip route 1.1.1.1 255.255.255.255 Ethernet0/3/0 name CLOUDFLARE-DNS
ip route 8.8.8.8 255.255.255.255 Ethernet0/3/0 name GOOGLE-DNS
As you mention, the issue here is being unable to use them from BACKUP ISP and using 1.0.0.1 and 8.8.4.4 elsewhere in the config works around that. When I use the local policy route-map it doesn't have that problem.
I'd love someone to chime in and say there is some command that simply allows the router to override routing for the IP SLA or some way to allow the router originated traffic to use both gateways simultaneously.
01-30-2021 10:00 PM
You can have both ISPs working at the same time if you put each of them in a dedicated front VRF.
Then you'll update the default route of your global routing table (your LAN) based on SLA results.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
01-30-2021 10:44 PM
Thanks again, I think I'd be making it more difficult for myself using VRF.
So it looks like using local policy route-map is the way I achieve this. Do you have anything to suggest to avoid having to set the interface IP in the ACL?
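The local-policy approach the poster settled on, combined with Francesco's suggestion of probing each ISP through its own set of targets, written out as an added example (this is not the poster's configuration and not taken from any reply in the thread). It keeps the interface names, SLA numbers and track numbers 1 to 3 from the question and removes the hard-coded WAN address from the ACL: `ip local policy` only ever sees router-originated packets, so an ICMP echo to a probe target can be matched by destination alone and steered out the intended interface whatever address DHCP assigned. The backup-side targets (1.0.0.1 and 8.8.4.4), the `timeout` values, track objects 4 to 6 and the tracked backup default route are my assumptions.

```ios
! --- Steering of probe traffic. Only router-originated packets reach a local
! policy, so matching on destination alone is enough and no WAN address is
! written into the ACL. (Added example, not the thread's own config.)
ip access-list extended ACL4-IPSLA-PRIMARY
 permit icmp any host 1.1.1.1 echo
 permit icmp any host 8.8.8.8 echo
ip access-list extended ACL4-IPSLA-BACKUP
 permit icmp any host 1.0.0.1 echo
 permit icmp any host 8.8.4.4 echo
!
route-map POLICY-IPSLA-IFACE permit 10
 match ip address ACL4-IPSLA-PRIMARY
 set ip next-hop dynamic dhcp
 set interface Ethernet0/3/0
route-map POLICY-IPSLA-IFACE permit 20
 match ip address ACL4-IPSLA-BACKUP
 set interface Cellular0/2/0
! Router-originated traffic matching neither ACL is not policy-routed and
! follows the routing table as usual.
!
ip local policy route-map POLICY-IPSLA-IFACE
!
! --- Probes: two targets per ISP, each sourced from that ISP's interface.
! Assumed backup targets: 1.0.0.1 and 8.8.4.4 (different from the primary ones
! so a failover never changes which link a given target is tested through).
ip sla 1
 icmp-echo 8.8.8.8 source-interface Ethernet0/3/0
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 1.1.1.1 source-interface Ethernet0/3/0
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now
ip sla 3
 icmp-echo 8.8.4.4 source-interface Cellular0/2/0
 timeout 1000
 frequency 5
ip sla schedule 3 life forever start-time now
ip sla 4
 icmp-echo 1.0.0.1 source-interface Cellular0/2/0
 timeout 1000
 frequency 5
ip sla schedule 4 life forever start-time now
!
! --- Tracks: an ISP counts as usable while at least one of its probes answers.
! The asymmetric delay (down 10 s, up 30 s) damps flapping on a marginal link.
track 1 ip sla 1 reachability
 delay down 10 up 30
track 2 ip sla 2 reachability
 delay down 10 up 30
track 3 list boolean or
 object 1
 object 2
track 4 ip sla 3 reachability
 delay down 10 up 30
track 5 ip sla 4 reachability
 delay down 10 up 30
track 6 list boolean or
 object 4
 object 5
!
! --- Default routes: primary from DHCP and tied to track 3 (as in the
! question, the route track line must precede "ip address dhcp"); backup is a
! floating route (AD 128) that is withdrawn if the cellular probes fail too.
interface Ethernet0/3/0
 description ISP-PRIMARY
 ip dhcp client route track 3
 ip address dhcp client-id Ethernet0/3/0
 ip nat outside
interface Cellular0/2/0
 description ISP-BACKUP
 ip address negotiated
 ip nat outside
ip route 0.0.0.0 0.0.0.0 Ethernet0/3/0 dhcp
ip route 0.0.0.0 0.0.0.0 Cellular0/2/0 128 track 6
```

Two things to check after applying it: `show route-map POLICY-IPSLA-IFACE` reports policy-routing match counters per sequence, which should increment for both 10 and 20 while both links are up, and `show ip sla statistics` together with `show track` show which probes are answering. Note that a `set interface` clause is skipped when that interface is down, so a primary probe then falls back to the routing table; that cannot install the primary default route, because the DHCP route needs the interface up, but it is one reason to keep the `delay up 30` rather than flipping back the moment a single probe answers.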

01-31-2021 10:38 PM
Thanks Paul,
I'll try this out. For now though I've marked your and Francesco's posts as the accepted solution as this looks like the only option for services that are dynamically assigned (not static via dhcp) that avoids the IP in an ACL, albeit with different caveats.
Appreciate the help.
01-31-2021 11:57 PM
Dear Sir,
please help with how to configure a dual ILL connection in one Cisco ISR4331/K9 router, Cisco IOS XE Software, Version 16.06.04.
Router LAN IP 192.168.14.1 (Static)
1> ISP BSNL ILL ip details:
WAN IP 172.24.159.241
NIB WAN IP (Default Gateway) 172.24.159.242
Subnet Mask-255.255.255.252
LAN IP-117.197.102.216 to 223
Subnet Mask- 255.255.255.248
2> ISP JIO ILL ip details:
WAN ip pool: 136.232.82.196 (customer end WAN IP: 136.232.82.255.255.255.252 with Default Gateway 136.232.82.197)
LAN ip pool: 136.233.106.216 (usable ip range 136.233.106.217 to 222 with Subnet mask: 255.255.255.248) DNS: 49.45.0.4
Thank You
Jagannath
jagannath.cmcltd@gmail.com
02-01-2021 12:02 AM
Dear Sir,
please help with how to configure auto failover for a dual ISP ILL connection in one Cisco ISR4331/K9 router, Cisco IOS XE Software, Version 16.06.04.
Router LAN IP 192.168.14.1 (Static)
1> ISP BSNL ILL ip details:
WAN IP 172.24.159.241
NIB WAN IP (Default Gateway) 172.24.159.242
Subnet Mask-255.255.255.252
LAN IP-117.197.102.216 to 223
Subnet Mask- 255.255.255.248
2> ISP JIO ILL ip details:
WAN ip pool: 136.232.82.196 (customer end WAN IP: 136.232.82.255.255.255.252 with Default Gateway 136.232.82.197)
LAN ip pool: 136.233.106.216 (usable ip range 136.233.106.217 to 222 with Subnet mask: 255.255.255.248) DNS: 49.45.0.4
Thank You
Jagannath
jagannath.cmcltd@gmail.com
