
Using two ISP internet on a router to achieve load sharing and fail-over, with port forwarding for WEB servers

okoroji80
Level 1

Hello Community Members,

I have a requirement to set up internet connection from two different ISPs.

The two links from the ISPs are expected to be up at the same time, sharing the internet connectivity load.

In addition to this, it's expected that at any point when one of the links fails the other should be able to carry all the traffic put together.

Also, in addition to normal internet users, there are web servers with public presence on the internet, and the servers are not expected to go down because one of the ISPs is down.

How can I achieve the above?

Thanks.

 

Accepted Solution

Hello,

 

for the static NAT failover you need a different route map, one that only matches the interface. Also, I would add an EEM script to clear the NAT translations in case one of the links fails. So here is what I think should work:

 

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0.200
description CONNECTION_TO_ISP2
encapsulation dot1Q 200
ip address xxx.yyy.69.83 255.255.255.240
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.300
description CONNECTION_TO_ISP1
encapsulation dot1Q 300
ip address sss.zzz.16.42 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description CONNECTION_TO_INTERNAL_NETWORK
ip address 172.16.50.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip nat inside source route-map ISP1DIGITAL_NAT interface GigabitEthernet0/0.300 overload
ip nat inside source route-map ISP2ANALOG_NAT interface GigabitEthernet0/0.200 overload
ip nat inside source static 172.16.50.30 sss.zzz.16.45 route-map ISP1_STATIC_NAT
ip nat inside source static 172.16.50.40 sss.zzz.16.46 route-map ISP1_STATIC_NAT
ip nat inside source static 172.16.50.30 xxx.yyy.69.85 route-map ISP2_STATIC_NAT
ip nat inside source static 172.16.50.40 xxx.yyy.69.86 route-map ISP2_STATIC_NAT

!

ip route 0.0.0.0 0.0.0.0 sss.zzz.16.41 track 1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.69.81 2 track 2
!
ip access-list extended INTERNET-ACCESS
permit ip 172.16.50.0 0.0.0.255 any
!
ip sla auto discovery
!
ip sla 1
icmp-echo sss.zzz.16.41 source-ip sss.zzz.16.42
frequency 5
ip sla schedule 1 life forever start-time now

!
ip sla 2
icmp-echo xxx.yyy.69.81 source-ip xxx.yyy.69.83
ip sla schedule 2 life forever start-time now
!
route-map ISP1DIGITAL_NAT permit 10
match ip address INTERNET-ACCESS
match interface GigabitEthernet0/0.300
!
route-map ISP2ANALOG_NAT permit 10
match ip address INTERNET-ACCESS
match interface GigabitEthernet0/0.200
!
route-map ISP1_STATIC_NAT permit 10
match interface GigabitEthernet0/0.300
!
route-map ISP2_STATIC_NAT permit 10
match interface GigabitEthernet0/0.200
!
event manager applet ISP1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation forced"
!
event manager applet ISP2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation forced"
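
Added example (not part of the original post and not Cisco tooling): a small Python check to run over a configuration like the one above before relying on it for failover. It reports route-maps that are defined but never applied, servers that have a static NAT entry toward one ISP but not the other, and track objects with an EEM applet for "down" but none for "up". The sample configuration is constructed from the configurations in this thread, and the function and key names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed from the configurations posted in this thread
# (masked addresses kept as posted). Changed on purpose for the demonstration:
# the ISP2 static entry for 172.16.50.40 is left out, and the
# LAN_INTERNET_POLICY route-map is defined although nothing applies it.
SAMPLE_CONFIG = """\
ip nat inside source route-map ISP1DIGITAL_NAT interface GigabitEthernet0/0.300 overload
ip nat inside source route-map ISP2ANALOG_NAT interface GigabitEthernet0/0.200 overload
ip nat inside source static 172.16.50.30 sss.zzz.16.45 route-map ISP1_STATIC_NAT
ip nat inside source static 172.16.50.40 sss.zzz.16.46 route-map ISP1_STATIC_NAT
ip nat inside source static 172.16.50.30 xxx.yyy.69.85 route-map ISP2_STATIC_NAT
route-map ISP1DIGITAL_NAT permit 10
 match interface GigabitEthernet0/0.300
route-map ISP2ANALOG_NAT permit 10
 match interface GigabitEthernet0/0.200
route-map ISP1_STATIC_NAT permit 10
 match interface GigabitEthernet0/0.300
route-map ISP2_STATIC_NAT permit 10
 match interface GigabitEthernet0/0.200
route-map LAN_INTERNET_POLICY permit 10
 set ip next-hop verify-availability sss.zzz.16.41 1 track 1
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
event manager applet ISP1_DOWN
 event track 1 state down
event manager applet ISP2_DOWN
 event track 2 state down
"""


def audit(cfg):
    """Return consistency findings for a dual-ISP NAT failover config."""
    defined, referenced = set(), set()
    nat_hosts = defaultdict(set)   # static-NAT route-map -> inside hosts
    applets = defaultdict(set)     # track id -> states that trigger an applet
    for line in (raw.strip() for raw in cfg.splitlines()):
        m = re.match(r"route-map (\S+) (?:permit|deny)\b", line)
        if m:                      # a definition, not a use
            defined.add(m.group(1))
            continue
        referenced.update(re.findall(r"\broute-map (\S+)", line))
        m = re.match(r"ip nat inside source static (\S+) \S+ route-map (\S+)", line)
        if m:
            nat_hosts[m.group(2)].add(m.group(1))
        m = re.match(r"event track (\d+) state (up|down)", line)
        if m:
            applets[m.group(1)].add(m.group(2))
    every_host = set().union(*nat_hosts.values())
    return {
        "unused_route_maps": sorted(defined - referenced),
        "undefined_route_maps": sorted(referenced - defined),
        # servers published on one ISP's addresses but not on the other's
        "servers_missing_mapping": {
            rm: sorted(every_host - hosts)
            for rm, hosts in nat_hosts.items() if every_host - hosts
        },
        # an applet fires when the track goes down, none when it comes back up
        "tracks_without_up_applet": sorted(
            t for t, states in applets.items()
            if "down" in states and "up" not in states
        ),
    }


if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```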


19 Replies 19

Hello,

 

the first question is: how are you connected to both ISPs? Are you using BGP, or static routing?

 

I am connected to them using static route.

Hello,

 

if you use two static routes (and provided CEF is enabled, which is the default), the below should provide for redundancy and load balancing. You can verify if that works with the command 'show ip cef':

 

interface GigabitEthernet0/0
description Link to ISP1
ip nat outside
!
interface GigabitEthernet0/1
description Link to ISP2
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip nat inside source route-map ISP1_NAT interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface GigabitEthernet0/1 overload
!
route-map ISP1_NAT permit 10
match ip address 1
match interface GigabitEthernet0/0
!
route-map ISP2_NAT permit 10
match ip address 1
match interface GigabitEthernet0/1
!
access-list 1 permit 192.168.1.0 0.0.0.255

 

 


Hi George,

can you share how I can achieve this using BGP?

How can I go about it to achieve load balance?

I have one connection on BGP and other on static.

Thanks

 

 

Hello

It seems to suggest IP SLA with object tracking would be applicable, which will track an active route/host on the primary ISP path and fail over to the secondary on failure, NAT and PBR on specific internal LAN subnets.

Possible example:

int X/1
description ISP1 Interface

int X/2
description ISP2 Interface

 

int Y/Y
description LAN Interface
ip policy route-map PBR

 

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.20.20.0 0.0.0.255

track 3 list boolean and
object 1
object 2

ip sla 1
icmp-echo (primary wan ip) source-ip (primary wan interface of router)
frequency 5

ip sla 2
icmp-echo (secondary wan ip) source-ip (secondary wan interface of router)
frequency 5


ip sla schedule 1 start-time now  life forever
ip sla schedule 2 start-time now  life forever

track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

 

route-map PBR permit 10
match ip address 1
set ip next-hop (primary link) (secondary link)
set ip next-hop verify-availability (primary link) 1 track 1
set ip next-hop verify-availability (secondary link) 2 track 2

route-map PBR permit 20
match ip address 2
set ip next-hop (secondary link) (primary link)
set ip next-hop verify-availability (secondary link) 1 track 2
set ip next-hop verify-availability (primary link) 2 track 1


ip route 0.0.0.0 0.0.0.0 x.x.x.x name Primary track 3
ip route 0.0.0.0 0.0.0.0 y.y.y.y 200

access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.20.20.0 0.0.0.255 any

route-map LAN permit 10
 match ip address 100
 match interface X/1

route-map LAN2 permit 10
 match ip address 100
 match interface X/2

ip nat inside source route-map LAN interface X/1 overload
ip nat inside source route-map LAN2 interface X/2 overload

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

 

Thanks very much Paul, you are right.

Though my internal LAN is just one leg into the internet router.

However, there's need to do port forwarding for the server farm.

The web servers are assigned internal IPs that are statically NATed to public IPs, making them open for remote connection.

....

What I intend to achieve is this:

1. The two links are to be active at the same time.

2. The users are grouped into A & B:

   User A is to be placed on ISP1

   User B is to be placed on ISP2

3. In the event of the failure of either ISP1 or ISP2, all traffic will be directed to the active link.

4. At the point the servers are using ISP1, they are to be NATed with public IPs from ISP1; the same goes for ISP2.

Hello,

 

in addition to Paul's post, you could implement an EEM script that also clears the NAT translations. So the entire configuration would look like the one below. The static NAT entries, static routes, and NAT statements will be swapped/deleted if one of the routes fails. If you post your actual configuration, we can fill in the necessary bits and pieces based on your real IP addresses...

 

interface FastEthernet0/0
description LAN1
ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface FastEthernet0/1
description LAN2
ip address 192.168.2.1 255.255.255.0

ip nat inside

!

interface GigabitEthernet0/0
description Link to ISP1
ip address 10.10.10.1 255.255.255.252
ip nat outside
!
interface GigabitEthernet0/1
description Link to ISP2
ip address 10.10.10.5 255.255.255.252
ip nat outside
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip nat inside source static tcp 192.168.1.11 80 10.10.10.1 80
ip nat inside source static tcp 192.168.2.11 80 10.10.10.5 80
!
ip nat inside source route-map ISP1_NAT interface GigabitEthernet0/0 overload
ip nat inside source route-map ISP2_NAT interface GigabitEthernet0/1 overload
!
route-map ISP1_NAT permit 10
match ip address 1
match interface GigabitEthernet0/0
!
route-map ISP2_NAT permit 10
match ip address 2
match interface GigabitEthernet0/1
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
ip sla 1
icmp-echo 10.10.10.2 source-ip 10.10.10.1
frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 10.10.10.6 source-ip 10.10.10.5
frequency 5
ip sla schedule 2 life forever start-time now
!
! action labels are zero-padded because EEM runs actions in alphanumeric label order
event manager applet ISP1_DOWN
event track 1 state down
action 01.0 cli command "enable"
action 02.0 cli command "clear ip nat translation forced"
action 03.0 cli command "conf t"
action 04.0 cli command "no ip nat inside source static tcp 192.168.1.11 80 10.10.10.1 80"
action 05.0 cli command "ip nat inside source static tcp 192.168.1.11 80 10.10.10.5 80"
action 06.0 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0"
action 07.0 cli command "no ip nat inside source route-map ISP1_NAT interface GigabitEthernet0/0 overload"
action 08.0 cli command "no access-list 2"
action 09.0 cli command "access-list 2 permit 192.168.1.0 0.0.0.255"
action 10.0 cli command "access-list 2 permit 192.168.2.0 0.0.0.255"
action 11.0 cli command "end"
action 12.0 cli command "wr mem"

!

event manager applet ISP2_DOWN
event track 2 state down
action 01.0 cli command "enable"
action 02.0 cli command "clear ip nat translation forced"
action 03.0 cli command "conf t"
action 04.0 cli command "no ip nat inside source static tcp 192.168.2.11 80 10.10.10.5 80"
action 05.0 cli command "ip nat inside source static tcp 192.168.2.11 80 10.10.10.1 80"
action 06.0 cli command "no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1"
action 07.0 cli command "no ip nat inside source route-map ISP2_NAT interface GigabitEthernet0/1 overload"
action 08.0 cli command "no access-list 1"
action 09.0 cli command "access-list 1 permit 192.168.1.0 0.0.0.255"
action 10.0 cli command "access-list 1 permit 192.168.2.0 0.0.0.255"
action 11.0 cli command "end"
action 12.0 cli command "wr mem"

!

event manager applet ISP1_UP
event track 1 state up
action 01.0 cli command "enable"
action 02.0 cli command "clear ip nat translation forced"
action 03.0 cli command "conf t"
action 04.0 cli command "no ip nat inside source static tcp 192.168.1.11 80 10.10.10.5 80"
action 05.0 cli command "ip nat inside source static tcp 192.168.1.11 80 10.10.10.1 80"
action 06.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0"
action 07.0 cli command "ip nat inside source route-map ISP1_NAT interface GigabitEthernet0/0 overload"
action 08.0 cli command "no access-list 2"
action 09.0 cli command "access-list 2 permit 192.168.2.0 0.0.0.255"
action 10.0 cli command "end"
action 11.0 cli command "wr mem"

!

event manager applet ISP2_UP
event track 2 state up
action 01.0 cli command "enable"
action 02.0 cli command "clear ip nat translation forced"
action 03.0 cli command "conf t"
action 04.0 cli command "no ip nat inside source static tcp 192.168.2.11 80 10.10.10.1 80"
action 05.0 cli command "ip nat inside source static tcp 192.168.2.11 80 10.10.10.5 80"
action 06.0 cli command "ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1"
action 07.0 cli command "ip nat inside source route-map ISP2_NAT interface GigabitEthernet0/1 overload"
action 08.0 cli command "no access-list 1"
action 09.0 cli command "access-list 1 permit 192.168.1.0 0.0.0.255"
action 10.0 cli command "end"
action 11.0 cli command "wr mem"

 

 

 

Below is my config.

 

!
!
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!

!
interface GigabitEthernet0/0.200
description CONNECTION_TO_ISP2
encapsulation dot1Q 200
ip address xxx.yyy.69.83 255.255.255.240
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.300
description CONNECTION_TO_ISP1
encapsulation dot1Q 300
ip address sss.zzz.16.42 255.255.255.248
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description CONNECTION_TO_INTERNAL_NETWORK
ip address 172.16.50.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto

!
ip nat inside source route-map ISP1DIGITAL_NAT interface GigabitEthernet0/0.300 overload
ip nat inside source route-map ISP2ANALOG_NAT interface GigabitEthernet0/0.200 overload
ip nat inside source static 172.16.50.30 sss.zzz.16.45 route-map ISP1DIGITAL_NAT
ip nat inside source static 172.16.50.40 sss.zzz.16.46 route-map ISP1DIGITAL_NAT
ip nat inside source static 172.16.50.30 xxx.yyy.69.85 route-map ISP2ANALOG_NAT
ip nat inside source static 172.16.50.40 xxx.yyy.69.86 route-map ISP2ANALOG_NAT

ip route 0.0.0.0 0.0.0.0 sss.zzz.16.41 track 1
ip route 0.0.0.0 0.0.0.0 xxx.yyy.69.81 2 track 2
!
ip access-list extended INTERNET-ACCESS
permit ip 172.16.50.0 0.0.0.255 any
!
ip sla auto discovery

ip sla 1
icmp-echo sss.zzz.16.41 source-ip sss.zzz.16.42
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo xxx.yyy.69.81 source-ip xxx.yyy.69.83
ip sla schedule 2 life forever start-time now
!
route-map ISP1DIGITAL_NAT permit 10
match ip address INTERNET-ACCESS
match interface GigabitEthernet0/0.300
!
route-map LAN_INTERNET_POLICY permit 10
match ip address INTERNET-ACCESS
set ip next-hop verify-availability sss.zzz.16.41 1 track 1
set ip next-hop verify-availability xxx.yyy.69.81 2 track 2
!
route-map ISP2ANALOG_NAT permit 10
match ip address INTERNET-ACCESS
match interface GigabitEthernet0/0.200
!
!
!



 

Hello Georg,

The solution is OK. However, I noticed that once the connection fails over to a particular ISP, i.e. a user that's using ISP1 as the primary link had to fail over to ISP2 after the primary link failed, the user could not return back to ISP1 when the link is restored.

The overall aim of the solution is to achieve an ACTIVE/ACTIVE FAILOVER on two ISPs.

Thanks.

Hello Georg,

In my own case, I would like to achieve the following:

ISP1 is MTN: 20 Mbps

ISP2 is uspf: 2 Mbps

I want to allow only HTTP and HTTPS traffic to go through ISP2, which has a slower link, while other traffic should go through ISP1. If either ISP1 or ISP2 is down, all traffic should go through the active link.

Here is my script:

track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/1.137
description CONNECTION_TO_MTN_ISP
encapsulation dot1Q 137
ip address 197.210.105.230 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.136
description CONNECTION_TO_ISP2
encapsulation dot1Q 136
ip address 169.101.69.83 255.255.255.248
ip nat outside


interface GigabitEthernet0/2.14
encapsulation dot1Q 136
ip address 192.168.x.x 255.255.255.0
ip nat inside
! won't PBR be enabled on this internal interface?


ip nat inside source route-map NAT_MTNISP2 interface GigabitEthernet0/1.137 overload
ip nat inside source route-map NAT_USPFISP interface GigabitEthernet0/1.136 overload

!
ip route 0.0.0.0 0.0.0.0 197.210.105.229 track 1
ip route 0.0.0.0 0.0.0.0 169.101.69.81 2 track 2
!
ip access-list extended web_traffic
permit tcp 172.16.0.0 0.0.255.255 any eq 80
permit tcp 10.108.0.0 0.0.255.255 any eq 80
permit tcp 192.168.0.0 0.0.255.255 any eq 80
permit tcp 172.17.0.0 0.0.255.255 any eq 80
permit tcp 172.16.0.0 0.0.255.255 any eq 443
permit tcp 10.108.0.0 0.0.255.255 any eq 443
permit tcp 192.168.0.0 0.0.255.255 any eq 443
permit tcp 172.17.0.0 0.0.255.255 any eq 443

 

ip access-list ext other_traffic
permit ip 172.16.0.0 0.0.255.255 any
permit ip 10.108.0.0 0.0.255.255 any
permit ip 192.168.0.0 0.0.255.255 any
permit ip 172.17.0.0 0.0.255.255 any

ip sla auto discovery
!
ip sla 1
icmp-echo 197.210.105.229 source-ip 197.210.105.230
frequency 5
ip sla schedule 1 life forever start-time now
!
ip sla 2
icmp-echo 169.101.69.81 source-ip 169.101.69.83
ip sla schedule 2 life forever start-time now
!
route-map NAT_USPFISP permit 10
match ip address web_traffic
match interface GigabitEthernet0/1.136

route-map NAT_MTNISP2 permit 10
match ip address other_traffic
match interface GigabitEthernet0/1.137
!

!
event manager applet ISP1_DOWN
event track 1 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation forced"
!
event manager applet ISP2_DOWN
event track 2 state down
action 1.0 cli command "enable"
action 2.0 cli command "clear ip nat translation forced"

 

Is there any other thing to add?

Hi Paul driver,

int Y/Y
description LAN Interface
ip policy route-map PBR (the policy routing is only enabled on one LAN interface; what of the other interface?)

access-list 1 permit 10.10.10.0 (this corresponds to the LAN 1 interface, right?)
access-list 2 permit 10.20.20.0 (corresponds to LAN 2, right?)

track 3 list boolean and (track 3 references the objects in track 1 and track 2, right?)
object 1
object 2

In another scenario, where you want to allow HTTP and HTTPS traffic to use ISP2, which is slower, and all other traffic to use ISP1, which is faster, all the config will be the same except that the access-list needs to be modified.

Example:

access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 80

access-list 100 permit tcp 10.10.10.0 0.0.0.255 any eq 443

access-list 100 permit tcp 10.20.20.0 0.0.0.255 any eq 80

access-list 100 permit tcp 10.20.20.0 0.0.0.255 any eq 443

access-list 101 permit ip 10.10.10.0 0.0.0.255 any

access-list 101 permit ip 10.20.20.0 0.0.0.255 any

access-list 1 permit 10.10.10.0 0.0.0.255

access-list 1 permit 10.20.20.0 0.0.0.255

Please advise.

 

 
