Load Balancing/Failover on 1811 w/ 2 ISPs

Answered Question
Sep 5th, 2007

I am trying to set up load balancing and failover over two WAN links on my 1811. One provider is cable and the other is DSL. Each has a modem and no PPPoE/authentication is required. Also I have a single static IP from each ISP. I have a VLAN that is NATted on the 8-port switch portion of the router. So far I have set up 2 static default routes, one for each ISP, and 2 ip nat inside source rules, one for each interface. However, when one link goes down the traffic routed to that interface doesn't switch over to the other unless the cable from the modem to the router is physically down. What do I need to do to set this up? Also, to make things a bit more complicated, I need to set up a VPN tunnel that will fail over from one ISP to the other if one goes down. I have read that OER is one way to do this, but I am a bit lost on how. Or would it be possible to run a routing protocol over the tunnel and have that determine which route is up? I am new to using routing protocols, so details on how to do it would help a ton. Any advice would be greatly appreciated.

markmotors Thu, 09/06/2007 - 06:12

That looks easy enough. Will I be able to use tracking on tunnel interfaces as well for my vpn? Can I setup two tunnels one for each isp interface and then a route that uses tracking for each?

Thanks for the quick response and I will be sure to rate you when I get it work :)

dlandriscinaclg Thu, 10/04/2007 - 16:34

I have the same exact setup as mark. Will this setup work with the VPN tunnel in place even though it's on its own virtual interface and tied to the primary link?

markmotors Thu, 10/04/2007 - 16:58


I have this set up and running now. Here is the simplified version of what I did (with the help of a Cisco pro from Freenode IRC)...

I set up PBR with next hops to make sure all traffic from each interface was using the correct next hop.

2 default routes at the remote, each with tracking (I did my icmp-echos to my central router, because an IDS would probably pick up the random pings)

2 ip nat rules, one for each connection

2 IPsec tunnels using transport mode and IPsec profiles

EIGRP routing over the tunnels, which does VPN load balancing and failover.

Works like a well-oiled machine. If you want more info or a sample config let me know. Also, please rate my post if it helped.
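
The five steps above, written out as one remote-side IOS configuration. This is an added example, not the config markmotors attached later in the thread. It assumes a remote 1811 with cable on FastEthernet0 (192.0.2.10/24, gateway 192.0.2.1), DSL on FastEthernet1 (198.51.100.10/24, gateway 198.51.100.1), an inside LAN on Vlan1 (192.168.10.0/24), a hub with the single public address 203.0.113.5, EIGRP AS 100, and a 12.4T-era image; all addresses are documentation ranges and the pre-shared key is a placeholder.

```cisco
! Added example config for the remote 1811 (not from the thread's attachment).
! Addresses are assumed documentation ranges; replace them with your own.

! --- 1. Reachability probes: ping the hub through each ISP rather than a
! random Internet host, one probe sourced from each WAN interface.
! (Older 12.4 images use "ip sla monitor" / "rtr" and "track 1 rtr 1".)
ip sla 1
 icmp-echo 203.0.113.5 source-interface FastEthernet0
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 203.0.113.5 source-interface FastEthernet1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability

! --- 2. Two tracked default routes. Both are installed while both probes
! succeed (per-destination load sharing); a failed probe withdraws its route
! even when the modem still reports the Ethernet link as up.
ip route 0.0.0.0 0.0.0.0 192.0.2.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2

! --- 3. Local PBR: anything the router itself sources from an ISP address
! (the SLA probes, IKE, ESP) must leave via that ISP's gateway rather than
! whichever default route CEF happens to hash it onto.
ip access-list extended FROM-CABLE
 permit ip host 192.0.2.10 any
ip access-list extended FROM-DSL
 permit ip host 198.51.100.10 any
route-map LOCAL-PBR permit 10
 match ip address FROM-CABLE
 set ip next-hop 192.0.2.1
route-map LOCAL-PBR permit 20
 match ip address FROM-DSL
 set ip next-hop 198.51.100.1
ip local policy route-map LOCAL-PBR

! --- 4. NAT: choose the overload address by the interface the packet exits.
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
interface FastEthernet0
 ip address 192.0.2.10 255.255.255.0
 ip nat outside
interface FastEthernet1
 ip address 198.51.100.10 255.255.255.0
 ip nat outside
ip access-list extended LAN
 permit ip 192.168.10.0 0.0.0.255 any
route-map NAT-CABLE permit 10
 match ip address LAN
 match interface FastEthernet0
route-map NAT-DSL permit 10
 match ip address LAN
 match interface FastEthernet1
ip nat inside source route-map NAT-CABLE interface FastEthernet0 overload
ip nat inside source route-map NAT-DSL interface FastEthernet1 overload
! LAN-to-hub traffic exits via Tunnel0/Tunnel1, which are not "ip nat
! outside", so it is never translated and no NAT exemption ACL is needed.

! --- 5. GRE tunnels protected by IPsec in transport mode via a profile.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
! Placeholder: use a long random secret shared with the hub.
crypto isakmp key REPLACE-WITH-STRONG-PSK address 203.0.113.5
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
! Both tunnels end at the hub's single address; they differ by source.
interface Tunnel0
 ip address 10.255.0.2 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 203.0.113.5
 tunnel protection ipsec profile GRE-PROT
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 tunnel source FastEthernet1
 tunnel destination 203.0.113.5
 tunnel protection ipsec profile GRE-PROT

! --- 6. EIGRP over both tunnels: the hub learns the LAN via both paths and
! drops a path when its neighbor times out, so VPN traffic fails over on
! its own. Adjust "bandwidth"/"delay" on the tunnels to prefer the faster ISP.
router eigrp 100
 network 10.255.0.0 0.0.255.255
 network 192.168.10.0
 no auto-summary
```

The hub side mirrors step 5 with its one public address as tunnel source on both tunnels and 192.0.2.10 / 198.51.100.10 as the two destinations, plus the same EIGRP process. To check each layer after pulling a modem's upstream: `show track` and `show ip sla statistics` for the probes, `show ip route` for which default route survived, `show crypto ipsec sa` for the ESP SAs, and `show ip eigrp neighbors` for the tunnel that stayed up. Note the caveat raised further down the thread: plain GRE ignores `ip local policy` (CSCds24740); markmotors reports that step 3 works for him because the tunnels carry `tunnel protection`, which this example also relies on.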

dlandriscinaclg Thu, 10/04/2007 - 18:03


Thanks for the response. Your situation is definitely more complicated than mine, as I am not running any routing protocols over my one tunnel. Could you please provide a config so I can see what you did? Thanks in advance.

markmotors Thu, 10/04/2007 - 20:16

I will try to get some configs up tomorrow or Monday... Hopefully this will help others with setting up a cheap redundant remote connection.

sergey.klusov Tue, 12/25/2007 - 22:32


what about promised config?

i'm trying to establish similar config and fail to do so.

markmotors Wed, 12/26/2007 - 10:47

Hey, sorry about that... Slipped my mind. I have each of the configs and a network diagram attached. Hope it helps and let me know if it works for ya.

sergey.klusov Wed, 12/26/2007 - 20:34

Tell me, please, are the tunnel destinations for both tunnels the same or different?

And did you set up static route for each destination separately?

markmotors Wed, 12/26/2007 - 21:09

What do you mean? At my main location there is only one internet connection, so the tunnel destination on both tunnel interfaces at the remote are the same. However, at the main location tunnel0 goes to one connection and tunnel1 goes to the other. I have 2 static default routes and I had to setup the route-maps so the correct first hop would be used.

sergey.klusov Wed, 12/26/2007 - 21:18

Well, if you have two default routes and two ISPs on one router, there is no way to make two tunnels to one destination IP work over different routes. I discovered that bug after a week of googling about my problems.

CSCds24740 Bug Details

GRE packets are not subject to local policy routing

Symptom and conditions:

GRE packets are not subject to local policy routing though they are originated by the router itself. I.e. it is expected that in this configuration:

interface Tunnel0
 ip address
 tunnel source Loopback0
 tunnel destination

ip local policy route-map dev

route-map dev permit 10
 set ip precedence critical
 set ip next-hop

GRE packets will receive higher priority and deviate from the normal routing path. But currently GRE-encapsulated packets ignore this policy routing map. So local policy doesn't work for GRE packets.

Maybe your ISP for some reason doesn't filter foreign source IP and packets got delivered to correct destination but over wrong interface and ISP.

markmotors Wed, 01/02/2008 - 11:46

I just talked with my CCIE friend, who gave me some insight on why mine is working. I am using IPSec to protect the tunnel, so the PBR can work. Without the IPSec to go over the GRE I would see this problem.

