Automatic switching of traffic to secondary link

Unanswered Question
Dec 18th, 2007

Hi Experts,

In one of our branch office situated in a different country, we have a primary link which is through the satellite. Our secondary link is a vpn tunnel.

This branch office has a different firewall to that of the head office firewall in which they have their own ISP. The Primary link (VSAT) is through a service provider of satellite links back to our headoffice. At this branch office we have a router that connects to a DTU through the serial interface which connects a 128Kbps LL back to the Service provider which then gets on to the Satellite router to go out to our headoofice. One of the Fast Ethernet interface connects up the LAN switch. The LAN switch then has the Firewall connected to it.

Problem: When there is a failure with the primary link we expect the traffic to switch automatically to the VPN tunnel which is currently configured on the firewall. This does not happen and as such we have to unplug the cable between the router and the DTU for the primary link. When this cable is unplugged then traffic starts diverting to the VPN tunnel through the Firewall out to the internet. The traffic is actually between the headoffice and the branch office. This problem is taking us too long to resolve and it's been around for a year now. I need urgent help from you guys.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ccbootcamp Wed, 12/19/2007 - 00:00

Have you looked at OER and object tracking? (optmized edge routing). Depending on the model# router you have and the version of IOS it's running, that might do the trick for you. Here's some more information on OER:

Here's a dual ISP type config with OER and object based tracking which will give you some insight into the configuration you will need:


(please rate the post if this helps!)

bericaleb Tue, 01/22/2008 - 15:25

thanks for the info.

The router version I have is Cisco IOS Software, 1841 Software (C1841-IPBASE-M), Version 12.4(1c), RELEFTWARE (fc1) with System image file is "flash:c1841-ipbase-mz.124-1c.bin"

The primary link I use is a Telecom serial link. THe VPN tunnel is the secondary link. Is it possible for automatic switching between these two links.


This Discussion