Broadband backup for E1 Circuit using Static Routing

Unanswered Question
Jan 29th, 2009

Greetings, we have an E1 leased line that has experienced several outages due to problems at the local exchange within the last 18 months.

I'm looking at putting in a cheap cable broadband service that will terminate on the same 1841 ISR used by the E1 circuit. In turn this will be used for web traffic so that the leased line is utilised for more important services. It would also be nice to fail over traffic between the two in the event the E1 circuit fails. I don't have the option of using a dynamic routing protocol, so I was looking at route maps.

This is what I have so far.

interface f0/0
 description Connected to ASA Outside Interface
 ip address ***.***.***.***
 ip policy route-map webTraffic

interface f0/1
 description Connected to Cable Broadband Backup
 ip address [insert ip address here]

interface Serial0/0/0
 description Connected to E1 Circuit
 ip unnumbered FastEthernet0/0

ip access-list extended webTraffic
 permit tcp any any eq 80
 permit tcp any any eq 443

route-map webTrafficRoute permit 10
 match ip address name webTraffic
 set ip next-hop [broadband_gateway]

route-map webTrafficRoute permit 20
 ip route s0/0/0

route-map webTrafficRoute permit 30
 ip route f0/1

What I have tried to do here is send all web traffic out via the cable broadband connection and have a default route for email and SIP traffic pointing at the E1 link. In the event it fails, would the second default route kick in and send traffic out via the cable broadband connection?


Richard Burts Thu, 01/29/2009 - 04:51


I have implemented something for a customer that is quite close to what you are trying to do. And it works pretty well. There are several issues with the partial config that you have posted. First you have the ip policy route-map on the wrong interface. You have placed it on the outbound interface, which is sort of logical but is actually incorrect. The ip policy route-map command goes on the interface where the traffic enters the router. You have not posted enough of the config to know what that is.

Also your route map only needs the instance 10 where you are matching web traffic and setting the next hop. You do not need instance 20 or 30, and they would not work to accomplish what it looks like you want, which is to provide failover.

To provide failover you need to configure floating static routes. It might look something like this:

ip route s0/0/0
ip route f0/1 250

The 250 in the floating static route is an administrative distance which results in the behavior that as long as s0/0/0 is available the static route over the serial is used. And if the serial fails (goes protocol down) then its static default route is withdrawn and the static default route over f0/0/0 will be put into the routing table to provide failover.

Another possible issue is whether Address Translation is needed. You have not provided enough information about your environment to be sure whether Address Translation is needed. But most of the time when you are going to send traffic over the cable modem you would want to translate that traffic.

[edit] As I re-read your post I realize that I may not have been clear about what your topology is. I took the comment under f0/0 being the outside interface to mean that it was really the path to outside. And on that basis I said that the route map was on the wrong interface. But thinking about the logic of the other interfaces I realize that it might in fact be the interface to your interior network. In that case the route map is on the correct interface. Perhaps you can provide some clarification about the topology of the network.



exonetinf1nity Thu, 01/29/2009 - 05:44

Thank you for your time Rick, yes F0/0 in this scenario is the inbound interface, F0/1 and S0/0/0 are externally facing although theoretically all interfaces use public addresses in one form or another.

Ideally I would like to utilise the backup connection for web traffic but have it available to handle all traffic in the event the E1 circuit fails.

Please find attached a sample network diagram of the proposed setup.


Richard Burts Thu, 01/29/2009 - 05:57


The drawing is helpful, and does confirm that the ip policy route-map command is on the correct interface.

My comments about the static routes/floating static are still valid.

From the drawing I would assume that your firewall is translating traffic and that is the reason why you did not do address translation on the router. But you need to think for a minute about what will happen when you send traffic out the cable modem and that traffic has a source address associated with the serial link? How would response traffic for web traffic be routed to you? If you fail over and all traffic goes out the cable modem, how will responses be routed back to you if the source address is in the subnet of the serial link?? I believe that you really do need for the router to do address translation on traffic going out the f0/1 interface.



exonetinf1nity Thu, 01/29/2009 - 09:24

Cheers again Rick, yes, didn't think about that, humm, bugger!

How about using a Dynamic Policy NAT rule on the firewall which matches web traffic using the address of the broadband service as the source address?

Richard Burts Thu, 01/29/2009 - 12:54


Since the firewall connects to the router on a single interface, how will the firewall know about the address of the broadband service?

And even if you got that working in normal situations what would happen if the serial fails and the failover is sending all traffic through the cable modem?

When I did a similar implementation I could not find an alternative that worked well other than to do translation on the router.



exonetinf1nity Fri, 01/30/2009 - 03:39

Cheers guys, I'll look at NAT(ing) traffic on the router, the advice is much appreciated.
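
The pieces discussed in this thread (policy routing on the inbound interface, a floating static default, and translation on the router for traffic leaving the broadband interface) put together as one IOS configuration. This is an added example, not a configuration posted by either participant. All addresses are constructed from documentation ranges, the ACL name natToBroadband is hypothetical, and the floating route is assumed to point at the broadband gateway address rather than at the interface alone.

```cisco
! Constructed addresses (documentation ranges), not values from the thread:
!   192.0.2.0/28    public subnet shared by f0/0 and the ASA outside interface
!   203.0.113.2/30  router address on the broadband side, gateway 203.0.113.1
!
! Policy routing is applied on the interface where the traffic enters the router
interface FastEthernet0/0
 description Connected to ASA Outside Interface
 ip address 192.0.2.1 255.255.255.240
 ip nat inside
 ip policy route-map webTrafficRoute
!
! Only this interface is NAT "outside", so traffic leaving via the E1 is not translated
interface FastEthernet0/1
 description Connected to Cable Broadband Backup
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
!
interface Serial0/0/0
 description Connected to E1 Circuit
 ip unnumbered FastEthernet0/0
!
ip access-list extended webTraffic
 permit tcp any any eq 80
 permit tcp any any eq 443
!
! Hypothetical ACL name: sources that must be translated when they leave via f0/1
ip access-list standard natToBroadband
 permit 192.0.2.0 0.0.0.15
!
! A single instance is enough: match web traffic and set the next hop.
! The name here must match the one used in "ip policy route-map" above.
route-map webTrafficRoute permit 10
 match ip address webTraffic
 set ip next-hop 203.0.113.1
!
! Primary default over the E1; withdrawn when the serial goes protocol down
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
! Floating static: administrative distance 250, installed only when the primary is gone
ip route 0.0.0.0 0.0.0.0 203.0.113.1 250
!
! Translate E1-side source addresses to the f0/1 address so replies come back
! over the broadband link, both for policy-routed web traffic and during failover
ip nat inside source list natToBroadband interface FastEthernet0/1 overload
```

After applying it, `show ip route 0.0.0.0`, `show route-map` and `show ip nat translations` confirm which default route is installed, whether the policy is matching packets, and whether sessions leaving f0/1 are being translated. The translation only covers sessions initiated from inside; inbound services addressed to the E1-side subnet are still routed by the provider over the E1.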


