route traffic based on destination IP and create failover routes

Unanswered Question
Jun 2nd, 2010

Hi and thanks for taking the time to read this...

I have 6 branches connected to our Head Office in a star configuration. Each branch has both a T1 and a DSL line connected to an 1841 router. The original idea was that the DSL would act as a failover in the event the T1 goes down, but I'd really like to make more use of the DSL line.

So what I want to do is:
- route all branch traffic with local/internal IP address destinations (192.168.x.x) through the T1  (192.168.x.x is things like email and other business applications)
- route all branch traffic with local/internal IP address destinations (10.10.x.x) through the T1    (10.10.x.x is VOIP)
- route all branch traffic with a few specific IP address destinations (eg and through the T1
- route all branch traffic with other IP address destinations (ie internet) through the DSL
- have the DSL serve as a failover for the T1 and, when this happens, give all the priority to 192.168.x.x and 10.10.x.x traffic and essentially block internet traffic (or make it ultra low priority)
- have the T1 serve as a failover for the DSL, but make sure the internet traffic is low priority

Here is the current configuration for one of our branches
-note: fa0/0 is connected to the DSL, fa0/1 is connected to the T1
-note: IPX routing is no longer required
-note: 192.168.60.x = IP addresses of branch equipment; 192.168.10.x = IP addresses of Head Office equipment

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname NWT_1841
logging buffered 16384 debugging
no logging console
no aaa new-model
resource policy
clock timezone PST -8
clock summer-time PDT recurring 2 Sun Mar 2:00 1 Sun Nov 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip domain list
ip name-server
ip sla monitor 1
 type echo protocol ipIcmpEcho
 timeout 1000
 threshold 2
 frequency 3
ip sla monitor schedule 1 life forever start-time now
ipx routing 0018.19c2.3394
no ftp-server write-enable
track 123 rtr 1 reachability
class-map match-any SHORETEL_VOIP
 match ip dscp ef
 match access-group 102
policy-map SHORETEL_VOIP_POLICY
 class SHORETEL_VOIP
  priority percent 50
 class class-default
  set dscp default
interface FastEthernet0/0
 description Secondary Link to HO Sonicwall
 ip address
 ip helper-address
 no ip mroute-cache
 duplex auto
 speed auto
 no snmp trap link-status
interface FastEthernet0/1
 description Primary Link to HO Bell
 bandwidth 1544
 ip address
 ip helper-address
 speed 10
 ipx encapsulation SAP
 ipx network 2A
 ipx type-20-propagation
 service-policy output SHORETEL_VOIP_POLICY
interface FastEthernet0/0/0
 description Trunk to HP_NWT_2626 Port 24
 switchport mode trunk
 service-policy output SHORETEL_VOIP_POLICY
interface FastEthernet0/0/1
interface FastEthernet0/0/2
interface FastEthernet0/0/3
interface Vlan1
 no ip address
interface Vlan10
 ip address
 ip helper-address
interface Vlan20
 ip address
 ip helper-address
ip local policy route-map FAILOVER-TO-SONICWALL
ip classless
ip route name BELL track 123
ip route 254 name SONICWALL
ip http server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
access-list 101 permit icmp any host echo
access-list 102 remark : Shoretel VOIP ports
access-list 102 permit udp any any eq 2427
access-list 102 permit udp any any eq 2727
access-list 102 permit udp any any range 5440 5446
route-map FAILOVER-TO-SONICWALL permit 10
 match ip address 101
 set interface Null0
 set ip next-hop
line con 0
 login local
line aux 0
line vty 0 4
 session-timeout 60
 transport input telnet
ntp update-calendar
ntp server

So there are basically 2 classes of traffic - business related (192.168.x.x and 10.10.x.x) and non-business (everything else with the exception of three or four specific IP addresses) and within the business related traffic is VOIP and non-VOIP.

Where do I start??

John Blakley Thu, 06/03/2010 - 12:42


You should identify, either by port or destination, the type of traffic that you want to force over which link. Let's say that you just want your internet traffic to go over the DSL, and you want the T1 line to service your LAN traffic:

Supposing the LAN traffic is ONLY addresses:

ip access-list ext LANONLY
 permit ip any

route-map SPLIT permit 10
 match ip address LANONLY
 set interface s0
route-map SPLIT permit 20
 set interface s1

int fa0/0 (internal interface)
 ip policy route-map SPLIT

What this SHOULD do is match all traffic destined for and send it over your T1. Anything that doesn't match should go out the DSL line. Obviously, you may need to nat the traffic that goes out of the DSL side in order for it to get back.



Richard Burts Thu, 06/03/2010 - 16:30


First a couple of details and then the important point:

- You describe the connection as T1. But your configuration has it on fa0/1. How do you get a T1 onto an Ethernet interface?

- I do not understand the logic of your route map which is:

route-map FAILOVER-TO-SONICWALL permit 10
 match ip address 101
 set interface Null0
 set ip next-hop

why are you setting the interface to null0? I thought that you wanted to forward this traffic but you are sending it to the bit bucket.

- Policy Based Routing is the answer to your requirements. John has made a good suggestion, but I will suggest a somewhat different approach.

  + first let us clarify that what you have configured with ip policy local is policy based routing for packets generated by the router itself. But it does nothing for packets sent to the router and the end stations for the router to forward. What you need to do is to configure ip policy on the interfaces on which the traffic arrives (in this case I believe that it is the VLAN interfaces).

  + John's suggestion specifies setting outbound interfaces for both interfaces. I would suggest that you use a default route to make the DSL the favored outbound interface. Then your route map only needs to specify the traffic which you want to go specifically out the other interface. You can then use a floating static default route so that if the DSL fails (the original default route) all traffic will fail over. You will also need to configure Object Tracking (ip sla) to check to verify that the path through the DSL is working and to withdraw the primary default route if the DSL does fail.
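The following is an added skeleton (not posted by John, Rick or the original poster) that puts John's route-map idea and Rick's default-route-plus-floating-static approach together on the poster's 1841. It assumes IOS supports "set ip next-hop verify-availability ... track" (12.3(4)T or later); the gateway addresses 198.51.100.1 (DSL) and 203.0.113.1 (T1) are placeholders, and the existing default routes named BELL and SONICWALL would be replaced by the two below.

```cisco
! Added example, not from the thread. Placeholders: 198.51.100.1 = DSL
! gateway (Sonicwall side), 203.0.113.1 = T1 gateway (Bell side).
!
! Second SLA probe to watch the DSL path; sla 1 / track 123 already
! watch the T1 in the posted config.
ip sla monitor 2
 type echo protocol ipIcmpEcho 198.51.100.1
 timeout 1000
 frequency 3
ip sla monitor schedule 2 life forever start-time now
track 124 rtr 2 reachability
!
! Primary default through the DSL, withdrawn when track 124 goes down;
! floating static (AD 254) through the T1 takes over for everything.
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 124
ip route 0.0.0.0 0.0.0.0 203.0.113.1 254
!
! Business destinations: internal LAN ranges and the VoIP range.
ip access-list extended BUSINESS
 permit ip any 192.168.0.0 0.0.255.255
 permit ip any 10.10.0.0 0.0.255.255
!
! Business traffic is forced to the T1 only while track 123 reports the
! T1 reachable; if it is down the set is skipped and the packet follows
! the routing table, i.e. the DSL default. Internet traffic never
! matches and always uses the routing table.
route-map BUSINESS-VIA-T1 permit 10
 match ip address BUSINESS
 set ip next-hop verify-availability 203.0.113.1 1 track 123
!
! Apply on the interfaces where LAN traffic enters; "ip local policy"
! only affects packets the router itself generates.
interface Vlan10
 ip policy route-map BUSINESS-VIA-T1
interface Vlan20
 ip policy route-map BUSINESS-VIA-T1
```

When both classes end up on one link, the posted SHORETEL_VOIP_POLICY already keeps VoIP ahead of class-default on fa0/1; a matching service-policy on fa0/0 would give the same protection during a T1 outage.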



cscusystems Fri, 06/04/2010 - 10:39

Hi John and Rick,

Thanks for responding to my question...  I inherited this configuration, so I'm not sure why some of the configurations were made (eg setting the interface to null).

The T1 is provided by what Bell calls a LANx - from what I understand, they installed the line and an "anda box" - I use an RJ45 cable to plug fa0/1 into one of the ports on the anda box.

Should I remove the "ip policy local" - it doesn't sound like it is doing much for me?  I already have an "ip sla"  set up on the T1 - can I set another one up to monitor the DSL?  I'm afraid that I don't understand how I would give the business traffic priority over the internet traffic in the event of a failover of either circuit, and I also don't understand John's comment about needing to nat the traffic on the dsl side.

Would you be able to provide me with a skeleton framework of how this would hang together?

Thanks again.


