Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Multihomed router

I have two ISP's, two blocks of public addresses, and one router. The router has 2 WAN 10MB Ethernet cards. ISP-A's router uses RIP so it determines the default route, which I want b/c ISP-A has much greater bandwidth. I also have a static default route w/ a higher cost in case ISP-A goes down.

How can I configure the router so that when ISP-A goes down, traffic

automatically fails over to ISP-B? Keep in mind ISP-A provides a 10MB Ethernet connection to all of our branch offices and ISP-B is a 1.5 SDSL line that I want to setup VPN if ISP-A goes down.

Cisco Employee

Re: Multihomed router

For this router you should just need to apply the same crypto map to ISP-B's interface. If the routing table within this router suddenly sends all traffic out the other interface then if the crypto map is applied to it then the traffic will be encrypted.

You might want to configure a loopback interface on this router with a public IP address and set all other routers up to peer to this address. On this router, use the command:

> crypto map local-address loopback0

to source all the crypto packets from this address rather than the actual interface address (which will cause problems when the interfaces switch over).

Alternatively, on all the peer routers specify the ISP-B interface address as a backup in the crypto map asfollows:

> crypto map 10 ipsec-isakmp

> set trans ESP-3DES

> match address

> set peer

> set peer

ISP-B will only be used if ISP-A is unavailable, which would be if the ISP-A interface went down.

New Member

Re: Multihomed router

Thanks for the quick response. I think what we really want to do is even simplier than we originally thought. The ISP-A interface E0 will connect to other branch offices via the ISPs 10MB Ethernet network. In other words, the IP addresses would be something like,, etc. On the ISP-B interface E1, it's connected to Sprint 1.5MB SDSL and out to the Internet. Therefore, we need to only encrypt the packets going out that interface. I was thinking of just using the following commands:

Ip route (dsl connection interface) 200

(config-if)#backup interface (dsl connection interface)

(config-if)#backup delay 1 60

So if the interface on the ISP-A side fails, then I just want the backup ISP-B interface to wake-up and do it's job until the ISP-A comes back on-line.

Now, currently I'm using multiple static routes on the ISP-A side to connect to the branch offices ISP-A interfaces. Example:

ip route 1

ip route 1

ip route 1

Would it be easier to setup RIP.

Thanks in advance.