New Member

Cisco 2911 Dual ISP route

Hello Guys

We have a Cisco 2911 router that I want to use as a load balancer across two different ISP networks. For example, if the first ISP network goes down, I need the second ISP to take over all routing and provide Internet access.

Here is my scenario:

First ISP: public IP = 155.1555.155.2, gateway = 155.155.155.1

Second ISP: public IP = 40.51.16.9, gateway = 40.51.16.1

Inside network = 192.168.1.0/24

5 REPLIES
Purple

Re: Cisco 2911 Dual ISP route

Hi,

You can try this:

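! Probe 8.8.8.8 every 3 seconds with a 1000 ms timeout
ip sla 1
 icmp-echo 8.8.8.8
 timeout 1000
 frequency 3
ip sla schedule 1 start-time now life forever
!
track 1 ip sla 1
!
! Primary default route, installed only while track 1 is up
ip route 0.0.0.0 0.0.0.0 155.155.155.1 track 1
! Floating backup default route (administrative distance 10)
ip route 0.0.0.0 0.0.0.0 40.51.16.1 10
!
! Router-generated probes to 8.8.8.8 always leave via the primary ISP
! (an extended ACL needs both a source and a destination)
access-list 110 permit icmp any host 8.8.8.8
!
route-map SLA_TRACK permit 10
 match ip address 110
 set ip next-hop 155.155.155.1
 exit
!
ip local policy route-map SLA_TRACK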

On inside interface: ip nat inside

On Outside interface: ip nat outside

access-list 10 permit 192.168.1.0 0.0.0.255
! match ip next-hop takes an access list, not an address;
! ACLs 11 and 12 name the two ISP gateways
access-list 11 permit 155.155.155.1
access-list 12 permit 40.51.16.1
!
route-map PRIMARY permit 10
 match ip address 10
 match ip next-hop 11
!
route-map BACKUP permit 10
 match ip address 10
 match ip next-hop 12
 exit
!
! x/x is the interface going to 155.155.155.1
ip nat inside source route-map PRIMARY interface x/x
! x/x is the interface going to 40.51.16.1
ip nat inside source route-map BACKUP interface x/x

Regards.

Alain

Don't forget to rate helpful posts.
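
A check for the failover part of the configuration in the reply above, as an added example that is not part of the original thread: it parses an IOS config and reports a missing floating backup route, an unscheduled probe, or a probe that is not pinned to the primary next hop. The function name `audit_failover` and the embedded sample config (built from the thread's addresses) are constructed for illustration.

```python
import re

# Constructed sample config, built from the addresses used in this thread.
SAMPLE = """\
ip sla 1
 icmp-echo 8.8.8.8
 timeout 1000
 frequency 3
ip sla schedule 1 start-time now life forever
track 1 ip sla 1
ip route 0.0.0.0 0.0.0.0 155.155.155.1 track 1
ip route 0.0.0.0 0.0.0.0 40.51.16.1 10
access-list 110 permit icmp any host 8.8.8.8
route-map SLA_TRACK permit 10
 match ip address 110
 set ip next-hop 155.155.155.1
ip local policy route-map SLA_TRACK
"""

DEFAULT = r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)"

def audit_failover(config: str) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    m = re.search(DEFAULT + r" track (\d+)\s*$", config, re.M)
    if not m:
        return ["no tracked default route"]
    primary, track_id = m.groups()
    # Backup must be a floating static: other next hop, explicit distance > 1.
    floats = re.findall(DEFAULT + r" (\d+)\s*$", config, re.M)
    if not any(nh != primary and int(ad) > 1 for nh, ad in floats):
        findings.append("no floating backup default route")
    # The track object must point at an SLA probe that exists and is scheduled.
    t = re.search(rf"^track {track_id} ip sla (\d+)", config, re.M)
    sla = t.group(1) if t else None
    if not sla or not re.search(rf"^ip sla {sla}\s*$", config, re.M):
        findings.append("track object has no matching ip sla probe")
    elif not re.search(rf"^ip sla schedule {sla} ", config, re.M):
        findings.append("ip sla probe is never scheduled")
    # Unpinned probes follow the backup route after failover and succeed there,
    # so the primary route is reinstalled over a dead link and the path flaps.
    lp = re.search(r"^ip local policy route-map (\S+)", config, re.M)
    body = ""
    if lp:
        parts = re.split(r"^route-map ", config, flags=re.M)[1:]
        body = "".join(p for p in parts if p.startswith(lp.group(1) + " "))
    if not re.search(rf"set ip next-hop {re.escape(primary)}\s*$", body, re.M):
        findings.append("SLA probe is not pinned to the primary next hop")
    return findings
```

Run it against a saved copy of the running configuration before relying on the backup link.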
New Member

Cisco 2911 Dual ISP route

Hi, I have a question about that setup.

With 2 or more lines set up for load balancing, can you add S2S VPN with load balancing as well?

Bronze

Cisco 2911 Dual ISP route

S2S IPsec is an overlay of your load balancing. If your load balancing works, S2S IPsec will work as well, as long as you use a loopback interface for your crypto map (i.e. crypto map local-address lo0), so that your IPsec is independent of the ISP and will utilize both ISPs.

New Member

Cisco 2911 Dual ISP route

Do you have any example offhand?

Bronze

Cisco 2911 Dual ISP route

On the Cisco 2911:

! Traffic to encrypt: local LAN to remote LAN
ip access-list extended vpn
 permit ip your_lan/x remote_lan_x
!
crypto isakmp key cciesec address vpn_peer_x no-xauth
!
interface Loopback0
 ! make sure that this loopback address is reachable on the Internet
 ip address 4.2.2.2 255.255.255.255
!
crypto isakmp policy 1
 authentication pre-share
 hash sha
 encryption aes 256
 group 5
 lifetime 86400
!
! (not sure about the exact syntax)
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec transform-set tset esp-aes 256 esp-sha-hmac
!
! Source the tunnel from the loopback so it does not depend on either ISP
crypto map vpn local-address Loopback0
!
crypto map vpn 10 ipsec-isakmp
 set peer vpn_peer_x
 set transform-set tset
 set pfs group5
 set security-association lifetime seconds 3600
 match address vpn
!
interface Loopback0
 crypto map vpn
!
interface GigabitEthernet0/0
 ip address ISP1
 crypto map vpn
!
interface GigabitEthernet0/1
 ip address ISP2
 crypto map vpn
