Cisco Support Community
New Member

Fail over with 2 separate WAN providers

There are a lot of ways to do this, but I am looking for ideas on a "best practices" way to accomplish this. Situation: We have approximately 800 users and 50 VPNs that are in use 24x7 and extremely critical (emergency service personnel). We have 2 providers for our Internet, both in the 20 gb/sec + fiber area. Currently we have the network configured so that approximately half the users go out one pipe and the other half go out the other.

The entire LAN/MAN sprawls over approximately a 15 sq mile area and all offices are connected by fiber. Latency is not an issue. The bulk of the employees are located in 2 areas and fairly evenly divided between the two, which are connected via fiber, and each of those 2 areas is the demarc for the WAN connection.

I would appreciate any thoughts on this. I do not need a step by step guide, just some ideas as to what approach would work best for this scenario. I looked at using Active/Active failover on the ASA, but the VPN warnings I read about threw me off that idea.

We currently load balance about half the users by assigning the default gateway to various VLANs, but I need the ability to send all the traffic out one WAN connection in the event that the other goes out. We live in a hurricane alley, so redundancy is not only critical but has a high probability of actually being used.

Thanks in advance for your input.

New Member

For me the best practice is with an ip sla pinging any public ip address or the service provider gateway, if it fails use the backup route.

Kind regards

New Member

Thanks, I was leaning in that direction but thought I would post this in case someone had found a better way.

Hall of Fame Super Silver

Having the picture is helpful. It would be helpful to know if you run a dynamic routing protocol within your network. Also whether you run any dynamic routing protocol with the WAN providers?

I had thought about suggesting configuring HSRP with track for the outbound interface. But with the firewalls that might be difficult to get to work. Though as I think about it I believe that HSRP would give you a good way to fail over if there is a problem on one of the layer 3 switches. And (assuming that there is no dynamic protocol with the providers) that a primary static default route with track/IP SLA and a floating static default route to the other switch might be a way to get what you want.



New Member

Hi Joe,

Even I would suggest using IP SLA and track. Configure an IP SLA to ping the PE IP of the service provider and track the same.

Why don't you try load balancing between the ISP links, so that if one link fails, for sure the traffic will flow on the other?

If you can provide the details of the layer-3 switch used, I can look for any other option.


Sathvik K V
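
The approach suggested in the replies above (an IP SLA probe of the provider gateway, a tracked primary default route, and a floating static default route toward the other switch), written out as an added example that is not from any poster in this thread. It assumes an IOS layer 3 switch with IP SLA support; the addresses (documentation ranges), interface name, and object numbers are hypothetical.

```cisco
! Added example. Addresses are from documentation ranges and the interface
! name is hypothetical; substitute your own.
! Assumed: 203.0.113.1 = provider A gateway (PE) on the local uplink,
!          10.255.0.2  = the other layer 3 switch, which reaches provider B.

! Probe the provider gateway out of the WAN-facing interface every 5 seconds.
ip sla 10
 icmp-echo 203.0.113.1 source-interface GigabitEthernet1/0/1
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 10 life forever start-time now

! The track object follows probe reachability. The delays damp flapping:
! wait 15 s before declaring the path down, 60 s before trusting it again.
track 10 ip sla 10 reachability
 delay down 15 up 60

! Primary default route, installed only while track 10 is up.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10

! Floating static default route: administrative distance 250 keeps it out of
! the routing table until the tracked primary route is withdrawn.
ip route 0.0.0.0 0.0.0.0 10.255.0.2 250
```

The second switch would carry the mirror image of this configuration, pointing at provider B first. `show track 10`, `show ip sla statistics 10` and `show ip route 0.0.0.0` confirm the probe state and which default route is installed; a probe aimed only at the provider gateway detects loss of the local link, not a failure further upstream.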