I am trying to set up load balancing and failover over two WAN links on my 1811. One provider is cable and the other is DSL. Each has a modem, and no PPPoE/authentication is required. Also, I have a single static IP from each ISP. I have a VLAN that is NATted on the 8-port switch portion of the router. So far I have set up 2 static default routes, one for each ISP, and 2 ip nat inside sources, one for each interface. However, when one link goes down, the traffic routed to that interface doesn't switch over to the other unless the cable from the modem to the router is physically down. What do I need to do to set this up? Also, to make things a bit more complicated, I need to set up a VPN tunnel that will fail over from one ISP to the other if one goes down. I have read that OER is one way to do this, but I am a bit lost on how. Or would it be possible to run a routing protocol over the tunnel and have that determine which route is up? I am new to using routing protocols, so details on how to do it would help a ton. Any advice would be greatly appreciated.
That looks easy enough. Will I be able to use tracking on tunnel interfaces as well for my VPN? Can I set up two tunnels, one for each ISP interface, and then a route that uses tracking for each?
Thanks for the quick response, and I will be sure to rate you when I get it working :)
I have the same exact setup as Mark. Will this setup work with the VPN tunnel in place even though it's on its own virtual interface and tied to the primary link?
I have this set up and running now. Here is the simplified version of what I did (with the help of a Cisco pro from the Freenode IRC)...
I set up PBR with next hops to make sure all traffic from each interface was using the correct next hop.
2 default routes at the remote, each with tracking (I did my ICMP echoes to my central router, because an IDS would probably pick up the random pings).
2 ip nat rules, one for each connection.
2 IPsec tunnels using transport mode and IPsec profiles.
EIGRP routing over the tunnel, which does VPN load balancing and failover.
Works like a well-oiled machine. If you want more info or a sample config, let me know. Also, please rate my post if it helped.
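The following is an added example configuration for the remote 1811 that puts the five pieces listed above (tracked default routes, local PBR with next hops, per-ISP NAT, two IPsec-protected GRE tunnels, EIGRP over the tunnels) into one IOS config. It is not the poster's actual config and was not taken from the thread. All addresses are assumptions drawn from documentation ranges: FastEthernet0 is the cable ISP (203.0.113.10/24, gateway 203.0.113.1), FastEthernet1 is the DSL ISP (198.51.100.10/24, gateway 198.51.100.1), Vlan1 is the NATted LAN 192.168.10.0/24, and 192.0.2.10 is the central router's single public address. The pre-shared key and the tunnel /30s are placeholders. The central side needs the mirror image (two tunnels, each with its tunnel destination set to one of the remote's ISP addresses), which is not shown.

```cisco
! Added example (not from the thread). All addresses, names and the PSK
! are assumptions; see the lead-in above.
interface FastEthernet0
 description Cable ISP (assumed 203.0.113.0/24, gateway .1)
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface FastEthernet1
 description DSL ISP (assumed 198.51.100.0/24, gateway .1)
 ip address 198.51.100.10 255.255.255.0
 ip nat outside
!
interface Vlan1
 description NATted LAN (assumed 192.168.10.0/24)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Reachability probes: one per ISP, both toward the central router
! (192.0.2.10, assumed), each sourced from that ISP's own address.
ip sla 1
 icmp-echo 192.0.2.10 source-ip 203.0.113.10
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 192.0.2.10 source-ip 198.51.100.10
 frequency 10
ip sla schedule 2 life forever start-time now
!
! Dampen flaps: fail fast, recover slowly.
track 1 ip sla 1 reachability
 delay down 10 up 30
track 2 ip sla 2 reachability
 delay down 10 up 30
!
! Two default routes; each is withdrawn when its probe fails, which is
! what a plain static route cannot do when only the far side of the
! modem is down.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 track 2
!
! Local PBR: router-originated packets sourced from an ISP address
! (the probes, ISAKMP, ESP) must leave via that ISP's gateway, not via
! whichever default route CEF happens to pick.
ip access-list extended FROM-CABLE
 permit ip host 203.0.113.10 any
ip access-list extended FROM-DSL
 permit ip host 198.51.100.10 any
route-map LOCAL-PBR permit 10
 match ip address FROM-CABLE
 set ip next-hop 203.0.113.1
route-map LOCAL-PBR permit 20
 match ip address FROM-DSL
 set ip next-hop 198.51.100.1
ip local policy route-map LOCAL-PBR
!
! NAT: one rule per ISP, selected by egress interface, so the
! translated source always matches the link the packet leaves on.
ip access-list extended LAN
 permit ip 192.168.10.0 0.0.0.255 any
route-map NAT-CABLE permit 10
 match ip address LAN
 match interface FastEthernet0
route-map NAT-DSL permit 10
 match ip address LAN
 match interface FastEthernet1
ip nat inside source route-map NAT-CABLE interface FastEthernet0 overload
ip nat inside source route-map NAT-DSL interface FastEthernet1 overload
!
! IPsec (transport mode, via an IPsec profile) protecting two GRE
! tunnels, one sourced from each ISP interface.
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-ReplaceMe address 192.0.2.10
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile VPN
 set transform-set TS
!
interface Tunnel0
 description GRE/IPsec over cable
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile VPN
!
interface Tunnel1
 description GRE/IPsec over DSL
 ip address 10.255.0.5 255.255.255.252
 tunnel source FastEthernet1
 tunnel destination 192.0.2.10
 tunnel protection ipsec profile VPN
!
! EIGRP across both tunnels: when an ISP fails, that tunnel's neighbour
! times out and LAN traffic follows the surviving tunnel.
router eigrp 100
 network 10.255.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 passive-interface Vlan1
 no auto-summary
```

Two things to check after applying something like this: "show ip route" should show both defaults while both probes succeed and only one after you unplug a modem's WAN side (not its LAN cable), and "show ip eigrp neighbors" should list one neighbour per tunnel. Probing the central router rather than each ISP's gateway means the track also reacts to an upstream outage beyond the modem, at the cost of the probe traffic the post mentions being visible to an IDS at the central site.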
Thanks for the response. Your situation is definitely more complicated than mine, as I am not running any routing protocols over my 1 tunnel. Could you please provide a config so I can see what you did? Thanks in advance.
I will try to get some configs up tomorrow or Monday... Hopefully this will help others with setting up a cheap redundant remote connection.
Tell me, please, are the tunnel destinations for both tunnels the same or different?
And did you set up a static route for each destination separately?
What do you mean? At my main location there is only one internet connection, so the tunnel destination on both tunnel interfaces at the remote is the same. However, at the main location Tunnel0 goes to one connection and Tunnel1 goes to the other. I have 2 static default routes, and I had to set up the route-maps so the correct first hop would be used.
Well, if you have two default routes and two ISPs on one router, there is no way to make two tunnels to one destination IP work over different routes. I discovered that bug after a week of googling about my problems.
CSCds24740 Bug Details
GRE packets are not subject to local policy routing
Symptom and conditions:
GRE packets are not subject to local policy routing though they are
originated by router itself. I.e. it is expected that in this configuration:
ip address 192.168.2.1 255.255.255.0
tunnel source Loopback0
tunnel destination 192.168.1.2
ip local policy route-map dev
route-map dev permit 10
set ip precedence critical
set ip next-hop 192.168.4.2
GRE packets will receive higher priority and deviate from normal routing path.
But currently GRE-encapsulated packets ignore this policy routing map.
So local policy doesn't work for GRE packets.
Maybe your ISP for some reason doesn't filter foreign source IPs, and the packets got delivered to the correct destination but over the wrong interface and ISP.
I just talked with my CCIE friend, who gave me some insight on why mine is working. I am using IPsec to protect the tunnel, so the PBR can work. Without the IPsec to go over the GRE, I would see this problem.