Setting Up Failover WAN ports of a Cisco Router

If your venue provides a main and backup internet connection with different subnets on each line, it is going to be useful to have the Cisco 4431 or 2921 routers fail over between the two connections if one link goes down.

Our Example Setup

We are assuming here that the rest of your configuration is already working. The two WAN ports should be set with the correct IP addresses and from within the router you should be able to ping the next-hop gateway address of each WAN.

For this example, we are going to use the following setup. This should be adapted to match your setup.

gigabitEthernet0/0/0 is our primary WAN interface. It has an IP address of 192.168.4.252/24 and our next-hop gateway for this interface would be 192.168.4.1. We have also declared it to be an outside NAT interface

interface GigabitEthernet0/0/0
description WAN PRIMARY
ip address 192.168.4.252 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

gigabitEthernet0/0/2 is our secondary WAN interface. It has an IP address of 192.168.2.252/24 and our next-hop gateway for this interface would be 192.168.2.1. We have also declared it to be an outside NAT interface

interface GigabitEthernet0/0/2
description WAN FAILOVER
ip address 192.168.2.252 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

And finally, gigabitEthernet0/0/1 is our LAN interface. It has an IP address of 10.1.10.1/24.

interface GigabitEthernet0/0/1
description LAN
ip address 10.1.10.1 255.255.255.0
ip nat inside
duplex auto
speed auto

Configuration

Firstly we need a way of checking that our connectivity is present. On Cisco this is done using SLA. Once in configuration mode, create an SLA. We are going to create SLA 1 but the number is just an identifier.

ip sla 1

We now need to give it something to check. In this example we want to test that we can ping Google’s DNS servers through gigabitEthernet0/0/0 every 10 seconds, and allow 2000 milliseconds for a response to come back.

icmp-echo 8.8.8.8 source-interface gigabitEthernet0/0/0
frequency 10
! timeout is the time the probe waits for a reply; threshold only marks a probe as "over threshold" in the statistics
timeout 2000
threshold 2000
exit

Now we want to set this check running, and we want it to run all the time, whenever the router is on.

ip sla schedule 1 life forever start-time now

We also want to configure the check so that it does not trigger every time a single ping is lost, as that would result in a very flappy link, flip-flopping constantly between the two uplinks. To do this, we tell the router to react to SLA 1 losing pings only when the last three consecutive pings have been lost. This is a single command, entered on one line.

ip sla reaction-configuration 1 react timeout threshold-type consecutive 3

At the moment we have a test, but nothing is referencing it. We need to attach it to a tracker. In this next command we create tracker 1 and point it at SLA 1, which we have just set up.

track 1 ip sla 1 reachability

The next step is to tell the router how to decide which WAN interface a packet should leave through. We create two route-maps, each matching packets by the interface they will exit from. Because the router knows the IP address of each interface, it can then associate traffic leaving each WAN with the correct NAT translation for that interface.

PRIMARY and FAILOVER in the commands are just friendly names. We will reference them later, but they can be named anything you want.

route-map PRIMARY permit 10
match interface GigabitEthernet0/0/0
exit
route-map FAILOVER permit 10
match interface GigabitEthernet0/0/2
exit

Now we need to tell the router about the NAT pools it should use on each interface, and that it should use the route-maps we have just created to decide which pool to put the traffic into. This means that when response traffic comes in, the router can look in the correct pool to work out which LAN device made the request. Please note that each of these commands is a single continuous line; any wrapping below is just to fit the page. Also note that these should be the only ‘ip nat inside…’ lines in the configuration. If there are others they should be removed. However, you may get an error saying other lines can’t be removed because they are in use. If this is the case, the easiest fix is to continue with this guide, then TFTP the configuration off the router, edit it in a text editor to remove the unwanted lines, and send the updated configuration back.

ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip nat inside source route-map FAILOVER interface GigabitEthernet0/0/2 overload

Finally we need to add the IP routes that actually tell the router where to send traffic. The first one states that traffic to any destination should be sent to the next-hop gateway of gigabitEthernet0/0/0, so long as track 1 is up, meaning as long as we can ping Google.

ip route 0.0.0.0 0.0.0.0 192.168.4.1 track 1

The next route is for when our primary route fails. We are telling the router that if the previous route has been withdrawn because our track has reported that Google isn’t reachable, it should use this route instead. The same logic applies: traffic to any destination is sent to the next-hop gateway of gigabitEthernet0/0/2, but this time we give the route a higher administrative distance (10) so the router won’t prefer it while the primary route is available.

ip route 0.0.0.0 0.0.0.0 192.168.2.1 10

And the third one just tidies up. We always want our ping test to use our primary connection. If we don’t add this line, when the primary link goes down the track will disable the first route and the router will start using the failover route. But at this point Google will become available again, the track will detect this and start trying to use our failed primary link again. This will continue to flip-flop forever. Adding this route means that traffic heading to Google’s DNS server at 8.8.8.8 will always be routed out of the primary interface regardless of whether the link is working or not.

ip route 8.8.8.8 255.255.255.255 192.168.4.1

Remember to save your configuration!
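As an added reference (not part of the original guide), here is the whole failover configuration from the steps above assembled into one block using the guide's addresses. The "delay" line under the tracker and the verification commands at the end are additions of this example, not commands from the original text.

```cisco
! Added example, not from the original guide: the whole failover
! configuration in one block, with the guide's addresses. The "delay"
! line under the tracker and the show commands at the end are additions.
interface GigabitEthernet0/0/0
 description WAN PRIMARY
 ip address 192.168.4.252 255.255.255.0
 ip nat outside
interface GigabitEthernet0/0/2
 description WAN FAILOVER
 ip address 192.168.2.252 255.255.255.0
 ip nat outside
interface GigabitEthernet0/0/1
 description LAN
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
! Probe: ping 8.8.8.8 out of the primary WAN every 10 s, wait up to 2 s
ip sla 1
 icmp-echo 8.8.8.8 source-interface GigabitEthernet0/0/0
 frequency 10
 timeout 2000
 threshold 2000
ip sla schedule 1 life forever start-time now
ip sla reaction-configuration 1 react timeout threshold-type consecutive 3
! Tracker 1 follows the probe; the (added) delay line holds the state for
! 15 s before going down and 30 s before coming back up, so one lost reply
! cannot flip the default route on its own.
track 1 ip sla 1 reachability
 delay down 15 up 30
route-map PRIMARY permit 10
 match interface GigabitEthernet0/0/0
route-map FAILOVER permit 10
 match interface GigabitEthernet0/0/2
ip nat inside source route-map PRIMARY interface GigabitEthernet0/0/0 overload
ip nat inside source route-map FAILOVER interface GigabitEthernet0/0/2 overload
! Primary default route is installed only while track 1 is up; backup has AD 10
ip route 0.0.0.0 0.0.0.0 192.168.4.1 track 1
ip route 0.0.0.0 0.0.0.0 192.168.2.1 10
! Pin the probe target to the primary link so a dead primary is never
! "rediscovered" through the backup, which would flap the routes
ip route 8.8.8.8 255.255.255.255 192.168.4.1
! Verification (exec mode):
! show ip sla statistics 1   - success/failure counts and last return code
! show track 1               - reachability Up/Down and change count
! show ip route 0.0.0.0      - which default route is currently installed
! show ip nat translations   - confirm translations use the active WAN
```

To confirm failover works, watch `show track 1` while the primary gateway is unreachable: the state should go Down after the delay and the backup default route should appear in `show ip route 0.0.0.0`.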

Editing SLAs

It isn’t possible to edit SLAs whilst they are in use. The simplest way around this is to remove the SLA entirely, then add it again with the desired changes. If you do this you also need to restart the schedule for the SLA to get it to run again.

no ip sla 1
ip sla 1
! re-enter the SLA parameters you need here (icmp-echo, frequency, timeout, threshold ...)
exit
ip sla schedule 1 life forever start-time now
