How to set up Internet connection (WAN) failover in Cisco IOS

This technique makes a Cisco router monitor connectivity to an IP address, over the primary connection and switch to using a backup gateway if the primary were to fail. The common network set up for this is as follows:

In essence, the Cisco router is connected via a leased line directly to the ISP’s off site router. The Cisco router can also be connected to the Internet, via an on site DSL modem, as a backup.

This tutorial assumes that you already have your interfaces configured and it is possible for the router to ping both your primary and backup gateways.

First we’ll configure our two default gateways. Delete any existing default gateways you have, as follows:

  1. no ip route 0.0.0.0 0.0.0.0

Lets say our primary is 3.3.3.3 and our backup is 99.99.99.99. Add your two routes as follows:

  1. ip route 0.0.0.0 0.0.0.0 3.3.3.3 1 track 1
  2. ip route 0.0.0.0 0.0.0.0 99.99.99.99 254 name DSL_Backup

This adds a tracked route with a metric of 1 and an additional route with a metric of 254. The routing table will use the route with the lowest metric by default (i.e. the primary).

Next, add an ip sla entry to monitor the connection. This will ping a given IP address every 10 seconds. I recommend using the IP address of the next hop (i.e. “ISP’s Router” in the above diagram) as this monitor IP, providing it accepts pings. In this example, we’ll use 50.50.50.50. The 123 is just a numerical identifier for the SLA. This can be whatever you want, within the allowed range.

  1. ip sla 123
  2. icmp-echo 50.50.50.50 source-interface FastEthernet0/0
  3. frequency 10

Now, add an sla schedule so that your sla starts now and runs forever.

  1. ip sla schedule 123 life forever start-time now

Finally, we’ll add a track entry for the SLA to cause the gateway switch to happen:

  1. track 1 rtr 123 reachability

You should now have connectivity through your primary gateway. You can monitor the SLA using this command:

  1. show ip sla statistics 123

This will show you the  “Number of successes” and “Number of failures” the sla had.

Using this command, you can see the current default gateway (gateway of last resort):

  1. show ip route

It should be your primary gateway. Disrupt the primary connection such that it is unable to reach the monitor IP address. Within 10 seconds, the gateway of last resort as shown by the above command will have changed to your backup gateway. Reconnect the primary connection and it will have switched back again.