Network Guys


Configuring a fallback for default-route on a Cisco router

This was a request from one of my customers. I had invested a lot of time in bringing the site-to-site VPN up over both WAN uplinks with EIGRP metrics and so on, but there is a much simpler way to configure an automatic default-route fallback that solves the problem when the primary WAN link fails:

We configure an IP SLA operation that sends an ICMP echo every three seconds to a target of our choice (for example the central-office router). The target must only be reachable through the primary uplink: if it can also be reached through the backup link, the probe will succeed again after the failover and the track will flap back up. A host route for the target via the primary next hop takes care of that.

ip sla 10
 ! the target address is omitted in the original; use the central-office router or another host that is only reachable via the primary uplink
 icmp-echo <target-ip>
 timeout 1000
 threshold 2
 frequency 3

ip sla schedule 10 life forever start-time now

Now we define a track object that follows the reachability of this probe. The track must reference the same IP SLA number (10 in this example):

track 10 rtr 10 reachability

Edit: on IOS 15.x the keyword is ip sla instead of rtr:

track 10 ip sla 10 reachability

The default route via the primary WAN uplink is only installed while the target is reachable; as soon as the ICMP echo fails, the track goes down, the route is withdrawn and the router falls back to the secondary WAN link (a dialer interface in this example). So we add a second default route out of the dialer interface with a higher administrative distance (200) so that it floats below the tracked route:

! the next-hop address of the primary uplink is omitted in the original
ip route 0.0.0.0 0.0.0.0 <wan1-next-hop> track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200

To be on the safe side we also configure NAT overload on both interfaces, with a separate access list per uplink. The addresses of the original lists are not reproduced here; the deny entries exempt the traffic that belongs inside the VPN from translation and the permit entry covers the rest of the LAN. For this to take effect the LAN interface needs ip nat inside and both WAN interfaces need ip nat outside:

ip access-list extended tonat_wan1
 remark addresses are omitted in the original: deny the VPN destinations, permit the LAN towards everything else
 deny   ip any <vpn-subnet-1> <wildcard>
 deny   ip any <vpn-subnet-2> <wildcard>
 deny   ip any <vpn-subnet-3> <wildcard>
 permit ip <lan-subnet> <wildcard> any

ip access-list extended tonat_wan2
 deny   ip any <vpn-subnet-1> <wildcard>
 deny   ip any <vpn-subnet-2> <wildcard>
 deny   ip any <vpn-subnet-3> <wildcard>
 permit ip <lan-subnet> <wildcard> any

ip nat inside source list tonat_wan1 interface FastEthernet0 overload

ip nat inside source list tonat_wan2 interface Dialer1 overload

The list names must match the access lists defined above, otherwise the NAT rule silently matches nothing. Keep in mind that IOS applies the first NAT rule whose access list matches the packet, regardless of the interface the packet actually leaves through; if both lists permit the same traffic, the translations will not follow the failover. The robust form is one route-map per uplink with match ip address and match interface, and existing translations should be cleared (clear ip nat translation *) when the track changes state.

You can also bind your VPN crypto map to both WAN uplinks so that the VPN fails over as well. Remember to configure "ip tcp adjust-mss 1452" on the internal LAN interface; otherwise browsing to web servers on the internet will not work once the traffic flows over the dialer interface with its smaller MTU (1492 bytes minus 40 bytes of IP and TCP headers).
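As an added example that is not part of the original post, the following Python script parses a configuration in the shape described above and checks that the chain from IP SLA probe to track object to floating default routes to NAT access lists is consistent. The embedded configuration is constructed for this example with RFC 5737 documentation addresses; the probe target 198.51.100.10, the primary next hop 203.0.113.1, the LAN 192.168.10.0/24, the remote subnet 10.0.0.0/8, the host route for the probe target and the list names tonat_wan1/tonat_wan2 are all assumptions. The sample keeps the per-uplink access lists of the post on purpose, so the check reports the one warning that form deserves; BROKEN_CONFIG re-introduces the kind of slips the check is meant to catch.

```python
import re

# Constructed example config (RFC 5737 addresses, made-up LAN and remote subnets): assumptions only.
SAMPLE_CONFIG = """
ip sla 10
 icmp-echo 198.51.100.10 source-interface FastEthernet0
 frequency 3
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
ip route 198.51.100.10 255.255.255.255 203.0.113.1
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip access-list extended tonat_wan1
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended tonat_wan2
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list tonat_wan1 interface FastEthernet0 overload
ip nat inside source list tonat_wan2 interface Dialer1 overload
"""

# Same config with three slips: a track pointing at a probe that does not exist, a NAT rule
# naming an undefined ACL, and no host route pinning the probe target to the primary uplink.
BROKEN_CONFIG = (SAMPLE_CONFIG.replace("track 10 ip sla 10", "track 10 rtr 1")
                 .replace("list tonat_wan2 ", "list tonat_secondary_wan ")
                 .replace("ip route 198.51.100.10 255.255.255.255 203.0.113.1\n", ""))


def parse_ios(config):
    # Pull the IP SLA, track, static-route and NAT pieces out of running-config text.
    c = {"slas": {}, "scheduled": set(), "tracks": {}, "defaults": [],
         "host_routes": {}, "acls": {}, "nat_rules": []}
    section = None  # ("sla", id) or ("acl", name) while inside an indented block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if raw.startswith(" ") and section:  # body line of the current block
            if section[0] == "acl":
                c["acls"][section[1]].append(" ".join(line.split()))
            elif m := re.match(r"icmp-echo (\S+)", line):
                c["slas"][section[1]] = m.group(1)
            continue
        section = None
        if m := re.match(r"ip sla (\d+)$", line):
            section = ("sla", int(m.group(1)))
            c["slas"].setdefault(section[1], None)  # None until icmp-echo is seen
        elif m := re.match(r"ip sla schedule (\d+)", line):
            c["scheduled"].add(int(m.group(1)))
        elif m := re.match(r"track (\d+) (?:ip sla|rtr) (\d+) reachability", line):
            c["tracks"][int(m.group(1))] = int(m.group(2))
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (.+)", line):
            tok = m.group(1).split()  # <next-hop or interface> [distance] [track N]
            route = {"via": tok[0], "distance": 1, "track": None}
            if len(tok) > 1 and tok[1].isdigit():
                route["distance"] = int(tok[1])
            if "track" in tok:
                route["track"] = int(tok[tok.index("track") + 1])
            c["defaults"].append(route)
        elif m := re.match(r"ip route (\S+) 255\.255\.255\.255 (\S+)", line):
            c["host_routes"][m.group(1)] = m.group(2)
        elif m := re.match(r"ip access-list extended (\S+)", line):
            section = ("acl", m.group(1))
            c["acls"][section[1]] = []
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            c["nat_rules"].append((m.group(1), m.group(2)))
    return c


def check_failover(config):
    """Return findings for the SLA -> track -> route -> NAT chain (empty = consistent)."""
    c, out = parse_ios(config), []
    tracked = [r for r in c["defaults"] if r["track"] is not None]
    floating = [r for r in c["defaults"] if r["track"] is None]
    primary_hops = {r["via"] for r in tracked}
    for sla_id, target in c["slas"].items():
        if target is None:
            out.append(f"ip sla {sla_id}: no icmp-echo target, the probe never runs")
        elif target not in c["host_routes"] and target not in primary_hops:
            out.append(f"ip sla {sla_id}: target {target} has no host route via the primary uplink; "
                       "after failover the probe succeeds via the backup and the track flaps")
        if sla_id not in c["scheduled"]:
            out.append(f"ip sla {sla_id}: not scheduled")
    for track_id, sla_id in c["tracks"].items():
        if sla_id not in c["slas"]:
            out.append(f"track {track_id}: references ip sla {sla_id}, which is not defined")
    for b in floating:
        for p in tracked:
            if b["distance"] <= p["distance"]:
                out.append(f"backup route via {b['via']} (AD {b['distance']}) does not float "
                           f"above the primary via {p['via']} (AD {p['distance']})")
    bodies = {}  # ACL body -> egress interface of the first NAT rule that uses it
    for acl, egress in c["nat_rules"]:
        if acl not in c["acls"]:
            out.append(f"NAT rule for {egress}: access-list {acl} is not defined")
        elif (body := tuple(c["acls"][acl])) in bodies:
            out.append(f"NAT rules for {bodies[body]} and {egress} use identical access-lists; IOS applies "
                       "the first rule whose ACL matches regardless of egress interface, so use a route-map per uplink")
        else:
            bodies[body] = egress
    return out
```

Paste a real running-config into check_failover() to get the same findings. The host-route check matters because once the tracked default route has been withdrawn, a probe without its own route would leave through the backup link, succeed, bring the primary route back, and the router would oscillate between the two uplinks.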
