Cisco IOS cheat sheet for ISP connectivity: dual-ISP failover without BGP (IP SLA + tracking), dynamic NAT switching, multihomed BGP with two CE routers, PPPoE client, and Policy-Based Routing (PBR).
IP SLA: Availability Monitoring
Used to detect ISP link failure and trigger route switching.
IP SLA: Method 1 (modern IOS)
| Command | Description |
|---|---|
| ip sla 1 | Create SLA probe 1 |
| icmp-echo 20.0.1.2 source-interface e0/2 | Ping ISP1 next-hop from interface e0/2 |
| frequency 10 | Probe every 10 seconds |
| ip sla schedule 1 start-time now life forever | Start probe immediately, run indefinitely |
| track 1 ip sla 1 reachability | Track object 1 = SLA 1 reachability |
| ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1 | Use ISP1 as default when probe succeeds |
| ip route 0.0.0.0 0.0.0.0 3.3.3.3 10 | Fallback to ISP2 with higher AD (10) when probe fails |
| show track 1 | Show tracking object status |
IP SLA: Method 2 (legacy IOS)
| Command | Description |
|---|---|
| ip sla monitor 1 | Create SLA monitor |
| type echo protocol IpIcmpEcho 20.0.1.2 source-interface e0/2 | ICMP echo probe |
| frequency 10 | Probe every 10 seconds |
| ip sla monitor schedule 1 life forever start-time now | Activate probe |
| track 1 rtr 1 reachability | Track SLA reachability (legacy syntax) |
You can monitor an external resource instead of the ISP next-hop, but then you must route traffic to that resource exclusively through ISP1 to get accurate results:
ip route 85.202.241.71 255.255.255.255 <isp1-next-hop>
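The pinning requirement above can be checked mechanically. The following is an added example, not part of the original cheat sheet: a small Python audit of an IOS configuration for the tracked-default-route pattern. `audit_failover` and the sample configuration are hypothetical and constructed here, and a probe target counts as the ISP next-hop only if it equals the tracked route's next-hop address.

```python
import re

# Constructed sample built from the commands above. The probe targets an
# external host, and the /32 route pinning it to ISP1 is deliberately missing.
SAMPLE = """\
ip sla 1
 icmp-echo 85.202.241.71 source-interface e0/2
 frequency 10
ip sla schedule 1 start-time now life forever
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 2.2.2.2 track 1
ip route 0.0.0.0 0.0.0.0 3.3.3.3 10
"""

def audit_failover(config):
    """Return findings for IP SLA tracked default routes (hypothetical helper)."""
    probes = dict(re.findall(r"^ip sla (\d+)\n\s+icmp-echo (\S+)", config, re.M))
    scheduled = set(re.findall(r"^ip sla schedule (\d+) ", config, re.M))
    tracks = dict(re.findall(r"^track (\d+) ip sla (\d+) reachability", config, re.M))
    routes = re.findall(r"^ip route (\S+) (\S+) (\S+)(.*)$", config, re.M)
    # Default routes that depend on a track object: (next-hop, track id).
    tracked = [(nh, m.group(1)) for net, mask, nh, rest in routes
               if net == mask == "0.0.0.0" and (m := re.search(r"\btrack (\d+)", rest))]
    # Untracked default routes with an explicit administrative distance.
    floating = [nh for net, mask, nh, rest in routes
                if net == mask == "0.0.0.0" and re.fullmatch(r"\s+\d+", rest)]
    # Host routes that force a destination through a given next-hop.
    pinned = {net: nh for net, mask, nh, rest in routes if mask == "255.255.255.255"}
    findings = []
    for nh, tid in tracked:
        sla = tracks.get(tid)
        if sla is None or sla not in probes:
            findings.append(f"track {tid}: no IP SLA probe bound")
            continue
        if sla not in scheduled:
            findings.append(f"ip sla {sla}: probe never scheduled")
        target = probes[sla]
        # An external target must be forced through the tracked ISP, otherwise
        # the probe can succeed over the backup link and hide the failure.
        if target != nh and pinned.get(target) != nh:
            findings.append(f"ip sla {sla}: target {target} not pinned via {nh}")
        if not floating:
            findings.append(f"track {tid}: no floating backup default route")
    return findings

if __name__ == "__main__":
    print(audit_failover(SAMPLE))
```
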
Dynamic NAT Failover (Single CE, Dual ISP)
Problem: each ISP allows NAT only from the IP it assigned. With two ISPs and one router, NAT rules must switch automatically.
NAT for ISP1
| Command | Description |
|---|---|
| route-map ISP1 permit 10 | Match traffic exiting via ISP1 interface |
| match interface e0/1 | ISP1 outbound interface |
| ip nat pool ovrld 217.145.14.4 217.145.14.4 netmask 255.255.255.0 | ISP1 public IP pool |
| ip nat inside source route-map ISP1 pool ovrld overload | NAT with route-map: translates to ISP1 IP when ISP1 is active |
NAT for ISP2
| Command | Description |
|---|---|
| route-map ISP2 permit 10 | Match traffic exiting via ISP2 interface |
| match interface e0/2 | ISP2 outbound interface |
| ip nat pool ovrld2 147.54.76.4 147.54.76.4 netmask 255.255.255.0 | ISP2 public IP pool |
| ip nat inside source route-map ISP2 pool ovrld2 overload | NAT to ISP2 IP when ISP2 is active |
With two routers (HSRP/VRRP): no route-map needed. Each router handles its own NAT; FHRP determines which router is active.
BGP Multihomed: Dual CE Routers
When both CE routers advertise the same PI prefix to two ISPs, return traffic may arrive via the wrong CE (breaking NAT). Solution: the standby CE conditionally suppresses its advertisement when the primary ISP is reachable.
Conditional Advertisement (Standby CE)
| Command | Description |
|---|---|
| ip prefix-list NONEXIST seq 5 permit 1.2.3.0/24 | Match the special route advertised by primary ISP (health signal) |
| ip prefix-list our-network seq 5 permit 147.45.67.34/24 | Our PI address block |
| route-map NONEXIST_MAP permit 10 | Trigger: fires when health signal route exists |
| match ip address prefix-list NONEXIST | Match the health signal |
| route-map ournets permit 100 | Always-permit route-map for our prefix |
| match ip address prefix-list our-network | Match our PI block |
| router bgp 65100 | Enter BGP context |
| neighbor 132.56.43.21 route-map ournets out | Advertise our prefix to backup ISP |
| neighbor 132.56.43.21 advertise-map ournets non-exist-map NONEXIST_MAP | Only advertise our prefix to backup ISP when health signal is ABSENT |
PPPoE Client Configuration
Step 1: Create Dialer Interface
| Command | Description |
|---|---|
| interface Dialer1 | Create Dialer interface |
| ip address negotiated | Get IP from ISP via PPPoE |
| ip mtu 1492 | Set MTU to PPPoE max (1500 - 8 byte overhead) |
| ip nat outside | Mark as NAT outside |
| encapsulation ppp | Use PPP encapsulation |
| dialer pool 1 | Assign to dialer pool 1 |
| ppp authentication chap callin | CHAP authentication toward ISP |
| ppp chap hostname Maycal | PPPoE username |
| ppp chap password 0 Ghd%4gdns | PPPoE password (`0` = value entered as cleartext) |
Step 2: Bind Physical Interface to Dialer Pool
| Command | Description |
|---|---|
| interface FastEthernet0/1 | Physical interface toward ISP |
| pppoe-client dial-pool-number 1 | Link physical interface to Dialer1 via pool 1 |
Step 3: Default Route and NAT
| Command | Description |
|---|---|
| ip route 0.0.0.0 0.0.0.0 dialer 1 | Default route through Dialer interface |
| access-list 1 permit 192.168.0.0 0.0.255.255 | Define private IP range for NAT |
| ip nat inside source list 1 interface dialer 1 overload | PAT: translate to Dialer interface IP |
Policy-Based Routing (PBR)
Route traffic based on source IP, destination, or protocol, overriding the normal routing table.
PBR Configuration
| Command | Description |
|---|---|
| ip access-list extended CTRL-ACL | Create ACL to match traffic for PBR |
| permit ip host 192.168.1.2 any | Match traffic from specific host |
| route-map CONTROL-RM | Create route-map for PBR |
| match ip address CTRL-ACL | Trigger when ACL matches |
| set ip next-hop 10.0.2.1 | Override next-hop for matched traffic |
| int fa0/1 | Interface facing the end user |
| ip policy route-map CONTROL-RM | Apply PBR route-map on the interface |
PBR Diagnostics
| Command | Description |
|---|---|
| show route-map | Show route-map configuration |
| show ip policy | Interfaces with PBR applied |
| debug ip policy | Real-time PBR matching output |