
BGP Prepending, HSRP, PBR & IP SLA: Building a Bulletproof Failover Architecture

March 3, 2026 · 7 min read

Overview

When a client has two ISP links and needs automatic failover, most engineers reach for just one tool. The real-world answer is a combination of four: BGP prepending (influence inbound traffic), HSRP (gateway redundancy), PBR (steer outbound traffic), and IP SLA (detect failure and trigger changes). Together they give you deterministic, sub-minute failover in both directions.

This guide walks through a dual-ISP setup where ISP-A is primary and ISP-B is standby, with full automatic switchover.


Topology

Topology diagram: Dual-ISP failover (BGP + HSRP + PBR + IP SLA)

  - ISP-A (Primary): 203.0.113.0/30
  - ISP-B (Backup): 198.51.100.0/30
  - RTR-A (Edge Router): BGP AS 65001 · PBR · IP SLA
  - Core Switch: HSRP VIP 10.10.10.254 (Primary, Standby); LAN
  - IP SLA probes both ISP gateways: Track 1 → ISP-A · Track 2 → ISP-B
  - PBR: verify-availability per track
  - HSRP: track 1 decrement 30

Step 1 — BGP Prepending for Inbound Traffic Control

BGP prepending makes your AS-path artificially longer on the backup link, so remote ISPs prefer the primary path inbound.

Configure BGP on the Edge Router

```cisco
router bgp 65001
 bgp router-id 203.0.113.2
 bgp log-neighbor-changes
 !
 ! ISP-A - Primary peer
 neighbor 203.0.113.1 remote-as 64496
 neighbor 203.0.113.1 description ISP-A-PRIMARY
 neighbor 203.0.113.1 route-map RM-ISP-A-OUT out
 neighbor 203.0.113.1 route-map RM-ISP-A-IN in
 !
 ! ISP-B - Backup peer
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description ISP-B-BACKUP
 neighbor 198.51.100.1 route-map RM-ISP-B-OUT out
 neighbor 198.51.100.1 route-map RM-ISP-B-IN in
 !
 ! Advertise your public prefix
 network 203.0.113.0 mask 255.255.255.0
```

Route Maps — Prepend on ISP-B Outbound Advertisement

```cisco
! Define prefix list for your block
ip prefix-list PL-MY-BLOCK permit 203.0.113.0/24

! ISP-A: advertise normally (preferred inbound)
route-map RM-ISP-A-OUT permit 10
 match ip address prefix-list PL-MY-BLOCK
 ! No prepend — clean path, ISPs prefer this

! ISP-B: prepend 3x to make inbound traffic avoid this path
route-map RM-ISP-B-OUT permit 10
 match ip address prefix-list PL-MY-BLOCK
 set as-path prepend 65001 65001 65001

! Accept defaults from both ISPs with local-preference to control outbound
route-map RM-ISP-A-IN permit 10
 set local-preference 200
route-map RM-ISP-B-IN permit 10
 set local-preference 100
```

Tip: local-preference controls outbound path preference within your AS. Higher = preferred. 200 on ISP-A means all outbound traffic uses it by default.


Step 2 — IP SLA to Detect ISP Failure

IP SLA probes each ISP gateway every 5 seconds. When the ISP-A probe fails, the track object tied to it goes down, which withdraws the primary default route and forces BGP/PBR to use ISP-B.

```cisco
! Probe ISP-A gateway
ip sla 1
 icmp-echo 203.0.113.1 source-interface GigabitEthernet0/0
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 1 life forever start-time now

! Probe ISP-B gateway
ip sla 2
 icmp-echo 198.51.100.1 source-interface GigabitEthernet0/1
 threshold 500
 timeout 1000
 frequency 5
ip sla schedule 2 life forever start-time now

! Track objects tied to SLA
track 1 ip sla 1 reachability
 delay down 10 up 15
track 2 ip sla 2 reachability
 delay down 10 up 15
```

Static Routes with Tracking

```cisco
! Primary default via ISP-A — only active if SLA 1 is up
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10 track 1 name ISP-A-PRIMARY

! Backup default via ISP-B — higher AD, kicks in when ISP-A fails
ip route 0.0.0.0 0.0.0.0 198.51.100.1 20 track 2 name ISP-B-BACKUP
```

Note: The delay down 10 up 15 prevents flapping — 10 seconds before declaring down, 15 seconds before declaring up.


Step 3 — PBR for Deterministic Outbound Traffic Steering

Policy-Based Routing lets you steer specific traffic (VoIP, management, a specific VLAN) out a specific ISP regardless of the routing table — and use IP SLA to fail it over.

```cisco
! ACL to identify traffic to steer
ip access-list extended ACL-VOIP-TRAFFIC
 permit ip 10.10.10.0 0.0.0.255 any dscp ef
 permit udp 10.10.10.0 0.0.0.255 any range 16384 32767
ip access-list extended ACL-MGMT-TRAFFIC
 permit ip 10.10.10.128 0.0.0.127 any

! Route map for PBR
route-map RM-PBR-POLICY permit 10
 description Steer VoIP out ISP-A, failover to ISP-B
 match ip address ACL-VOIP-TRAFFIC
 set ip next-hop verify-availability 203.0.113.1 1 track 1
 set ip next-hop verify-availability 198.51.100.1 2 track 2
route-map RM-PBR-POLICY permit 20
 description Steer management out ISP-B
 match ip address ACL-MGMT-TRAFFIC
 set ip next-hop verify-availability 198.51.100.1 1 track 2
 set ip next-hop verify-availability 203.0.113.1 2 track 1
route-map RM-PBR-POLICY permit 30
 description All other traffic - follow routing table
```

Apply PBR to the LAN-Facing Interface

```cisco
interface GigabitEthernet0/2
 description LAN-FACING
 ip address 10.10.10.1 255.255.255.0
 ip policy route-map RM-PBR-POLICY
```

verify-availability is the critical addition — without it, PBR would forward to a next-hop even if the link is down. With track, it only uses that next-hop if IP SLA confirms reachability.


Step 4 — HSRP for Gateway Redundancy

HSRP ensures the default gateway for LAN hosts remains reachable even if the primary router fails. Use HSRP preempt with tracking so the active router reflects ISP health.

```cisco
! On Router A (Primary)
interface GigabitEthernet0/2
 standby version 2
 standby 10 ip 10.10.10.254
 standby 10 priority 120
 standby 10 preempt delay minimum 30
 ! Sample key: replace it, and keep it identical on both routers
 standby 10 authentication md5 key-string Str0ngK3y!
 standby 10 track 1 decrement 30
 ! If ISP-A goes down, priority drops to 90 — Router B (priority 100) takes over

! On Router B (Standby)
interface GigabitEthernet0/2
 standby version 2
 standby 10 ip 10.10.10.254
 standby 10 priority 100
 standby 10 preempt delay minimum 30
 standby 10 authentication md5 key-string Str0ngK3y!
```

HSRP for Multiple VLANs (Load Balancing)

```cisco
! VLAN 10 — Router A active
standby 10 ip 10.10.10.254
standby 10 priority 120
standby 10 preempt

! VLAN 20 — Router B active (load balance)
standby 20 ip 10.10.20.254
standby 20 priority 100
standby 20 preempt
```

Verification Commands

```cisco
! Check BGP neighbors and prefixes
show bgp summary
show bgp neighbors 203.0.113.1 advertised-routes
show bgp neighbors 198.51.100.1 advertised-routes

! Check IP SLA status
show ip sla statistics
show ip sla summary

! Check tracked objects
show track
show track brief

! Check PBR application
show route-map RM-PBR-POLICY
show ip policy

! Check HSRP state
show standby brief
show standby detail

! Verify routing table
show ip route 0.0.0.0
show ip route track-table
```
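The show commands confirm state on a live router; the dependencies between the pieces (every track defined and fed by a scheduled probe, PBR next-hops gated by verify-availability, an HSRP decrement large enough to lose the election, HSRP authentication present) can also be checked offline against the config text. The script below is an added example, not a Cisco tool or part of the original guide; `audit` and `peer_hsrp_priority` are hypothetical names, and the sample config is constructed from the snippets above.

```python
# Added example: offline consistency check for the failover config (not a Cisco tool).
import re

def audit(config: str, peer_hsrp_priority: int = 100):
    """Return a list of findings for one router's config text."""
    findings = []
    slas = set(re.findall(r"^ip sla (\d+)\s*$", config, re.M))
    scheduled = set(re.findall(r"^ip sla schedule (\d+)", config, re.M))
    tracks = dict(re.findall(r"^track (\d+) ip sla (\d+)", config, re.M))  # track -> sla
    findings += [f"ip sla {s} is never scheduled, so it never probes" for s in sorted(slas - scheduled)]
    findings += [f"track {t} points at undefined ip sla {s}" for t, s in sorted(tracks.items()) if s not in slas]
    # Every consumer of a track (static route, PBR, HSRP) must reference a defined one.
    for line in config.splitlines():
        line = line.strip()
        m = re.search(r"\btrack (\d+)", line)
        if m and not line.startswith("track ") and m.group(1) not in tracks:
            findings.append(f"undefined track {m.group(1)} in: {line}")
        if re.match(r"set ip next-hop \d", line):
            findings.append(f"PBR next-hop without verify-availability: {line}")
    # HSRP: the decrement must push priority below the peer, or the peer never preempts.
    prio = re.search(r"standby (\d+) priority (\d+)", config)
    dec = re.search(r"standby (\d+) track \d+ decrement (\d+)", config)
    if prio and dec and int(prio.group(2)) - int(dec.group(2)) >= peer_hsrp_priority:
        findings.append("HSRP decrement leaves priority at or above the peer's")
    if prio and "authentication md5" not in config:
        findings.append("HSRP group has no MD5 authentication")
    return findings

# Constructed sample: a condensed copy of Router A's config from this guide.
GOOD = """\
ip sla 1
ip sla schedule 1 life forever start-time now
ip sla 2
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
ip route 0.0.0.0 0.0.0.0 203.0.113.1 10 track 1 name ISP-A-PRIMARY
route-map RM-PBR-POLICY permit 10
 set ip next-hop verify-availability 203.0.113.1 1 track 1
 set ip next-hop verify-availability 198.51.100.1 2 track 2
interface GigabitEthernet0/2
 standby 10 priority 120
 standby 10 authentication md5 key-string Str0ngK3y!
 standby 10 track 1 decrement 30
"""
# Constructed broken variant: unverified next-hop, weak decrement, unscheduled probe.
BAD = (GOOD.replace("verify-availability 203.0.113.1 1 track 1", "203.0.113.1")
           .replace("decrement 30", "decrement 10")
           .replace("ip sla schedule 2 life forever start-time now\n", ""))
```

`audit(GOOD)` returns no findings; `audit(BAD)` reports the three misconfigurations that would silently break failover.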

Failover Sequence

When ISP-A fails, this is what happens automatically:

  1. IP SLA 1 detects ICMP failure to 203.0.113.1 — marks track 1 as DOWN after 10 seconds
  2. Static route 0.0.0.0/0 via 203.0.113.1 track 1 is removed from RIB
  3. Backup route 0.0.0.0/0 via 198.51.100.1 track 2 becomes active
  4. PBR verify-availability on track 1 fails — VoIP traffic switches to ISP-B next-hop
  5. BGP neighbor 203.0.113.1 goes down — ISP-B takes over as outbound path
  6. HSRP tracking decrements Router A priority by 30 (120→90) — Router B (priority 100) preempts
  7. Total failover time: 30–60 seconds depending on BGP hold timers (tune to 10s/30s for faster convergence)
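The track-driven part of this sequence (steps 1 to 4 and 6) can be walked through with a small model. This is an added example, not IOS code or part of the original guide: it simplifies time to 5-second probe ticks and ignores probe timeout, BGP timers and the HSRP preempt delay, and the probe results are constructed.

```python
# Added example: simplified model of the track/route/PBR/HSRP reactions, not IOS code.
from dataclasses import dataclass
from typing import Optional

PROBE_INTERVAL = 5              # ip sla: frequency 5
DELAY_DOWN, DELAY_UP = 10, 15   # track: delay down 10 up 15
DEFAULT_ROUTES = [(10, "203.0.113.1", 1), (20, "198.51.100.1", 2)]  # (AD, next-hop, track)
VOIP_PBR = [(1, "203.0.113.1", 1), (2, "198.51.100.1", 2)]          # (sequence, next-hop, track)

@dataclass
class Track:
    up: bool = True
    pending_since: Optional[int] = None  # when probe results first disagreed with `up`

    def feed(self, now: int, probe_ok: bool) -> bool:
        """Apply one probe result; return True if the track changed state."""
        if probe_ok == self.up:          # result agrees with state: cancel pending change
            self.pending_since = None
            return False
        if self.pending_since is None:
            self.pending_since = now
        if now - self.pending_since < (DELAY_DOWN if self.up else DELAY_UP):
            return False
        self.up, self.pending_since = probe_ok, None
        return True

def first_available(entries, tracks):
    """Lowest-numbered entry whose track is up (lowest AD, or lowest PBR sequence)."""
    for _order, next_hop, track_id in sorted(entries):
        if tracks[track_id].up:
            return next_hop
    return None

def hsrp_active(track1_up: bool) -> str:
    """Router A: priority 120, track 1 decrement 30. Router B: priority 100, preempt."""
    return "Router A" if 120 - (0 if track1_up else 30) > 100 else "Router B"

def simulate(isp_a_probes, isp_b_probes):
    """Return (time, default next-hop, VoIP next-hop, HSRP active) at each track change."""
    tracks, timeline = {1: Track(), 2: Track()}, []
    for i, (a_ok, b_ok) in enumerate(zip(isp_a_probes, isp_b_probes)):
        now = i * PROBE_INTERVAL
        if tracks[1].feed(now, a_ok) | tracks[2].feed(now, b_ok):
            timeline.append((now, first_available(DEFAULT_ROUTES, tracks),
                             first_available(VOIP_PBR, tracks), hsrp_active(tracks[1].up)))
    return timeline

# Constructed probe results: one lost probe at t=20, an outage from t=40 to t=65.
ISP_A = [True] * 4 + [False] + [True] * 3 + [False] * 6 + [True] * 6
ISP_B = [True] * len(ISP_A)

if __name__ == "__main__":
    for event in simulate(ISP_A, ISP_B):
        print(event)
```

The single lost probe at t=20 causes no change; the outage flips everything to ISP-B and Router B at t=50, and traffic returns to ISP-A at t=85, 15 seconds after probes recover.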