
DSL VPN backup for MPLS

Here is the situation:
MPLS network between corporate office and 5 branch sites.
Branch sites each have a Cisco 2600 which connects them to the MPLS, and thus back to corporate office for all network/internet access. (I am pretty sure each router has an empty slot for a WIC.)
Corporate has a T1 connected to PIX515 (6.3(4)) providing internet access for entire company.

I would like to have a DSL connection at each branch office to act as a backup in case the MPLS goes down.
The DSL would VPN back to the PIX at corporate.

Ideally all branch network traffic would still come back through corporate, but the bottom line is to ensure each branch can still get to our corporate network if the MPLS goes down... Of course the failover would need to be automatic.


FYI - the PIX is currently providing PPTP client access (XP Native VPN client), and Cisco VPN Client access, in addition to the normal PIX duties...
Asked by: uberpoop
 
pseudocyber Commented:
We're doing what you describe.  Our VPN is a Nortel, but the concept is the same.  We just run a nailed up branch office connection.  We have two default routes on the main router - the second default route pointing to the VPN Concentrator has a higher metric.  Works great.
 
naveedb Commented:
What is the question? What is the point you need help with?
 
uberpoop (Author) Commented:
Several points...

Can this be done? Apparently so.
Are there DSL WICs? They will work with basically any DSL? If not, which works with which flavor? How much per card?
Does the WIC accept RJ45, or RJ11 (i.e. no DSL modem)?

Some pointers/links on setting up the VPN between the routers and the pix would also very much be appreciated.
Also, configuring it to failover automagically... But sounds like setting the DSL route with higher metric should take care of that point?

Also something to consider:
The HQ MPLS Router is 192.168.1.1
HQPix is 192.168.1.11

HQ Router default route is to the PIX for internet... but all the routes for the branches go out to the MPLS... So, I will have to deal with those routes being switched over as well.

It feels like I am missing something else here.
 
naveedb Commented:
Yes it can be done.

You can do it both ways. There are WIC DSL cards which will connect directly with RJ11. More information is available from the following link:

http://www.cisco.com/en/US/tech/tk175/tk15/technologies_q_and_a_item09186a0080093bff.shtml

For cost, select a card and search Froogle; it should give you a better price based on where you are.

You can set up a VPN between the 2600 routers and the PIX. You will create two routes between each site, one through MPLS and the other through the VPN, with different metrics. The route with the lower metric will be preferred and used as the primary link; the route with the higher metric will serve as backup.
 
For sample configurations, have a look at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml

Yes, you will need to configure primary and backup routes on HQ MPLS router.

There are a lot of things involved; start with purchasing and setting up internet connections at remote sites. Once that piece is complete, proceed to setting up VPN tunnels from remote sites to HQ. After that, work on the failover portion.
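The two-route failover described in the answer above, modelled as an added example (not part of the original thread or any poster's configuration). Only 192.168.1.1 and 192.168.1.11 come from the thread; the branch subnet, the other next hops and all function names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str          # destination network
    next_hop: str
    metric: int          # the thread's "metric"; on Cisco static routes this is the administrative distance
    via: str             # path label: "MPLS", "VPN" or "PIX"
    active: bool = True  # False once the router has withdrawn the route

def best_route(table, dst):
    """Longest-prefix match first, then lowest metric among equal-length prefixes."""
    addr = ipaddress.ip_address(dst)
    live = [r for r in table if r.active and addr in ipaddress.ip_network(r.prefix)]
    if not live:
        return None
    return min(live, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.metric))

def withdraw(table, via):
    """A failed path only stops being used once its routes leave the table.
    If the MPLS failure is upstream and the primary route stays installed,
    the higher-metric backup is never selected."""
    for r in table:
        if r.via == via:
            r.active = False

BRANCH_LAN = "192.168.10.0/24"   # constructed branch subnet

def branch_table():
    return [
        Route("0.0.0.0/0", "10.0.0.1", 1, "MPLS"),        # constructed provider next hop
        Route("0.0.0.0/0", "192.168.10.2", 250, "VPN"),   # constructed VPN next hop (backup)
    ]

def hq_table():  # table on the HQ MPLS router (192.168.1.1)
    return [
        Route("0.0.0.0/0", "192.168.1.11", 1, "PIX"),     # existing default to the PIX
        Route(BRANCH_LAN, "10.0.0.5", 1, "MPLS"),         # constructed provider next hop
        Route(BRANCH_LAN, "192.168.1.11", 250, "PIX"),    # backup: branch traffic to the PIX
    ]

def simulate(table, dst):
    """Return (path before MPLS failure, path after the MPLS routes are withdrawn)."""
    before = best_route(table, dst).via
    withdraw(table, "MPLS")
    return before, best_route(table, dst).via

if __name__ == "__main__":
    print("branch -> HQ :", simulate(branch_table(), "192.168.1.11"))
    print("HQ -> branch :", simulate(hq_table(), "192.168.10.20"))
```

The model shows both directions need a backup route, and that failover depends on the primary route actually being withdrawn when the MPLS path fails.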
 
qbn321 Commented:
I would recommend using PIX 501s at the branches to establish a VPN back to your PIX at the main office. Set a secondary last resort route (default gateway) with a cost on your MPLS router that points to the PIX 501. The PIX 501 will connect via IPsec VPN to the corporate PIX 515. This way you not only have redundancy on the connection, but on the router in case of equipment failure too. You'll likely spend less or close on the PIX 501s than on the ADSL WICs, and you get the aforementioned equipment redundancy.

HTH,
qbn
 
uberpoop (Author) Commented:
Just a note that I have not forgotten about this... Will be taking a router to a remote site this week to begin testing.
Thanks for the patience.
 
uberpoop (Author) Commented:
Well, I had trouble handing out the points, guys... anyways....

Got the router with DSL WIC onsite; that is when I discovered the line coming to our equipment is RJ-45, and they did confirm it is (supposedly) DSL.

So, now I am still waiting for all the planets to align so they will hook up a normal RJ-11 out of the DSL....
And I thought getting the VPN up would be the hard part of this project... not plugging the DSL into my WIC!