DSL VPN backup for MPLS

Posted on 2006-05-17
Last Modified: 2013-12-29
Here is the situation:
MPLS network between corporate office and 5 branch sites.
Branch sites each have a Cisco 2600 which connects them to the MPLS, and thus back to corporate office for all network/internet access. (I am pretty sure each router has an empty slot for a WIC.)
Corporate has a T1 connected to PIX515 (6.3(4)) providing internet access for entire company.

I would like to have a DSL connection at each branch office to act as a backup in case the MPLS goes down.
The DSL would VPN back to the PIX at corporate.

Ideally all branch network traffic would still come back through corporate, but the bottom line is to ensure each branch can still get to our corporate network if the MPLS goes down... Of course the failover would need to be automatic.

FYI - the PIX is currently providing PPTP client access (XP Native VPN client), and Cisco VPN Client access, in addition to the normal PIX duties...
Question by: uberpoop
    LVL 27

    Accepted Solution

    We're doing what you describe.  Our VPN is a Nortel, but the concept is the same.  We just run a nailed up branch office connection.  We have two default routes on the main router - the second default route pointing to the VPN Concentrator has a higher metric.  Works great.
    LVL 10

    Expert Comment

    What is the question? What is the point you need help with?
    LVL 4

    Author Comment

    Several points...

    Can this be done? Apparently so.
    Are there DSL WICs? They will work with basically any DSL? If not, which works with which flavor? How much per card?
    Does the WIC accept RJ45, or RJ11 (i.e. no DSL modem)?

    Some pointers/links on setting up the VPN between the routers and the PIX would also be very much appreciated.
    Also, configuring it to failover automagically... But sounds like setting the DSL route with higher metric should take care of that point?

    Also something to consider:
    The HQ MPLS Router is
    HQPix is

    HQ Router default route is to the PIX for internet... but all the routes for the branches go out to the MPLS... So, I will have to deal with those routes being switched over as well.

    It feels like I am missing something else here.
    LVL 10

    Assisted Solution

    Yes it can be done.

    You can do it both ways. There are WIC DSL cards which will connect directly with RJ11. More information is available from the following link:

    For cost, select a card and search Froogle, which should give you a better price based on where you are.

    You can set up a VPN between the 2600 routers and the PIX. You will create two routes between each site, one through MPLS and the other through the VPN, with different metrics. The route with the lower metric will be preferred and used as the primary link; the route with the higher metric will serve as backup.
    For sample configurations, have a look at the following link:

    Yes, you will need to configure primary and backup routes on HQ MPLS router.

    There are a lot of things involved. Start with purchasing and setting up Internet connections at the remote sites. Once that piece is complete, proceed to setting up VPN tunnels from the remote sites to HQ. After that, work on the failover portion.
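
The primary/backup route idea from the answers above, as an added example that is not part of the original posts: a small model of route selection showing when a higher-"metric" backup (administrative distance on a Cisco static route) actually takes over. All prefixes, distances and names are constructed assumptions.

```python
import ipaddress

# Constructed model: prefixes, distances and names are assumptions, not values from the thread.
# kind -> failure events that remove the primary route from the table
WITHDRAWN_ON = {
    "static": {"local_link_down"},                     # plain static route
    "tracked": {"local_link_down", "provider_fault"},  # dynamic or reachability-tracked
}

def branch_rib(primary_kind, backup_prefix="10.0.0.0/8"):
    """Branch table: corporate 10.0.0.0/8 via MPLS, floating backup via DSL VPN."""
    return [
        {"prefix": "10.0.0.0/8", "via": "mpls", "distance": 1,
         "withdrawn_on": WITHDRAWN_ON[primary_kind]},
        {"prefix": backup_prefix, "via": "dsl-vpn", "distance": 250,
         "withdrawn_on": set()},
    ]

def best_route(rib, dst, failure=None):
    """Longest matching prefix wins; distance only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in rib
              if failure not in r["withdrawn_on"]
              and addr in ipaddress.ip_network(r["prefix"])]
    if not usable:
        return None
    best = min(usable, key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                                      r["distance"]))
    return best["via"]

def failover_matrix(dst="10.0.5.20"):
    """Exit path per (primary kind, failure event)."""
    return {(kind, failure): best_route(branch_rib(kind), dst, failure)
            for kind in WITHDRAWN_ON
            for failure in (None, "local_link_down", "provider_fault")}

def backup_too_specific(dst="10.0.5.20"):
    """A backup with a longer prefix than the primary wins even with no failure."""
    return best_route(branch_rib("static", backup_prefix="10.0.5.0/24"), dst)

if __name__ == "__main__":
    for (kind, failure), via in failover_matrix().items():
        print(f"{kind:8} {str(failure):16} -> {via}")
    print("backup /24 vs primary /8 ->", backup_too_specific())
```

The `("static", "provider_fault")` row is the case to test for on site: the local link stays up, the primary route stays installed, and traffic never moves to the VPN unless the primary route is learned dynamically or tied to a reachability check.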

    Expert Comment

    I would recommend using PIX 501s at the branches to establish a VPN back to your PIX at the main office. Set a secondary last resort route (default gateway) with a cost on your MPLS router that points to the PIX501. The PIX501 will connect via IPsec VPN to the corporate PIX515. This way you not only have redundancy on the connection, but on the router in case of equipment failure too. You'll likely spend less or close on the PIX501s than on the ADSL WICs, and you get the aforementioned equipment redundancy.

    LVL 4

    Author Comment

    Just a note that I have not forgotten about this... Will be taking a router to a remote site this week to begin testing.
    Thanks for the patience.
    LVL 4

    Author Comment

    Well, I had trouble handing out the points, guys... anyway...

    Got the router with the DSL WIC onsite; that is when I discovered the line coming to our equipment is RJ-45, and they did confirm it is (supposedly) DSL.

    So, now I am still waiting for all the planets to align so they will hook up a normal RJ-11 out of the DSL...
    And I thought getting the VPN up would be the hard part of this project... not plugging the DSL into my WIC!
