• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1631
  • Last Modified:

DSL VPN backup for MPLS

Here is the situation:
MPLS network between corporate office and 5 branch sites.
Branch sites each have a cisco 2600 which connects them to the MPLS, and thus back to corporate office for all network/internet access. ( I am pretty sure each router has an empty slot for a WIC)
Corporate has a T1 connected to PIX515 (6.3(4)) providing internet access for entire company.

I would like to have a DSL connection at each branch office to act as a backup in case the MPLS goes down.
The DSL would VPN back to the PIX at corporate.

Ideallly all branch network traffic would still come back through corporate, but the bottom line is to ensure each branch can still get to our corporate network if the MPLS goes down... Of course the failover would need to be automatic.

FYI- the pix is currently providing PPTP client access (XP Native VPN client), and Cisco VPN Client access, in addition to the normal PIX duties...
2 Solutions
We're doing what you describe.  Our VPN is a Nortel, but the concept is the same.  We just run a nailed up branch office connection.  We have two default routes on the main router - the second default route pointing to the VPN Concentrator has a higher metric.  Works great.
What is the question? What is the point you need help with?
uberpoopAuthor Commented:
Several points...

Can this be done? Apparently so.
Are there DSL WICs? They will work with basically any DSL? If not, which works with which flavor? How much per card?
Does the WIC accept rj45, or RJ11 (ie no DSL Modem)?

Some pointers/links on setting up the VPN between the routers and the pix would also very much be appreciated.
Also, configuring it to failover automagically... But sounds like setting the DSL route with higher metric should take care of that point?

Also something to consider:
The HQ MPLS Router is
HQPix is

HQ Router default route is to the PIX for internet... but all the routes for the branches go out to the MPLS... So, I will have to deal with those routes being switched over as well.

it feels like i am missing something else here
Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

Yes it can be done.

You can do it both ways. There are WIC DSL cards which will connect directly with RJ11. More information is available from the following link:


For cost, select a card and search froogle, should give you better price based on where you are.

You can setup VPN between 2600 routers and PIX. You will create two routes between each site, one through MPLS and other through VPN with different metrics. Route with lower Metric will be preferred and used as primary link, route with higher metric will serve as backup.
For sample configurations, have a look at the following link:


Yes, you will need to configure primary and backup routes on HQ MPLS router.

There is a lot of things involved, start with purchasing and setting up internet connections at remote sites. Once that piece is complete, proceed to setting up VPN tunnels from remote sites to HQ. After that work on the failover portion.
I would recommend using PIX 501s at the branches to establish a VPN back to your PIX at the main office. Set a secondary last resort route (default gateway) with a cost on your MPLS router that points to the PIX501. The PIX501 will connect via IPSEC VPN to the corporate PIX515. This way you not only have redundancy on the connection, but on the router in case of equipment failure too. You'll likely spend less or close on the PIX501s then on the ADSL WICs, and you get the aforementioned equipment redundancy.

uberpoopAuthor Commented:
Just a note that I have not forgotten about this... Will be taking a router to a remote site this week to begin testing.
thanks for the patience.
uberpoopAuthor Commented:
well, i had trouble handing out the points guys... anyways....

got the router with DSL WIC onsite, that is when I discovered the line coming to our equipment is RJ-45, and they did confirm it is (supposedly) DSL.

so, now I am still awaiting for all the planets to align so they will hook up a normal RJ-11 out of the DSL....
and I thought getting the VPN up would be the hard part of this project... not plugging the DSL into my WIC!
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now