
WAN fail-over question

Kyle DePalma

Good morning!

I work in a 100% Cisco environment. At each of our 11 locations we have a Cisco router and switch routing traffic between our MPLS WAN.

I am currently researching how to set up a fail-over for our WAN utilizing some extra DSL lines we have at each of our locations. My goal is that if any part of our MPLS goes down, the router at that location would detect this and immediately route traffic through the DSL line. So far my research suggests that the router would have to create a VPN tunnel between our main location and the branch that fails.

Could anyone provide me with any specifics that I should be researching to achieve this goal?

Thank you in advance!

6 Replies

Bilal Nawaz

Hello, If you mean DSL that only provides connectivity to the Internet, then yes you will need a VPN to secure your traffic.

If you have DSL that is part of your MPLS network then no. You will not need a VPN.

You just need to make sure that your routing is in place - preferably a routing protocol but doesn't have to be. This would provide you with the resilience you are after.

So the main question you need to know the answer to is: who is providing the DSL line? Will it be part of the MPLS network? If not, which router/firewall will you use to terminate VPNs? Encryption method etc... And lastly, your routing and how you want your failover to work.

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.



Hi Kyle,

I am assuming that you are not looking to buy any new kit - i.e. you want to terminate the DSL circuits on your existing MPLS router? This is possible but you will need an ADSL-WIC of some sort for the physical connectivity.

The WAN connectivity is a bit more complex - if the DSL service you are getting is direct internet access then you will need to configure some sort of VPN back to your head office. You will need a device at the head office capable of terminating the VPN connection (most firewalls and routers provide this functionality). If your MPLS provider also provides a private DSL service then you will be dropped into your existing VRF and you won't need to worry about VPNs.

Thank you both for your responses. Yes, I plan on installing ADSL-WICs on our routers. Our MPLS carrier and DSL carrier are the same in some locations but different in others, so I will need to have different configurations depending on the location.

I have a main office that I will use to terminate the VPN. Unfortunately my knowledge lacks in this area. Could either of you provide me with a direction to look in for instructions on how to configure the VPN links as well as how to trigger the failover when the main line fails?

Thank you for your help


It really depends on what equipment you have in your head office that can terminate a VPN connection. Common practice would be to have a separate router or firewall which would terminate the VPN. Do you have any budget for this or are you looking to utilise existing kit? A Cisco ISR router or ASA would do it - so would pretty much any enterprise class firewall (Juniper, Fortigate etc.).

Triggering the failover is probably the easiest part of all this - you would just run a dynamic routing protocol over the VPN link and it would automatically failover and failback. For example you could run RIP over the DSL link and it would automatically be favoured less than BGP which you probably use on your MPLS connection.

If your MPLS provider can only provide DSL in certain locations then you may be better requesting direct internet access DSL or you risk overcomplicating the solution.
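An added illustration of the failover and failback behaviour described in the reply above (not code from the thread or from Cisco): a toy routing table that installs the route with the lowest administrative distance for a prefix, using the Cisco IOS defaults. The prefixes and next-hop names are constructed, and eBGP on the MPLS link is an assumption. It also shows a case beyond the reply: longest-prefix match is applied before administrative distance, so a more specific route learned over the backup link wins even while MPLS is up.

```python
import ipaddress

# Cisco IOS default administrative distances (lower wins for the same prefix).
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20,
                  "ospf": 110, "rip": 120, "ibgp": 200}

class Rib:
    """Toy routing table: keeps every candidate route, picks the best per lookup."""
    def __init__(self):
        self.candidates = {}  # network -> {protocol: next_hop}

    def learn(self, prefix, protocol, next_hop):
        net = ipaddress.ip_network(prefix)
        self.candidates.setdefault(net, {})[protocol] = next_hop

    def withdraw(self, prefix, protocol):
        net = ipaddress.ip_network(prefix)
        self.candidates.get(net, {}).pop(protocol, None)

    def lookup(self, destination):
        """Longest-prefix match first, then lowest administrative distance."""
        addr = ipaddress.ip_address(destination)
        matches = [n for n, c in self.candidates.items() if c and addr in n]
        if not matches:
            return None
        best_net = max(matches, key=lambda n: n.prefixlen)
        proto = min(self.candidates[best_net], key=ADMIN_DISTANCE.__getitem__)
        return proto, self.candidates[best_net][proto]

def simulate():
    # Constructed sample: head-office LAN 10.0.0.0/16 as seen from a branch router.
    rib = Rib()
    rib.learn("10.0.0.0/16", "ebgp", "mpls-pe")        # primary path (assumed eBGP)
    rib.learn("10.0.0.0/16", "rip", "dsl-vpn-tunnel")  # backup path over the VPN
    results = {"normal": rib.lookup("10.0.5.9")}
    rib.withdraw("10.0.0.0/16", "ebgp")                # MPLS fails, BGP route is lost
    results["mpls_down"] = rib.lookup("10.0.5.9")
    rib.learn("10.0.0.0/16", "ebgp", "mpls-pe")        # MPLS restored: failback
    results["restored"] = rib.lookup("10.0.5.9")
    # Caveat: a more specific backup route beats the primary despite its higher AD.
    rib.learn("10.0.5.0/24", "rip", "dsl-vpn-tunnel")
    results["more_specific_rip"] = rib.lookup("10.0.5.9")
    return results

if __name__ == "__main__":
    for state, route in simulate().items():
        print(f"{state:18} -> {route}")
```

The last case is why both links should advertise the same prefix lengths: if the backup path carries more specific routes than the MPLS path, traffic uses the DSL tunnel permanently.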

We have a 5510 ASA so I think I'm all set there. I'll just need to learn how to configure the VPN tunnels. Thank you for all your help.

Hello, here is a good configuration example of how to set up a VPN between an ASA and a router.

Things to bear in mind! IPsec VPNs do not support multicast, so protocols like OSPF or EIGRP may not work.

You could set up OSPF 'unicast' config where you manually specify the neighbor and network type.

Please see this thread on the CLN:

Hope this helps

Please rate useful posts and remember to mark any solved questions as answered. Thank you.
