ICTShore.com

We re-branded, ictshore.com is now accelerates.it!

WAN Connections and Technologies Explained

Tutorial about different types of WAN connections for the CCNA

Share This Post

Modern networks offer plenty of options to connect remote sites. Furthermore, the majority of companies requiring a network engineer have multiple sites. Because of that, you need to know what are the different WAN connections and technologies, and how to use them. In this article, we will give you this knowledge. We will see all the most famous options to connect two sites together across the WAN, and how to select one instead of the others.

Introducing the WAN

WAN stands for Wide Area Network and indicates any network connecting geographically distant locations. This can mean two sites in different cities or even countries, but also within the same city. In fact, if the network goes outside your facilities, you are likely to require the intervention of a Service Provider. If that’s the case, you are working with a WAN connection.

So, we know that with WAN we connect two (or more sites) to a provider, and the provider enables the communication between them. To that, we need to add a special type of WAN connection: the Internet. In both cases, we need to connect our devices to the provider’s devices. Luckily for us, a common way to do it exists.

With Enterprises, the provider uses at least two devices to connect a new customer’s site to its network. The Provider Premise Equipment (PE) is a powerful router with redundant hardware within the Provider’s facility. They are going to have a few data centers and networking closets around the country to host their PEs. Instead, the provider supplies the Customer Premise Equipment (CE or CPE) to the customer. This is a small router that will be installed within the customer’s building.

In WAN connections, CE stands for Customer Equipment and PE stands for Provider Equipment
Customer Equipment and Provider Equipment are two key routers in the WAN connection of a site.

You will connect your devices to the CE, and the provider will connect the CE to the PE. A PE hosts multiple CEs, generally from different customers.

WAN Topologies

In this article about topologies, we describe all possible network topologies. WAN topologies make no difference: they are a subset of possible network topologies. For your convenience, here’s a quick recap:

  • Point-to-Point is the simplest one because it can connect two sites only. It will simply connect one site with the other.
  • Hub and Spoke is a Star topology in terms of WAN. A central site exists, generally, the Head Quarter and all other sites send their traffic to HQ. Therefore, if two remote sites want to talk with each other, they will pass through the HQ. We can see this topology where HQ offers company services, and the traffic between remote sites isn’t so heavy.
  • With the Full Mesh, we connect each site with all the others. This is the option with the best performance, but also the most expensive and complex to maintain.

Private WAN Technologies

Technically, a Private Network has its own dedicated cable and hardware. If you aren’t the CIA or any other top-secret agency, you won’t have your own cables. Instead, you are going to use a Virtual Private Network. With this technology, we share the same physical infrastructure (of the provider) among multiple customers. However, with some special configurations, we keep everything isolated. On top of that, we can specifically allocate an amount of bandwidth to each customer and grant it. To do that, we have different technologies.

Broadband PPPoE and ISDN Access

We want to start with the easy stuff: dial-up connections. These connections are generally quite expensive for the bandwidth they give you. However, they have a unique feature: the provider can bill you for the time you use it.

In fact, PPPoE leverages a DSL link, and ISDN leverages a telephony connection. As a result, you need to initiate the connection in order to turn the link on. You need to dial up the link. Furthermore, we consider these links to be extremely reliable.

Because of their nature, we often see dial-up connections as passive backups. In case the primary link, which uses a different technology, fails, we turn on the dial-up. Note that these are access technologies: they connect you to the provider. Another site connected to the same provider can use different technology, like Ethernet, fiber, or even wireless.

Frame Relay and ATM

Frame Relay was an important part of the CCNA syllabus until 2016 restyling. In fact, Cisco asked you to know how to configure and troubleshoot it. However, Frame Relay is an extremely legacy technology, originally used to replace leased lines. We now use Asynchronous Transfer Mode Switching (ATM), but the underlying logic is the same.

With these technologies, you connect each site with a serial link to the Service Provider. Then, you use Frame Relay or ATM to create some Private Virtual Circuits between your sites (PVCs). Those virtual circuits look like a direct connection between two sites. And, with them, you can have a minimum agreed bandwidth with the provider (Committed Rate).

In WAN technologies, Frame Relay is a legacy approach to connect remote sites using virtual circuits (VCs)
Frame Relay is a legacy connection to interconnect remotes sites over the WAN.

You can define the structure of your PVCs to create a hub-and-spoke topology or a full mesh. Of course, the more virtual links you have, the higher the cost. Each router identifies the virtual links with a number, the Data Link Connection Identifier (DLCI). The thing is, two routers will see the same link with different DLCIs. In fact, the DLCI itself has meaning only within the router. So, as in the example, for Branch2 the link with HQ will be 301, but for HQ the same link will be 103. Now, we selected those numbers to make things easier. In real life, numbers may not be related at all (e.g. 1049 and 398).

Metro Ethernet

Metro Ethernet is a common technology for a campus of a few buildings in the same city or district. In fact, many providers develop in all important cities a double ring of fiber optic. To do that, they use some special switches: each has two links to the next one, and two to the previous one. In the end, the last switch connects to the first one, creating a redundant closed loop.

WAN: Metro Ethernet connects your site to a fiber optic switch ring
In Metro Ethernet, you connect your site to a ring of switches.

Then, the provider attaches the CE to one of the switches in the loop, delivering connectivity to your building. By connecting multiple sites to the same Metro Ethernet loop, you can have a fast private connection between them, at a reasonable price. The nature of this technology, however, limits the geographical coverage. In fact, the same Metro Ethernet link will cover just one city. Two different cities will have different Metro Ethernet rings, not connected with one another.

MPLS

Multi-Protocol Label Switching (MPLS) networks are the go-to technology for virtual private networks. They are relatively cheap and can connect sites across the world while granting bandwidth and Quality of Service on each link. Furthermore, you can develop the logical structure of MPLS the way you want it. For example, you can define that the MPLS cloud must look like a flat LAN to the eyes of the CE routers.

MPLS is a modern WAN technology
MPLS is the modern approach for connecting remote sites privately over WAN cloud.

MPLS is an extremely complex technology, but this complexity is only within the provider’s boundaries. To the customer’s site, it looks like connecting to a LAN, or a worldwide-sized Metro Ethernet link (even if it isn’t). A provider offering MPLS may rely on third-party providers to reach rural and remote areas. This doesn’t matter to you, as third-party providers are integrated into the MPLS cloud transparently.

With MPLS, you can connect each site to a different PE, but also multiple sites to the same PE. Of course, if you use more of them you will have a better redundancy.

Internet VPNs

You don’t want to confuse Virtual Private Networks with Internet VPNs. Until now, we explained Virtual Private Networks, where the providers allocate specific resources to you. Internet VPNs are completely different: you have an Internet connection, and you run encryption over it. This way, you can send data over the Internet privately. However, nobody grants bandwidth. And you are still running over the public internet: the privatization happens in the overlay. Instead, with real VPNs, you run in a dedicated environment, even if it’s virtual.

You can run Internet VPNs on routers and firewalls.

Site-to-Site VPN

This is probably the simplest type of Internet VPN you will encounter. In this environment, you have two sites connected to the Internet with a static public IP. You configure each site to have all the information on the other site: public IP, VPN-Specific settings, and routes. Then, the two firewalls will establish a virtual link using IPSec encapsulation.

Site-to-Site VPN is a flexible alternative to many private WAN technologies
With a VPN Site-to-Site, you can connect two remote sites privately over the Internet instead of having a private WAN link.

The two sites will encrypt all IP packets and put them in other IP packets to send over the Internet publicly. This approach is static, as each site needs to know everything on the other side beforehand. If it doesn’t, they won’t be able to establish the VPN tunnel. This approach is identical to GRE Tunnels but adds encryption to them (with the IPSec protocol).

A common approach is to have some sites connecting with a VPN to the headquarter when we don’t have another type of connection like MPLS.

Client VPN

With Client VPN, we start to see flexibility. With them, we are not connecting two sites anymore: we are connecting user clients. The PCs of our users, with dedicated software, can connect directly to our network as if they were within the building. Then, they can use all the company’s internal services and reach all the private IP addresses without worrying about NAT. They may not even need special software, and just use the browser for some features.

Client VPNs enable flexibility never seen in the WAN before
With a Client-VPN, an end-user PC directly creates a tunnel toward the firewall.

With this approach, we have a VPN termination in one site (generally HQ, or the Data Center). This is public, and hardcoded into all clients. When clients want to connect to the company services, initiates a request to that termination. The clients authenticate, and then we turn on the VPN tunnel. From now on, it is like a site-to-site VPN terminating directly on our PC.

Since the client initiates the connection and can do it from anywhere in the world, the VPN termination needs to be ready to accept connections from everywhere.

Dynamic Multipoint VPN (DMVPN)

With DMVPN, we increase flexibility and performance when connecting remote sites. You can think about DMVPN like a whole framework to dynamically create Site-to-Site VPNs. In fact, with this technology, you elect a hub site. All sites will try to form a VPN to the hub site, like clients would do in Client VPNs.

At this point, you can think about them like a Client VPN connecting sites instead of clients. In fact, the hub site is ready to accept connections from anywhere. However, DMVPN goes even further. The hub router can notify the remote peers about the public IP addresses of other branch routers. As a result, branch sites can dynamically establish tunnels between each other, without passing from HQ. This optimizes the usage of bandwidth.

DMVPN dynamically create Internet-based WAN links (VPN) between remote sites
Dynamic Multipoint VPN (DMPVPN) dynamically creates direct tunnels between remote sites.

This technology is extremely versatile, and its configuration is not so complex after all. Many Cisco routers support that by default.

Handling Multiple WAN Connections

When evaluating a strategy for WAN connections, knowing the technology is not enough. You need to know how to mix different technologies together, and the degree of redundancy you want. The better the redundancy, the shortest, and less-impacting the possible fault. However, this also means increased costs.

Single-Homing and Dual-Homing

The first and most natural option is to use a single Service provider. This is the cheapest route, and you don’t have to care about getting an IP address. In fact, you don’t need to register your BGP AS and buy IP addresses from IANA. You could, if you want, but you are not required to. If you want to go as light as possible, the provider will lease some of its public IP addresses (this isn’t necessary if the network is just private).

Once you decided which buys the IP addresses, you need to select the degree of redundancy you want. In the following picture, you see all the possible combinations a provider may give you.

Single Homed and Dual Homed options for WAN connections and MPLS
Different approaches for connecting to an MPLS network, using the same provider.

Here’s a quick description of the picture above.

  • With a Single-Homed connection, you have a single CE and a single PE. The provider runs a single cable between them
  • The cheapest option for Dual-Homed is to just add another link to the single-homed solution. PE routers are heavy and fully redundant: they have multiple modules, processing units, and PSU. With this option, the two cables from the CE goes into two different modules on the PE.
  • After that, we can opt for connecting our CE to two different PEs.
  • The best option is to have everything redundant: two CEs connected to two different PEs with different links, possibly running on different paths.

As always, you need to evaluate which level of redundancy you can fit within your budget.

Going Multihomed

Multihoming pushes redundancy even further, by adding a second provider into the game. With each provider, you can have single-homing or dual-homing (if the latter, you would be dual multihoming). This setup requires buying your own addressing space and BGP AS. Don’t worry, these are CCNP stuff.

Multihomed is the best option for resiliently connect a datacenter to the Internet
With Multihomed, you use two providers. Each link may be dual-homed with the provider as well.

Is Multihoming with two single-homed links better than dual-homing? Probably, it isn’t. In fact, if two links are from the same provider they can guarantee that they go on different paths. If the two links are from different providers, they may run in the same underground pipe. Multihoming protects you from a whole provider failure, but this is far less common than a cable being cut during road works.

If you want to go heavy on redundancy, go multihoming, but have at least one provider dual-homed.

Conclusion

In this article, we presented the most important technologies when it comes to WAN connections. Take a moment to review the crucial topics:

  • Broadband PPPoE and ISDN are two dial-up connections where you access the WAN only after having the link established, they are generally expensive
  • You can use Frame Relay (legacy) or ATM to create virtual links between sites with dedicated bandwidth. You can do that in a hub-and-spoke fashion or in a full mesh
  • Use Metro Ethernet to connect buildings in the same city: it is private, fast and cheap
  • Use MPLS to develop a worldwide-sized private network with dedicated bandwidth
  • If you go for Internet VPNs, use Site-to-Site to connect remote sites or DMVPN if you want the same flexibility; use Client VPN allow access from any PC in the world (but still enforcing security)
  • When selecting the redundancy level: you can have none with Single-Homing, or a good level with Dual-Homing; you can have Multi-Homing only with two providers

Now you are ready to evaluate and select the best WAN connectivity option for your company. Furthermore, you have all the knowledge you need to implement a simple single or dual-homed BGP setup.

Don't fail the CCNA Exam!

Failing the CCNA exam equals wasting $300. Don't do that, be prepared instead.
Together with our free course, we offer a companion book with Questions and Answers. And it's only $27.50 if you are following the course.
Picture of Alessandro Maggio

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.
Picture of Alessandro Maggio

Alessandro Maggio

Project manager, critical-thinker, passionate about networking & coding. I believe that time is the most precious resource we have, and that technology can help us not to waste it. I founded ICTShore.com with the same principle: I share what I learn so that you get value from it faster than I did.

Join the Newsletter to Get Ahead

Revolutionary tips to get ahead with technology directly in your Inbox.

Alessandro Maggio

2017-11-16T16:30:04+00:00

Unspecified

Free CCNA Course

Unspecified