Metropolitan Area Network (MAN) – Technologies, Topologies & Design

1. What Is a MAN?

A Metropolitan Area Network (MAN) is a network that interconnects multiple Local Area Networks (LANs) within a defined metropolitan region — typically a city, cluster of suburbs, or group of buildings spread across a wider area than a single campus. MANs bridge the gap between the small geographic reach of a LAN and the global span of a Wide Area Network (WAN).

Geographically, a MAN typically spans between 5 and 50 kilometres in diameter. The boundary is not rigid — a MAN is defined more by its purpose (connecting city-scale sites) and ownership model than by a precise distance.

  Metropolitan Area Network — conceptual view:

       ┌──────────────────────────────────────────────────────────────┐
       │                       CITY                                   │
       │                                                              │
       │  ┌─────────┐    Fiber Ring (MAN)    ┌─────────────────────┐ │
       │  │ Campus A├──────────────────────── ┤ Campus B            │ │
       │  │(LAN)    │                         │ (LAN)               │ │
       │  └────┬────┘                         └──────────┬──────────┘ │
       │       │                                         │            │
       │       │          ┌──────────────────┐           │            │
       │       └──────────┤   City Hall      ├───────────┘            │
       │                  │   (LAN)          │                        │
       │                  └──────────────────┘                        │
       │                                                              │
       │  All sites share the same MAN infrastructure                 │
       │  Managed by city/ISP; connected via fibre or leased links    │
       └──────────────────────────────────────────────────────────────┘


2. LAN vs MAN vs WAN — Full Comparison

Feature | LAN | MAN | WAN
Geographic scope | Room, building, campus — up to ~1 km | City, metro area — 5–50 km | Country, continent, global — 50 km to worldwide
Ownership | Single private entity | Single entity or service provider | Carrier/ISP; leased infrastructure
Typical speed | 1–10 Gbps (copper); up to 100 Gbps (fibre) | 100 Mbps – 10 Gbps (Metro Ethernet); higher with DWDM | Variable — 1 Mbps to 100 Gbps; latency varies by distance
Latency | Sub-millisecond | ~1–10 ms (fibre across city) | 10–100+ ms (national); 100–300+ ms (intercontinental)
Key technologies | Ethernet 802.3, Wi-Fi 802.11 | Metro Ethernet, SONET/SDH, MPLS, DWDM, dark fibre | MPLS, BGP, SD-WAN, IPsec VPN, satellite, leased lines
Layer 2 or Layer 3 | Primarily Layer 2 (switching) | Layer 2 (Metro Ethernet) or Layer 3 (MPLS/routed) | Primarily Layer 3 (routing)
Broadcast domain | Single or per-VLAN | Separate per VLAN/E-LAN service | No broadcast — routed
Typical cost | Low — own infrastructure | Medium — fibre lease or ownership; carrier services | High — carrier-provided; per-Mbps pricing
Management | Self-managed | Self-managed or carrier-managed | Usually carrier-managed (SLA)

3. MAN Technologies

Metro Ethernet (MEF / IEEE 802.3)

Metro Ethernet extends familiar Ethernet technology to metro distances. The Metro Ethernet Forum (MEF) defines standardised service types that carriers offer over their fibre infrastructure:

MEF Service | Also Called | Description | Typical Use
E-Line | Ethernet Private Line (EPL) | Point-to-point Layer 2 circuit between exactly two sites — like a dedicated leased line but using Ethernet framing | Connecting two offices with a private, dedicated Ethernet pipe; replacing TDM leased lines
E-LAN | Ethernet Private LAN (EPLAN) | Multipoint-to-multipoint service — all connected sites share a common Ethernet broadcast domain (like a giant virtual switch) | Connecting 5 hospitals in a city so they all appear on the same Layer 2 network; university multi-campus
E-Tree | Ethernet Tree | Hub-and-spoke — one root site communicates with multiple leaf sites; leaf sites cannot communicate directly with each other | ISP providing internet access to multiple customers (root = ISP; leaves = customers); FTTH/FTTB architectures

Metro Ethernet advantage: Because it uses Ethernet framing, Metro Ethernet is directly compatible with the LAN equipment organisations already own. No specialised CPE is needed — a standard Ethernet switch port connects to the carrier's service. This dramatically reduces the cost and complexity of connecting multiple sites compared to legacy TDM circuits.

SONET/SDH — Synchronous Optical Networking

SONET (North America) and SDH (international equivalent) are carrier-grade optical transport standards that have formed the backbone of metro and long-haul networks since the late 1980s. They provide extremely reliable, synchronised, high-capacity transport over fibre with built-in protection switching.

SONET Level | SDH Equivalent | Bit Rate | Common Name
OC-1 | STM-0 | 51.84 Mbps | Base SONET rate
OC-3 | STM-1 | 155.52 Mbps | Legacy metro backbone
OC-12 | STM-4 | 622.08 Mbps | Common metro ring
OC-48 | STM-16 | 2.488 Gbps | High-capacity metro/regional
OC-192 | STM-64 | 9.953 Gbps | Core/backbone

SONET/SDH rings use Automatic Protection Switching (APS) — if a fibre cut occurs, traffic is rerouted on the backup path of the ring within 50 milliseconds. This carrier-grade resilience is why SONET/SDH remained dominant in critical infrastructure for decades.

MPLS in Metro Networks

MPLS (Multiprotocol Label Switching) is widely used in metro networks by service providers to offer managed Layer 2 and Layer 3 VPN services. MPLS labels allow traffic to be forwarded along pre-determined Label Switched Paths (LSPs) without per-hop IP routing lookups, providing consistent latency and enabling traffic engineering.

  • MPLS L2VPN (VPLS): Virtual Private LAN Service — carrier provides a multipoint Ethernet service over MPLS; customers see it as an E-LAN service
  • MPLS L3VPN: Carrier routes between customer sites; customer gets a fully routed VPN with route separation per customer (VRF)
  • Traffic engineering (MPLS-TE): Routes can be explicitly steered around congestion or failures, unlike hop-by-hop IP routing

DWDM — Dense Wavelength Division Multiplexing

DWDM dramatically multiplies the capacity of a single fibre pair by transmitting dozens or hundreds of independent optical wavelengths (channels) simultaneously. Each wavelength is effectively a separate high-speed circuit.

  • A single fibre pair with 96 DWDM channels at 100 Gbps each = 9.6 Tbps of capacity
  • Used in metro core rings and inter-city links where raw capacity is the priority
  • Enables spectrum leasing — a carrier can lease individual wavelengths to customers (Wavelength Services)

Dark Fibre

Dark fibre refers to installed but unused (unlit) fibre optic cable that an organisation leases or purchases from a carrier or city authority. The lessee provides their own optical transceivers and networking equipment at each end — effectively owning the network layer while leasing the physical medium.

  • Advantage: Complete control over capacity, protocol, and upgrades; no per-Mbps carrier pricing; can run DWDM for massive capacity
  • Disadvantage: Requires significant technical expertise; responsible for all equipment and maintenance; higher upfront cost
  • Common users: Large universities, city governments, data centre operators, financial institutions

4. MAN Topologies

The choice of topology for a MAN directly impacts redundancy, cost, and how quickly the network recovers from a fibre cut or node failure.

Ring Topology (Most Common for MANs)

  Dual-fibre ring:
                   Site A
                  /       \
       Site E --              -- Site B
                  \       /
       Site D ---  Site C

  Normal:  Traffic flows clockwise (primary ring)
  Failure: Fibre cut between A and B
           ↓
  APS (50ms): Traffic reroutes counter-clockwise via E→D→C→B
  All sites remain connected; no manual intervention required
  • Each site connects to two neighbours — provides one path of redundancy
  • SONET/SDH rings use APS protection switching — 50 ms recovery
  • Metro Ethernet rings use Spanning Tree (STP/RSTP) or G.8032 Ethernet Ring Protection Switching (ERPS) for faster failover
  • Most common MAN topology — balances redundancy, cost, and simplicity

Mesh Topology

  Partial mesh — each site has 2+ diverse paths:
  Site A ------- Site B
    |    \    /    |
    |     Site E   |
    |    /    \    |
  Site C ------- Site D

  Multiple diverse fibre paths between all sites
  Any single (or multiple) link failures: traffic reroutes automatically
  • Highest redundancy — can survive multiple simultaneous failures
  • Highest cost — requires more fibre and more CPE ports
  • MPLS-TE or dynamic routing (OSPF/IS-IS) manages path selection
  • Used in critical infrastructure: financial networks, emergency services, data centre interconnects

Star (Hub-and-Spoke) Topology

  Hub (central site — e.g., data centre):
              Site A
              /
  Hub ------- Site B
              \
              Site C

  All traffic between sites flows through Hub.
  Single point of failure: if Hub fails, ALL sites lose connectivity.
  • Simplest to design and operate
  • Lowest redundancy — hub is a single point of failure; each spoke has only one path
  • Often improved with dual-homed spokes (each spoke connects to two hubs) for resilience
  • Common in enterprise WANs and smaller MANs where redundancy is less critical

Hybrid Topology

Most real-world MANs use a hybrid: a redundant ring or mesh at the core (connecting aggregation nodes) with star-connected spokes at the edges (connecting individual sites to the nearest aggregation node).

  Real-world hybrid MAN:

  Core ring (fibre ring between 3 PoPs):
  PoP1 ───── PoP2
   │   \   /   │
   │    PoP3   │
   │           │

  Access layer (star from each PoP):
  PoP1 ─── School A
       ─── Library B
       ─── Fire Station C
  PoP2 ─── Hospital D
       ─── City Hall E
  PoP3 ─── University F
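
The single-failure behaviour of the four topologies above can be checked mechanically. The following is an added example, not part of the original page: it encodes the ring, partial mesh, star and hybrid diagrams as link lists (site names taken from the diagrams) and reports which single link or node failures would isolate a site, plus the reroute path on the ring after a cut between A and B.

```python
from collections import deque

# Link lists transcribed from the diagrams in this section.
RING = [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "A")]
MESH = [("A", "B"), ("A", "C"), ("B", "D"), ("C", "D"),
        ("A", "E"), ("B", "E"), ("C", "E"), ("D", "E")]
STAR = [("Hub", "A"), ("Hub", "B"), ("Hub", "C")]
HYBRID = [("PoP1", "PoP2"), ("PoP2", "PoP3"), ("PoP1", "PoP3"),
          ("PoP1", "School A"), ("PoP1", "Library B"), ("PoP1", "Fire Station C"),
          ("PoP2", "Hospital D"), ("PoP2", "City Hall E"), ("PoP3", "University F")]


def shortest_path(links, src, dst, cut=()):
    """Breadth-first search over the surviving links; returns a site list or None."""
    cut = {frozenset(link) for link in cut}
    adj = {}
    for a, b in links:
        if frozenset((a, b)) in cut:
            continue  # this fibre span is severed
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None  # dst is isolated from src


def _all_reachable(nodes, links):
    """True when every surviving site can still reach the first one."""
    return all(shortest_path(links, nodes[0], n) for n in nodes[1:])


def single_points_of_failure(links):
    """Return (links, nodes) whose individual failure isolates at least one site."""
    nodes = sorted({n for link in links for n in link})
    bad_links = [l for l in links
                 if not _all_reachable(nodes, [x for x in links if x != l])]
    bad_nodes = [n for n in nodes
                 if not _all_reachable([m for m in nodes if m != n],
                                       [l for l in links if n not in l])]
    return bad_links, bad_nodes


if __name__ == "__main__":
    print("ring reroute A->B after cut:", shortest_path(RING, "A", "B", cut=[("A", "B")]))
    print("ring with two cuts:", shortest_path(RING, "A", "B", cut=[("A", "B"), ("C", "D")]))
    for name, topo in [("ring", RING), ("mesh", MESH), ("star", STAR), ("hybrid", HYBRID)]:
        print(name, single_points_of_failure(topo))
```

On the hybrid design the core ring survives any single cut, but every single-homed access spoke and every PoP still shows up as a single point of failure for the sites behind it.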

5. MAN Protocols and Standards

Protocol/Standard | Layer | Role in MAN | Key Characteristic
IEEE 802.3 (Ethernet) | Layer 2 | Metro Ethernet framing — the same Ethernet frames used in LANs extended across metro distances | Uses 802.1Q VLAN tags and 802.1ad Q-in-Q (double tagging) to separate customer traffic on shared infrastructure
802.1Q VLAN Tagging | Layer 2 | Tags Ethernet frames with a 12-bit VLAN ID — separates customer VLANs over shared Metro Ethernet links | See VLAN Tagging for full details
802.1ad (Q-in-Q) | Layer 2 | Double-tags Ethernet frames — carrier's S-VLAN wraps the customer's C-VLAN; allows multiple customers each to use their own full 4096 VLAN space on the same metro infrastructure | Outer tag = Service Provider VLAN (S-tag); Inner tag = Customer VLAN (C-tag)
SONET/SDH | Layer 1 | Synchronised optical transport; encapsulates Ethernet, ATM, and TDM payloads for transport over fibre rings | 50ms APS ring protection; carrier-grade 99.999% availability
MPLS | Layer 2.5 | Label-based forwarding for L2VPN (VPLS) and L3VPN services; traffic engineering; fast reroute (FRR) | Labels inserted between Layer 2 and Layer 3 headers; enables per-customer traffic separation without per-hop routing
G.8032 ERPS | Layer 2 | Ethernet Ring Protection Switching — purpose-built Ethernet ring protection standard; faster than STP for ring topologies | Sub-50ms failover on Ethernet rings; no STP convergence delays
OSPF / IS-IS | Layer 3 | Link-state routing protocols used in routed MAN cores; fast convergence after failures | See OSPF Configuration for full details

6. Q-in-Q (Double Tagging) — How Carriers Serve Multiple Customers

When a carrier provides Metro Ethernet to multiple customers, each customer may use the same VLAN IDs internally (e.g., every customer has a VLAN 10 for data). Q-in-Q (IEEE 802.1ad) solves the collision problem by adding a second outer VLAN tag at the customer-facing port of the carrier equipment.

  Customer A sends: [Ethernet | C-VLAN 10 tag | IP payload]
                                ↑ Customer tag (C-tag)

  At carrier ingress port:
  Carrier adds outer S-tag:
  [Ethernet | S-VLAN 100 tag | C-VLAN 10 tag | IP payload]
                ↑ Service tag       ↑ Customer tag preserved inside

  Customer B also uses VLAN 10 but gets S-VLAN 200:
  [Ethernet | S-VLAN 200 tag | C-VLAN 10 tag | IP payload]

  On carrier metro ring:
  Carrier switches only on S-tag (100 or 200)
  Customer's C-tags (including VLAN 10) are transparent to carrier
  Both customers get full 4096-VLAN space without collision
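
The tag handling described above, written out as an added example that is not part of the original page: it builds constructed frames for Customer A and Customer B, pushes the S-tag at carrier ingress, and pops it at egress. The port names, the TPID check and the rule that customer ports may send at most one C-tag are assumptions of this example; the rule is one way to drop the double-tagged frames used for VLAN hopping before they enter the metro ring.

```python
import struct

TPID_CTAG = 0x8100  # IEEE 802.1Q customer tag (C-tag)
TPID_STAG = 0x88A8  # IEEE 802.1ad service tag (S-tag)

# Hypothetical provisioning table: customer-facing port -> S-VLAN (IDs from the text).
PORT_TO_SVID = {"cust-A": 100, "cust-B": 200}


def build_frame(tags, ethertype=0x0800, payload=b"constructed-payload"):
    """Build a constructed Ethernet frame; tags is [(tpid, vid), ...], outermost first."""
    dst = bytes.fromhex("020000000002")  # locally administered sample MACs
    src = bytes.fromhex("020000000001")
    out = dst + src
    for tpid, vid in tags:
        out += struct.pack("!HH", tpid, vid & 0x0FFF)  # PCP/DEI bits left at zero
    return out + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return ([(tpid, vid), ...] outermost first, inner EtherType)."""
    tags, off = [], 12  # tags start right after the two 6-byte MAC addresses
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in (TPID_CTAG, TPID_STAG):
            return tags, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci & 0x0FFF))  # low 12 bits of the TCI are the VLAN ID
        off += 4


def carrier_ingress(frame, port):
    """Validate a customer frame and push the S-tag assigned to its ingress port."""
    tags, _ = parse_tags(frame)
    if any(tpid == TPID_STAG for tpid, _ in tags):
        raise PermissionError("customer frame already carries an S-tag")
    if len(tags) > 1:  # example policy: stacked C-tags are treated as VLAN hopping
        raise PermissionError("double-tagged frame on customer port")
    s_tag = struct.pack("!HH", TPID_STAG, PORT_TO_SVID[port])
    return frame[:12] + s_tag + frame[12:]


def carrier_egress(frame, port):
    """Pop the S-tag, but only if it matches the S-VLAN provisioned on the egress port."""
    tags, _ = parse_tags(frame)
    if not tags or tags[0][0] != TPID_STAG:
        raise ValueError("no S-tag on metro-side frame")
    if tags[0][1] != PORT_TO_SVID[port]:
        raise PermissionError("S-VLAN does not belong to this customer port")
    return frame[:12] + frame[16:]  # inner C-tag is restored untouched


if __name__ == "__main__":
    customer_frame = build_frame([(TPID_CTAG, 10)])       # both customers use C-VLAN 10
    on_ring_a = carrier_ingress(customer_frame, "cust-A")
    on_ring_b = carrier_ingress(customer_frame, "cust-B")
    print(parse_tags(on_ring_a)[0], parse_tags(on_ring_b)[0])
    print(carrier_egress(on_ring_a, "cust-A") == customer_frame)
```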

7. MAN Use Cases and Real-World Applications

Sector | MAN Application | Technology Used | Benefit
University | Connecting 4–6 dispersed campuses across a city to a central data centre and internet exchange | Dark fibre or Metro Ethernet E-LAN; OSPF routing | Single IP addressing plan; shared services (DHCP, DNS, AD); seamless Wi-Fi roaming between campuses
City Government | Connecting city hall, courts, police stations, fire stations, libraries, and schools | SONET ring or Metro Ethernet ring; MPLS L3VPN per department | Traffic isolation between departments (police vs schools); centralised internet and security inspection; VoIP across all sites
Healthcare | Connecting hospitals, clinics, and GP surgeries for real-time sharing of medical imaging (DICOM) and electronic health records | Dark fibre ring; 10 Gbps Metro Ethernet | Low latency for radiology image transfer; single patient record system; telehealth between sites
Smart City / IoT | Traffic management sensors, CCTV, smart street lighting, air quality monitoring, public Wi-Fi infrastructure | Metro Ethernet + 5G small cells; SDN for programmable control | Centralised traffic control; real-time incident response; data aggregation for city analytics
ISP / Carrier | Providing business broadband, Ethernet services (E-Line), and FTTH/FTTB to residential and commercial customers | GPON / XGS-PON fibre access; MPLS metro core; DWDM backbone | Scalable last-mile delivery; centralised subscriber management; QoS enforcement per customer
Financial / Trading | Ultra-low-latency connectivity between exchanges, data centres, and trading firms within a financial district | Dark fibre; specialised low-latency optical switches | Sub-microsecond latency for high-frequency trading algorithms; dedicated capacity; no shared congestion

8. Design Considerations for MANs

Factor | Requirement | Design Approach
Bandwidth | Must support the aggregate traffic from all connected LANs — including future growth | Use DWDM or high-speed fibre uplinks; over-provision by 2–3× expected peak; monitor utilisation trends
Latency | Critical for real-time applications: VoIP (<150ms one-way), video conferencing, trading (<1ms) | Minimise fibre path length; use direct fibre rather than routed paths; implement QoS to prioritise real-time traffic; see NTP Synchronisation for timing
Redundancy | Failure of any single link or node must not isolate a site | Ring or partial mesh topology; SONET APS or G.8032 ERPS; dual-homed sites; diverse physical paths (different ducts/routes)
Scalability | Adding new sites and increasing speeds without redesigning the network | DWDM allows wavelength-by-wavelength capacity addition; MPLS enables adding new VPNs without physical changes
Security | Traffic between sites must be protected from eavesdropping and tampering; different customer/department traffic must be isolated | MPLS VRF isolation; 802.1Q/Q-in-Q VLAN separation; IPsec encryption over untrusted segments (see IPsec Basics); IDS/IPS monitoring
QoS | Voice, video, and critical data must be prioritised over bulk transfers | DSCP marking at LAN edge; MPLS EXP (TC) bits for traffic class in metro core; strict priority queuing for voice/video traffic classes
Management | Centralised visibility and control across all MAN nodes | SNMP (see SNMP/Syslog); Syslog centralisation (see Syslog Configuration Lab); NetFlow for traffic analysis (see NetFlow Configuration Lab)

9. Security in MANs

A MAN carries traffic between sites over infrastructure that may traverse public rights-of-way, carrier exchange points, and shared physical plant. Security is therefore a primary concern, not an afterthought.

Threat | Description | Mitigation
Physical fibre tap | An attacker bends or splices the fibre to passively intercept optical signals | Optical power monitoring (OTDR/power meters detect tap-induced loss); Layer 2 encryption (MACsec — IEEE 802.1AE) on metro links; IPsec for Layer 3 encryption
VLAN hopping | Attacker injects double-tagged frames to access a VLAN they should not reach | Configure explicit allowed VLANs on all trunk ports; disable DTP auto-negotiation; use native VLAN other than VLAN 1
Customer traffic leakage | Misconfiguration allows one customer's traffic to reach another's VLAN on shared metro infrastructure | Q-in-Q double tagging isolates customer VLANs; MPLS VRF provides Layer 3 isolation; rigorous change management
DoS / DDoS | Flood of traffic targeting a site or the metro core exhausts bandwidth or CPU | Traffic policing at ingress; scrubbing centres; RTBH (Remotely Triggered Black Hole) routing; rate-limiting at CE ports
Unauthorised access | Rogue devices connected to metro access ports | IEEE 802.1X port authentication (see 802.1X Port Authentication); MAC address filtering; physical security of CPE and distribution points

10. Emerging Trends in MANs

5G Wireless Backhaul

5G is increasingly used as a wireless alternative to fibre for MAN backhaul — particularly useful for connecting sites where trenching fibre is expensive or impractical (historic buildings, temporary sites, rapid expansion). 5G NR mmWave links can deliver multi-gigabit wireless connections over distances of hundreds of metres to a few kilometres. For longer links, licensed microwave and millimetre-wave point-to-point radios (40–80 GHz bands) provide fibre-equivalent capacity over 1–10 km.

  • 5G FWA (Fixed Wireless Access): Provides last-mile connectivity to buildings using 5G mmWave or sub-6 GHz — an ISP alternative to running a physical fibre to every building
  • 5G small cells as MAN nodes: Dense urban 5G deployments use metro fibre as the transport network connecting hundreds of small cells back to the core

SDN in Metro Networks

Software-Defined Networking (SDN) separates the control plane (deciding where traffic goes) from the data plane (forwarding traffic), moving control to a centralised software controller. In MANs this enables:

  • Rapid provisioning of new circuits and VLANs without touching individual devices
  • Dynamic traffic engineering — reroute traffic away from congested paths in real time
  • Programmable APIs for automated network management (NetConf, RESTCONF, YANG) — see Northbound and Southbound APIs
  • Network slicing — create multiple virtual MANs on the same physical infrastructure, each with guaranteed bandwidth and isolation (critical for 5G core)

FTTH / FTTB — Fibre to the Home/Building

Modern MAN deployments increasingly use GPON (Gigabit Passive Optical Network) and XGS-PON to deliver multi-gigabit fibre connectivity directly to homes and buildings, replacing copper DSL entirely. PON uses a single fibre strand from the OLT (Optical Line Terminal at the ISP) that splits passively to serve up to 128 ONTs (Optical Network Terminals at the customer). These PON access trees connect to the metro Ethernet/MPLS core.

11. Challenges in MAN Deployment

Challenge | Detail | How It Is Addressed
Physical infrastructure cost | Trenching, conduit, fibre installation through urban streets is very expensive — often £100–500 per metre for urban civil works | Dark fibre leasing from existing carriers; shared infrastructure with utilities; micro-trenching and micro-duct systems; aerial fibre on utility poles
Rights-of-way and permits | Running cables beneath streets requires permits from city councils, transport authorities, and utility companies; multi-party coordination can take months or years | Early stakeholder engagement; use of existing utility corridors; working with carriers who already have route licences
Regulatory compliance | Public networks may require Ofcom (UK), FCC (US), or other national regulator licences; data protection regulations (GDPR) apply to traffic traversing city infrastructure | Legal review before deployment; carrier-grade equipment that meets regulatory standards; encryption for GDPR-sensitive data
Multi-vendor interoperability | MAN equipment from different vendors must interoperate — proprietary protocols can create integration problems | Use open standards (MEF, IEEE 802.3, MPLS RFC); test interoperability in lab before deployment; leverage SDN for abstraction
Fibre cuts and physical damage | Urban construction, accidents, and vandalism regularly cut underground fibre — metro networks must survive these events | Redundant ring or mesh topology; physically diverse routes (different streets/conduits); rapid repair SLAs with carriers; aerial fibre as temporary bypass

12. Hybrid Network Architecture — LAN + MAN + WAN

Large organisations rarely rely on a single network type. The layered model combines all three: LAN at each site, MAN connecting city-wide sites, and WAN connecting cities and countries.

  Layered network architecture:

  Workstations / Servers
         │
  ┌──────┴──────┐
  │    LAN      │  ← Ethernet switches, Wi-Fi APs, VLANs within each building
  │   (site)    │
  └──────┬──────┘
         │
  ┌──────┴──────────────────────────────┐
  │              MAN                    │  ← Metro Ethernet ring connecting all city sites
  │  Hospital A ─ Hospital B ─ Hospital C│
  │       Clinic D ─ Clinic E           │
  └──────┬──────────────────────────────┘
         │
  ┌──────┴──────┐
  │    WAN      │  ← MPLS or SD-WAN connecting cities / countries / cloud
  │  (national) │
  └─────────────┘

  See also:
  • LAN: lan.html
  • WAN: wan.html
  • MPLS fundamentals: StepbyStepTut/mpls-fundamentals.html
  • SD-WAN: StepbyStepTut/cisco-sdwan-viptela-overview.html


13. MAN vs WAN — Detailed Comparison

Dimension | MAN | WAN
Geographic scope | City / metropolitan area (5–50 km) | Regional / national / global (50 km to worldwide)
Latency | 1–10 ms (fibre propagation across city) | 10–300+ ms (depends on distance and routing)
Bandwidth | 100 Mbps – 10 Gbps typical; Tbps with DWDM | Variable — carrier-determined; per-Mbps billing common
Layer | Often Layer 2 (Metro Ethernet) or Layer 2.5 (MPLS) | Primarily Layer 3 (IP routing, BGP)
Ownership | Can be privately owned (dark fibre) or carrier-provided | Always carrier-provided; leased circuits or internet transit
Resilience | Ring topology with APS/ERPS gives 50ms failover | BGP convergence typically seconds to minutes after failure
Security model | VLAN separation, Q-in-Q, MACsec, or IPsec | IPsec VPN, MPLS L3VPN, or SD-WAN encryption
Broadcast | Possible at Layer 2 (Metro Ethernet E-LAN) — controlled by VLANs | No broadcasts — routed network; each site is a separate subnet

14. Key Points & Exam Tips

  • MAN = metropolitan area network; spans a city (5–50 km); larger than LAN, smaller than WAN; owned by single entity or carrier.
  • Primary MAN technologies: Metro Ethernet (E-Line point-to-point, E-LAN multipoint, E-Tree hub-and-spoke), SONET/SDH (carrier-grade optical rings, 50ms APS protection), MPLS (L2VPN/L3VPN over metro core), DWDM (multi-Tbps capacity on single fibre pair), dark fibre (leased unlit fibre).
  • Ring topology = most common MAN choice — each site connects to two neighbours; single fibre cut reroutes in 50ms (APS) or with G.8032 ERPS.
  • Q-in-Q (802.1ad) = double VLAN tagging — Service Provider S-tag wraps Customer C-tag; allows multiple customers to use full VLAN space on shared metro infrastructure.
  • SONET ring speeds: OC-3=155Mbps, OC-12=622Mbps, OC-48=2.5Gbps, OC-192=10Gbps.
  • MPLS in MAN: VPLS = Layer 2 multipoint service; L3VPN = routed VPN with VRF per customer; TE = traffic engineering.
  • Emerging trends: 5G wireless backhaul (replaces fibre where trenching is impractical); SDN (centralised programmable control, rapid service provisioning, northbound/southbound APIs); GPON/XGS-PON for FTTH/FTTB.
  • MAN challenges: fibre installation cost, rights-of-way permits, regulatory compliance, physical fibre cuts.
  • MAN security: VLAN isolation, Q-in-Q separation, IPsec or MACsec encryption, 802.1X port authentication, OTDR monitoring for fibre taps.
  • Hybrid architecture: LAN (site) → MAN (city) → WAN (national/global) — each layer uses appropriate technology for its scale.


15. Metropolitan Area Network (MAN) Quiz

1. A city government wants to connect 12 municipal sites (city hall, police stations, fire stations, libraries) across a 15 km area. They require that no single cable cut can isolate any site, and failover must complete in under one second. Which topology and technology best satisfies these requirements?

Correct answer is D. A ring topology provides each site with two diverse paths — if the cable between any two sites is cut, traffic automatically routes the opposite way around the ring. SONET/SDH Automatic Protection Switching (APS) or Ethernet Ring Protection Switching (G.8032 ERPS) detects the failure and reroutes within 50 milliseconds — far faster than the 1-second requirement. A star topology fails this requirement because the hub is a single point of failure. A full mesh would work but is far more expensive (requires 12×11/2 = 66 links). Bus topology is obsolete for modern metro deployments and cannot survive cuts. The dual-fibre ring is the standard design for city government MANs precisely because it balances redundancy, cost, and recovery time.

2. A Metro Ethernet carrier provides service to two enterprise customers, Customer A and Customer B. Both customers independently use VLAN 10 for their data traffic. The carrier uses the same shared fibre infrastructure for both customers. How does the carrier prevent Customer A's VLAN 10 from interfering with Customer B's VLAN 10?

Correct answer is B. This is the exact problem that IEEE 802.1ad (Q-in-Q or Provider Bridging) was designed to solve. Without Q-in-Q, a shared Metro Ethernet network can only support 4094 unique VLANs total across all customers — and VLAN collisions between customers are a real problem. With Q-in-Q, when Customer A's frame (tagged with VLAN 10) enters the carrier's edge switch, a second outer S-VLAN tag is added. The carrier's core switches forward the frame based on the S-tag only — they are unaware of the inner C-tag. When the frame exits the carrier network at the destination, the S-tag is stripped and the original Customer C-tag is restored. Both Customer A and Customer B can each use their full 4094-VLAN space independently. The carrier needs only one S-VLAN per customer E-Line circuit.

3. A hospital group is designing a MAN to connect 8 hospitals across a city for real-time sharing of medical imaging files (DICOM). The IT team reports that image transfers are currently slow and occasionally interrupted. Which two design factors are most critical to address?

Correct answer is C. Medical imaging uses the DICOM standard which produces files from hundreds of MB to several GB (CT scans, MRI, PET scans). Slow transfers indicate insufficient bandwidth — a 1 Gbps Metro Ethernet or dark fibre upgrade to 10 Gbps directly addresses this. Interrupted transfers indicate link or network failures disrupting active sessions — a redundant ring topology with G.8032 ERPS or SONET APS provides 50ms failover, preventing any transfer interruption visible to clinical applications. QoS should also be implemented to prioritise DICOM traffic over administrative traffic when both share the same MAN. Latency is less critical for file transfers than for real-time applications (DICOM transfers are not real-time), but consistent latency helps application performance.

4. A carrier wants to offer their enterprise customers the ability to connect multiple offices as if they were all on the same Layer 2 network (same broadcast domain), without requiring the customer to deploy any routing infrastructure. Which Metro Ethernet service type provides this?

Correct answer is A. E-LAN (Ethernet LAN) is the MEF service type that provides multipoint-to-multipoint Layer 2 connectivity. From the customer's perspective, all sites appear to be connected to the same Ethernet switch — they can use the same IP subnet across all locations, broadcast traffic (ARP, DHCP) reaches all sites, and no routing is required between sites. The carrier implements this using VPLS (Virtual Private LAN Service) over MPLS — creating a distributed virtual switch across the metro infrastructure. E-Line only connects two specific endpoints. E-Tree allows spokes to reach the root but not each other. MPLS L3VPN operates at Layer 3 and requires IP routing between sites. For the scenario described (same broadcast domain, no customer routing needed), E-LAN is the correct choice.

5. A city plans to expand its MAN to connect 50 IoT sensor nodes (traffic cameras, air quality monitors, smart lights) distributed across suburbs where installing fibre would require extensive civil works costing millions. What emerging technology provides a cost-effective alternative?

Correct answer is C. 5G wireless backhaul and licensed microwave/mmWave point-to-point links are the cost-effective solution for connecting geographically dispersed nodes where fibre trenching is prohibitively expensive. 5G NR (mmWave at 26/28 GHz) can deliver multi-gigabit wireless links over hundreds of metres to a few kilometres between small cells and MAN aggregation points. Licensed microwave P2P radios (at 18, 23, 60, 70–80 GHz bands) provide fibre-equivalent capacity (1–10 Gbps) over 1–10 km links. For IoT sensor nodes with lower bandwidth requirements, 4G LTE or 5G NR sub-6 GHz provides adequate capacity. These wireless approaches eliminate civil works entirely and can be deployed in days rather than months. Dark fibre (option B) still requires physical fibre to exist — it does not help where no fibre runs. Bluetooth mesh has a range of only tens of metres — wholly unsuitable for city-wide deployment.

6. A SONET OC-48 ring carries traffic between five city sites. What is the bit rate of OC-48, and how long does Automatic Protection Switching (APS) take to restore traffic after a fibre cut?

Correct answer is B. OC-48 (Optical Carrier 48) is the 48th multiple of the base SONET OC-1 rate of 51.84 Mbps: 48 × 51.84 = 2,488.32 Mbps ≈ 2.488 Gbps. The SDH equivalent is STM-16. The 50ms APS (Automatic Protection Switching) time is a fundamental SONET/SDH specification requirement — it was designed to be fast enough that voice calls (which use 8,000 samples per second, each 125 µs apart) would not notice a brief interruption. 50ms means at most 4 voice samples are lost during the switchover — imperceptible to human hearing. This 50ms recovery specification is what makes SONET/SDH the standard for carrier-grade metro rings in critical applications. OC-3 = 155.52 Mbps; OC-12 = 622.08 Mbps; OC-192 = 9.953 Gbps.

7. An organisation wants to connect three city offices to a central data centre using a Metro Ethernet service. The offices only need to reach the data centre — they do not need to communicate directly with each other. Which MEF service type is most appropriate?

Correct answer is D. E-Tree (MEF 6.2) defines a hub-and-spoke Layer 2 service where one site is designated the "root" and all other sites are "leaves." The fundamental characteristic of E-Tree is that leaf sites can communicate with the root but are prohibited from communicating directly with other leaf sites. This exactly matches the requirement: offices need data centre access but should not be able to reach each other directly (a common security requirement — branch offices should not have lateral access to each other). E-LAN would allow all sites including the three offices to communicate with each other — unnecessary and a potential security risk. E-Line only connects two endpoints — three separate E-Lines would be needed (not a single service). MPLS L3VPN requires routing equipment at each site. E-Tree is also commonly used for FTTH/FTTB deployments where the ISP is the root and customers are leaves.

8. A network engineer is designing a MAN for a financial institution requiring sub-1ms latency between two trading floors 3 km apart. What physical medium and design approach achieves the lowest possible latency?

Correct answer is A. For ultra-low-latency financial applications, the approach is direct dark fibre with the fewest possible intermediate processing hops. Light propagates through single-mode fibre at approximately 200,000 km/s (two-thirds the speed of light in vacuum) — giving roughly 5 µs per km. Over 3 km, propagation delay is ~15 µs one-way (30 µs round trip), well within 1 ms. Each additional routing or switching hop adds latency: a Layer 3 router adds 5–50 µs; even a fast optical switch adds 1–2 µs. The lowest-latency solution bypasses all of these: direct dark fibre with no intermediate switching, or at most a single Layer 1 optical cross-connect. Note: 5G mmWave travels at the speed of light in air (~300,000 km/s), actually faster than fibre per distance unit, but introduces processing latency in the radio heads and base stations that exceeds the propagation difference. SONET OC-192 has nothing to do with latency — bandwidth and latency are independent.

9. An SDN controller is deployed in a city MAN to manage all metro switches. A construction crew accidentally severs a fibre link. The SDN controller detects the failure and automatically reroutes traffic around the break within 200ms. What is the key SDN capability enabling this, and how does it differ from a traditional distributed protocol approach?

Correct answer is C. The fundamental SDN advantage in failure recovery is the global topology view. An SDN controller receives link-state notifications from all switches simultaneously via the southbound API (OpenFlow, NETCONF). It immediately knows: which link failed, which flows are affected, and what alternative paths exist across the entire network. It then computes the optimal rerouting and pushes new forwarding rules to all affected switches in a single coordinated operation. Traditional distributed protocols (OSPF, IS-IS) work differently: each router independently detects the failure (via hello timer expiry), floods a Link State Advertisement to all neighbours, each router runs SPF independently, and then reprograms its forwarding table. This sequential, distributed process takes more time than centralised computation and simultaneous push. SDN's centralised control enables consistent, coordinated failover decisions that optimise the entire network simultaneously rather than each node acting independently.
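Added example (not from the original page) of the centralised recovery described in answer 9: the controller holds the whole topology, finds the flows that cross the failed link, and computes replacement paths in one pass. The switch names, link set and flow names are constructed, and BFS hop count stands in for whatever path metric a real controller uses.

```python
from collections import deque

# Constructed five-switch metro ring (A..E) with one chord B-D; names are hypothetical.
LINKS = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E"), ("E", "A"), ("B", "D")}

def adjacency(links):
    """Build an undirected neighbour map from a set of (u, v) links."""
    adj = {}
    for u, v in links:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def shortest_path(links, src, dst):
    """BFS over the controller's global topology view; returns a hop list or None."""
    adj = adjacency(links)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj.get(node, ())):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None  # no path left: the site is partitioned from the network

def uses_link(path, link):
    """True if the path crosses the link in either direction."""
    hops = set(zip(path, path[1:]))
    return link in hops or link[::-1] in hops

def handle_link_down(links, flows, failed):
    """Return (remaining links, {flow: new path}) for flows crossing the failed link."""
    remaining = set(links) - {failed, failed[::-1]}
    updates = {}
    for name, path in flows.items():
        if uses_link(path, failed):
            updates[name] = shortest_path(remaining, path[0], path[-1])
    return remaining, updates

# Constructed flows, installed on the intact topology before the fibre cut.
FLOWS = {"cityhall-dc": shortest_path(LINKS, "A", "C"),
         "campus-dc": shortest_path(LINKS, "E", "D")}
```

Calling `handle_link_down(LINKS, FLOWS, ("A", "B"))` reroutes only the flow that crossed the cut link; a `None` path in the result marks a flow whose endpoints are no longer connected and needs an alert rather than a rule push.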

10. A university has four campuses connected by a Metro Ethernet E-LAN service. The network team notices that a broadcast storm originating on Campus A is affecting all four campuses simultaneously. How does the E-LAN service model explain this, and what architectural change would contain the storm to Campus A only?

Correct answer is B. This scenario illustrates the broadcast domain implication of E-LAN services. E-LAN implements a Layer 2 multipoint service — all connected sites share a single broadcast domain, exactly like being connected to the same large virtual switch. Any broadcast frame (ARP, DHCP, or the looping frames of a broadcast storm) is forwarded to all sites in the E-LAN service. A broadcast storm on Campus A generates millions of frames per second that flood to Campuses B, C, and D over the Metro Ethernet — saturating all links and crashing the network everywhere. The architectural fix: segment the network at Layer 3. Options: (1) Replace E-LAN with MPLS L3VPN — each campus gets its own IP subnet with routing between them; broadcasts never cross campus boundaries. (2) Keep E-LAN but implement per-campus VLANs with inter-VLAN routing at the distribution layer — each campus VLAN is a separate broadcast domain. (3) Deploy Layer 2 protection features (the Spanning Tree guards Root Guard and BPDU Guard, plus Storm Control) to limit the impact of Layer 2 loops at each campus access switch.
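Added example (not from the original page) modelling the Layer 2 forwarding rules behind answers 7 and 10: which sites a frame may reach under E-LAN, E-Tree and a routed (L3VPN) design, plus a check that flags observed leaf-to-leaf traffic an E-Tree service should have blocked. Site names, roles and the observed pairs are constructed.

```python
# Constructed site list: one root (data centre) and three leaf offices.
SITES = {"dc": "root", "office1": "leaf", "office2": "leaf", "office3": "leaf"}

def may_forward(service, roles, src, dst):
    """Whether the service carries a Layer 2 frame from site src to site dst."""
    if src == dst:
        return False
    if service == "E-LAN":      # multipoint: every site shares one broadcast domain
        return True
    if service == "E-Tree":     # leaf-to-leaf is prohibited; one end must be a root
        return "root" in (roles[src], roles[dst])
    if service == "L3VPN":      # routed between sites: no Layer 2 frame crosses
        return False
    raise ValueError(f"unsupported service type: {service}")

def broadcast_reach(service, roles, src):
    """Sites that receive a broadcast (ARP, DHCP, storm traffic) sent from src."""
    return sorted(d for d in roles if may_forward(service, roles, src, d))

def policy_violations(service, roles, observed):
    """Observed (src, dst) Layer 2 pairs the service definition should have blocked."""
    return [(s, d) for s, d in observed if not may_forward(service, roles, s, d)]

# Constructed Layer 2 observations between sites, e.g. from flow export.
OBSERVED = [("office1", "dc"), ("dc", "office3"), ("office2", "office3")]

if __name__ == "__main__":
    for svc in ("E-LAN", "E-Tree", "L3VPN"):
        print(svc, "broadcast from office1 reaches", broadcast_reach(svc, SITES, "office1"))
    print("E-Tree violations:", policy_violations("E-Tree", SITES, OBSERVED))
```

A non-empty violation list under E-Tree means branch-to-branch frames are getting through, which points to a mis-provisioned leaf role or a service that was actually built as E-LAN.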
