Wide Area Network (WAN) – Technologies, Topologies, and Troubleshooting

1. What Is a WAN?

A Wide Area Network (WAN) is a data communication network that spans a large geographic area — cities, countries, or entire continents — connecting multiple Local Area Networks (LANs), branch offices, data centres, and remote users into a single unified network infrastructure. Unlike a LAN, which an organisation owns and operates entirely within its own building or campus, a WAN typically relies on infrastructure leased or provided by telecommunications carriers and Internet Service Providers (ISPs).

The Internet itself is the largest WAN in existence. Enterprise WANs are private networks that connect an organisation's geographically dispersed sites using a combination of leased circuits, MPLS services, VPN tunnels over the public Internet, and increasingly, SD-WAN overlays.

  WAN in context — connecting dispersed sites:

  [London HQ]──────MPLS circuit──────[Frankfurt Branch]
       │                                      │
  [Cisco Router]                        [Cisco Router]
       │                                      │
  [LAN: 10.1.0.0/16]               [LAN: 10.2.0.0/16]
       │
       ├──── IPsec VPN tunnel ──── [Dubai Branch / Remote Workers]
       │
       └──── Internet ──── [AWS Cloud / SaaS Applications]

  Key characteristics:
  ✓ Spans large distances — city, country, continent, or global
  ✓ Operated over service-provider infrastructure (leased, not owned)
  ✓ Connects multiple LANs or MANs into one enterprise network
  ✓ Typically slower and higher-latency than LAN (longer distances, shared media)
  ✓ Requires WAN-specific protocols and encapsulations (PPP, HDLC, MPLS)
            

Related pages: Routers | WAN Technologies | MPLS | DMVPN | SD-WAN Overview | IPsec VPN | IPsec Basics | GRE Tunnels | Site-to-Site vs Remote Access VPN | BGP Overview | OSPF Overview | OSPF Neighbor States | OSPF Areas & LSAs | EIGRP Overview | Floating Static Routes | Default Routes | Dynamic NAT | Static NAT | QoS Overview | QoS Policing & Shaping | Firewalls | ping | traceroute | show ip route | show interfaces | show ip protocols

2. WAN vs LAN vs MAN

  Coverage area
    LAN: Single building or campus
    MAN: City or metropolitan area (up to ~50 km)
    WAN: Country, continent, or global

  Typical speed
    LAN: High — 100 Mbps to 400 Gbps on modern switches
    MAN: Medium to high — 10 Mbps to 10 Gbps
    WAN: Variable — 1.5 Mbps (T1) to 100 Gbps (fibre backbone); often shared

  Latency
    LAN: Very low — sub-millisecond within the building
    MAN: Low to medium
    WAN: Higher — tens to hundreds of milliseconds over intercontinental links

  Ownership
    LAN: Single organisation owns and operates all equipment
    MAN: Single or multiple entities; often a city or ISP
    WAN: Operated by telecoms/ISPs; organisations lease bandwidth

  Infrastructure
    LAN: Ethernet switches, access points — owned by the org
    MAN: Fibre rings, metro Ethernet — often shared
    WAN: Leased circuits, MPLS clouds, satellite, undersea cables

  Cost
    LAN: Low per-Mbps cost; hardware is bought once
    MAN: Medium — monthly leases to service providers
    WAN: High — recurring monthly circuit costs, especially for private MPLS

  Typical examples
    LAN: Office floor network, university campus
    MAN: City government network, municipal Wi-Fi
    WAN: Internet, enterprise MPLS backbone, inter-country VPN

3. WAN Technologies — Circuit-Switched vs Packet-Switched

WAN technologies are divided into two fundamental categories based on how they share the physical transmission medium between multiple users.

Circuit-Switched (Legacy)

  Circuit-switched WAN: a dedicated physical path is established for the
  duration of each call or session, then released.

  Device A ──reserves dedicated circuit──→ Device B
           ←──────────────────────────────
  All data for this session travels the same dedicated path.
  Bandwidth is reserved even when no data is being transmitted.

  Example: PSTN (Public Switched Telephone Network) — original telephone lines
           ISDN (Integrated Services Digital Network) — digital voice/data

  Status: Largely obsolete for data networking. Still relevant for understanding
  WAN history and voice infrastructure.
            

Packet-Switched (Modern)

  Packet-switched WAN: data is broken into packets; each packet is routed
  independently through the provider network and may take different paths.
  Bandwidth is shared; no dedicated circuit is reserved.

  Device A → Packet 1 → Router1 → Router3 → Device B
  Device A → Packet 2 → Router2 → Router3 → Device B
  Device A → Packet 3 → Router1 → Router2 → Router3 → Device B

  Advantages over circuit-switched:
  ✓ Bandwidth shared efficiently (unused capacity not wasted)
  ✓ More resilient — packets reroute if a link fails
  ✓ Scales to millions of simultaneous sessions

  Modern packet-switched WAN technologies:
  • MPLS          — provider backbone; fast label-switching; QoS support
  • Broadband     — DSL, cable, fibre; shared medium; internet access
  • Metro Ethernet — Ethernet extended over WAN distances
  • VPN over Internet — IPsec/SSL tunnels; uses public internet as transport
            

4. WAN Technologies — Detailed Comparison

  Dedicated Leased Line (T1/E1)
    Type: Point-to-point, private
    Speed: T1: 1.544 Mbps; E1: 2.048 Mbps
    Key characteristics: Always-on; fixed dedicated bandwidth; not shared; very predictable latency; high monthly cost
    Typical use: Connecting corporate data centres to MPLS cloud; legacy financial and government networks

  MPLS (Multiprotocol Label Switching)
    Type: Packet-switched, private provider cloud
    Speed: 2 Mbps to 10 Gbps
    Key characteristics: Labels replace IP lookups at each hop — faster forwarding; supports QoS classes; any-to-any connectivity via provider; appears as a private network to the customer
    Typical use: Enterprise backbone connecting multiple branch offices; voice and video with QoS guarantees

  Broadband Internet (DSL, Cable, Fibre)
    Type: Packet-switched, public/shared
    Speed: 5 Mbps to 10 Gbps (fibre)
    Key characteristics: Shared medium; lower cost; variable performance; no inherent QoS guarantees; used as WAN transport when overlaid with VPN
    Typical use: Small branch offices; backup WAN link; SD-WAN underlay; remote worker access

  IPsec Site-to-Site VPN
    Type: Encrypted tunnel over public internet
    Speed: Limited by underlying internet link
    Key characteristics: Encrypts all traffic between sites using AES; uses existing internet connectivity as transport; low cost; no guaranteed bandwidth or latency
    Typical use: Replacing MPLS at smaller branches; primary WAN for cost-sensitive organisations; backup to MPLS

  SSL/TLS VPN (Remote Access)
    Type: Client-to-site encrypted tunnel
    Speed: Limited by internet link
    Key characteristics: Individual remote users connect to corporate network using a VPN client or web browser; uses TCP/443 (HTTPS) — traverses most firewalls easily
    Typical use: Remote employees, work-from-home, travelling staff

  4G/5G Wireless WAN
    Type: Mobile broadband
    Speed: 4G: up to 150 Mbps; 5G: up to 20 Gbps
    Key characteristics: No physical cabling needed; available wherever mobile coverage exists; latency higher than fibre; ideal for temporary or remote sites
    Typical use: WAN failover/backup link; kiosks; remote locations without fixed-line access; construction sites

  Satellite WAN
    Type: Wireless, orbital
    Speed: 12–150 Mbps (LEO satellites like Starlink)
    Key characteristics: High latency (GEO: 600ms+ round trip; LEO: 20–40ms); covers any geographic location including oceans and polar regions
    Typical use: Offshore platforms, maritime, extremely remote locations with no terrestrial options

  Metro Ethernet
    Type: Ethernet over carrier fibre
    Speed: 10 Mbps to 100 Gbps
    Key characteristics: Ethernet interface on the customer side; carrier provides the fibre transport; simple to integrate with existing Ethernet networks
    Typical use: Connecting sites within a metropolitan area; data centre interconnect

5. MPLS — How Label Switching Works

MPLS (Multiprotocol Label Switching) is the dominant enterprise WAN backbone technology. Understanding how it differs from standard IP routing is a CCNA requirement.

  Standard IP routing at each hop:
  Router receives packet → reads destination IP → looks up routing table
  → forwards to next hop. Routing table lookup at EVERY router.

  MPLS label switching:
  Ingress PE router → reads destination IP → assigns a SHORT label (e.g., 32)
  → pushes label onto the packet header
  → subsequent P (provider core) routers → read LABEL ONLY (no IP lookup)
  → swap/push/pop labels and forward at hardware speed
  → Egress PE router → pops final label → delivers original IP packet

  MPLS network components:
  CE router (Customer Edge) — customer's router; speaks standard IP to PE
  PE router (Provider Edge)  — assigns/removes labels; exchanges routes with the CE via eBGP or OSPF
  P router  (Provider Core)  — only sees labels; no customer routing table needed

  [Branch 1 CE] ──→ [PE1] ──label 32──→ [P1] ──label 45──→ [P2] ──→ [PE2] ──→ [HQ CE]
                  label assigned          swap                swap      label removed

  Benefits of MPLS:
  ✓ Faster forwarding — label lookup is O(1) vs IP routing table lookup
  ✓ Traffic Engineering (TE) — pre-defined paths bypass congestion
  ✓ QoS — labels carry Experimental (EXP) bits for traffic prioritisation
  ✓ Any-to-any connectivity — sites connect as if on same private network
  ✓ VPN isolation — different customer VPNs kept separate using VRFs
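  The push/swap/pop sequence above, modelled as an added example (not code from the original page): one ingress FEC table on PE1, a label table (LFIB) on each P router and on PE2, and a walk through them. Router names, the 10.2.0.0/16 prefix and the label values are constructed to match the diagram; only the ingress PE ever reads the IP header.

```python
# Added example (not from the original page): toy MPLS forwarding plane showing
# push at the ingress PE, swap at each P router and pop at the egress PE.
# Router names, labels and prefixes are constructed for illustration.
from ipaddress import ip_address, ip_network

# FEC table on the ingress PE: destination prefix -> (outgoing label, next hop).
# This is the only place an IP lookup happens.
INGRESS_FEC = {
    ip_network("10.2.0.0/16"): (32, "P1"),   # HQ LAN reached via PE2
}

# Label forwarding tables: incoming label -> (action, outgoing label, next hop).
# P routers carry no customer prefixes at all, only labels.
LFIB = {
    "P1":  {32: ("swap", 45, "P2")},
    "P2":  {45: ("swap", 17, "PE2")},
    "PE2": {17: ("pop", None, "HQ CE")},
}

def forward(dst_ip: str):
    """Return the (router, action, label) hops a packet takes from PE1 to the HQ CE."""
    dst = ip_address(dst_ip)
    # Ingress PE: one IP lookup against the FEC table, then push a label.
    for prefix, (label, next_hop) in INGRESS_FEC.items():
        if dst in prefix:
            break
    else:
        raise ValueError(f"no FEC for {dst_ip}: ingress PE would drop the packet")
    hops = [("PE1", "push", label)]
    router = next_hop
    # Core and egress: each router consults only its LFIB, never the IP header.
    while True:
        action, new_label, next_hop = LFIB[router][label]
        if action == "pop":
            hops.append((router, "pop", label))
            return hops + [(next_hop, "deliver", None)]
        hops.append((router, "swap", new_label))
        label, router = new_label, next_hop

def reaches(dst_ip: str) -> bool:
    """True if the ingress PE has a FEC for the destination."""
    try:
        forward(dst_ip)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for hop in forward("10.2.5.9"):
        print(hop)
```

  Each entry in the returned list is one router's action; the label a packet carries is only meaningful between two adjacent routers, which is why the same destination is label 32 on the PE1-P1 hop and 45 on the P1-P2 hop.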
            

6. WAN Protocols — PPP and HDLC

On serial (point-to-point) WAN links, a Layer 2 encapsulation protocol is required. The two most tested on the CCNA are PPP and HDLC.

  Where PPP and HDLC apply:
  [Router A] ──── Serial link (T1, leased line) ──── [Router B]
  The serial interfaces on both ends need matching Layer 2 encapsulation.

  ──────────── HDLC (High-Level Data Link Control) ────────────────
  • Cisco's DEFAULT serial encapsulation — automatically configured
  • Cisco HDLC is proprietary (not compatible with non-Cisco devices)
  • Simple, low overhead — no authentication, no multilink
  • If both ends are Cisco routers: HDLC works out-of-the-box

  Cisco HDLC configuration (default — usually no config needed):
  Router(config)# interface Serial0/0/0
  Router(config-if)# encapsulation hdlc

  ──────────── PPP (Point-to-Point Protocol) ──────────────────────
  • Open standard (RFC 1661) — works between Cisco and non-Cisco routers
  • Supports AUTHENTICATION (PAP or CHAP)
  • Supports MULTILINK (combines multiple serial links for more bandwidth)
  • Supports COMPRESSION and error detection

  PPP configuration:
  Router(config)# interface Serial0/0/0
  Router(config-if)# encapsulation ppp
  Router(config-if)# ppp authentication chap   ! CHAP is more secure than PAP

  CHAP authentication (Challenge Handshake Authentication Protocol):
  • Uses a 3-way handshake with MD5 hash — password never sent in clear text
  • Both routers must have matching usernames and passwords configured

  PAP authentication (Password Authentication Protocol):
  • 2-way handshake — sends credentials in plain text — less secure
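  The CHAP and PAP exchanges described above, as an added example that is not part of the original page: both routers compute the CHAP response from the challenge and the shared secret (RFC 1994 uses MD5 over Identifier, secret and challenge), and the authenticator compares rather than ever receiving the password. Router names and the secret are constructed; a mismatched secret reproduces the "PPP authentication failure" case from the troubleshooting table.

```python
# Added example (not from the original page): the CHAP 3-way handshake computed
# on both ends of a PPP link, next to what PAP puts on the wire.
# Router names and the shared secret are constructed for illustration.
import hashlib
import hmac
import os

# Each router holds the peer's username and the shared secret
# (IOS: "username RouterB password <secret>"). Both sides need the same secret.
ROUTER_A = {"name": "RouterA", "peers": {"RouterB": b"s3cret-link"}}
ROUTER_B = {"name": "RouterB", "peers": {"RouterA": b"s3cret-link"}}

def chap_response(chap_id: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + secret + challenge).digest()

def chap_handshake(authenticator: dict, peer: dict, peer_secret: bytes):
    """Run the 3-way CHAP exchange. Returns (success, messages_on_the_wire).

    peer_secret is the secret the peer has configured for the authenticator;
    passing a wrong value models the mismatched-password failure.
    """
    wire = []
    # 1. Challenge: the authenticator sends a random challenge and its name.
    chap_id, challenge = 1, os.urandom(16)
    wire.append(("Challenge", chap_id, challenge, authenticator["name"]))
    # 2. Response: the peer hashes the challenge with its copy of the secret.
    response = chap_response(chap_id, peer_secret, challenge)
    wire.append(("Response", chap_id, response, peer["name"]))
    # 3. Success/Failure: the authenticator recomputes the hash with the secret
    #    it has for that peer name and compares in constant time.
    expected = chap_response(chap_id, authenticator["peers"][peer["name"]], challenge)
    ok = hmac.compare_digest(expected, response)
    wire.append(("Success" if ok else "Failure", chap_id, None, None))
    return ok, wire

def pap_on_the_wire(peer: dict, secret: bytes):
    """PAP Authenticate-Request: username and password are sent as-is."""
    return ("Authenticate-Request", peer["name"].encode(), secret)

def secret_leaked(messages, secret: bytes) -> bool:
    """True if the raw secret appears in any message payload."""
    return any(isinstance(m[2], bytes) and secret in m[2] for m in messages)

if __name__ == "__main__":
    ok, msgs = chap_handshake(ROUTER_A, ROUTER_B, ROUTER_B["peers"]["RouterA"])
    print("CHAP result:", ok, "secret on wire:", secret_leaked(msgs, b"s3cret-link"))
    print("PAP request:", pap_on_the_wire(ROUTER_B, b"s3cret-link"))
```

  The comparison uses hmac.compare_digest so that a response check does not leak timing information. Note that CHAP still requires both routers to store the secret in a form they can feed into MD5, so protecting the router configuration (service password-encryption is reversible; restrict who can read the config) matters as much as the handshake itself.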

  PPP vs HDLC:
  ┌──────────────────┬────────────────────────┬────────────────────────┐
  │ Feature          │ HDLC (Cisco)           │ PPP                    │
  ├──────────────────┼────────────────────────┼────────────────────────┤
  │ Standard         │ Cisco proprietary      │ Open (RFC 1661)        │
  │ Multi-vendor     │ No (Cisco–Cisco only)  │ Yes                    │
  │ Authentication   │ No                     │ Yes (PAP / CHAP)       │
  │ Multilink        │ No                     │ Yes                    │
  │ Default on Cisco │ Yes                    │ No (must configure)    │
  └──────────────────┴────────────────────────┴────────────────────────┘
            
  Verifying serial WAN encapsulation:
  Router# show interfaces Serial0/0/0
  Serial0/0/0 is up, line protocol is up
    Hardware is WAN DSU/CSU
    Internet address is 10.0.0.1/30
    MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec
    Encapsulation HDLC, loopback not set     ← current encapsulation

  Mismatched encapsulation causes:
  "Serial0/0/0 is up, line protocol is down"
  → Physical link is up (carrier detect) but Layer 2 keepalives fail
  → Check encapsulation matches on BOTH ends
            

7. WAN Topologies

WAN topology defines how sites are interconnected. The right choice depends on the number of sites, redundancy requirements, traffic patterns, and budget.

Point-to-Point

  [Site A] ──── dedicated link ──── [Site B]

  Characteristics:
  ✓ Simple — one link, one path
  ✓ Low latency — direct connection, no intermediate hops
  ✓ Predictable performance — dedicated bandwidth
  ✗ Not scalable — N sites require N-1 links from a hub (or N×(N-1)/2 for mesh)
  ✗ No redundancy — link failure = complete outage between the two sites

  Best for: two-site organisations; direct data-centre-to-data-centre links;
            serial connections on older WAN infrastructure.
            

Hub-and-Spoke (Star)

                   [HQ / Hub]
                    /   |   \
                   /    |    \
            [Branch1] [Branch2] [Branch3]

  Characteristics:
  ✓ Cost-effective — each branch only needs ONE WAN link (to the hub)
  ✓ Scalable — adding a branch = adding one link to the hub
  ✓ Centralised security — all traffic passes through the hub for inspection
  ✗ Single point of failure — if the hub fails, ALL spokes lose WAN connectivity
  ✗ Suboptimal branch-to-branch traffic — Branch1→Branch2 must traverse the hub
    (double the WAN bandwidth consumed; adds latency)

  Best for: enterprise networks with many branch offices connecting to
            a central headquarters or data centre; MPLS VPN deployments.

  DMVPN (Dynamic Multipoint VPN) improvement:
  Allows spoke sites to build direct spoke-to-spoke tunnels dynamically
  when needed, while maintaining hub-and-spoke as the default.
            

Full Mesh

  [Site A] ──────── [Site B]
     │  \          /    │
     │   \        /     │
     │    [Site C]      │
     │        \         │
     └──────────[Site D]┘

  Formula: links = n × (n-1) / 2
  4 sites = 6 links, 5 sites = 10 links, 10 sites = 45 links

  Characteristics:
  ✓ Maximum redundancy — any link can fail; alternative paths remain
  ✓ Optimal traffic — every site has a direct path to every other
  ✓ Lowest latency — no hub traversal needed
  ✗ Expensive — number of links grows quadratically with site count
  ✗ Complex to manage — routing, VPN tunnels, and policies on every link

  Best for: critical inter-data-centre links where maximum redundancy
            is required regardless of cost; headquarters-to-DR-site links.
            

Partial Mesh

  A practical middle ground — key sites (HQ, data centres, regional hubs)
  have direct links to each other (mesh), while smaller branches connect
  hub-and-spoke to the nearest regional hub.

  [HQ]────[DC1]────[DC2]   ← full mesh for critical backbone
    │        │
  [Branch1] [Branch2]      ← spokes connecting to regional sites

  Best for: large enterprises with a tiered architecture.
            

8. WAN Routing Protocols

  BGP (Border Gateway Protocol)
    Type: Exterior Gateway Protocol (EGP); path-vector
    Where used on WAN: The Internet; between organisations (eBGP); between PE and CE routers in MPLS VPN (iBGP)
    Key characteristics: The routing protocol of the Internet; manages routing between autonomous systems (AS); supports policy-based routing; slow convergence; extremely scalable

  OSPF
    Type: Interior Gateway Protocol (IGP); link-state
    Where used on WAN: Within enterprise WAN; between CE and PE in MPLS as CE routing protocol
    Key characteristics: Fast convergence; hierarchical area design; scales well within an enterprise; most common IGP in enterprise WANs

  EIGRP
    Type: Interior Gateway Protocol; advanced distance-vector (Cisco proprietary)
    Where used on WAN: Cisco-only enterprise WANs; often used where OSPF complexity is undesirable
    Key characteristics: Fast convergence; DUAL algorithm; supports unequal-cost load balancing; easier to configure than OSPF

  Static routes
    Type: Manual configuration
    Where used on WAN: Small WANs with one or two paths; edge routers with a single upstream provider
    Key characteristics: Simple; predictable; no protocol overhead; no automatic failover unless floating static routes are configured

See: BGP Overview | OSPF Overview | OSPF Neighbor States | OSPF Areas & LSAs | EIGRP Overview | Floating Static Routes | show ip protocols

9. WAN Security

Because WAN traffic crosses service-provider networks and often the public Internet, data in transit must be protected. The two primary security mechanisms are encryption (protecting confidentiality and integrity) and access control (restricting which traffic is permitted to cross WAN links).

  IPsec Site-to-Site VPN — how it works:

  [Branch Router] ──── Internet ──── [HQ Router]
        │                                  │
        └──── IPsec tunnel (AES-256) ──────┘
               ↑ All traffic encrypted here ↑

  IPsec phases:
  Phase 1 (IKE): Establish a secure management tunnel
    → Authenticate the peers (pre-shared key or certificates)
    → Negotiate encryption/hash algorithms (AES, SHA)
    → Exchange keys using Diffie-Hellman
  Phase 2 (IPsec SA): Establish the actual data tunnel
    → Negotiate ESP (Encapsulating Security Payload) or AH
    → Encrypt and encapsulate the actual data packets

  Cisco IOS VPN verification:
  Router# show crypto isakmp sa   ! Phase 1 tunnel status
  Router# show crypto ipsec sa    ! Phase 2 tunnel status; packets encrypted/decrypted
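  Phase 1 as an added example (not code from the original page): proposal matching between two peers, the Diffie-Hellman exchange that follows, and the SKEYID derivation that a pre-shared key feeds into. The proposal lists and pre-shared keys are constructed; the only DH group included is group 2, the 1024-bit MODP prime from RFC 2409, and SHA-256 stands in as the prf regardless of the negotiated hash. A proposal with nothing in common on the far end fails before any key exchange, which is the "mismatched IKE parameters" symptom in the troubleshooting table below; a wrong pre-shared key gets through the DH step but leaves the two sides with different SKEYIDs.

```python
# Added example (not from the original page): IKE Phase 1 proposal selection,
# Diffie-Hellman exchange and SKEYID derivation modelled on both peers.
# Proposals and pre-shared keys are constructed; SHA-256 is used as the prf.
import hashlib
import hmac
import secrets

# RFC 2409 section 6.2, Second Oakley Group: 1024-bit MODP prime, generator 2.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
MODP_GROUPS = {2: (GROUP2_P, 2)}   # only group 2 is included in this example

# A proposal mirrors one "crypto isakmp policy": (encryption, hash, auth, DH group).
def select_proposal(initiator: list, responder: list):
    """First initiator proposal the responder also accepts, else None.

    Phase 1 stops here when nothing matches (no SA is ever built).
    """
    for p in initiator:
        if p in responder:
            return p
    return None

def dh_keypair(group: int):
    """Private exponent x and public value g^x mod p for the agreed group."""
    p, g = MODP_GROUPS[group]
    x = secrets.randbelow(p - 2) + 1
    return x, pow(g, x, p)

def dh_shared(own_private: int, peer_public: int, group: int) -> bytes:
    """Shared secret g^(xy) mod p as big-endian bytes."""
    p, _ = MODP_GROUPS[group]
    k = pow(peer_public, own_private, p)
    return k.to_bytes((p.bit_length() + 7) // 8, "big")

def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 pre-shared-key authentication: SKEYID = prf(PSK, Ni | Nr)."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()

def phase1(initiator_props, responder_props, psk_initiator: bytes, psk_responder: bytes):
    """Return (chosen_proposal, authenticated).

    Both peers always derive the same DH secret; authentication fails only when
    their pre-shared keys differ, because the SKEYIDs they compute diverge and
    neither can verify the other's authentication hash.
    """
    chosen = select_proposal(initiator_props, responder_props)
    if chosen is None:
        return None, False
    group = chosen[3]
    xi, gi = dh_keypair(group)          # initiator
    xr, gr = dh_keypair(group)          # responder
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if dh_shared(xi, gr, group) != dh_shared(xr, gi, group):
        raise AssertionError("DH secrets must agree")
    return chosen, skeyid_psk(psk_initiator, ni, nr) == skeyid_psk(psk_responder, ni, nr)

PROPOSALS_BRANCH = [("aes-256", "sha256", "pre-share", 14), ("aes-128", "sha1", "pre-share", 2)]
PROPOSALS_HQ = [("aes-128", "sha1", "pre-share", 2)]

if __name__ == "__main__":
    print(phase1(PROPOSALS_BRANCH, PROPOSALS_HQ, b"branch-psk", b"branch-psk"))
```

  Group 2 is shown because it is what this toy ships with; current deployments should negotiate a larger group (2048-bit or ECDH) and SHA-2, and an IOS router's "show crypto isakmp sa" will only ever show QM_IDLE once both the proposal match and the authentication in this model succeed.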
            
  IPsec VPN
    WAN purpose: Encrypt site-to-site traffic over untrusted public internet; provides confidentiality, integrity, and authentication
    Implementation: Cisco IOS crypto map or tunnel interface (GRE over IPsec); Phase 1 IKE + Phase 2 SA

  MPLS VPN (L3VPN)
    WAN purpose: Logical isolation of customer traffic within the provider network using VRF (Virtual Routing and Forwarding) — customers share physical infrastructure but are completely isolated
    Implementation: Provider configures VRFs on PE routers; no encryption but logical separation enforced by the carrier

  Firewall at WAN edge
    WAN purpose: Inspect and filter traffic entering/leaving the WAN edge; block unauthorised inbound connections; permit only needed traffic
    Implementation: Cisco ASA or IOS Zone-Based Firewall on the WAN-facing interface; stateful inspection of all WAN traffic

  ACLs on WAN interfaces
    WAN purpose: Restrict which source/destination IP pairs and ports are permitted across WAN links; applied inbound on the WAN interface
    Implementation: ip access-group ACL_NAME in on the Serial or WAN Ethernet interface

See: Firewalls | IPsec VPN | IPsec Basics | GRE Tunnels | Named ACLs | Applying ACLs

10. WAN Performance — QoS and Optimisation

WAN links are the bandwidth bottleneck in most enterprise networks — a branch office LAN might run at 1 Gbps but its WAN connection might be only 10 Mbps. When that 10 Mbps is shared between VoIP calls, video conferencing, file backups, and general web traffic, Quality of Service (QoS) is essential to ensure real-time traffic gets priority.

  Without QoS on a congested WAN link:
  VoIP call (latency-sensitive) ──→ queued behind large backup file transfer
  → choppy voice, calls dropping, poor user experience

  With QoS:
  VoIP/video (DSCP EF / CS4) ──→ priority queue → forwarded first
  Business apps (DSCP AF31) ──→ guaranteed bandwidth queue
  Backups/bulk transfers (DSCP BE) ──→ best-effort queue → forwarded last

  QoS classification on Cisco IOS:
  class-map match-any VOIP
   match dscp ef
  !
  policy-map WAN-QOS
   class VOIP
    priority 512         ! strict priority queue, 512 kbps reserved
   class class-default
    fair-queue           ! fair queuing for everything else
  !
  interface Serial0/0/0
   service-policy output WAN-QOS
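  The WAN-QOS policy above, replayed over one second of constructed traffic as an added example (not code from the original page): DSCP is decoded from the IPv4 ToS byte, EF packets fall into the VOIP class, the priority queue is drained first but, because the link is congested, is policed to its 512 kbps, and class-default is served round-robin per flow as a stand-in for fair-queue. Link rate, packet sizes and flow names are assumptions.

```python
# Added example (not from the original page): one-second model of an LLQ
# policy with "priority 512" for EF traffic and fair-queue for the rest.
# Link rate, packet sizes and flow names are constructed for illustration.
from collections import defaultdict, deque

EF, CS4, AF31, BE = 46, 32, 26, 0   # DSCP code points named on the page

def dscp_from_tos(tos: int) -> int:
    """DSCP is the upper six bits of the IPv4 ToS byte; the low two are ECN."""
    return (tos & 0xFF) >> 2

def classify(tos: int) -> str:
    """Mirror 'class-map match-any VOIP / match dscp ef'; all else is class-default."""
    return "VOIP" if dscp_from_tos(tos) == EF else "class-default"

def schedule(packets, link_kbps=1544, priority_kbps=512):
    """packets: list of (flow_id, tos_byte, size_bytes) offered within one second.

    Returns (sent, dropped) in transmission order. Like LLQ, the priority class
    is served before anything else but is policed to priority_kbps only while
    the link is congested; class-default shares what is left, one packet per
    flow per round (an approximation of fair-queue).
    """
    link_bits = link_kbps * 1000
    prio_bits = priority_kbps * 1000
    sent, dropped = [], []
    voip = deque(p for p in packets if classify(p[1]) == "VOIP")
    default = defaultdict(deque)
    for p in packets:
        if classify(p[1]) != "VOIP":
            default[p[0]].append(p)

    congested = sum(p[2] * 8 for p in packets) > link_bits
    used_prio = 0
    while voip:
        p = voip.popleft()
        bits = p[2] * 8
        if used_prio + bits > link_bits or (congested and used_prio + bits > prio_bits):
            dropped.append(p)   # policer drop: priority class exceeded its rate
            continue
        used_prio += bits
        sent.append(p)

    remaining = link_bits - used_prio
    flows = deque(default.values())
    while flows:
        q = flows.popleft()
        p = q.popleft()
        bits = p[2] * 8
        if bits <= remaining:
            remaining -= bits
            sent.append(p)
        else:
            dropped.append(p)   # tail drop in the best-effort queue
        if q:
            flows.append(q)
    return sent, dropped

# Constructed offered load: a G.711-sized voice stream (EF, ToS 0xB8), a backup
# job and some web traffic, together exceeding the 1544 kbps link.
OFFERED = [("rtp", 0xB8, 200)] * 50 + [("backup", 0x00, 1400)] * 150 + [("web", 0x00, 600)] * 20
# Constructed case where the voice class itself exceeds its 512 kbps allowance.
HEAVY_VOIP = [("rtp", 0xB8, 200)] * 400 + [("backup", 0x00, 1400)] * 150

if __name__ == "__main__":
    sent, dropped = schedule(OFFERED)
    print(len(sent), "sent,", len(dropped), "dropped; first flow:", sent[0][0])
```

  With the first load every voice packet leaves ahead of the backup, and the backup absorbs all the drops; with the second load the policer trims the voice class to 512 kbps, which is the behaviour to watch for in "show policy-map interface" when a priority queue is sized too small.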
            
  QoS / Traffic Shaping
    How it helps: Classifies traffic and allocates guaranteed bandwidth and priority to real-time applications; delays or drops lower-priority traffic during congestion
    Typical application: VoIP, video conferencing, financial transaction systems prioritised over bulk file transfers and backups

  WAN Compression
    How it helps: Reduces the payload size of data before transmission, increasing effective throughput without adding bandwidth
    Typical application: Text-heavy traffic like XML, HTML, database queries; less effective for already-compressed data (video, images)

  WAN Optimisation (WAAS)
    How it helps: Caches frequently accessed files locally at the branch; deduplicates data patterns across the WAN; reduces latency for common file server and application traffic
    Typical application: Cisco WAAS; Riverbed Steelhead; reduces effective bandwidth consumption for branch access to central servers

  Load Balancing / ECMP
    How it helps: Distributes traffic across multiple WAN links simultaneously, increasing aggregate throughput and providing automatic failover
    Typical application: Dual MPLS circuits; MPLS + broadband; SD-WAN multi-link aggregation

11. WAN Redundancy and Failover Design

  WAN redundancy models — from least to most resilient:

  Single link (no redundancy):
  [Branch] ──── MPLS ──── [HQ]
  One link failure = complete outage. Zero redundancy.

  Dual-link (primary + backup):
  [Branch] ──── MPLS (primary) ──── [HQ]
           └─── 4G/LTE (backup) ───┘
  If MPLS fails, routing automatically switches to the 4G link.
  Configure with floating static routes or tracked objects:

  Router(config)# ip sla 1
  Router(config-ip-sla)# icmp-echo 10.0.0.1 source-interface Serial0/0/0
  Router(config-ip-sla-echo)# frequency 10
  Router(config-ip-sla-echo)# exit
  Router(config)# ip sla schedule 1 life forever start-time now
  Router(config)# track 1 ip sla 1 reachability
  Router(config-track)# exit
  Router(config)# ip route 0.0.0.0 0.0.0.0 Serial0/0/0 track 1
  Router(config)# ip route 0.0.0.0 0.0.0.0 Cellular0/0 200    ! higher AD = backup

  Dual-provider (true geographic redundancy):
  [Branch] ──── ISP-A MPLS ──── [HQ DC1]
           └─── ISP-B fibre ─── [HQ DC2]
  Survives a complete ISP outage or site failure. BGP used for provider redundancy.

  SD-WAN active-active multi-path:
  [Branch] ──── MPLS ─────────────────┐
           ──── Broadband Internet ───→ [SD-WAN Controller cloud]──→ [HQ]
           ──── 4G ────────────────────┘
  All three paths active simultaneously; SD-WAN steers traffic intelligently
  based on real-time measurements (latency, jitter, loss per link).
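  How the tracked primary and floating backup default routes above trade places, as an added example (not code from the original page): the routing table installs the eligible route with the lowest administrative distance, a route with a track object is eligible only while the track is up, and the track follows the latest IP SLA echo result. Interface names and the probe sequence are constructed; the model ignores the optional track delay timers.

```python
# Added example (not from the original page): RIB selection between a tracked
# primary default route and a floating static backup as probe results change.
# Interface names and probe results are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    next_hop: str
    admin_distance: int = 1          # IOS default AD for a static route
    track: Optional[int] = None      # track object the route depends on

ROUTES = [
    StaticRoute("0.0.0.0/0", "Serial0/0/0", track=1),            # primary (MPLS)
    StaticRoute("0.0.0.0/0", "Cellular0/0", admin_distance=200),  # floating backup
]

def installed_route(routes, track_states: dict) -> Optional[StaticRoute]:
    """Mimic the RIB: among routes whose track (if any) is up, lowest AD wins."""
    eligible = [r for r in routes if r.track is None or track_states.get(r.track, False)]
    return min(eligible, key=lambda r: r.admin_distance, default=None)

def replay(probe_results, routes=ROUTES, track_id=1):
    """probe_results: True where the echo to 10.0.0.1 was answered, False on timeout.

    'track 1 ip sla 1 reachability' follows the operation's latest result, so
    each probe updates the track state and the RIB is re-evaluated. Returns
    the next hop installed after each probe (None means no default route).
    """
    out = []
    for ok in probe_results:
        r = installed_route(routes, {track_id: ok})
        out.append(r.next_hop if r else None)
    return out

if __name__ == "__main__":
    print(replay([True, True, False, False, True]))
```

  The last probe in the sample brings the MPLS route straight back (the lower AD pre-empts the backup); running the same sequence with only the tracked route configured leaves the router with no default route at all while the probe fails, which is the outage the floating static exists to prevent.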
            

12. SD-WAN — Software-Defined WAN

SD-WAN is the most significant evolution in WAN technology over the past decade. It decouples the WAN control plane (management, policy, routing decisions) from the data plane (actual packet forwarding) — following the same software-defined networking principle applied to WANs.

  Traditional WAN:
  Each router configured independently → manual CLI on every device
  Policy changes require visiting or SSHing to every router individually
  Traffic engineering requires per-device configuration

  SD-WAN:
  Central SD-WAN Controller (cloud or on-premises)
       ↓  (pushes policies automatically)
  [Branch vEdge/cEdge router] ← receives policy, enforces locally
  [Branch vEdge/cEdge router]
  [Branch vEdge/cEdge router]

  SD-WAN capabilities:
  ✓ Centralised management — configure all sites from one dashboard
  ✓ Multi-link transport — uses MPLS, broadband, and 4G simultaneously
  ✓ Intelligent path selection — automatically routes VoIP on low-latency
    link; bulk data on cheapest link; in real time based on link health
  ✓ Application-aware routing — recognises Salesforce, Office 365, Teams
    by application signature and applies specific policies
  ✓ Zero Touch Provisioning (ZTP) — new branch router connects, pulls config
    automatically from controller; no on-site engineer needed for rollout
  ✓ Built-in IPsec — all WAN links encrypted by default between all sites
  ✓ Visibility — real-time dashboards showing per-application, per-link stats

  Key vendors:
  Cisco Viptela (Cisco SD-WAN) — widely deployed; integrates with Cisco IOS XE
  VMware VeloCloud — strong cloud integration
  Fortinet SD-WAN    — security-focused; integrates with FortiGate firewall
            

13. Troubleshooting WAN Issues — Cisco IOS Commands

  Symptom: WAN link shows "down/down" in show interfaces
    Likely cause: Physical layer problem — no carrier signal; cable unplugged or faulty; CSU/DSU powered off; provider circuit down
    Diagnose: show interfaces Serial0/0/0 — "down/down" = physical issue; contact service provider; check cable and CSU/DSU power

  Symptom: WAN link shows "up/down"
    Likely cause: Physical is up (carrier present) but Layer 2 keepalives failing — encapsulation mismatch (one end HDLC, other end PPP); PPP authentication failure; missing keepalives
    Diagnose: show interfaces Serial0/0/0 — check encapsulation type; ensure both ends match; debug ppp authentication for PPP auth failures

  Symptom: Can ping WAN gateway but cannot reach remote site
    Likely cause: Routing issue — missing route, wrong next-hop, ACL blocking traffic
    Diagnose: show ip route — verify route to remote subnet exists; traceroute [remote-ip] — identify where packets stop; show access-lists for ACL matches

  Symptom: High latency or packet loss on WAN
    Likely cause: Congested WAN link (insufficient bandwidth); provider network issue; QoS misconfiguration
    Diagnose: ping [remote] repeat 100 size 1400 — check loss percentage; show interfaces Serial0/0/0 — check input/output drop counters; show policy-map interface for QoS drops

  Symptom: IPsec VPN tunnel not establishing
    Likely cause: Mismatched IKE parameters; wrong pre-shared key; firewall blocking UDP/500 (IKE) or ESP (protocol 50)
    Diagnose: show crypto isakmp sa — check Phase 1 state; show crypto ipsec sa — check Phase 2 and packet counters; debug crypto isakmp for negotiation details

  Symptom: Intermittent connectivity on WAN
    Likely cause: Flapping interface (Layer 1 instability); routing protocol adjacency instability; provider network congestion
    Diagnose: show logging — look for repeated %LINK-3-UPDOWN or interface state change messages; show interfaces reset counter incrementing

WAN Troubleshooting Workflow

  Layer-by-layer WAN troubleshooting (OSI model bottom-up):

  Layer 1 — Physical:
  show interfaces Serial0/0/0
  → "down/down" = physical problem (cable, CSU/DSU, provider circuit)
  → Check LED indicators on CSU/DSU; contact ISP if needed

  Layer 2 — Data Link:
  show interfaces Serial0/0/0
  → "up/down" = encapsulation mismatch or keepalive failure
  → Verify: show running-config | include encapsulation
  → Both ends must have identical encapsulation (HDLC or PPP)

  Layer 3 — Network:
  show ip route
  → Is there a route to the remote subnet?
  ping [remote-gateway-ip]
  → Can we reach the other end of the WAN link?
  traceroute [remote-site-ip]
  → Where does the path fail?

  Layer 7 — Application (if layers 1-3 OK):
  telnet [remote-server] [port]
  → Can we reach the specific TCP service?
  → If not: check ACLs, NAT, firewall rules at both ends
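  The bottom-up workflow applied to captured command output, as an added example (not code from the original page): it parses "show interfaces Serial0/0/0" from both ends of a link, reports the first OSI layer that needs attention, names an encapsulation mismatch outright when the far end's output is available, and counts %LINK-3-UPDOWN transitions in "show logging" to spot a flapping interface. The show output and log lines are constructed samples written in IOS format, and the serial section on verifying encapsulation (section 6) is what the mismatch check reproduces.

```python
# Added example (not from the original page): classify a serial WAN problem by
# OSI layer from "show interfaces" text and count link flaps in "show logging".
# All sample output below is constructed in IOS format.
import re
from typing import Optional, Tuple

STATE_RE = re.compile(
    r"^(\S+) is (up|down|administratively down), line protocol is (up|down)", re.MULTILINE)
ENCAP_RE = re.compile(r"Encapsulation (\S+?),")
UPDOWN_RE = re.compile(r"%LINK-3-UPDOWN: Interface (\S+), changed state to (up|down)")

def parse_show_interfaces(text: str) -> dict:
    """Extract interface name, physical state, protocol state and encapsulation."""
    first = STATE_RE.search(text)
    if not first:
        raise ValueError("not a 'show interfaces' output")
    encap = ENCAP_RE.search(text)
    return {"interface": first.group(1), "physical": first.group(2),
            "protocol": first.group(3), "encapsulation": encap.group(1) if encap else None}

def diagnose(local: str, remote: Optional[str] = None) -> Tuple[int, str]:
    """Return (OSI layer to investigate, advice) for the local side of the link.

    remote is the far-end router's show output when available, which lets a
    Layer 2 failure be attributed to an encapsulation mismatch immediately.
    """
    a = parse_show_interfaces(local)
    if a["physical"] == "administratively down":
        return 1, f"{a['interface']} is shut down: apply 'no shutdown'"
    if a["physical"] == "down":
        return 1, "down/down: check cable, CSU/DSU power and the provider circuit"
    if a["protocol"] == "down":
        if remote:
            b = parse_show_interfaces(remote)
            if b["encapsulation"] != a["encapsulation"]:
                return 2, (f"up/down: encapsulation mismatch ({a['encapsulation']} vs "
                           f"{b['encapsulation']}); configure the same on both ends")
            return 2, "up/down with matching encapsulation: check PPP authentication and keepalives"
        return 2, "up/down: compare encapsulation with the far end; check PPP authentication"
    return 3, "up/up: Layers 1-2 healthy; continue with show ip route, ping, traceroute"

def flap_count(logging_output: str, interface: str) -> int:
    """Number of %LINK-3-UPDOWN transitions logged for one interface."""
    return sum(1 for m in UPDOWN_RE.finditer(logging_output) if m.group(1) == interface)

# Constructed sample output: Router A left at the HDLC default, Router B set to PPP.
SIDE_A = """Serial0/0/0 is up, line protocol is down
  Hardware is WAN DSU/CSU
  Internet address is 10.0.0.1/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec
  Encapsulation HDLC, loopback not set
"""
SIDE_B = """Serial0/0/0 is up, line protocol is down
  Hardware is WAN DSU/CSU
  Internet address is 10.0.0.2/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec
  Encapsulation PPP, LCP Closed, loopback not set
"""
# Constructed "show logging" excerpt with a flapping serial interface.
LOG = """*Mar  1 00:10:01.123: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
*Mar  1 00:10:07.456: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Mar  1 00:10:12.001: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to down
*Mar  1 00:10:12.010: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
*Mar  1 00:11:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to up
"""

if __name__ == "__main__":
    print(diagnose(SIDE_A, SIDE_B))
    print("Serial0/0/0 flaps:", flap_count(LOG, "Serial0/0/0"))
```

  Feeding the function the far end's output is the difference between "check Layer 2" and "Router B is running PPP while Router A is still on the HDLC default"; for the flap count, three transitions inside eleven seconds on the same interface is the pattern the intermittent-connectivity row points at.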
            

See: ping | traceroute | show ip route | show interfaces | show ip protocols | show logging | ACLs | debug commands

14. Exam Tips & Key Points

  • A WAN connects multiple LANs across large geographic areas. It operates over service-provider infrastructure rather than organisation-owned equipment.
  • Know the two categories of WAN switching: circuit-switched (dedicated path per session — PSTN, legacy) and packet-switched (shared infrastructure — MPLS, Internet, VPN).
  • HDLC is Cisco's default serial encapsulation — Cisco-proprietary, no authentication. PPP is open standard, supports CHAP/PAP authentication, multilink, and compression. An encapsulation mismatch causes "up/down" on the serial interface.
  • MPLS forwards packets using short fixed-length labels instead of full IP routing table lookups — faster, supports QoS, and provides VPN isolation via VRFs.
  • WAN topologies: point-to-point (simple, unscalable), hub-and-spoke (cost-effective, single point of failure at hub), full mesh (maximum redundancy, expensive — n×(n-1)/2 links).
  • BGP is the routing protocol of the Internet and is used between autonomous systems. OSPF and EIGRP are used within enterprise WANs (IGPs).
  • QoS is critical on WAN links because they are the bandwidth bottleneck. VoIP needs priority queuing (DSCP EF); bulk transfers use best-effort. See QoS Policing & Shaping.
  • SD-WAN uses a centralised controller to manage multiple WAN transports (MPLS + broadband + 4G) simultaneously with application-aware intelligent path selection.
  • WAN troubleshooting follows the OSI model bottom-up: physical ("down/down") → encapsulation ("up/down") → routing (show ip route) → application (Telnet port test, ACL check).

15. Summary Reference Table

  WAN definition: Network spanning large geographic areas connecting multiple LANs
  Circuit-switched: Dedicated path per session (PSTN, ISDN) — legacy
  Packet-switched: Shared infrastructure; packets routed independently (MPLS, Internet)
  HDLC: Cisco default serial encapsulation; proprietary; no authentication
  PPP: Open standard; supports CHAP/PAP authentication; multilink; compression
  up/down on serial interface: Encapsulation mismatch or PPP authentication failure
  MPLS operation: Labels replace IP lookups; CE/PE/P router roles; supports QoS and VPN
  Hub-and-spoke: Cost-effective; single point of failure at hub; branch-to-branch via hub
  Full mesh links formula: n × (n-1) / 2
  BGP: Exterior Gateway Protocol; routes between autonomous systems; Internet protocol
  IPsec VPN phases: Phase 1 (IKE — authenticate + key exchange); Phase 2 (ESP — data encryption)
  SD-WAN advantage: Centralised control; multi-link active-active; application-aware routing; ZTP
  Verify WAN interface: show interfaces Serial0/0/0
  Verify IPsec VPN: show crypto isakmp sa and show crypto ipsec sa

WAN Quiz

1. What is the geographic scope of a WAN, and what is the key difference in how a WAN's infrastructure is owned and operated compared to a LAN?

Correct answer is D. A WAN spans large geographic areas — from connecting two buildings in different cities up to global intercontinental networks (the Internet itself is the largest WAN). The fundamental difference from a LAN is ownership: an organisation owns all the equipment in its LAN (switches, access points, cables) and is solely responsible for it. For a WAN, the organisation typically does not own the transmission infrastructure — it pays a telecommunications carrier or ISP for the use of circuits, MPLS services, or Internet bandwidth. The carrier owns and operates the physical cables, routers, and switching nodes that make up the WAN fabric. The organisation connects to this provider infrastructure through a WAN router at each site (the CPE — Customer Premises Equipment).

2. Which entity typically operates and manages the physical WAN infrastructure, and what is the customer's role?

Correct answer is A. Telecommunications carriers (BT, AT&T, Verizon, Orange, etc.) and Internet Service Providers build and operate the physical WAN infrastructure — the fibre cables running between cities, the submarine cables crossing oceans, the MPLS switching nodes in carrier data centres, and the Internet backbone exchange points. An enterprise customer's role is to: (1) select and pay a service provider for WAN connectivity (monthly recurring fees); (2) install and manage CPE (Customer Premises Equipment) — typically a Cisco or other brand WAN router at each site that connects to the provider's access circuit; (3) configure routing protocols, security policies, and QoS on the CPE devices; (4) manage the LAN behind each WAN router. The demarcation point (demarc) is the boundary between what the customer owns and what the provider owns — usually a physical interface or handoff point at the customer's premises.

3. How does MPLS differ from standard IP routing, and what are the roles of the CE, PE, and P routers in an MPLS network?

Correct answer is C. In standard IP routing, every router in the path reads the destination IP address and performs a routing table lookup at each hop. MPLS replaces this in the provider core: the ingress PE router reads the destination IP once, assigns a short numeric label (e.g., 32), and pushes it onto the packet. All subsequent P (core) routers see only the label and perform a fast label-swap operation — they replace the incoming label with an outgoing label and forward the packet. No IP routing table lookup is performed in the core. The egress PE router pops the final label and delivers the original IP packet to the destination CE router. This makes the provider core faster (label lookup is O(1)) and simpler (P routers don't need customer routing tables). MPLS also enables Traffic Engineering (pre-defined paths), QoS (labels carry priority bits), and VPN isolation (different customers kept separate using VRFs on PE routers).

4. A serial WAN link shows "up/down" in show interfaces. What are the two most likely causes and how is each fixed?

Correct answer is B. show interfaces Serial0/0/0 reports two states, the physical interface and the line protocol, giving three meaningful combinations: (1) down/down: a physical problem. No carrier signal is detected; cable fault, CSU/DSU problem, or provider circuit failure. (2) up/down: the physical layer is active (carrier present) but the Layer 2 protocol is failing. The two most common causes are: Encapsulation mismatch, where one router runs HDLC and the other PPP. HDLC is the Cisco default on serial interfaces; if the far end is a non-Cisco router using PPP, the keepalives are never understood and the line protocol stays down. The show interfaces output includes an "Encapsulation" field on each side, so compare them; fix by configuring the same encapsulation on both ends. PPP authentication failure, where both routers use PPP with CHAP or PAP but the configured usernames or passwords do not match (CHAP uses the remote router's hostname as the username by default, and the secret is case-sensitive). Fix by verifying the username/password configuration on both routers; debug ppp authentication shows the challenge/response exchange and the failure reason in real time. Prefer CHAP over PAP, since PAP sends the password in cleartext across the link. (3) up/up: healthy.
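Both up/down causes and their fixes, as an added example that is not from the original page: two routers, R1 and R2, share a serial link. Hostnames, interface numbers, addresses and the CHAP secret are assumptions for illustration.

```cisco
! Added example, not from the original page. R1 and R2 share one serial link; hostnames,
! interface numbers, addresses and the CHAP secret are assumptions for illustration.
!
! ===== Broken state 1: encapsulation mismatch -> "Serial0/0/0 is up, line protocol is down"
! R1 (nothing set: HDLC is the IOS default on serial interfaces)
interface Serial0/0/0
 ip address 203.0.113.1 255.255.255.252
 no shutdown
!
! R2 (configured for PPP)
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 encapsulation ppp
 no shutdown
!
! --- Fix: give R1 the same encapsulation as R2
! R1
interface Serial0/0/0
 encapsulation ppp
!
! ===== Broken state 2: PPP CHAP with mismatched secrets -> LCP fails, still up/down
! R1 (username is R2's hostname; the secret is case-sensitive)
username R2 password 0 WanSecret1
interface Serial0/0/0
 ppp authentication chap
!
! R2 (secret differs only in case, so the CHAP response hash never matches)
username R1 password 0 wansecret1
interface Serial0/0/0
 ppp authentication chap
!
! --- Fix: identical secret on both routers
! R2
username R1 password 0 WanSecret1
!
! ===== Verify (either router)
! show interfaces Serial0/0/0 | include line protocol|Encapsulation
! debug ppp authentication
! debug ppp negotiation
```

`debug ppp negotiation` is the companion to `debug ppp authentication`: an encapsulation mismatch never gets as far as CHAP, so the absence of any CHAP output while LCP keeps restarting points at state 1 rather than state 2. Use `service password-encryption` or a `secret` keyword rather than a `password 0` line in production so the CHAP secret is not stored in cleartext in the configuration.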

5. An enterprise needs to connect 12 branch offices to a central headquarters. Which WAN topology minimises the number of WAN links needed while still providing connectivity to all branches, and what is its main vulnerability?

Correct answer is A. Hub-and-spoke (star) topology requires exactly one WAN link per spoke site: for 12 branches connecting to one HQ, that is 12 WAN links to reach every site. This makes it the most cost-effective option for multi-branch networks. Full mesh among all 13 sites (HQ plus 12 branches) would require n × (n-1) / 2 = 13 × 12 / 2 = 78 links (66 even among the 12 branches alone), vastly more expensive and harder to manage. The primary disadvantage of hub-and-spoke is that the hub is a single point of failure: if the hub router, its WAN circuit, or the HQ facility goes down, every branch loses its WAN connection simultaneously. Additionally, branch-to-branch traffic must traverse the hub (Branch1 → HQ → Branch2), crossing the hub's WAN link twice and adding latency. DMVPN (Dynamic Multipoint VPN) is a common solution: it keeps the hub-and-spoke design for the control plane while allowing direct spoke-to-spoke tunnels to form dynamically when traffic needs them.

6. BGP is widely used for routing on the global Internet and large enterprise WANs. What makes it specifically suited to inter-organisation routing that OSPF and EIGRP cannot provide?

Correct answer is D. BGP is an Exterior Gateway Protocol (EGP): it is designed to route between different autonomous systems (AS), each operated by a different organisation (ISPs, enterprises, government agencies). Each AS is identified by an AS number (ASN), and BGP exchanges routing information between these independent organisations. OSPF and EIGRP are Interior Gateway Protocols (IGPs): they route within a single organisation's network and pick paths purely on metric. They lack the policy mechanisms that inter-organisation routing needs. BGP carries path attributes (AS_PATH, MED, LOCAL_PREF, COMMUNITY) that give fine-grained control over which paths are preferred, which routes are advertised to which peers, and how traffic enters and exits the autonomous system; it also scales to the full Internet routing table (over 900,000 IPv4 prefixes as of 2024), which is exchanged entirely via BGP between all ISPs and large organisations. Because a BGP speaker accepts whatever its peers announce, that policy layer is also the security control: prefix-list filters on every session and RPKI route-origin validation are what stop a leaked or hijacked prefix from being installed.
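The policy controls named above in Cisco IOS form, as an added example that is not from the original page: an enterprise edge router in AS 65010 peering with two ISPs, preferring ISP-A for outbound traffic (LOCAL_PREF), discouraging inbound traffic via ISP-B (AS_PATH prepending), and advertising only its own aggregate so it never becomes an accidental transit AS. ASNs, prefixes, addresses and the policy values are assumptions.

```cisco
! Added example, not from the original page: enterprise edge router in AS 65010 with two
! upstream ISPs. ASNs, prefixes, neighbour addresses and policy values are assumptions.
!
! Only our own aggregate may leave the AS; anything learned from ISP-A must not be
! re-advertised to ISP-B (or we become a transit AS by accident)
ip prefix-list OUR-PREFIX seq 5 permit 198.51.100.0/24
!
route-map TO-ISP permit 10
 match ip address prefix-list OUR-PREFIX
!
! Outbound preference: routes learned from ISP-A get LOCAL_PREF 200 (default 100),
! so the best-path selection picks ISP-A whenever it offers the prefix
route-map FROM-ISP-A permit 10
 set local-preference 200
!
! Inbound preference: make our prefix look farther away through ISP-B by prepending
! our own ASN three times (still only our own prefix is announced)
route-map TO-ISP-B permit 10
 match ip address prefix-list OUR-PREFIX
 set as-path prepend 65010 65010 65010
!
! Static to Null0 so the network statement always has a matching route to originate
ip route 198.51.100.0 255.255.255.0 Null0
!
router bgp 65010
 bgp router-id 198.51.100.1
 network 198.51.100.0 mask 255.255.255.0
 neighbor 203.0.113.1 remote-as 64501
 neighbor 203.0.113.1 description ISP-A
 neighbor 203.0.113.1 route-map FROM-ISP-A in
 neighbor 203.0.113.1 route-map TO-ISP out
 neighbor 192.0.2.1 remote-as 64502
 neighbor 192.0.2.1 description ISP-B
 neighbor 192.0.2.1 route-map TO-ISP-B out
!
! Verify: show ip bgp summary          (sessions Established, prefix counts)
!         show ip bgp 0.0.0.0          (LocPrf column, AS path, ">" best-path marker)
!         show ip bgp neighbors 192.0.2.1 advertised-routes   (only 198.51.100.0/24)
```

The `TO-ISP` / `TO-ISP-B` outbound route-maps are the part that matters most for safety: with no outbound filter, IOS would happily re-advertise every route learned from ISP-A to ISP-B, and the enterprise would be offering free transit between two carriers on a WAN-sized link.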

7. What is the purpose of IPsec VPN in a WAN, and what are the two IPsec negotiation phases?

Correct answer is C. IPsec (Internet Protocol Security) is the standard framework for creating encrypted, authenticated tunnels between two sites over the public Internet. Instead of paying for private MPLS circuits, organisations can use existing broadband connections and overlay an IPsec VPN to protect the traffic. The negotiation runs in two phases. Phase 1 (IKE, Internet Key Exchange): the two routers authenticate each other (with a pre-shared key or digital certificates) and run a Diffie-Hellman exchange to establish a shared secret; this creates the IKE Security Association (SA), a protected management channel. Phase 2 (IPsec SA): inside the Phase 1 channel the routers negotiate the parameters for the actual data tunnel, such as the encryption algorithm (AES-256), the integrity algorithm (SHA-256 HMAC), the lifetime, and optionally a fresh Diffie-Hellman exchange (Perfect Forward Secrecy). This creates the IPsec SA; there is one per direction. Data is then encapsulated with ESP (Encapsulating Security Payload), which provides both confidentiality and integrity. On Cisco IOS, verify with show crypto isakmp sa (Phase 1, state QM_IDLE once established) and show crypto ipsec sa (Phase 2, the encaps/decaps packet counters). These names are IKEv1 terms; with IKEv2 the equivalents are the IKE SA built by IKE_SA_INIT/IKE_AUTH and the CHILD_SA, checked with show crypto ikev2 sa.
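The two phases as a Cisco IOS IKEv1 site-to-site configuration, as an added example that is not from the original page: the London router of the HEAD diagram tunnelling its LAN to a Dubai branch. Peer and uplink addresses, the Dubai LAN prefix, the pre-shared key and all object names are assumptions; the Dubai router carries the mirror image with the addresses and the access-list direction swapped.

```cisco
! Added example, not from the original page: IKEv1 site-to-site IPsec on the London router.
! Peer/uplink addresses, the Dubai LAN prefix, the PSK and all names are assumptions.
!
! ===== Phase 1: IKE policy (peer authentication, DH group, and the IKE SA lifetime)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Pre-shared key bound to the Dubai peer address (certificates would replace this line)
crypto isakmp key 0 StrongPskChangeMe address 198.51.100.2
!
! ===== Phase 2: transform set (how user data is protected inside the IPsec SA)
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": London LAN to Dubai LAN goes through the tunnel, nothing else
ip access-list extended VPN-LONDON-DUBAI
 permit ip 10.1.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! Tie peer, transforms, PFS and interesting traffic together
crypto map CM-WAN 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-LONDON-DUBAI
!
! Apply on the Internet-facing interface
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.10 255.255.255.248
 crypto map CM-WAN
!
! ===== Verify
! show crypto isakmp sa     (Phase 1: state QM_IDLE when the IKE SA is up)
! show crypto ipsec sa      (Phase 2: #pkts encaps / #pkts decaps counters increasing)
! debug crypto isakmp       (if Phase 1 never completes: PSK, policy or DH group mismatch)
```

Two practical checks go with this. If the same router also performs NAT for Internet access, the NAT access-list must deny the 10.1.0.0/16 to 10.3.0.0/16 traffic first, otherwise the source addresses are translated before the crypto map sees them and the tunnel never carries the LAN traffic. And the `crypto isakmp policy` set on both ends must share at least one matching combination of encryption, hash, authentication and DH group, which is the first thing to compare when `show crypto isakmp sa` stays empty.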

8. A WAN link carries both VoIP calls and large file backups. What technique ensures voice quality is maintained during peak traffic periods?

Correct answer is B. WAN links are the bandwidth bottleneck in most enterprise networks. When a congested WAN link must carry both latency-sensitive traffic (VoIP, video conferencing) and bulk data (file backups, software updates), without QoS every packet waits in the same FIFO queue. Large backup packets filling that queue delay the VoIP packets behind them, producing choppy audio, jitter, and dropped calls. QoS (Quality of Service) solves this with classification and queueing, normally combined with shaping to the contracted circuit rate so that the congestion point, and therefore the queueing decision, sits on the enterprise router rather than inside the provider network. VoIP is marked DSCP EF (Expedited Forwarding) and placed in a strict priority queue (LLQ) that is served before all other traffic; during congestion the priority class is policed to its allocation so it cannot starve everything else. Video conferencing gets its own guaranteed-bandwidth class (CBWFQ); bulk backups go in a best-effort or low-bandwidth class and are delayed or dropped first when the link is full. Cisco IOS implements this with the MQC: class-maps classify, policy-maps apply the queueing and shaping actions, and service-policy attaches the policy to the interface in the output direction. The result: voice calls remain clear even when the WAN link is saturated with backup traffic. Markings set by the enterprise only count across the WAN if the provider honours them, so check the MPLS contract's QoS classes and re-mark at the edge if needed.
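The class-map / policy-map / service-policy chain described above, as an added example that is not from the original page: a hierarchical MQC policy on a WAN interface contracted at 10 Mb/s. Class names, bandwidth figures, the interface, the backup server subnet and the DSCP values chosen for video are assumptions.

```cisco
! Added example, not from the original page: LLQ/CBWFQ under a shaper on a 10 Mb/s WAN
! circuit. Class names, bandwidth figures, interface and the backup subnet are assumptions.
!
! ===== Classify
! Voice: trust the EF marking set by the phones / call manager
class-map match-any VOICE
 match dscp ef
! Video conferencing: AF41 family
class-map match-any VIDEO
 match dscp af41 af42 af43
! Backups: unmarked bulk traffic from the backup server subnet, matched by ACL
ip access-list extended BACKUP-TRAFFIC
 permit ip 10.1.50.0 0.0.0.255 any
class-map match-any BACKUP
 match access-group name BACKUP-TRAFFIC
!
! ===== Queue (child policy)
! priority = strict priority queue, policed to 1000 kb/s under congestion so voice
! cannot starve the other classes; bandwidth = guaranteed minimum, not a cap
policy-map WAN-OUT
 class VOICE
  priority 1000
 class VIDEO
  bandwidth 2000
 class BACKUP
  bandwidth 500
  random-detect dscp-based
 class class-default
  fair-queue
!
! ===== Shape (parent policy)
! Shape to the contracted rate so the queue forms here, where the policy can act,
! instead of in the provider's ingress policer where drops are blind
policy-map WAN-SHAPE
 class class-default
  shape average 10000000
  service-policy WAN-OUT
!
! ===== Attach, outbound only (queueing applies to the direction we control)
interface GigabitEthernet0/1
 description MPLS WAN, 10 Mb/s CIR
 service-policy output WAN-SHAPE
!
! Verify: show policy-map interface GigabitEthernet0/1
!         (per-class offered rate, drops, and the priority-class policer counters)
```

`show policy-map interface` is the tool for confirming that the policy actually bites: if the BACKUP and class-default classes show drops while VOICE shows none during a backup window, the priority queue is doing its job. Drops inside the VOICE class itself mean the 1000 kb/s policer is too small for the number of concurrent calls, not that the link is congested.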

9. Which diagnostic commands check WAN link reachability and path, and what does each specifically reveal?

Correct answer is A. Ping sends ICMP Echo Request packets to the target and reports whether ICMP Echo Reply packets come back. It confirms Layer 3 reachability and measures round-trip time (RTT), which exposes high latency or packet loss on WAN links. On Cisco IOS, ping [remote-ip] repeat 100 size 1400 sends 100 packets of 1400 bytes; the larger sample gives a meaningful loss and RTT figure, and adding df-bit to a large ping also reveals an MTU problem on the path (a tunnel or PPPoE link that cannot carry full-size packets). Traceroute (tracert on Windows) sends probes with incrementing TTL values to discover each intermediate router (hop) on the path: IOS and Linux use UDP probes to high ports, Windows uses ICMP Echo. It shows the address of each hop, the latency to each hop, and, most valuably, where the path fails or where latency jumps. A * * * at a particular hop means no ICMP Time Exceeded reply came back from that device; common reasons are a firewall dropping the probes, a router that rate-limits or does not generate ICMP, or an MPLS core that hides its P routers. If later hops still answer, the silent hop is not the fault. Together the two tools answer: is the remote site reachable? How many hops away? Where is the delay occurring?

10. What does SD-WAN do that traditional WAN architecture cannot, and what specific capability allows it to use multiple WAN transport types simultaneously?

Correct answer is D. Traditional WAN architecture requires each router to be configured individually via CLI — making policy changes labour-intensive and error-prone across hundreds of branch sites. Traffic typically uses a single primary WAN link with a manual failover backup. SD-WAN fundamentally changes this by separating the control plane (policy decisions) from the data plane (packet forwarding): a central SD-WAN controller holds all policies and automatically pushes them to every edge router in the network. The key capabilities that traditional WAN cannot match: (1) Active-active multi-transport — MPLS, broadband, and 4G are all active simultaneously; SD-WAN measures each link's health in real time and steers traffic accordingly; (2) Application-aware routing — SD-WAN identifies specific applications (Microsoft Teams, Salesforce, SAP) by signature and applies specific policies per application; (3) Zero Touch Provisioning — new branch routers automatically download their configuration from the controller; (4) Built-in encryption — all WAN links are encrypted by default; (5) Real-time visibility — dashboards show per-application, per-link performance metrics across the entire WAN.
