WAN Technologies Overview
1. What Is a WAN and Why Does It Matter?
A Wide Area Network (WAN) connects geographically separated networks — branch offices, data centres, cloud providers, and remote workers — across distances that range from a few kilometres to intercontinental spans. Unlike a LAN, which an organisation owns and operates entirely, a WAN typically involves service provider infrastructure: leased circuits, shared provider backbones, or internet-based overlays.
Choosing the right WAN technology is one of the most consequential network design decisions an organisation makes. The wrong choice leads to either overspending (paying for premium MPLS when broadband internet with VPN would suffice) or underdelivering (using best-effort broadband for latency-sensitive voice and video). The key evaluation axes are cost, bandwidth, latency, reliability, security, and scalability.
| WAN Technology | Provider Type | Typical Bandwidth | Latency | Cost | Best For |
|---|---|---|---|---|---|
| Leased Line | Telco | 1.5 Mbps – 10 Gbps | Very low — guaranteed | Very high | Mission-critical point-to-point links |
| MPLS | Carrier | 1 Mbps – 10 Gbps | Low — SLA-backed | High | Enterprise multi-site, voice/video, QoS |
| Metro Ethernet | Carrier / CLEC | 10 Mbps – 100 Gbps | Low – medium | Medium – high | Metropolitan area connectivity, campus WAN |
| DSL | Telco (copper) | 1 – 100 Mbps | Medium | Low | Small offices, home workers, backup links |
| Cable (HFC) | Cable operator | 10 Mbps – 1+ Gbps | Low – medium | Low – medium | SMB, home offices, backup links |
| SD-WAN | Software overlay (any transport) | Depends on transport | Variable (managed intelligently) | Medium (saves vs MPLS) | Modern multi-site enterprise, cloud access |
2. WAN Fundamentals — Key Concepts
2.1 Circuit-Switched vs Packet-Switched
WAN technologies historically fall into two categories based on how data is transported across the provider network.
| Model | How It Works | Bandwidth | Examples | Status |
|---|---|---|---|---|
| Circuit-Switched | A dedicated physical path is established between endpoints for the duration of the call or session. Bandwidth is reserved end-to-end regardless of whether data is being sent. | Fixed, dedicated — always available, never shared | PSTN (phone network), ISDN, traditional T1/E1 | Legacy — largely replaced |
| Packet-Switched | Data is divided into packets, each routed independently through shared provider infrastructure. No dedicated path — packets may take different routes. | Shared — bandwidth is used only when packets are in transit | MPLS, internet, Frame Relay (legacy), ATM (legacy) | Current — dominant model |
2.2 CPE, CE, and PE Routers
Three device roles define the boundary between the customer and the service provider in a WAN. The CE router peers with the PE router using routing protocols such as OSPF, EIGRP, BGP, or static routes. See also: Routers.
WAN device roles:
Customer Site                Provider Network               Customer Site
─────────────                ────────────────               ─────────────
[LAN Switches]                                            [LAN Switches]
     │                                                           │
[CE Router]──────[PE Router]──[Provider Core]──[PE Router]──[CE Router]
Customer Edge    Provider Edge                Provider Edge Customer Edge
(customer owns)  (provider owns)             (provider owns)(customer owns)
CPE (Customer Premises Equipment):
→ Any device on the customer side of the WAN demarcation point
→ Includes CE routers, switches, firewalls at the customer location
→ Owned/managed by the customer (or co-managed with provider)
CE (Customer Edge) Router:
→ The customer's router that connects to the provider's PE router
→ Runs routing protocols with the PE (OSPF, BGP, static routes)
→ Does NOT know the internal structure of the MPLS provider network
PE (Provider Edge) Router:
→ The provider's router at the edge of the MPLS/provider network
→ Maintains VRF (Virtual Routing and Forwarding) tables per customer
→ Applies MPLS labels; connects to CE and to provider core (P routers)
2.3 WAN Serial Interfaces and Common Physical Standards
Common WAN interface types on Cisco routers:
Serial interfaces (for leased lines / frame relay / legacy WAN):
→ Serial0/0/0 — supports T1, E1, T3, E3 speeds
→ Clock rate configured on the DCE end (provider or simulated in lab)
→ Encapsulations: PPP, HDLC (Cisco default), Frame Relay
Modern WAN interface types:
→ GigabitEthernet — Metro Ethernet handoff
→ Dialer/Virtual interfaces — DSL (PPPoE), VPN tunnels
→ Cellular interfaces — 4G/LTE backup WAN
Lab simulation:
Router(config)# interface Serial0/0/0
Router(config-if)# ip address 10.0.0.1 255.255.255.252
Router(config-if)# clock rate 2000000   (DCE side only — sets line speed)
Router(config-if)# encapsulation ppp    (or hdlc / frame-relay)
Router(config-if)# no shutdown
3. Leased Lines — Dedicated Point-to-Point Circuits
A leased line (also called a dedicated circuit or private line) is a permanently established, dedicated point-to-point connection between two sites, provided by a telecommunications carrier. The full bandwidth of the circuit is exclusively available to the customer at all times — it is never shared with other customers.
Leased line topology:
[Site A — CE Router] ────────────────────────────── [Site B — CE Router]
         │              Dedicated physical circuit             │
         │               (T1, E1, T3, E3, OC-x)                │
   [LAN Switches]          Provider owns the            [LAN Switches]
                        physical infrastructure;
                       customer leases the circuit.
Common leased line speeds:
T1 = 1.544 Mbps (24 DS0 channels × 64 Kbps) — North America
E1 = 2.048 Mbps (32 DS0 channels × 64 Kbps) — Europe / rest of world
T3 = 44.736 Mbps (28 T1 channels)
E3 = 34.368 Mbps (16 E1 channels)
OC-3 = 155.52 Mbps, OC-12 = 622 Mbps, OC-48 = 2.4 Gbps (SONET/SDH)
Leased Line Characteristics
| Characteristic | Detail |
|---|---|
| Bandwidth | Fixed — the leased speed is always available, never contended with other customers |
| Latency | Very low and predictable — no shared queuing in the provider network |
| Reliability | Very high — SLA-backed with carrier-grade uptime guarantees (typically 99.9% or better) |
| Security | Inherently private — traffic is physically isolated from other customers; no encryption needed |
| Cost | Very high — customers pay a flat monthly rate for the full circuit regardless of actual utilisation |
| Scalability | Poor — each new site requires a new physical circuit; long provisioning times (weeks to months) |
| Topology | Point-to-point only — one circuit connects exactly two sites |
4. MPLS — Multiprotocol Label Switching
MPLS (Multiprotocol Label Switching) is a high-performance packet-forwarding technology used by service providers to build scalable, QoS-capable private WANs for enterprise customers. Instead of routing packets based on IP destination address at every hop (which is CPU-intensive), MPLS routers forward packets based on short fixed-length labels — making forwarding decisions extremely fast.
From the customer's perspective, an MPLS WAN behaves like a private Layer 3 network: all branch sites are connected as if they share a single routing domain, with the provider's network acting as a transparent cloud. Customers do not see or manage the MPLS label infrastructure — that is entirely within the provider's domain.
MPLS WAN architecture — enterprise multi-site:
[Branch A — CE]──[PE-A]──────────────────────────[PE-B]──[Branch B — CE]
                   │      MPLS Provider Backbone    │
                   │    (P routers — label-based)   │
                 [PE-C]──────────────────────────[PE-D]
                   │                                │
            [Branch C — CE]              [HQ Data Centre — CE]
Label switching process:
1. CE router sends IP packet to PE router (normal routing)
2. Ingress PE adds an MPLS label (a 20-bit value) to the packet
based on the destination VRF/prefix
3. P (Provider) core routers forward the packet using ONLY the label
— no IP routing table lookup performed in the core
4. Egress PE removes the label (label popping) and delivers the
original IP packet to the destination CE router
VPN isolation: Each customer's traffic is kept separate using
MP-BGP and VRF (Virtual Routing and Forwarding) tables on PE routers.
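The four label-switching steps and the VRF isolation described above, as an added Python example (not code from the original page or from any vendor). It goes slightly beyond the text by using the two-label stack common in MPLS L3VPNs (an outer transport label plus an inner VPN label); the interface names, label values, prefixes, and CE names are constructed for illustration.

```python
import ipaddress
import struct

def encode_lse(label, bottom, ttl=64, tc=0):
    """Pack one 32-bit label stack entry: label(20) | TC(3) | S(1) | TTL(8)."""
    if not 0 <= label < 2 ** 20:
        raise ValueError("MPLS label must fit in 20 bits")
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)

def decode_lse(raw):
    """Unpack the first label stack entry found in raw bytes."""
    (word,) = struct.unpack("!I", raw[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool((word >> 8) & 1), "ttl": word & 0xFF}

# Constructed provider state. Both customers use the same prefix on purpose.
INTERFACE_VRF = {"Gi0/1": "CUST_A", "Gi0/2": "CUST_B"}   # ingress PE: CE-facing port -> VRF
VRF_ROUTES = {                                           # per-VRF prefix -> VPN label
    "CUST_A": {"10.1.0.0/24": 1001, "10.1.0.128/25": 1002},
    "CUST_B": {"10.1.0.0/24": 2001},
}
TRANSPORT_LABEL = 300                                    # outer label toward the egress PE
P_LFIB = {300: 301}                                      # P router: incoming -> outgoing label
EGRESS_VPN = {1001: ("CUST_A", "CE-A2"), 1002: ("CUST_A", "CE-A3"),
              2001: ("CUST_B", "CE-B2")}                 # egress PE: VPN label -> (VRF, CE)

def ingress_pe(in_if, dst_ip, payload):
    """Steps 1-2: choose the VRF from the arrival port, longest-prefix match, push labels."""
    routes = VRF_ROUTES[INTERFACE_VRF[in_if]]
    addr = ipaddress.ip_address(dst_ip)
    hits = [n for n in map(ipaddress.ip_network, routes) if addr in n]
    if not hits:
        raise LookupError(f"no route to {dst_ip} in this VRF")
    best = max(hits, key=lambda n: n.prefixlen)
    return (encode_lse(TRANSPORT_LABEL, bottom=False)
            + encode_lse(routes[str(best)], bottom=True) + payload)

def p_router(frame):
    """Step 3: swap the top label only; the bytes behind it are never parsed."""
    top = decode_lse(frame)
    if top["ttl"] <= 1:
        raise ValueError("TTL expired in the core")
    return encode_lse(P_LFIB[top["label"]], top["bottom"],
                      top["ttl"] - 1, top["tc"]) + frame[4:]

def egress_pe(frame):
    """Step 4: pop the stack; the bottom (VPN) label selects the customer VRF and CE."""
    offset = 0
    while True:
        entry = decode_lse(frame[offset:])
        offset += 4
        if entry["bottom"]:
            break
    vrf, ce = EGRESS_VPN[entry["label"]]
    return vrf, ce, frame[offset:]

def deliver(in_if, dst_ip, payload):
    """Carry a customer payload (constructed bytes) across ingress PE, P router, egress PE."""
    return egress_pe(p_router(ingress_pe(in_if, dst_ip, payload)))

if __name__ == "__main__":
    # Same destination address, different arrival ports: each stays in its own VRF.
    print(deliver("Gi0/1", "10.1.0.5", b"payroll-A"))
    print(deliver("Gi0/2", "10.1.0.5", b"payroll-B"))
    # The customer bytes are readable inside the core frame: separation, not encryption.
    print(b"payroll-A" in p_router(ingress_pe("Gi0/1", "10.1.0.5", b"payroll-A")))
```

The overlapping 10.1.0.0/24 prefixes never collide because the lookup is scoped by arrival interface, while the last line shows the payload crossing the core unmodified and in the clear.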
MPLS Key Characteristics
| Characteristic | Detail |
|---|---|
| Traffic separation | Each customer gets a separate VRF — traffic is logically isolated even though the physical infrastructure is shared |
| QoS support | MPLS providers offer QoS classes — voice, video, and data can receive different treatment across the provider backbone; SLA-backed latency and jitter for real-time traffic |
| Any-to-any connectivity | All customer sites are part of the same VPN — any site can communicate directly with any other without traffic flowing through HQ (unlike hub-and-spoke VPN) |
| Routing | CE routers peer with PE routers using OSPF, EIGRP, BGP, or static routes; CE does not see MPLS internals |
| Bandwidth | 1 Mbps to 10+ Gbps; committed rates with burst capabilities |
| Cost | High — premium over broadband internet, but lower than individual leased lines for multi-site connectivity |
| Provisioning time | Weeks — physical circuit provisioning still required per site |
| Security | Traffic is logically private (VRF separation) but not encrypted — MPLS is not inherently encrypted |
See full detail: MPLS Deep Dive
5. Metro Ethernet — Carrier Ethernet WAN
Metro Ethernet (Metropolitan Area Ethernet) extends standard Ethernet technology beyond the LAN into the WAN, across a metropolitan or regional area using a carrier's fibre infrastructure. From the customer's perspective, the WAN connection looks and behaves like an Ethernet interface — familiar, simple, and interoperable with existing LAN equipment.
The Metro Ethernet Forum (MEF) defines standardised service types. The two most common for enterprise WAN use are:
| MEF Service | Also Called | Description | Use Case |
|---|---|---|---|
| E-Line | Ethernet Private Line (EPL) / Ethernet Virtual Private Line (EVPL) | Point-to-point Ethernet connection between two sites. Effectively a leased line replacement using Ethernet framing over carrier fibre. | Replacing T1/E1 leased lines; data centre interconnect; high-bandwidth point-to-point links |
| E-LAN | Ethernet LAN / VPLS (Virtual Private LAN Service) | Multipoint-to-multipoint Ethernet service. All sites share a common Ethernet broadcast domain — they appear to be on the same LAN even across the provider network. | Multi-site enterprise LANs, campus extension, replacing Frame Relay/ATM multipoint WANs |
Metro Ethernet E-Line (point-to-point):
[Site A]──GigE──[Provider Edge]──Carrier Fibre──[Provider Edge]──GigE──[Site B]
            │                                                      │
  UNI (User-Network Interface)                                    UNI
  (where customer Ethernet meets                      (same standard interface)
   provider network)
Metro Ethernet E-LAN (multipoint):
[Site A]──┐
[Site B]──┼──[Provider Metro Ethernet Network]──┬──[Site C]
[Site D]──┘  (VPLS or Carrier Ethernet bridge)  └──[HQ]
All sites appear on the same Ethernet broadcast domain.
Any site can communicate with any other at Layer 2.
Metro Ethernet Characteristics
| Characteristic | Detail |
|---|---|
| Bandwidth | 10 Mbps to 100 Gbps; highly scalable — often just a contract change to upgrade |
| Interface type | Standard Ethernet (802.3) — no special WAN hardware needed on the customer side |
| Latency | Low — fibre-based, minimal provider-side processing |
| Geographic scope | Metropolitan or regional — not suitable for wide geographic separation (that requires MPLS or internet VPN) |
| Cost | Medium to high — lower than traditional leased lines for equivalent bandwidth; fibre infrastructure investment required |
| QoS | Supported via 802.1p CoS marking within provider network; some providers offer SLA-backed classes of service |
6. DSL — Digital Subscriber Line
DSL (Digital Subscriber Line) delivers broadband internet access over the existing copper telephone (PSTN) infrastructure. DSL uses frequencies above the voice band on the copper pair, allowing voice and data to share the same physical line simultaneously.
DSL Variants
| Type | Full Name | Download | Upload | Notes |
|---|---|---|---|---|
| ADSL | Asymmetric DSL | Up to 24 Mbps | Up to 3.5 Mbps | Most common residential DSL; asymmetric (download > upload) |
| ADSL2+ | ADSL2+ | Up to 24 Mbps | Up to 3.5 Mbps | Extended range and improved noise tolerance over ADSL |
| VDSL | Very High Speed DSL | Up to 52 Mbps | Up to 16 Mbps | Requires shorter copper loop; often combined with fibre-to-the-cabinet (FTTC) |
| VDSL2 | Very High Speed DSL 2 | Up to 100+ Mbps | Up to 100 Mbps | Short copper loop required (<500m); basis for "Fibre to the Node" broadband |
| SDSL | Symmetric DSL | Up to 2 Mbps | Up to 2 Mbps | Equal upload/download; suited for small offices hosting servers |
DSL Architecture — PPPoE
Most DSL deployments use PPPoE (PPP over Ethernet) to carry the DSL connection from the customer's router to the ISP's BRAS (Broadband Remote Access Server). PPPoE allows authentication (username/password) and IP address assignment over the Ethernet-like DSL connection.
DSL connection path:
[PC/LAN]──[DSL Router/Modem]──(copper PSTN loop)──[DSLAM at exchange]──[BRAS]──Internet
                  │                                        │
            CPE (customer)                  Provider aggregation equipment
         Acts as PPPoE client                  (Digital Subscriber Line
            Runs NAT (PAT)                        Access Multiplexer)
DSLAM: aggregates hundreds of DSL lines from individual customers
BRAS: authenticates PPPoE sessions; assigns public IP addresses
DSL performance degrades with distance from the exchange (DSLAM):
≤ 300m: near maximum ADSL2+ speed
1 km: significant speed reduction
3+ km: speeds may fall to 2-4 Mbps or less
DSL Characteristics
| Characteristic | Detail |
|---|---|
| Cost | Low — among the cheapest broadband options; uses existing copper infrastructure |
| Bandwidth | Up to ~100 Mbps (VDSL2); speed is distance-dependent |
| Contention | Shared at the DSLAM and ISP level; not a dedicated circuit |
| Reliability | Best-effort — no SLA for most consumer/SMB DSL products |
| Typical WAN use | Small office/home office (SOHO) primary or backup WAN; internet access; IPsec/SSL VPN endpoint |
See also: PPPoE Client Configuration Lab
7. Cable Broadband — HFC Networks
Cable broadband uses the Hybrid Fibre-Coaxial (HFC) infrastructure originally deployed for cable television. Fibre runs from the cable operator's headend to neighbourhood nodes; coaxial cable carries the signal the final distance to each home or business. The DOCSIS (Data Over Cable Service Interface Specification) standard governs how data is transmitted over cable TV infrastructure.
HFC / Cable broadband architecture:
[Internet]──[Cable Headend/CMTS]──[Fibre]──[Node]──[Coax]──[Cable Modem]──[LAN]
                     │                                           │
                Cable Modem                                CPE (customer)
            Termination System                            Runs DHCP client;
          (terminates cable modem                         provides NAT (PAT)
          connections, aggregates                         to home/office LAN
            subscriber traffic)
Shared medium: coaxial segment from node to homes is shared among
all subscribers in that neighbourhood. Bandwidth contention is highest
during peak hours (evenings when everyone streams video).
DOCSIS versions:
DOCSIS 2.0: ~40 Mbps down / 30 Mbps up
DOCSIS 3.0: ~1 Gbps down / 200 Mbps up (channel bonding)
DOCSIS 3.1: ~10 Gbps down / 1–2 Gbps up (OFDM modulation)
DOCSIS 4.0: ~10 Gbps symmetrical (emerging)
Cable vs DSL Comparison
| Feature | Cable (HFC) | DSL (ADSL/VDSL) |
|---|---|---|
| Physical medium | Fibre + coaxial cable | Copper telephone wire |
| Typical speeds | 100 Mbps – 1+ Gbps | 1 – 100 Mbps (distance dependent) |
| Shared medium? | Yes — coaxial segment is shared by neighbours | Partially — dedicated copper loop to DSLAM; shared at ISP level |
| Distance sensitivity | Low — fibre extends deep into neighbourhood | High — speed degrades significantly with distance from DSLAM |
| Typical WAN use | SMB primary or backup internet; home office | SOHO; backup link; internet access for small branches |
| Reliability | Best-effort; no SLA for most consumer plans | Best-effort; no SLA for most consumer plans |
8. SD-WAN — Software-Defined Wide Area Networking
SD-WAN (Software-Defined WAN) is a modern approach that separates the WAN control plane (intelligence) from the data plane (packet forwarding), using software to manage and optimise traffic across multiple underlying WAN transports simultaneously — MPLS, internet broadband, LTE/5G, or any combination. SD-WAN is not a physical WAN technology itself; it is an overlay that runs on top of existing transports.
SD-WAN architecture overview:
[Branch CE/Edge Device]──MPLS──────────────────────►[HQ/DC]
      │          └──Internet (broadband)──────►        │
      │          └──LTE/5G (cellular)──────►           │
      │                                                │
      └──────── SD-WAN Overlay (encrypted tunnels) ────┘
            (vEdge / cEdge devices at each site)
SD-WAN centralised components:
┌─────────────────────────────────────────────────────────────┐
│ vManage — Centralised management dashboard (GUI/API) │
│ vSmart — Control plane; distributes routing policy │
│ vBond — Orchestration; helps edge devices find vSmart │
└─────────────────────────────────────────────────────────────┘
(Cisco SD-WAN / Viptela architecture — naming may vary by vendor)
Traffic steering example:
Voice RTP → preferentially sent over MPLS (low latency, SLA)
Web browsing → sent over cheap internet broadband
If MPLS degrades below jitter threshold:
→ SD-WAN automatically migrates voice to LTE backup
→ No manual intervention required
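The traffic-steering behaviour above, as an added Python example (not code from the original page or from any SD-WAN vendor). The SLA thresholds, probe values, transport order for web traffic, and the three-sample averaging window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import mean

@dataclass
class Sla:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

@dataclass
class Path:
    name: str
    probes: list = field(default_factory=list)   # recent (latency, jitter, loss) samples

    def record(self, latency, jitter, loss, window=3):
        # Keep a short sliding window so one bad probe does not flap the path.
        self.probes = (self.probes + [(latency, jitter, loss)])[-window:]

    def meets(self, sla):
        if not self.probes:
            return False                          # never measured: not trusted yet
        latency, jitter, loss = (mean(col) for col in zip(*self.probes))
        return (latency <= sla.max_latency_ms and jitter <= sla.max_jitter_ms
                and loss <= sla.max_loss_pct)

# Constructed policy: application class -> (SLA, transports in order of preference).
POLICY = {
    "voice": (Sla(150, 30, 1.0), ["mpls", "lte", "broadband"]),
    "web":   (Sla(400, 100, 5.0), ["broadband", "mpls", "lte"]),
}

def steer(app, paths):
    """Return the first preferred transport whose averaged probes meet the app's SLA."""
    sla, preference = POLICY[app]
    for name in preference:
        path = paths.get(name)
        if path is not None and path.meets(sla):
            return name
    return preference[0]                          # nothing compliant: stay on first choice

def replay(app, timeline):
    """Feed probe rounds ({path: (latency, jitter, loss)}) and log each steering decision."""
    paths, decisions = {}, []
    for probe_round in timeline:
        for name, sample in probe_round.items():
            paths.setdefault(name, Path(name)).record(*sample)
        decisions.append(steer(app, paths))
    return decisions

# Constructed probe data: MPLS jitter degrades for three rounds, then recovers.
GOOD, DEGRADED = (20, 5, 0.0), (25, 60, 0.5)
LTE, BROADBAND = (60, 12, 0.2), (35, 40, 0.8)
TIMELINE = [{"mpls": m, "lte": LTE, "broadband": BROADBAND}
            for m in [GOOD] * 3 + [DEGRADED] * 3 + [GOOD] * 2]

if __name__ == "__main__":
    print("voice:", replay("voice", TIMELINE))
    print("web:  ", replay("web", TIMELINE))
```

Voice leaves MPLS only after the averaged jitter crosses the threshold and returns only after the average recovers, which is why the switch lags the first degraded and first good probe by one round.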
SD-WAN Key Capabilities
| Capability | Description |
|---|---|
| Transport-agnostic | Works over any WAN transport — MPLS, internet, LTE/5G, satellite — simultaneously |
| Application-aware routing | Identifies applications (Salesforce, Office 365, VoIP) and steers them to the optimal WAN path based on real-time performance metrics (latency, jitter, loss) |
| Centralised policy management | All routing and security policies are defined centrally (via vManage) and pushed to all edge devices automatically |
| Zero-touch provisioning | New branch devices connect to the SD-WAN fabric and download their configuration automatically — no truck roll required |
| Built-in encryption | All overlay tunnels are IPsec-encrypted — data security over internet transports without separate VPN infrastructure |
| WAN optimisation | Some SD-WAN solutions include compression, deduplication, and TCP optimisation to improve application performance |
| Cloud-friendly | Direct cloud breakout — traffic to SaaS (Office 365, Salesforce) can be sent directly to the internet from the branch rather than backhauling through HQ |
SD-WAN vs Traditional MPLS
| Factor | MPLS WAN | SD-WAN (over broadband + MPLS) |
|---|---|---|
| Cost | High — MPLS circuits are expensive | Lower — can use cheap internet broadband for most traffic |
| QoS | SLA-backed across provider backbone | Application-aware steering + path quality monitoring |
| Agility | Low — weeks to provision new sites | High — zero-touch provisioning; branch up in hours |
| Cloud access | Traffic must backhaul to HQ then out to internet | Direct cloud breakout from branch |
| Encryption | Not native — requires additional IPsec overlay | Built-in IPsec for all paths |
| Vendor lock-in | Tied to one MPLS provider | Multi-transport; can mix providers |
See full detail: SD-WAN Overview | Cisco SD-WAN / Viptela Overview Lab
9. VPN Overlays on WAN — IPsec, GRE, and DMVPN
When organisations use internet broadband (DSL, cable, LTE) as their WAN transport, they need to secure traffic and create private connectivity between sites. This is achieved using VPN overlays — encrypted tunnels that run across the public internet, making it behave like a private WAN.
| VPN Technology | Description | Best For |
|---|---|---|
| Site-to-Site IPsec VPN | Encrypted tunnel between two fixed sites using IKE/IPsec. Static tunnels — each site-pair needs its own tunnel configuration. | Small number of branch sites; simple hub-and-spoke topologies |
| GRE Tunnel | Generic Routing Encapsulation — creates a virtual point-to-point link that can carry multicast and routing protocol traffic. Not encrypted by itself — usually combined with IPsec. | Routing protocol extension across WAN; carrying multicast over internet paths |
| DMVPN | Dynamic Multipoint VPN — combines mGRE (multipoint GRE) with NHRP to allow spoke sites to build dynamic direct spoke-to-spoke tunnels on demand, without going through HQ. | Large-scale branch networks; spoke-to-spoke traffic without backhauling through hub |
| SSL/TLS VPN | Remote access VPN using HTTPS — works through firewalls and NAT without special ports. Used for individual remote workers, not typically site-to-site. | Remote user access; BYOD; clientless web-based access — see Site-to-Site vs Remote Access VPN |
WAN overlay comparison — same internet transport, different overlays:
Internet-only WAN with IPsec site-to-site:
[Branch A]──IPsec──[Internet]──IPsec──[HQ]
Spoke-to-spoke traffic must go via HQ (hub-and-spoke)
Each site-pair = one tunnel configuration = scales poorly
Internet WAN with DMVPN:
[Branch A]──┐
[Branch B]──┼──[mGRE]──[Internet]──[mGRE]──[HQ (hub)]
[Branch C]──┘
Spokes register with hub via NHRP;
Branch A needs to talk to Branch C:
→ NHRP lookup gets Branch C's real IP
→ Direct spoke-to-spoke tunnel built on demand
→ Traffic bypasses HQ entirely
See also: IPsec VPN | GRE Tunnels | DMVPN | Site-to-Site vs Remote Access VPN | GRE Tunnel Lab | Site-to-Site IPsec VPN Lab | DMVPN Phases Lab
10. Choosing the Right WAN Technology
WAN technology decision guide:
Do you need guaranteed latency/jitter SLA for real-time voice and video?
│
├─ YES, with any-to-any multi-site connectivity and managed QoS
│    → MPLS (or SD-WAN using MPLS as the primary quality transport)
│
├─ YES, but only between two sites (point-to-point)
│    → Leased line (if budget allows) or Metro Ethernet E-Line
│
└─ NO — primarily internet access and data applications
     │
     ├─ Multi-site enterprise with cloud-first strategy?
     │    → SD-WAN over broadband internet (+ optional MPLS for voice)
     │
     ├─ Metropolitan area connectivity (same city/region)?
     │    → Metro Ethernet (E-Line or E-LAN)
     │
     ├─ Small office / home office internet access?
     │    → Cable broadband (if available) or DSL
     │    → Add IPsec VPN for secure connectivity to corporate network
     │
     └─ Branch site needs private connectivity, low budget?
          → Internet broadband (DSL/cable) + DMVPN or SD-WAN overlay
| Technology | Cost (more ★ = more expensive) | Scalability | QoS/SLA | Security | Setup Time | Ideal Use Case |
|---|---|---|---|---|---|---|
| Leased Line | ★★★★★ | ★☆☆☆☆ | ★★★★★ | ★★★★★ | Weeks–months | Mission-critical P2P; backbone links |
| MPLS | ★★★★☆ | ★★★☆☆ | ★★★★★ | ★★★★☆ | Weeks | Enterprise multi-site; real-time traffic |
| Metro Ethernet | ★★★☆☆ | ★★★★☆ | ★★★★☆ | ★★★★☆ | Days–weeks | Metro area; campus WAN; DC interconnect |
| DSL | ★☆☆☆☆ | ★★☆☆☆ | ★☆☆☆☆ | ★★☆☆☆ | Days | SOHO; backup WAN; internet access |
| Cable | ★★☆☆☆ | ★★★☆☆ | ★☆☆☆☆ | ★★☆☆☆ | Days | SMB; home office; backup WAN |
| SD-WAN | ★★★☆☆ | ★★★★★ | ★★★★☆ | ★★★★★ | Hours | Modern enterprise; cloud-first; branch agility |
See also: WAN Overview | MPLS Deep Dive | SD-WAN Overview | DMVPN | IPsec VPN | IPsec Basics | QoS Overview | DMVPN Lab | Cisco SD-WAN Lab