Wide Area Network (WAN) – Technologies, Topologies, and Troubleshooting

1. What Is a WAN?

A Wide Area Network (WAN) is a data communication network that spans a large geographic area — cities, countries, or entire continents — connecting multiple Local Area Networks (LANs), branch offices, data centres, and remote users into a single unified network infrastructure. Unlike a LAN, which an organisation owns and operates entirely within its own building or campus, a WAN typically relies on infrastructure leased or provided by telecommunications carriers and Internet Service Providers (ISPs).

The Internet itself is the largest WAN in existence. Enterprise WANs are private networks that connect an organisation's geographically dispersed sites using a combination of leased circuits, MPLS services, VPN tunnels over the public Internet, and increasingly, SD-WAN overlays.

WAN in context — connecting dispersed sites:

  [London HQ]                              [Frankfurt Branch]
  [Cisco Router] ──── MPLS circuit ──────── [Cisco Router]
  [LAN: 10.1.0.0/16]                       [LAN: 10.2.0.0/16]
        │
        ├── IPsec VPN tunnel ──→ [Dubai Branch / Remote Workers]
        └── Internet ──────────→ [AWS Cloud / SaaS Applications]

Key characteristics:
  ✓ Spans large distances — city, country, continent, or global
  ✓ Operated over service-provider infrastructure (leased, not owned)
  ✓ Connects multiple LANs or MANs into one enterprise network
  ✓ Typically slower and higher-latency than LAN (longer distances, shared media)
  ✓ Requires WAN-specific protocols and encapsulations (PPP, HDLC, MPLS)

Related pages: Routers | WAN Technologies | MPLS | DMVPN | SD-WAN Overview | IPsec VPN | IPsec Basics | GRE Tunnels | Site-to-Site vs Remote Access VPN | BGP Overview | OSPF Overview | OSPF Neighbor States | OSPF Areas & LSAs | EIGRP Overview | Floating Static Routes | Default Routes | Dynamic NAT | Static NAT | QoS Overview | QoS Policing & Shaping | Firewalls | ping | traceroute | show ip route | show interfaces | show ip protocols

2. WAN vs LAN vs MAN

Feature | LAN | MAN | WAN
Coverage area | Single building or campus | City or metropolitan area (up to ~50 km) | Country, continent, or global
Typical speed | High — 100 Mbps to 400 Gbps on modern switches | Medium to high — 10 Mbps to 10 Gbps | Variable — 1.5 Mbps (T1) to 100 Gbps (fibre backbone); often shared
Latency | Very low — sub-millisecond within the building | Low to medium | Higher — tens to hundreds of milliseconds over intercontinental links
Ownership | Single organisation owns and operates all equipment | Single or multiple entities; often a city or ISP | Operated by telecoms/ISPs; organisations lease bandwidth
Infrastructure | Ethernet switches, access points — owned by the org | Fibre rings, metro Ethernet — often shared | Leased circuits, MPLS clouds, satellite, undersea cables
Cost | Low per-Mbps cost; hardware is bought once | Medium — monthly leases to service providers | High — recurring monthly circuit costs, especially for private MPLS
Typical examples | Office floor network, university campus | City government network, municipal Wi-Fi | Internet, enterprise MPLS backbone, inter-country VPN

3. WAN Technologies — Circuit-Switched vs Packet-Switched

WAN technologies are divided into two fundamental categories based on how they share the physical transmission medium between multiple users.

Circuit-Switched (Legacy)

Circuit-Switched WAN: a dedicated physical path is established for the full duration of the call/session, then released.

  Device A (192.168.1.10) ── reserved dedicated circuit ── Device B (192.168.2.20)

Characteristics:
  • Bandwidth reserved even when idle
  • Same path used for entire session
  • One failure = call drops

Examples:
  • PSTN — Public Switched Telephone Network
  • ISDN — digital voice/data (legacy)
  • Dial-up modem connections

Status: largely obsolete for data networking; still relevant for CCNA exam history and for understanding voice infrastructure.

Circuit-switched: one reserved path, held for the full session duration

Packet-Switched (Modern)

Packet-switched WAN: data is broken into packets; each packet is routed independently through the provider network and may take different paths. Bandwidth is shared; no dedicated circuit is reserved.

  Device A → Packet 1 → Router1 → Router3 → Device B
  Device A → Packet 2 → Router2 → Router3 → Device B
  Device A → Packet 3 → Router1 → Router2 → Router3 → Device B

Advantages over circuit-switched:
  ✓ Bandwidth shared efficiently (unused capacity not wasted)
  ✓ More resilient — packets reroute if a link fails
  ✓ Scales to millions of simultaneous sessions

Modern packet-switched WAN technologies:
  • MPLS — provider backbone; fast label-switching; QoS support
  • Broadband — DSL, cable, fibre; shared medium; internet access
  • Metro Ethernet — Ethernet extended over WAN distances
  • VPN over Internet — IPsec/SSL tunnels; uses public internet as transport

4. WAN Technologies — Detailed Comparison

Technology | Type | Speed | Key Characteristics | Typical Use
Dedicated Leased Line (T1/E1) | Point-to-point, private | T1: 1.544 Mbps; E1: 2.048 Mbps | Always-on; fixed dedicated bandwidth; not shared; very predictable latency; high monthly cost | Connecting corporate data centres to MPLS cloud; legacy financial and government networks
MPLS (Multiprotocol Label Switching) | Packet-switched, private provider cloud | 2 Mbps to 10 Gbps | Labels replace IP lookups at each hop — faster forwarding; supports QoS classes; any-to-any connectivity via provider; appears as a private network to the customer | Enterprise backbone connecting multiple branch offices; voice and video with QoS guarantees
Broadband Internet (DSL, Cable, Fibre) | Packet-switched, public/shared | 5 Mbps to 10 Gbps (fibre) | Shared medium; lower cost; variable performance; no inherent QoS guarantees; used as WAN transport when overlaid with VPN | Small branch offices; backup WAN link; SD-WAN underlay; remote worker access
IPsec Site-to-Site VPN | Encrypted tunnel over public internet | Limited by underlying internet link | Encrypts all traffic between sites using AES; uses existing internet connectivity as transport; low cost; no guaranteed bandwidth or latency | Replacing MPLS at smaller branches; primary WAN for cost-sensitive organisations; backup to MPLS
SSL/TLS VPN (Remote Access) | Client-to-site encrypted tunnel | Limited by internet link | Individual remote users connect to corporate network using a VPN client or web browser; uses TCP/443 (HTTPS) — traverses most firewalls easily | Remote employees, work-from-home, travelling staff
4G/5G Wireless WAN | Mobile broadband | 4G: up to 150 Mbps; 5G: up to 20 Gbps | No physical cabling needed; available wherever mobile coverage exists; latency higher than fibre; ideal for temporary or remote sites | WAN failover/backup link; kiosks; remote locations without fixed-line access; construction sites
Satellite WAN | Wireless, orbital | 12–150 Mbps (LEO satellites like Starlink) | High latency (GEO: 600 ms+ round trip; LEO: 20–40 ms); covers any geographic location including oceans and polar regions | Offshore platforms, maritime, extremely remote locations with no terrestrial options
Metro Ethernet | Ethernet over carrier fibre | 10 Mbps to 100 Gbps | Ethernet interface on the customer side; carrier provides the fibre transport; simple to integrate with existing Ethernet networks | Connecting sites within a metropolitan area; data centre interconnect

5. MPLS — How Label Switching Works

MPLS (Multiprotocol Label Switching) is the dominant enterprise WAN backbone technology. Understanding how it differs from standard IP routing is a CCNA requirement.

MPLS Label Switching — How It Works

  Branch CE ─standard IP─→ PE1 ─push label 32─→ P1 ─swap → 45─→ P2 ─swap → 61─→ PE2 ─pop label─→ HQ CE
  (Customer Edge)  (Provider Edge: assigns labels)  (Core: label swap only)  (Core: label swap only)  (Provider Edge: pops labels)  (Customer Edge: standard IP)

  MPLS Provider Network — labels only, no IP lookups at P routers

Label Switching Steps:
  1. Ingress PE1 receives IP packet → looks up destination → assigns label 32 → pushes onto header
  2. P1 (core) reads label 32 → swaps to 45 → forwards at hardware speed — no IP lookup needed
  3. P2 (core) reads label 45 → swaps to 61 → forwards at hardware speed
  4. Egress PE2 pops label → delivers original IP packet to HQ CE — label removed

Router roles:
  CE — Customer Edge: customer's router; speaks standard IP to PE
  PE — Provider Edge: assigns & removes labels; runs BGP/OSPF with CE
  P — Provider Core: label swap only — never sees customer routing tables

Benefits: ✓ O(1) label lookup ✓ Traffic Engineering ✓ QoS via EXP bits ✓ Any-to-any connectivity ✓ VRF VPN isolation
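The push/swap/pop sequence above, as an added Python model written for this page (it is not Cisco code or code from the original). The router names, labels 32/45/61 and the HQ prefix are the page's own worked values; the FEC and LFIB table layouts and the function names are assumptions of the example. The only IP lookup happens at PE1; the P routers consult nothing but their label table.

```python
"""Toy MPLS label-switched path: CE -> PE1 -> P1 -> P2 -> PE2 -> CE."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Packet:
    dst: str                                     # destination IPv4 address
    labels: list = field(default_factory=list)   # label stack, top = last element
    trace: list = field(default_factory=list)    # operations performed, for inspection


# Ingress PE: FEC table maps a destination prefix to (outgoing label, next hop).
# Constructed sample entry; a real PE learns this via LDP/BGP.
PE1_FEC = {
    ipaddress.ip_network("10.2.0.0/16"): (32, "P1"),   # HQ LAN reachable via label 32
}

# Core LFIB: incoming label -> (outgoing label, next hop). P routers never
# consult an IP routing table, only this table.
LFIB = {
    "P1": {32: (45, "P2")},
    "P2": {45: (61, "PE2")},
}

# Egress PE: labels that terminate here and the CE they are delivered to.
PE2_POP = {61: "HQ-CE"}


def ingress_push(pkt: Packet) -> str:
    """PE1: longest-prefix match on the IP header, then push a label."""
    dst = ipaddress.ip_address(pkt.dst)
    matches = [(net, entry) for net, entry in PE1_FEC.items() if dst in net]
    if not matches:
        raise LookupError(f"no FEC for {pkt.dst}")
    net, (label, next_hop) = max(matches, key=lambda m: m[0].prefixlen)
    pkt.labels.append(label)
    pkt.trace.append(f"PE1 ip-lookup {net} push {label} -> {next_hop}")
    return next_hop


def core_swap(router: str, pkt: Packet) -> str:
    """P router: swap the top label using only the LFIB (no IP lookup)."""
    in_label = pkt.labels[-1]
    out_label, next_hop = LFIB[router][in_label]
    pkt.labels[-1] = out_label
    pkt.trace.append(f"{router} swap {in_label}->{out_label} -> {next_hop}")
    return next_hop


def egress_pop(pkt: Packet) -> str:
    """PE2: pop the label and deliver the original IP packet to the CE."""
    label = pkt.labels.pop()
    ce = PE2_POP[label]
    pkt.trace.append(f"PE2 pop {label} -> {ce}")
    return ce


def forward(dst: str) -> Packet:
    """Walk one packet across the LSP and return it with its trace."""
    pkt = Packet(dst=dst)
    next_hop = ingress_push(pkt)
    while next_hop in LFIB:              # stay in the core while the next hop is a P router
        next_hop = core_swap(next_hop, pkt)
    delivered_to = egress_pop(pkt)
    pkt.trace.append(f"delivered to {delivered_to} with labels={pkt.labels}")
    return pkt


if __name__ == "__main__":
    for step in forward("10.2.5.7").trace:
        print(step)
```

A destination with no FEC entry raises at the ingress PE, which is the one place in the path that ever looks at the IP header; the P routers would have no way to handle it.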

6. WAN Protocols — PPP and HDLC

On serial (point-to-point) WAN links, a Layer 2 encapsulation protocol is required. The two most tested on the CCNA are PPP and HDLC.

Where PPP and HDLC Apply:

  Router A Serial0/0/0 ── serial link (T1 / leased line) ── Serial0/0/0 Router B
  Both serial interfaces must have matching Layer 2 encapsulation.

HDLC (High-Level Data Link Control)
  • Cisco's DEFAULT serial encapsulation
  • Cisco proprietary — Cisco-to-Cisco only
  • No authentication, no multilink
  • Low overhead — simple and fast
  Router(config-if)# encapsulation hdlc      (default — often no config needed)

PPP (Point-to-Point Protocol)
  • Open standard (RFC 1661) — multi-vendor
  • Authentication: PAP or CHAP
  • Multilink: bond multiple serial links
  • Compression and error detection
  Router(config-if)# encapsulation ppp
  Router(config-if)# ppp authentication chap

PPP Authentication Methods:
  CHAP — 3-way handshake · MD5 hash · password never sent in clear text · preferred
  PAP — 2-way handshake · credentials sent in plain text · less secure

PPP vs HDLC Comparison:
Feature | HDLC (Cisco) | PPP
Standard | Cisco proprietary | Open (RFC 1661)
Multi-vendor | ✗ No (Cisco–Cisco only) | ✓ Yes
Authentication | ✗ None | ✓ PAP / CHAP
Multilink | ✗ No | ✓ Yes
Default on Cisco | ✓ Yes (automatic) | ✗ Must configure
Verifying serial WAN encapsulation:

Router# show interfaces Serial0/0/0
Serial0/0/0 is up, line protocol is up
  Hardware is WAN DSU/CSU
  Internet address is 10.0.0.1/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec
  Encapsulation HDLC, loopback not set        ← current encapsulation

Mismatched encapsulation causes:
  "Serial0/0/0 is up, line protocol is down"
  → Physical link is up (carrier detect) but Layer 2 keepalives fail
  → Check encapsulation matches on BOTH ends
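The CHAP three-way handshake described above, as an added Python model that is not part of the original page. The response value follows RFC 1994 (MD5 over identifier, secret and challenge), which is why the secret itself never crosses the serial link; the router names, username and shared secret are constructed values, and the packet dictionaries are a simplification of the real PPP frames.

```python
"""PPP CHAP (RFC 1994) three-way handshake: Challenge, Response, Success/Failure."""
import hashlib
import hmac
import os

# Constructed: the authenticator stores the peer's secret locally
# (on IOS: "username RouterB password <secret>"). It is never transmitted.
CREDENTIALS = {"RouterB": b"chap-demo-secret"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 section 4.1: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def authenticator_challenge(identifier: int, name: bytes = b"RouterA", size: int = 16) -> dict:
    """Step 1 (Challenge, code 1): a fresh random value plus the authenticator's name."""
    return {"code": 1, "id": identifier, "value": os.urandom(size), "name": name}


def peer_respond(challenge: dict, peer_name: str, secret: bytes) -> dict:
    """Step 2 (Response, code 2): the peer proves knowledge of the secret without sending it."""
    value = chap_response(challenge["id"], secret, challenge["value"])
    return {"code": 2, "id": challenge["id"], "value": value, "name": peer_name.encode()}


def authenticator_verify(challenge: dict, response: dict) -> dict:
    """Step 3 (Success code 3 / Failure code 4): recompute locally and compare in constant time."""
    secret = CREDENTIALS.get(response["name"].decode())
    ok = (
        secret is not None
        and response["id"] == challenge["id"]      # response must belong to this challenge
        and hmac.compare_digest(
            response["value"],
            chap_response(challenge["id"], secret, challenge["value"]),
        )
    )
    return {"code": 3 if ok else 4, "id": challenge["id"]}


def run_handshake(peer_name: str, peer_secret: bytes, identifier: int = 1) -> bool:
    """Drive the three packets and return True on CHAP Success."""
    challenge = authenticator_challenge(identifier)
    response = peer_respond(challenge, peer_name, peer_secret)
    return authenticator_verify(challenge, response)["code"] == 3


if __name__ == "__main__":
    print("correct secret :", run_handshake("RouterB", b"chap-demo-secret"))
    print("wrong secret   :", run_handshake("RouterB", b"typo"))
```

Because the challenge is random per attempt and the identifier is checked, a captured Response is useless against a later Challenge; a PAP exchange, by contrast, carries the password itself, which is the difference the comparison table records.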

7. WAN Topologies

WAN topology defines how sites are interconnected. The right choice depends on the number of sites, redundancy requirements, traffic patterns, and budget.

Point-to-Point

  Site A (HQ / Data Centre) ── dedicated link: leased line / fibre ── Site B (Branch / DR Site)

Advantages:
  ✓ Simple — one link, one path
  ✓ Low latency — direct, no hops
  ✓ Predictable dedicated bandwidth
  ✓ Easy to troubleshoot

Limitations:
  ✗ No redundancy — one failure = outage
  ✗ Not scalable — N sites need N−1 links
  ✗ High cost for long-distance circuits
  ✗ Must add link per new site

Best for: two-site organisations, data-centre-to-data-centre links

Hub-and-Spoke (Star)

  HQ / Hub — central site; all traffic flows here
    ├── Branch 1 (spoke site)
    ├── Branch 2 (spoke site)
    └── Branch 3 (spoke site)
  Spoke-to-spoke traffic must go via HQ.

  ✓ Cost-effective — one link per branch
  ✓ Centralised security inspection at hub
  ✗ Hub = single point of failure
  ✗ Suboptimal spoke-to-spoke traffic

Best for: enterprise branches connecting to a central HQ or data centre; MPLS VPN deployments

Full Mesh

  Site A — DC1 (Primary Data Centre)      Site B — HQ
  Site C — DR Site                        Site D — DC2 (Secondary DC)
  Every site is linked directly to every other site.

  Links = n(n−1)/2 → 4 sites = 6 links · 10 sites = 45 links
  ✓ Maximum redundancy
  ✓ Optimal direct paths

Best for: critical inter-data-centre links; headquarters-to-DR where cost is secondary to availability

Partial Mesh

  Full-mesh backbone: HQ (Headquarters) ↔ DC1 (Primary DC) ↔ DC2 (Regional DC)
  Hub-and-spoke to the nearest regional site:
    Branch 1 — spoke to HQ
    Branch 2 — spoke to DC1
    Branch 3 — spoke to DC2

  Practical balance: full redundancy for the critical backbone — cost-effective spokes for branches

Best for: large enterprises with tiered architecture — resilient core, lean branch connections

8. WAN Routing Protocols

Protocol | Type | Where Used on WAN | Key Characteristics
BGP (Border Gateway Protocol) | Exterior Gateway Protocol (EGP); path-vector | The Internet; between organisations (eBGP); between PE and CE routers in MPLS VPN (iBGP) | The routing protocol of the Internet; manages routing between autonomous systems (AS); supports policy-based routing; slow convergence; extremely scalable
OSPF | Interior Gateway Protocol (IGP); link-state | Within enterprise WAN; between CE and PE in MPLS as CE routing protocol | Fast convergence; hierarchical area design; scales well within an enterprise; most common IGP in enterprise WANs
EIGRP | Interior Gateway Protocol; advanced distance-vector (Cisco proprietary) | Cisco-only enterprise WANs; often used where OSPF complexity is undesirable | Fast convergence; DUAL algorithm; supports unequal-cost load balancing; easier to configure than OSPF
Static routes | Manual configuration | Small WANs with one or two paths; edge routers with a single upstream provider | Simple; predictable; no protocol overhead; no automatic failover unless floating static routes are configured

See: BGP Overview | OSPF Overview | OSPF Neighbor States | OSPF Areas & LSAs | EIGRP Overview | Floating Static Routes | show ip protocols

9. WAN Security

Because WAN traffic crosses service-provider networks and often the public Internet, data in transit must be protected. The two primary security mechanisms are encryption (protecting confidentiality and integrity) and access control (restricting which traffic is permitted to cross WAN links).

IPsec Site-to-Site VPN

  Branch Router (LAN behind: 192.168.10.0/24) ══ IPsec Tunnel — AES-256 encrypted ══ HQ Router (LAN behind: 10.0.0.0/8)
  The tunnel crosses the public Internet (untrusted); all traffic is encrypted end-to-end.

Phase 1 — IKE (Management Tunnel)
  → Authenticate peers (pre-shared key / certs)
  → Negotiate algorithms: AES, SHA, DH group
  → Exchange keys using Diffie-Hellman
  → Result: ISAKMP SA (secure mgmt channel)

Phase 2 — IPsec SA (Data Tunnel)
  → Negotiate ESP or AH protocol
  → Encrypt & encapsulate data packets
  → AES-256 / SHA-256 typical
  → Result: IPsec SA (encrypted data path)

Cisco IOS Verification:
  Router# show crypto isakmp sa      ! Phase 1 tunnel status
  Router# show crypto ipsec sa       ! Phase 2 status + packet counters
Security Control | WAN Purpose | Implementation
IPsec VPN | Encrypt site-to-site traffic over untrusted public internet; provides confidentiality, integrity, and authentication | Cisco IOS crypto map or tunnel interface (GRE over IPsec); Phase 1 IKE + Phase 2 SA
MPLS VPN (L3VPN) | Logical isolation of customer traffic within the provider network using VRF (Virtual Routing and Forwarding) — customers share physical infrastructure but are completely isolated | Provider configures VRFs on PE routers; no encryption, but logical separation enforced by the carrier
Firewall at WAN edge | Inspect and filter traffic entering/leaving the WAN edge; block unauthorised inbound connections; permit only needed traffic | Cisco ASA or IOS Zone-Based Firewall on the WAN-facing interface; stateful inspection of all WAN traffic
ACLs on WAN interfaces | Restrict which source/destination IP pairs and ports are permitted across WAN links; applied inbound on the WAN interface | ip access-group ACL_NAME in on the Serial or WAN Ethernet interface

See: Firewalls | IPsec VPN | IPsec Basics | GRE Tunnels | Named ACLs | Applying ACLs

10. WAN Performance — QoS and Optimisation

WAN links are the bandwidth bottleneck in most enterprise networks — a branch office LAN might run at 1 Gbps but its WAN connection might be only 10 Mbps. When that 10 Mbps is shared between VoIP calls, video conferencing, file backups, and general web traffic, Quality of Service (QoS) is essential to ensure real-time traffic gets priority.

QoS on a Congested WAN Link

✗ Without QoS:
  Large backup file transfer (best-effort) fills the queue
  VoIP call — queued behind backup → choppy!
  Result: call drops · poor user experience

✓ With QoS:
  VoIP/Video — DSCP EF → Priority Queue → served first
  Business apps — DSCP AF31 → Guaranteed BW
  Backups — DSCP BE → Best-effort queue → served last

Cisco IOS QoS Configuration (MQC — Modular QoS CLI):
  class-map match-any VOIP
   match dscp ef
  policy-map WAN-QOS
   class VOIP
    priority 512              ! strict priority — 512 kbps reserved
   class class-default
    fair-queue                ! fair queuing for remaining traffic
  interface Serial0/0/0
   service-policy output WAN-QOS
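To show why the strict-priority class matters, here is an added discrete-event model of the congested serial link (example code for this page, not Cisco's and not from the original). The same traffic mix is served once by a single FIFO queue and once by an LLQ-style scheduler in which DSCP EF is served first but is also policed at the configured 512 kbps, which is what `priority 512` does during congestion. Link rate, packet sizes, the 100 ms burst allowance and the traffic mix are constructed values, and the scheduler is a simplification of IOS behaviour.

```python
"""FIFO vs. LLQ on a congested T1: worst-case queueing delay per traffic class."""
from dataclasses import dataclass

LINK_BPS = 1_544_000        # T1 serial link
PRIORITY_BPS = 512_000      # "priority 512" in the policy-map above
BURST_BITS = PRIORITY_BPS * 0.1   # constructed 100 ms burst allowance for the policer


@dataclass
class Pkt:
    arrival: float   # seconds
    size: int        # bytes
    dscp: str        # "EF" for voice, "BE" for bulk
    name: str


def build_traffic() -> list:
    """Constructed mix: a 40-packet backup burst at t=0 plus a G.711-like
    voice stream (200-byte packet every 20 ms) for one second."""
    pkts = [Pkt(0.0, 1400, "BE", f"backup-{i}") for i in range(40)]
    pkts += [Pkt(i * 0.020, 200, "EF", f"voice-{i}") for i in range(50)]
    return sorted(pkts, key=lambda p: p.arrival)   # stable: backups stay ahead of voice-0


def simulate(pkts: list, use_llq: bool) -> dict:
    """Serve packets on one link; return worst-case queueing delay (seconds)
    per class and the number of EF packets dropped by the priority policer."""
    pending = list(pkts)            # not yet arrived
    ef_q, be_q, fifo_q = [], [], []
    now = 0.0
    worst = {"EF": 0.0, "BE": 0.0}
    ef_dropped = 0
    tokens_bits, last_refill = BURST_BITS, 0.0

    def admit(t: float):
        """Move packets that have arrived by time t into the right queue."""
        nonlocal tokens_bits, last_refill, ef_dropped
        while pending and pending[0].arrival <= t:
            p = pending.pop(0)
            if not use_llq:
                fifo_q.append(p)
            elif p.dscp == "EF":
                # Token bucket: the priority class may not exceed PRIORITY_BPS.
                tokens_bits = min(BURST_BITS, tokens_bits + PRIORITY_BPS * (p.arrival - last_refill))
                last_refill = p.arrival
                if tokens_bits >= p.size * 8:
                    tokens_bits -= p.size * 8
                    ef_q.append(p)
                else:
                    ef_dropped += 1     # EF above its policed rate is dropped, not queued
            else:
                be_q.append(p)

    while pending or ef_q or be_q or fifo_q:
        admit(now)
        if use_llq:
            q = ef_q if ef_q else be_q  # strict priority: EF always goes first
        else:
            q = fifo_q
        if not q:                        # link idle: jump to the next arrival
            now = pending[0].arrival
            continue
        p = q.pop(0)
        worst[p.dscp] = max(worst[p.dscp], now - p.arrival)
        now += p.size * 8 / LINK_BPS    # serialisation time on the link
    return {"worst_delay": worst, "ef_dropped": ef_dropped}


if __name__ == "__main__":
    traffic = build_traffic()
    for mode in (False, True):
        print("LLQ " if mode else "FIFO", simulate(traffic, use_llq=mode))
```

With FIFO the first voice packet sits behind forty 1400-byte packets, roughly 290 ms on a T1, which is well past what a call tolerates; with LLQ no voice packet waits longer than the one packet already being serialised (about 7 ms). The policer counter is the caveat: if more calls are added than 512 kbps can carry, the excess EF traffic is dropped during congestion rather than queued, so the `priority` figure has to be sized to the expected call count.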
Optimisation Technique | How It Helps | Typical Application
QoS / Traffic Shaping | Classifies traffic and allocates guaranteed bandwidth and priority to real-time applications; delays or drops lower-priority traffic during congestion | VoIP, video conferencing, financial transaction systems prioritised over bulk file transfers and backups
WAN Compression | Reduces the payload size of data before transmission, increasing effective throughput without adding bandwidth | Text-heavy traffic like XML, HTML, database queries; less effective for already-compressed data (video, images)
WAN Optimisation (WAAS) | Caches frequently accessed files locally at the branch; deduplicates data patterns across the WAN; reduces latency for common file server and application traffic | Cisco WAAS; Riverbed Steelhead; reduces effective bandwidth consumption for branch access to central servers
Load Balancing / ECMP | Distributes traffic across multiple WAN links simultaneously, increasing aggregate throughput and providing automatic failover | Dual MPLS circuits; MPLS + broadband; SD-WAN multi-link aggregation

11. WAN Redundancy and Failover Design

WAN Redundancy Models — Least to Most Resilient

1 — Single Link (No Redundancy)
  Branch ── MPLS only ── HQ
  Link failure = complete outage. Zero redundancy. ⚠ Single point of failure

2 — Dual Link (Primary + Backup)
  Branch ── MPLS primary ── HQ
  Branch ── 4G/LTE backup ── HQ
  If MPLS fails → routing auto-switches to 4G. Use floating static routes or IP SLA tracking.
  ip route 0.0.0.0 0.0.0.0 Cellular0 200      ! higher AD = backup

3 — Dual Provider (Geographic Redundancy)
  Branch ── ISP-A MPLS ── HQ DC1
  Branch ── ISP-B fibre ── HQ DC2
  Survives a complete ISP outage or site failure. BGP used for provider redundancy. Two ISPs + two DCs = highest resilience.

4 — SD-WAN Active-Active Multi-Path (Best)
  Branch ── MPLS / Broadband / 4G/5G ── HQ, with an SD-WAN Controller providing real-time path steering
  All paths active simultaneously — SD-WAN steers by latency, jitter & loss per link
  ✓ VoIP on lowest-latency ✓ Bulk on cheapest ✓ Instant failover ✓ Zero-touch provisioning
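Model 2's floating static route with IP SLA tracking, as an added example that is not part of the original page: a simplified route-selection model that installs the lowest-AD candidate whose exit interface is up and whose track object passes, walked through the failure states a branch would see. The interfaces, administrative distances and the track object name "1" are constructed to mirror the `ip route 0.0.0.0 0.0.0.0 Cellular0 200` line above; the selection logic is a model of what the router does, not IOS code.

```python
"""Floating static route + IP SLA track: which default route is installed?"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    prefix: str
    exit_if: str
    ad: int                       # administrative distance; lower wins
    track: Optional[str] = None   # IP SLA track object the route depends on, if any


# Constructed: primary default via the MPLS circuit (AD 1, tied to track 1,
# an IP SLA probe towards the provider gateway) and a floating backup via
# 4G with AD 200, so it is only installed when the primary is withdrawn.
ROUTES = [
    StaticRoute("0.0.0.0/0", "Serial0/0/0", 1, track="1"),
    StaticRoute("0.0.0.0/0", "Cellular0", 200),
]


def select_route(routes, if_up: dict, track_ok: dict) -> Optional[StaticRoute]:
    """Return the candidate the RIB would install: exit interface up, track
    object (if any) passing, lowest AD. None means no default route at all."""
    eligible = [
        r for r in routes
        if if_up.get(r.exit_if, False)
        and (r.track is None or track_ok.get(r.track, False))
    ]
    return min(eligible, key=lambda r: r.ad) if eligible else None


def failover_timeline(routes=ROUTES) -> list:
    """States a branch would see: normal, circuit failure, 'interface up/up
    but the provider path is broken' (only the track catches this), recovery
    with pre-emption back to the primary, and a total transport outage."""
    events = [
        ("normal",                  {"Serial0/0/0": True,  "Cellular0": True},  {"1": True}),
        ("MPLS circuit down",       {"Serial0/0/0": False, "Cellular0": True},  {"1": False}),
        ("MPLS up but SLA failing", {"Serial0/0/0": True,  "Cellular0": True},  {"1": False}),
        ("MPLS recovered",          {"Serial0/0/0": True,  "Cellular0": True},  {"1": True}),
        ("both transports down",    {"Serial0/0/0": False, "Cellular0": False}, {"1": False}),
    ]
    out = []
    for label, ifs, tracks in events:
        r = select_route(routes, ifs, tracks)
        out.append((label, r.exit_if if r else None))
    return out


if __name__ == "__main__":
    for label, exit_if in failover_timeline():
        print(f"{label:26s} -> {exit_if}")
```

The third state is the one that justifies the track object: without it the Serial0/0/0 route would stay installed while the provider path is broken, because the interface itself is still up/up and a plain floating static only reacts to the interface going down.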

12. SD-WAN — Software-Defined WAN

SD-WAN is the most significant evolution in WAN technology over the past decade. It decouples the WAN control plane (management, policy, routing decisions) from the data plane (actual packet forwarding) — following the same software-defined networking principle applied to WANs.

Traditional WAN:
  Each router configured independently → manual CLI on every device
  Policy changes require visiting or SSHing to every router individually
  Traffic engineering requires per-device configuration

SD-WAN:
  Central SD-WAN Controller (cloud or on-premises)
    ↓ (pushes policies automatically)
  [Branch vEdge/cEdge router] ← receives policy, enforces locally
  [Branch vEdge/cEdge router]
  [Branch vEdge/cEdge router]

SD-WAN capabilities:
  ✓ Centralised management — configure all sites from one dashboard
  ✓ Multi-link transport — uses MPLS, broadband, and 4G simultaneously
  ✓ Intelligent path selection — automatically routes VoIP on the low-latency link and bulk data on the cheapest link, in real time based on link health
  ✓ Application-aware routing — recognises Salesforce, Office 365, Teams by application signature and applies specific policies
  ✓ Zero Touch Provisioning (ZTP) — new branch router connects, pulls config automatically from controller; no on-site engineer needed for rollout
  ✓ Built-in IPsec — all WAN links encrypted by default between all sites
  ✓ Visibility — real-time dashboards showing per-application, per-link stats

Key vendors:
  • Cisco Viptela (Cisco SD-WAN) — widely deploye…
  • VMware VeloCloud — strong cloud integration
  • Fortinet SD-WAN — security-focused; integrates with FortiGate firewall

13. Troubleshooting WAN Issues — Cisco IOS Commands

Symptom | Likely Cause | Diagnostic Command and What to Look For
WAN link shows "down/down" in show interfaces | Physical layer problem — no carrier signal; cable unplugged or faulty; CSU/DSU powered off; provider circuit down | show interfaces Serial0/0/0 — "down/down" = physical issue; contact service provider; check cable and CSU/DSU power
WAN link shows "up/down" | Physical is up (carrier present) but Layer 2 keepalives failing — encapsulation mismatch (one end HDLC, other end PPP); PPP authentication failure; missing keepalives | show interfaces Serial0/0/0 — check encapsulation type; ensure both ends match; debug ppp authentication for PPP auth failures
Can ping WAN gateway but cannot reach remote site | Routing issue — missing route, wrong next-hop, ACL blocking traffic | show ip route — verify route to remote subnet exists; traceroute [remote-ip] — identify where packets stop; show access-lists for ACL matches
High latency or packet loss on WAN | Congested WAN link (insufficient bandwidth); provider network issue; QoS misconfiguration | ping [remote] repeat 100 size 1400 — check loss percentage; show interfaces Serial0/0/0 — check input/output drop counters; show policy-map interface for QoS drops
IPsec VPN tunnel not establishing | Mismatched IKE parameters; wrong pre-shared key; firewall blocking UDP/500 (IKE) or ESP (protocol 50) | show crypto isakmp sa — check Phase 1 state; show crypto ipsec sa — check Phase 2 and packet counters; debug crypto isakmp for negotiation details
Intermittent connectivity on WAN | Flapping interface (Layer 1 instability); routing protocol adjacency instability; provider network congestion | show logging — look for repeated %LINK-3-UPDOWN or interface state change messages; show interfaces — reset counter incrementing

WAN Troubleshooting Workflow

WAN Troubleshooting — OSI Bottom-Up Approach

Layer 1 — Physical (down/down)
  show interfaces Serial0/0/0 → "down/down" = physical problem: check cable, CSU/DSU power, provider circuit
  Check LED indicators on CSU/DSU · Contact ISP if internal hardware is OK
  ⚠ If down/down: fix physical before checking higher layers

Layer 2 — Data Link (up/down)
  show interfaces Serial0/0/0 → check the Encapsulation line
  "up/down" → keepalives failing: encapsulation mismatch (HDLC vs PPP)
  show running-config | include encapsulation → both ends must match
  debug ppp authentication → check for PPP auth failures

Layer 3 — Network (routing issues)
  show ip route → verify route to remote subnet exists
  ping [remote-gateway] → confirm Layer 3 reachability to far end
  traceroute [remote-site] → pinpoint where the path breaks
  show access-lists → check for ACL matches blocking traffic
  show crypto isakmp sa / show crypto ipsec sa → verify VPN tunnel (if applicable)

Layer 7 — Application (L1–3 OK)
  telnet [remote-server] [port] → test TCP service reachability
  If it fails → check ACLs, NAT translations, firewall rules at both ends
  show policy-map interface → check for QoS drops on WAN link
  show logging → look for %LINK-3-UPDOWN flapping messages

Tip: work bottom-up — never troubleshoot Layer 3 until Layer 1 and 2 are confirmed healthy
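The bottom-up workflow applied to saved `show interfaces` output, as an added example that is not part of the original page: a small parser that classifies the interface as a Layer 1, Layer 2 or "L1/L2 healthy, move to Layer 3" case and pulls out the encapsulation, output-drop and interface-reset counters the symptom table refers to. The three captures are constructed in Cisco IOS format; nothing here talks to a device, so it can be run over CLI captures collected during an incident.

```python
"""Triage Cisco IOS 'show interfaces' output against the OSI bottom-up workflow."""
import re

# Constructed captures covering the three interface states the page describes.
SAMPLES = {
    "down/down": """Serial0/0/0 is down, line protocol is down
  Hardware is WAN DSU/CSU
  Internet address is 10.0.0.1/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec
  Encapsulation HDLC, loopback not set
  0 packets output, 0 bytes, 0 underruns
  0 output errors, 0 collisions, 3 interface resets
""",
    "up/down": """Serial0/0/0 is up, line protocol is down
  Hardware is WAN DSU/CSU
  Internet address is 10.0.0.1/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec
  Encapsulation PPP, LCP Listen, loopback not set
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
""",
    "up/up": """Serial0/0/0 is up, line protocol is up
  Hardware is WAN DSU/CSU
  Internet address is 10.0.0.1/30
  MTU 1500 bytes, BW 1544 Kbit/sec, DLY 20000 usec
  Encapsulation HDLC, loopback not set
  Input queue: 0/75/412/0 (size/max/drops/flushes); Total output drops: 1873
  0 output errors, 0 collisions, 0 interface resets
""",
}

STATUS_RE = re.compile(r"^(\S+) is (up|down|administratively down), line protocol is (up|down)", re.M)
ENCAP_RE = re.compile(r"^\s*Encapsulation (\S+?),", re.M)
DROPS_RE = re.compile(r"Total output drops: (\d+)")
RESETS_RE = re.compile(r"(\d+) interface resets")


def triage(show_interfaces: str) -> dict:
    """Map the interface state to the OSI layer to investigate next."""
    m = STATUS_RE.search(show_interfaces)
    if not m:
        raise ValueError("no interface status line found")
    name, phys, proto = m.groups()
    enc = ENCAP_RE.search(show_interfaces)
    drops = DROPS_RE.search(show_interfaces)
    resets = RESETS_RE.search(show_interfaces)
    result = {
        "interface": name,
        "status": f"{phys}/{proto}",
        "encapsulation": enc.group(1) if enc else None,
        "output_drops": int(drops.group(1)) if drops else 0,
        "interface_resets": int(resets.group(1)) if resets else 0,
    }
    if phys == "administratively down":
        result["layer"], result["action"] = 1, "interface is shut down: 'no shutdown', then re-check"
    elif phys == "down":
        result["layer"], result["action"] = 1, "physical: check cable, CSU/DSU power, provider circuit"
    elif proto == "down":
        result["layer"], result["action"] = 2, (
            f"keepalives failing with encapsulation {result['encapsulation']}: "
            "confirm the far end matches; for PPP check authentication"
        )
    else:
        hints = []
        if result["output_drops"]:
            hints.append("output drops present: check QoS policy and link utilisation")
        if result["interface_resets"]:
            hints.append("interface resets present: check show logging for flapping")
        result["layer"], result["action"] = 3, "; ".join(hints) or "L1/L2 healthy: verify routing, ping, traceroute"
    return result


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        r = triage(text)
        print(f"{label:10s} L{r['layer']}: {r['action']}")
```

An up/up interface with a large output-drop counter is the "high latency or packet loss" row of the table rather than a Layer 1 or 2 fault, which is why the parser only surfaces the counters once the lower layers are confirmed healthy.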

See: ping | traceroute | show ip route | show interfaces | show ip protocols | show logging | ACLs | debug commands

14. Exam Tips & Key Points

  • A WAN connects multiple LANs across large geographic areas. It operates over service-provider infrastructure rather than organisation-owned equipment.
  • Know the two categories of WAN switching: circuit-switched (dedicated path per session — PSTN, legacy) and packet-switched (shared infrastructure — MPLS, Internet, VPN).
  • HDLC is Cisco's default serial encapsulation — Cisco-proprietary, no authentication. PPP is open standard, supports CHAP/PAP authentication, multilink, and compression. An encapsulation mismatch causes "up/down" on the serial interface.
  • MPLS forwards packets using short fixed-length labels instead of full IP routing table lookups — faster, supports QoS, and provides VPN isolation via VRFs.
  • WAN topologies: point-to-point (simple, unscalable), hub-and-spoke (cost-effective, single point of failure at hub), full mesh (maximum redundancy, expensive — n×(n-1)/2 links).
  • BGP is the routing protocol of the Internet and is used between autonomous systems. OSPF and EIGRP are used within enterprise WANs (IGPs).
  • QoS is critical on WAN links because they are the bandwidth bottleneck. VoIP needs priority queuing (DSCP EF); bulk transfers use best-effort. See QoS Policing & Shaping.
  • SD-WAN uses a centralised controller to manage multiple WAN transports (MPLS + broadband + 4G) simultaneously with application-aware intelligent path selection.
  • WAN troubleshooting follows the OSI model bottom-up: physical ("down/down") → encapsulation ("up/down") → routing (show ip route) → application (Telnet port test, ACL check).

15. Summary Reference Table

Topic | Key Detail
WAN definition | Network spanning large geographic areas connecting multiple LANs
Circuit-switched | Dedicated path per session (PSTN, ISDN) — legacy
Packet-switched | Shared infrastructure; packets routed independently (MPLS, Internet)
HDLC | Cisco default serial encapsulation; proprietary; no authentication
PPP | Open standard; supports CHAP/PAP authentication; multilink; compression
up/down on serial interface | Encapsulation mismatch or PPP authentication failure
MPLS operation | Labels replace IP lookups; CE/PE/P router roles; supports QoS and VPN
Hub-and-spoke | Cost-effective; single point of failure at hub; branch-to-branch via hub
Full mesh links formula | n × (n−1) / 2
BGP | Exterior Gateway Protocol; routes between autonomous systems; Internet protocol
IPsec VPN phases | Phase 1 (IKE — authenticate + key exchange); Phase 2 (ESP — data encryption)
SD-WAN advantage | Centralised control; multi-link active-active; application-aware routing; ZTP
Verify WAN interface | show interfaces Serial0/0/0
Verify IPsec VPN | show crypto isakmp sa and show crypto ipsec sa

WAN Quiz

What is the geographic scope of a WAN, and what is the key difference in how a WAN's infrastructure is owned and operated compared to a LAN?

Correct answer is D. A WAN spans large geographic areas — from connecting two buildings in different cities up to global intercontinental networks (the Internet itself is the largest WAN). The fundamental difference from a LAN is ownership: an organisation owns all the equipment in its LAN (switches, access points, cables) and is solely responsible for it. For a WAN, the organisation typically does not own the transmission infrastructure — it pays a telecommunications carrier or ISP for the use of circuits, MPLS services, or Internet bandwidth. The carrier owns and operates the physical cables, routers, and switching nodes that make up the WAN fabric. The organisation connects to this provider infrastructure through a WAN router at each site (the CPE — Customer Premises Equipment).

Which entity typically operates and manages the physical WAN infrastructure, and what is the customer's role?

Correct answer is A. Telecommunications carriers (BT, AT&T, Verizon, Orange, etc.) and Internet Service Providers build and operate the physical WAN infrastructure — the fibre cables running between cities, the submarine cables crossing oceans, the MPLS switching nodes in carrier data centres, and the Internet backbone exchange points. An enterprise customer's role is to: (1) select and pay a service provider for WAN connectivity (monthly recurring fees); (2) install and manage CPE (Customer Premises Equipment) — typically a Cisco or other brand WAN router at each site that connects to the provider's access circuit; (3) configure routing protocols, security policies, and QoS on the CPE devices; (4) manage the LAN behind each WAN router. The demarcation point (demarc) is the boundary between what the customer owns and what the provider owns — usually a physical interface or handoff point at the customer's premises.

How does MPLS differ from standard IP routing, and what are the roles of the CE, PE, and P routers in an MPLS network?

Correct answer is C. In standard IP routing, every router in the path reads the destination IP address and performs a routing table lookup at each hop. MPLS replaces this in the provider core: the ingress PE router reads the destination IP once, assigns a short numeric label (e.g., 32), and pushes it onto the packet. All subsequent P (core) routers see only the label and perform a fast label-swap operation — they replace the incoming label with an outgoing label and forward the packet. No IP routing table lookup is performed in the core. The egress PE router pops the final label and delivers the original IP packet to the destination CE router. This makes the provider core faster (label lookup is O(1)) and simpler (P routers don't need customer routing tables). MPLS also enables Traffic Engineering (pre-defined paths), QoS (labels carry priority bits), and VPN isolation (different customers kept separate using VRFs on PE routers).

A serial WAN link shows "up/down" in show interfaces. What are the two most likely causes and how is each fixed?

Correct answer is B. On a serial WAN interface, show interfaces Serial0/0/0 can show three combinations: (1) down/down = physical problem — no carrier signal detected; cable issue, CSU/DSU problem, provider circuit failure. (2) up/down = physical layer is active (carrier present) but the Layer 2 protocol is failing. The two most common causes of up/down: Encapsulation mismatch — one router is configured for HDLC and the other for PPP. HDLC is Cisco's default; if the other end is a non-Cisco router using PPP, the keepalives will fail. Fix: match encapsulation on both ends. PPP authentication failure — both routers are using PPP with CHAP or PAP, but the configured usernames or passwords don't match. Fix: verify username/password configuration; use debug ppp authentication to see the negotiation in real time. (3) up/up = healthy.

An enterprise needs to connect 12 branch offices to a central headquarters. Which WAN topology minimises the number of WAN links needed while still providing connectivity to all branches, and what is its main vulnerability?

Correct answer is A. Hub-and-spoke (star) topology requires exactly one WAN link per spoke site — for 12 branches, that is 12 WAN links total to provide connectivity to all sites. This makes it the most cost-effective option for multi-branch networks. Full mesh would require n × (n-1) / 2 = 12 × 11 / 2 = 66 links for 12 sites — vastly more expensive and complex. The primary disadvantage of hub-and-spoke is the hub site being a single point of failure: if the hub router, WAN circuit, or HQ facility goes down, every branch office loses its WAN connection simultaneously. Additionally, branch-to-branch traffic must traverse the hub (Branch1 → HQ → Branch2), consuming double the WAN bandwidth and adding latency. DMVPN (Dynamic Multipoint VPN) is a common solution that maintains hub-and-spoke infrastructure while allowing direct spoke-to-spoke tunnels to form dynamically when needed.

BGP is widely used for routing on the global Internet and large enterprise WANs. What makes it specifically suited to inter-organisation routing that OSPF and EIGRP cannot provide?

Correct answer is D. BGP is an Exterior Gateway Protocol (EGP) — it is specifically designed to route between different autonomous systems (AS), each of which is operated by a different organisation (ISPs, enterprises, government agencies). Each AS has its own AS number (ASN); BGP exchanges routing information between these independent organisations. OSPF and EIGRP are Interior Gateway Protocols (IGPs) — they route within a single organisation's network. They lack the policy mechanisms needed for inter-organisation routing: BGP supports path attributes (AS_PATH, MED, LOCAL_PREF, COMMUNITY) that allow fine-grained control over which paths are preferred, which routes are advertised to which peers, and how traffic enters and exits the autonomous system. The Internet routing table (over 900,000 prefixes as of 2024) is exchanged entirely via BGP between all ISPs and large organisations.

What is the purpose of IPsec VPN in a WAN, and what are the two IPsec negotiation phases?

Correct answer is C. IPsec (Internet Protocol Security) is the standard framework for creating encrypted, authenticated tunnels between two sites over the public Internet. Instead of paying for expensive private MPLS circuits, organisations can use existing broadband internet connections and overlay an IPsec VPN to secure the traffic. The two-phase negotiation: Phase 1 (IKE — Internet Key Exchange): the two routers authenticate each other (using a pre-shared key or digital certificates) and use Diffie-Hellman key exchange to establish a shared secret — this creates the IKE Security Association (SA), a secure management channel. Phase 2 (IPsec SA): using the secure Phase 1 channel, the routers negotiate the parameters for the actual data tunnel — encryption algorithm (AES-256), hash (SHA-256), and lifetime. This creates the IPsec SA. Data is then encapsulated using ESP (Encapsulating Security Payload). Verify with show crypto isakmp sa (Phase 1) and show crypto ipsec sa (Phase 2).
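The two phases above mapped onto a Cisco IOS site-to-site configuration, as an added example rather than the page's own config: this is the London HQ router's side of the tunnel to Frankfurt. The LAN prefixes 10.1.0.0/16 and 10.2.0.0/16 follow the page's diagram; the public peer addresses 203.0.113.1 and 198.51.100.1, the interface name and the pre-shared key placeholder are constructed.

```cisco
! --- Phase 1: IKE policy. Negotiates the IKE SA (the protected management channel) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
! Pre-shared key is bound to the remote peer's address; replace the placeholder
! with a long random secret that is identical on the Frankfurt router
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.1
!
! --- Phase 2: transform set. Parameters of the data tunnel (ESP, AES-256, SHA-256) ---
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": only LAN-to-LAN flows are sent through the tunnel
ip access-list extended VPN-LONDON-TO-FRANKFURT
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! Crypto map ties peer, transform set and interesting traffic together;
! PFS forces a fresh Diffie-Hellman exchange for every Phase 2 rekey
crypto map CM-FRANKFURT 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-LONDON-TO-FRANKFURT
!
! Apply the crypto map to the Internet-facing interface (constructed name and mask)
interface GigabitEthernet0/0
 description WAN to Internet
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-FRANKFURT
```

After sending traffic that matches the ACL, show crypto isakmp sa should list the peer in state QM_IDLE (Phase 1 complete) and show crypto ipsec sa should show non-zero pkts encaps/decaps counters (Phase 2 carrying data).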

A WAN link carries both VoIP calls and large file backups. What technique ensures voice quality is maintained during peak traffic periods?

Correct answer is B. WAN links are the bandwidth bottleneck in most enterprise networks. When a congested WAN link must carry both latency-sensitive traffic (VoIP, video conferencing) and bulk data (file backups, software updates), without QoS every packet waits in the same queue. Large backup packets filling the queue cause VoIP packets to be delayed — resulting in choppy audio, jitter, and dropped calls. QoS (Quality of Service) with traffic shaping solves this by classifying traffic into priority classes: VoIP is marked DSCP EF (Expedited Forwarding) and placed in a strict priority queue that is served before all other traffic; video conferencing gets its own guaranteed bandwidth class; bulk backups go in the best-effort queue and are delayed or rate-limited during congestion. Cisco IOS implements this with class-maps (classify), policy-maps (apply actions), and service-policy on the interface. The result: voice calls remain clear even when the WAN link is saturated with backup traffic.
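The class-map / policy-map / service-policy structure above, as an added Cisco IOS example that is not from the page: a hierarchical policy that shapes to the circuit's contracted rate and, inside the shaped rate, gives DSCP EF voice a strict priority queue, video a guaranteed class, and backups a small guarantee with WRED. The 10 Mbps circuit rate, interface name and backup server addresses (10.1.50.10 to 10.2.50.10) are constructed.

```cisco
! Classification: voice by DSCP EF, video by AF41/AF42, backups by source/destination
class-map match-any VOICE
 match dscp ef
class-map match-any VIDEO
 match dscp af41 af42
class-map match-any BACKUP
 match access-group name BACKUP-TRAFFIC
!
ip access-list extended BACKUP-TRAFFIC
 remark constructed example: backup server pushing to the remote site
 permit ip host 10.1.50.10 host 10.2.50.10
!
! Child policy: queuing behaviour during congestion
policy-map WAN-EDGE
 class VOICE
  priority percent 20
 class VIDEO
  bandwidth percent 25
 class BACKUP
  bandwidth percent 10
  random-detect dscp-based
 class class-default
  fair-queue
!
! Parent policy: shape to 10 Mbps so congestion (and therefore queuing) happens
! on this router rather than in the carrier's policer, where drops are blind
policy-map WAN-SHAPER
 class class-default
  shape average 10000000
  service-policy WAN-EDGE
!
interface GigabitEthernet0/0
 description WAN circuit, 10 Mbps CIR
 service-policy output WAN-SHAPER
```

The priority class is policed to 20% only while the link is congested, so a burst of voice traffic cannot starve the other classes; confirm per-class offered rate and drops with show policy-map interface GigabitEthernet0/0.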

Which diagnostic commands check WAN link reachability and path, and what does each specifically reveal?

Correct answer is A. Ping sends ICMP Echo Request packets to the target and measures whether they receive ICMP Echo Reply responses. It confirms Layer 3 reachability and provides round-trip time (RTT) measurements — useful for detecting high latency or packet loss on WAN links. On Cisco IOS: ping [remote-ip] repeat 100 size 1400 — 100 packets at 1400 bytes each gives a statistically meaningful measurement of the link. Traceroute (or tracert on Windows) sends packets with incrementing TTL values to discover each intermediate router (hop) on the path. It shows the IP address of each hop, the latency to each hop, and — most valuably — where the path fails or where latency suddenly increases. A * * * at a particular hop indicates packets are not returning from that device (often a firewall dropping ICMP). These two tools together answer: is the remote site reachable? How many hops away? Where is the delay occurring?

What does SD-WAN do that traditional WAN architecture cannot, and what specific capability allows it to use multiple WAN transport types simultaneously?

Correct answer is D. Traditional WAN architecture requires each router to be configured individually via CLI — making policy changes labour-intensive and error-prone across hundreds of branch sites. Traffic typically uses a single primary WAN link with a manual failover backup. SD-WAN fundamentally changes this by separating the control plane (policy decisions) from the data plane (packet forwarding): a central SD-WAN controller holds all policies and automatically pushes them to every edge router in the network. The key capabilities that traditional WAN cannot match: (1) Active-active multi-transport — MPLS, broadband, and 4G are all active simultaneously; SD-WAN measures each link's health in real time and steers traffic accordingly; (2) Application-aware routing — SD-WAN identifies specific applications (Microsoft Teams, Salesforce, SAP) by signature and applies specific policies per application; (3) Zero Touch Provisioning — new branch routers automatically download their configuration from the controller; (4) Built-in encryption — all WAN links are encrypted by default; (5) Real-time visibility — dashboards show per-application, per-link performance metrics across the entire WAN.

Related Topics & Step-by-Step Tutorials

Continue your WAN studies: