Chapter 1: Introduction to WAN Architectures

Excerpt from Building Service-Aware Networks: The Next-Generation WAN/MAN.

Cover image 

Excerpt from Building Service-Aware Networks: The Next-Generation WAN/MAN.

By Muhammad Afaq Khan

Published by Cisco Press

ISBN-10: 1-58705-788-3

ISBN-13: 978-1-58705-788-5

Newsletters: Sign-Up & Save! Receive Special Offers, Free Chapters, Articles Reference Guide Updates, and plug into the pulse of what's happening in your corner of the industry by subscribing to InformIT newsletters! FREE coupon after sign-up!

Try Safari Books Online NOW! Access the largest fully searchable e-reference library for programmers and IT professionals!

The WAN is a place in the network that aggregates various types, speeds, and links running a disparate set of protocols together crossing metropolitan, state, and even country boundaries. The largest example of a WAN is the Internet itself, which can be regarded as the public WAN. The primary purpose of a WAN is to connect users and applications connected to various LANs.

As evident from its definition, the WAN is the central point for all data aggregation coming from various places within an enterprise network. Because of this, it is important to understand not only how a WAN is constructed, but also the underlying business drivers that have been and continue to bring changes to this place in the network.

In this book, you study the variety of WANs as they exist today, business models, and the associated emerging trends and how they are giving birth to “next-generation” WAN. Once you have the first four chapters (or Part I) behind you, it should become evident that the core requirement to building such networks hinges on the usage of modern routing/switching infrastructure that is highly available, scalable, flexible, and above all, service rich.

This chapter describes the various types of WAN architectures and their various associated aspects.

Introduction to WAN Solutions

Thanks to an increasingly dispersed global work force, businesses rely on their WANs more than ever. So much so that business performance is now directly tied to how well quality, reliability, and security are implemented when it comes to communications between main and regional headquarters, branch offices, suppliers, partners, and customers. Because of the development of new IP services and applications such as VoIP, video, and mobile data connectivity, and because of remotely connected road warriors and the unification of both wired and wireless networks, the headend router must perform a wide variety of functions.

Depending on the connectivity, transport protocols, and whether the medium is private or public, several different varieties of WAN might be in play. The four main WAN types are as follows:

  • Branch/private WAN aggregation

  • Internet edge

  • Data center interconnect

  • Large branch WAN

The WAN aggregation role can also be subdivided into the following three categories, based on what is typically found in the enterprise networks:

  • Basic WAN aggregation (explained in the following section)

  • Secure WAN aggregation (add-on with solutions based on IPsec or Secure Sockets Layer virtual private networking [SSL VPN])

  • Optimized WAN aggregation (add-on with solutions based on WAN optimization with Web Cache Communication Protocol Version 2/Policy Based Routing [WCCPv2/PBR] and Wide Area Application Services [WAAS])

Figure 1-1 shows various WAN options and puts them into perspective as to how they come together.

Figure 1-1

WAN options.

Branch/Private WAN Aggregation Role

Branch WAN aggregation is a way to connect and aggregate all the enterprise branches into the WAN core router, or headend. On the cloud-facing side, router interfaces use various physical transport options (as outlined in Table 1-1), whereas on the campus core side, the connection is Gigabit Ethernet (GE) or 10 Gigabit Ethernet (10 GigE) that is acting as the uplink for the campus core switches to the WAN. Leased lines are one of the most common ways (now more so Ethernet) of interfacing with the WAN cloud. IPsec tunnel termination and firewall functions are usually not collapsed in the WAN aggregation/edge router. This is usually implemented as classical hub-and-spoke design with traditional Layer 2 connectivity.

Figure 1-2 shows the basic WAN aggregation topology.

Figure 1-2

WAN aggregation topology.

Table 1-1 shows the various options in use for WAN connectivity.

Table 1-1  WAN Connectivity Options


Physical Transport



Typical Bandwidth

Protocol Encapsulations

Leased line

T1/E1, T3/E3



1.544 to 45 Mbps

High-Level Data Control (HDLC), PPP

Circuit switching

Packet over SONET/SDH OC3/OC12/ OC192


Less secure

155 Mbps to 10 Gbps


Packet switching

T1/E1, T3/E3 (PVCs)


Shared bandwidth

Up to 45 Mbps

Frame Relay

Cell relay

OC3/OC12/ OC48


Higher per port cost

Up to 620 Mbps


Metro Ethernet

Ethernet, GE, 10 GigE


Lacks inherent reliability

Up to 10 Gbps

Ethernet (Frac-GE, Frac-10 GigE)


Metro Ethernet is gaining a lot of momentum to aggregate sites located in a given geographic area. This also scales well today with fractional GE and 10 GigE, and will scale even more with the newer standards of 40 and 100 Gbps already in the works at IEEE as P802.3ba, and the first drafts are already out

Basic Feature Requirements

Table 1-2 outlines the basic requirements that a router must meet to be positioned as the WAN aggregation platform. Scale and performance for these services are driven based on how large the branch site concentration is for the given deployment. A platform with a separate control, data, and input/output plane is most preferred, for obvious reasons.

Table 1-2  Feature Matrix for WAN Aggregation Role


Feature/Service Details

IP routing (v4/v6)

Interior Gateway Protocol (IGP) and Border Gateway Protocol (BGP) with fast convergence, such as bidirectional failure detection (BFD)

Policy Based Routing (PBR)

IP unicast and multicast

Protocol Independent Multicast(PIM) Sparse, Sparse-Dense Mode, Auto-Rendezvous Point (RP), Anycast-RP, Source Specific Multicast, Bidirectional PIM, Unicast Reverse Path Forwarding (uRPF)


v5, v9 NetFlow Data Export

Quality of Service (QoS)

Classification based on application traffic, protocol/port, access control lists (ACL)


Hierarchical QoS

Class-based weighted fair queuing (WFQ), fair queuing, low-latency queuing (LLQ), weighted random early detection (WRED)

Traffic policing

Traffic shaping

Link Fragmentation and Interleaving (LFI)


Real-Time Protocol (RTP) header compression for voice traffic

WCCP (Web Cache Control Protocol)

WCCPv2 for web cache engine and WAN optimization for data and video traffic

Multilink PPP (MLPPP)


Multiprotocol Label Switching (MPLS)

2547-based VPNs, Layer 2 VPNs

High availability (HA)

Intra- and Interbox HA

~Basic Service Level Agreement Requirements

Table 1-3 outlines the usual service level agreement (SLA) requirements that need to be met for the converged WAN for voice, video, and data traffic types.

Table 1-3  Typical SLA Target

Traffic Type/Application

SLA Target


Interactive video


Delay <= 50 ms

Jitter <= 5 ms

Loss <= 1%

Voice MOS (mean opinion score) >= 3.8

Video broadcast

Video on Demand (VoD)

Delay <= 50 ms

Loss <= 1%

Mission-critical WWW traffic

Voice signaling

Response time <= 3 sec

Loss of service (RP convergence)

IGP <= 3 mins

Traditional WANs (such as those based on Frame Relay) are assumed to be inherently secure, which is not the case (because providers do use shared physical infrastructure to carry this traffic). An MPLS VPN is another example where traffic is isolated (via Virtual Routing/Forwarding [VRF] instances and labels) but still share the same physical infrastructure while traversing the service provider cloud.

It is not uncommon to see some form of encryption used to achieve confidentiality, the drivers behind which could be company policy (such as any traffic leaving the premises must be encrypted) or regulatory compliance (such as with HIPAA or SOX).

Table 1-4 outlines the commonly used technologies to secure WAN traffic. Chapter 14, “Security Services Use Cases,” provides further detail.

Table 1-4  High-Level Details of Secure WAN Technologies

Secure WAN Technology


Native IPsec (unicast and multicast)

IPsec using both encryption and a hashing algorithm. The virtual tunnel interface can be used for multicast traffic support.

Point-to-point (p2p) generic routing encapsulation (GRE) over IPsec (or p2p GRE inside IPsec)

IPsec with multicast and routing protocol support.

Dynamic Multipoint VPN (DM VPN)

Typically deployed over the public Internet infrastructure.

Remote-access VPNs

Soft IPsec/SSL VPN clients and small office/home office (SOHO; 8xx/18xx) router tunnel aggregation.

Group Encrypted Transport (GET VPN)

Tunnel-less encryption, best suited for private IP or MPLS clouds.


In a majority of the cases, the transport medium for secure connectivity solutions (as outlined in the table) is the public WAN Internet.

Internet Edge Role

The Internet edge is the boundary where an enterprise private network connects to the public Internet. In the simplest sense, the Internet edge device acts as the gateway for the inside network. Contrary to popular understanding, the Internet edge is not only just about accessing the Internet for web traffic for campus users.

The Internet edge serves various functions, including those outlined in Table 1-5.

Table 1-5  Internet Edge Router Functionality



Corporate Internet gateway for campus and data center

Users at the campus access the Internet to browse, email, and use instant messaging, and so on.

Corporate Internet gateway for branches

Users at the branches access the Internet to browse, email, and use instance messaging, and so on. This is to enforce a common set of

policies across the enterprise at the burden of bringing all traffic to the headend.

Demilitarized zone (DMZ) services

Traditional FTP, Domain Name System (DNS), and Network Time Protocol (NTP) services located at the DMZ.

Teleworker (remote users)

Teleworkers or road warriors connect to corporate resources via the Internet through encrypted VPN technologies such as IPsec or SSL VPN soft or hard clients (such as Cisco 800 series routers).

Branch WAN backup

This serves as the backup or alternate connection for branch office routers to connect to the corporate headend via the public Internet. Commonly used technologies in this scenario are DM VPN, GRE over IPsec, or dynamic virtual tunnel interface (VTI)-based remote access.


This is where the Internet edge router connects directly to multiple SPs. This provides higher fault tolerance for brownouts and greater path selection with advanced routing techniques. This requires that the router be capable of supporting one or multiple copies of Internet routing table.

Figure 1-3 shows the Internet edge topology.

Figure 1-3

WAN Internet edge topology.

~Basic Feature Requirements

The primary function of a device at the Internet edge is to act as the demarcation between the private (campus or data center) and public network (that is, the Internet). Features required in a single device depend on how the Internet edge is designed, although typically the basic features are those outlined in Table 1-6.

Table 1-6  Internet Edge Network Device Feature Requirements



IP routing (v4/v6)

IGP, and BGP with fast convergence such as BFD PBR Large routing scale (Internet routing table)


v5, v9 NetFlow Data Export


Classification based on application traffic, protocol/port, ACLs


Hierarchical QoS

Class-based WFQ, fair queuing, LLQ, WRED

Traffic policing

Traffic shaping


Distributed denial of service (DDoS) mitigation

Remotely triggered black holes (RTBH), rACL, firewall


WCCPv2 for web cache engine


L4–L7 firewall

Address translation

Network/Port Address Translation (NAT/PAT) with application layer gateway (ALG)

High Availability

Intra- and interbox HA

Box-to-box HA

Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), Gateway Load Balancing Protocol (GLBP)

Deep Packet Inspection

Network Based Application Recognition (NBAR), Flexible Packet Matching (FPM)

Secure WAN connectivity

DMVPN, GRE over IPsec, IPsec

Data Center Interconnect

Data center interconnect (DCI) is yet another WAN function where someone is trying to connect two data centers together via Layer 2 or 3 links. Layer 2 extensions are much more common because of their capability to take all Ethernet frames (or even dot1Q or QinQ [IEEE 802.1Q-in-Q VLAN]) as is across the data centers. This is usually done with some kind of pseudowire (for example, Ethernet over MPLS [EoMPLS] for two data centers, and Virtual Private LAN Service [VPLS] for multisite data center connectivity). Major drivers behind DCI are as follows:

  • Data center consolidation and virtualization (VMWare VMotion)

  • Disaster recovery or data center HA

  • Geo-clustering, where clusters are connected across geographies

  • Layer 2 extensions for any reason

Figure 1-4 shows the DCI topology

Figure 1-4

WAN DCI topology.

Basic Feature Requirements

The primary function of the edge device at the DCI is to extend VLANs across the data centers for the previously listed applications such as VMWare’s VMotion or geo-clusters to function. Convergence and failover times for this type of connectivity are of extreme importance because the underlying assumptions from the application perspective usually require them to be on the same LAN.


1 2 Page 1
Page 1 of 2
The 10 most powerful companies in enterprise networking 2022