WAN & VPN Technologies MODULE 08

WAN & VPN

Connecting sites across the globe — the technologies, tunnels, and security that make it work.

WAN Technology Overview
Different services for different connectivity needs
MPLS
Type: Service provider managed
Speed: 10 Mbps – 10+ Gbps
Latency: Very low (label switching)
QoS: Yes — built-in SLAs
Uses short labels for forwarding — faster than IP route lookups. Most enterprise WANs use MPLS.
Metro Ethernet
Type: Ethernet WAN (E-Line, E-LAN)
Speed: 1 Mbps – 10 Gbps
Latency: Low
Model: Looks like a LAN to customer
Extends Ethernet across metro areas. Customer sees Ethernet handoff, not Frame Relay.
DSL / Cable
DSL Type: ADSL/VDSL over phone lines
Cable: DOCSIS over coax
Speed: 1 – 1000 Mbps
Protocol: PPPoE (DSL)
Best effort, shared bandwidth. Often used for small branches or home offices (SOHO).
Cellular / Satellite
Cellular: 4G LTE / 5G
Satellite: GEO/LEO (Starlink)
Use case: Remote sites, backup WAN
Latency: High (GEO) / Low (LEO)
Used as backup links or for sites where other options aren't available.
WAN Topology Terms: Hub-and-Spoke (star) — central site connects to all branches. Full Mesh — every site connects to every other (most resilient, most expensive). Partial Mesh — compromise between the two.
PPPoE — Point-to-Point Protocol over Ethernet
Standard authentication method for DSL broadband

PPPoE encapsulates PPP frames within Ethernet frames, allowing ISPs to authenticate and track individual users over a shared medium. The router acts as the PPPoE client — credentials go in the dialer interface.

PPPoE Client Configuration
! Create dialer interface with PPP credentials
interface Dialer1
 ! ISP assigns the address via IPCP
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 ppp chap hostname myuser@isp.com
 ppp chap password secretpassword
 ip nat outside
! Bind physical interface to dialer pool
interface GigabitEthernet0/0
 no ip address
 pppoe-client dial-pool-number 1
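How the CHAP credentials in that dialer configuration are used on the wire, shown in Python as an added example (this is not code from the original module and not Cisco code): RFC 1994 CHAP computes Response = MD5(Identifier || Secret || Challenge), so the password itself never leaves the router, and a response captured from one exchange is useless against a fresh challenge. Because it is a plain hash rather than an HMAC, its strength rests entirely on the secret being long and unguessable. The secret and challenge bytes below are constructed placeholders.

```python
import hashlib
import hmac
import os
from typing import Optional

# RFC 1994, section 4.1: the Response value is the one-way hash of the
# Identifier octet, the shared secret and the Challenge value, in that order.
def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute the hash and compare in constant time."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def chap_exchange(secret_on_client: bytes, secret_on_server: bytes,
                  identifier: int = 1, challenge: Optional[bytes] = None) -> dict:
    """Simulate one Challenge / Response / Success-or-Failure round trip.

    Returns what crossed the link and the authenticator's decision, so the caller
    can confirm that only the Identifier, the Challenge and the 16-byte MD5
    Response are ever transmitted.
    """
    challenge = challenge if challenge is not None else os.urandom(16)  # authenticator picks it
    response = chap_response(identifier, secret_on_client, challenge)     # peer computes it
    ok = chap_verify(identifier, secret_on_server, challenge, response)  # authenticator checks it
    return {
        "on_the_wire": {"identifier": identifier, "challenge": challenge, "response": response},
        "authenticated": ok,
    }


# Constructed placeholder values (not real credentials).
SECRET = b"secretpassword"
CHALLENGE_1 = bytes(range(16))
CHALLENGE_2 = bytes(range(16, 32))

if __name__ == "__main__":
    first = chap_exchange(SECRET, SECRET, identifier=7, challenge=CHALLENGE_1)
    print("first exchange authenticated:", first["authenticated"])
    # A replay of the first response against a new challenge must fail.
    replayed = first["on_the_wire"]["response"]
    print("replayed response accepted:", chap_verify(7, SECRET, CHALLENGE_2, replayed))
    # A wrong password on the client side also fails, without the secret ever being sent.
    print("wrong password accepted:",
          chap_exchange(b"wrong", SECRET, identifier=7, challenge=CHALLENGE_1)["authenticated"])
```

Run it as a script and compare the bytes in `on_the_wire` with `SECRET`: the secret appears in neither the challenge nor the response, which is the whole point of a challenge-response scheme over a shared access medium.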
GRE — Generic Routing Encapsulation
RFC 2784 · Protocol 47 · Tunnels ANY packet including multicast

GRE creates a virtual point-to-point link between two routers over an IP network. Unlike IPsec, GRE supports multicast and broadcast — meaning you can run routing protocols (OSPF, EIGRP) inside the tunnel.

GRE Overhead: Each GRE packet adds 24 bytes of overhead (20-byte IP header + 4-byte GRE header). MTU issues are common — tune MSS with ip tcp adjust-mss 1436 on the tunnel interface.
GRE Tunnel — Router A (10.0.0.1)
interface Tunnel0
 ip address 172.16.0.1 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ip tcp adjust-mss 1436
GRE Tunnel — Router B (203.0.113.2)
interface Tunnel0
 ip address 172.16.0.2 255.255.255.0
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.1
 ip tcp adjust-mss 1436
GRE + IPsec: GRE is not encrypted. In production, GRE tunnels are often protected with IPsec to get the best of both: GRE supports multicast, IPsec provides encryption.
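The 24-byte overhead and the 1436 MSS worked through in Python, as an added example (not code from the original module or from Cisco): it builds an RFC 2784 GRE header and a 20-byte outer IPv4 header around a constructed inner IPv4 packet, decapsulates it again with the checks a receiver should make, and derives the MSS from a 1500-byte link MTU. The tunnel endpoints reuse the 10.0.0.1 / 203.0.113.2 pair from the configuration above; the inner packet (172.16.0.1 to 172.16.0.2, a fake TCP segment) is constructed for illustration.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800   # GRE Protocol Type for an IPv4 payload
IPPROTO_TCP = 6
IPPROTO_GRE = 47          # outer IP header carries GRE as protocol 47
GRE_BASE_HEADER_LEN = 4   # RFC 2784: C bit, Reserved0, Version, Protocol Type
IPV4_HEADER_LEN = 20      # no options
TCP_HEADER_LEN = 20       # no options


def ip_checksum(data: bytes) -> int:
    """RFC 791 header checksum: ones' complement of the ones' complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header (IHL=5) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, IPV4_HEADER_LEN + payload_len, 0, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int = ETHERTYPE_IPV4) -> bytes:
    """RFC 2784 base header: C=0, Reserved0=0, Ver=0, then the payload's Ethertype."""
    return struct.pack("!HH", 0x0000, protocol_type)


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    gre = gre_header()
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE, len(gre) + len(inner))
    return outer + gre + inner


def gre_decapsulate(packet: bytes):
    """Strip the outer IPv4 and GRE headers; returns (protocol_type, inner_packet)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < IPV4_HEADER_LEN:
        raise ValueError("outer header is not IPv4")
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("outer IPv4 checksum is wrong")
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol %d is not GRE (47)" % packet[9])
    flags, protocol_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 0x7))
    gre_len = GRE_BASE_HEADER_LEN + (4 if flags & 0x8000 else 0)  # C bit adds Checksum+Reserved1
    return protocol_type, packet[ihl + gre_len:]


def gre_overhead() -> int:
    """Bytes GRE-over-IPv4 adds to every packet: 20 (outer IP) + 4 (GRE) = 24."""
    return len(gre_encapsulate(b"", "10.0.0.1", "203.0.113.2"))


def max_tcp_mss(link_mtu: int = 1500) -> int:
    """Largest TCP segment that fits one tunnelled frame without fragmentation."""
    return link_mtu - gre_overhead() - IPV4_HEADER_LEN - TCP_HEADER_LEN


def constructed_inner_packet() -> bytes:
    """A made-up inner IPv4 packet between the tunnel ends (TCP bytes are arbitrary)."""
    payload = b"\x00" * TCP_HEADER_LEN + b"hello over the tunnel"   # fake TCP header + data
    return ipv4_header("172.16.0.1", "172.16.0.2", IPPROTO_TCP, len(payload)) + payload


if __name__ == "__main__":
    inner = constructed_inner_packet()
    tunnelled = gre_encapsulate(inner, "10.0.0.1", "203.0.113.2")
    ptype, recovered = gre_decapsulate(tunnelled)
    print("overhead bytes:", len(tunnelled) - len(inner))            # 24
    print("payload type 0x%04x, round-trip ok: %s" % (ptype, recovered == inner))
    print("MSS for a 1500-byte MTU:", max_tcp_mss(1500))              # 1436
```

The MSS arithmetic is simply 1500 minus the 24 tunnel bytes minus the inner 20-byte IP and 20-byte TCP headers; adding IPsec ESP on top (next section) shrinks it further, which is why the clamp value on a protected tunnel is usually lower than 1436.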
IPsec — IP Security
Suite of protocols for authenticating and encrypting IP traffic

IPsec secures traffic between two endpoints through two phases. It provides confidentiality (encryption), integrity (hashing), authentication, and anti-replay protection.

Site A: LAN 10.1.0.0/24, peer 203.0.113.1
  ←—— IKE Phase 1 (ISAKMP SA), then IKE Phase 2 (IPsec SA, ESP) ——→
Site B: LAN 10.2.0.0/24, peer 203.0.113.2
IKE Phase 1
Establishes an ISAKMP SA — a secure, authenticated channel for negotiation. Uses Main Mode (6 messages) or Aggressive Mode (3 messages).
Negotiates: Encryption, Hash, Auth method, DH group, Lifetime
IKE Phase 2
Uses the Phase 1 channel to negotiate IPsec SAs for actual data encryption. Quick Mode only (3 messages).
Creates: ESP or AH SAs for the data traffic (unidirectional)
ESP (Encapsulating Security Payload): Protocol 50. Provides encryption + authentication. Most common in site-to-site VPNs.
AH (Authentication Header): Protocol 51. Authentication + integrity only. No encryption. Rarely used — ESP supersedes it.
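The anti-replay protection listed above, shown in Python as an added example (not from the original module or any IPsec implementation): every ESP packet starts with an 8-byte cleartext header of SPI and sequence number (RFC 4303), and the receiver keeps a sliding window per inbound SA so that a duplicated or very stale sequence number is dropped before any decryption work is done. The SPI value, sequence numbers and payload bytes are constructed; the window size of 64 is the RFC 4303 default.

```python
import struct
from typing import List, Tuple

ESP_HEADER_LEN = 8  # RFC 4303: Security Parameters Index (4 bytes) + Sequence Number (4 bytes)


def parse_esp_header(packet: bytes) -> Tuple[int, int]:
    """Return (spi, sequence_number) from the cleartext ESP header."""
    if len(packet) < ESP_HEADER_LEN:
        raise ValueError("truncated ESP packet")
    return struct.unpack("!II", packet[:ESP_HEADER_LEN])


class AntiReplayWindow:
    """RFC 4303 section 3.4.3 sliding window for one inbound SA.

    Bit i of `bitmap` records whether sequence number (top - i) has been seen;
    bit 0 therefore tracks `top`, the highest sequence number accepted so far.
    """

    def __init__(self, size: int = 64):
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.size = size
        self.top = 0
        self.bitmap = 0

    def check_and_update(self, seq: int) -> str:
        """Return 'accept' and record seq, or the reason it must be dropped."""
        if seq == 0:
            return "drop: sequence number 0 is never valid"
        if seq > self.top:                       # packet to the right of the window
            shift = seq - self.top
            if shift >= self.size:
                self.bitmap = 1                  # everything old falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        offset = self.top - seq                  # inside or left of the window
        if offset >= self.size:
            return "drop: older than the replay window"
        if self.bitmap & (1 << offset):
            return "drop: replayed sequence number"
        self.bitmap |= 1 << offset               # late but first-seen: accept it
        return "accept"


def filter_inbound_esp(packets: List[bytes], expected_spi: int,
                       window: AntiReplayWindow) -> List[str]:
    """Apply the SPI lookup and replay check a receiver performs before decrypting."""
    verdicts = []
    for pkt in packets:
        spi, seq = parse_esp_header(pkt)
        if spi != expected_spi:
            verdicts.append("drop: no SA for SPI 0x%08x" % spi)
            continue
        verdicts.append(window.check_and_update(seq))
    return verdicts


def esp_packet(spi: int, seq: int, ciphertext: bytes = b"<constructed ciphertext>") -> bytes:
    """Constructed ESP packet: real header layout, placeholder encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext


# Constructed sample stream for the SA with SPI 0x00001234 (placeholder value):
# in order, then out of order, a duplicate, a jump ahead, a stale packet, a late one.
SAMPLE_SPI = 0x00001234
SAMPLE_STREAM = [esp_packet(SAMPLE_SPI, s) for s in (1, 2, 3, 5, 4, 3, 70, 5, 69)]
SAMPLE_STREAM.insert(4, esp_packet(0xDEADBEEF, 4))   # packet for an SA this peer does not have


def run_sample() -> List[str]:
    return filter_inbound_esp(SAMPLE_STREAM, SAMPLE_SPI, AntiReplayWindow(64))


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_STREAM, run_sample()):
        spi, seq = parse_esp_header(pkt)
        print("SPI 0x%08x seq %3d -> %s" % (spi, seq, verdict))
```

Sequence 4 arriving after 5 is accepted (reordering inside the window is normal), the second copy of 3 is a replay, and 5 arriving after the window has moved up to 70 is too old to be distinguished from a replay, so it is dropped as well. On a real device these drops show up as replay counters on the SA and are worth graphing: a steady trickle usually means path reordering or a too-small window, a burst means something is re-injecting traffic.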
QoS β€” Quality of Service Basics
Prioritizing traffic to ensure voice and video perform well

QoS solves the bandwidth competition problem. Without it, a large file download could impair a VoIP call. The three main QoS tools: Classification, Marking, and Queuing.

DSCP (Differentiated Services Code Point): 6-bit field in the IP header. Values 0–63. Replaces the old IP Precedence (3-bit). The most common values to know:
DSCP 46 (EF): Voice RTP
DSCP 34 (AF41): Video (H.264)
DSCP 24 (CS3): Call Signaling
DSCP 0 (BE / CS0): Best Effort
Trust Boundary: Mark traffic as close to the source as possible. IP phones should mark their own traffic (DSCP 46 for voice, 26 for signaling). The first Cisco switch port is the trust boundary — re-mark or trust the device's markings here.
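The DSCP values and the trust-boundary rule above, as an added Python example (not from the original module or from Cisco IOS): it converts between a DSCP and the 8-bit ToS byte actually carried in the header, names a code point from its bit layout instead of a lookup table, and applies the trust-boundary decision to the marking seen on an ingress port. The ingress sample list at the bottom is constructed.

```python
from typing import List, Tuple

DSCP_MAX = 63   # 6 bits


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the upper 6 bits of the IPv4 ToS byte; ECN the lower 2 bits."""
    if not 0 <= dscp <= DSCP_MAX:
        raise ValueError("DSCP must be 0..63")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be 0..3")
    return (dscp << 2) | ecn


def tos_to_dscp(tos: int) -> int:
    return (tos >> 2) & 0x3F


def dscp_to_ip_precedence(dscp: int) -> int:
    """The legacy 3-bit IP Precedence is simply the top 3 bits of the DSCP."""
    return dscp >> 3


def dscp_name(dscp: int) -> str:
    """Derive the Per-Hop Behaviour name from the code point's bit pattern.

    EF   = 101110 (46)
    CSn  = nnn000 (class selector; n is the old IP Precedence value)
    AFxy = xxxdd0 where class x is 1..4 and drop precedence dd is 1..3
    """
    if not 0 <= dscp <= DSCP_MAX:
        raise ValueError("DSCP must be 0..63")
    if dscp == 0:
        return "BE/CS0"
    if dscp == 46:
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if dscp & 0x7 == 0:
        return "CS%d" % cls
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 0x1 == 0:
        return "AF%d%d" % (cls, drop)
    return "DSCP%d" % dscp


def apply_trust_boundary(received_dscp: int, port_trusts_marking: bool,
                         default_dscp: int = 0) -> int:
    """Trust-boundary decision for an ingress port.

    A port facing a device we trust (an IP phone) keeps the marking; any other
    port re-marks to the default so an end host cannot promote its own traffic
    into the voice queue.
    """
    return received_dscp if port_trusts_marking else default_dscp


# Constructed ingress samples: (description, ToS byte on the wire, port trusts device?)
SAMPLE_INGRESS = [
    ("phone RTP stream",      dscp_to_tos(46), True),
    ("phone call signaling",  dscp_to_tos(24), True),
    ("PC marking itself EF",  dscp_to_tos(46), False),
    ("PC video call",         dscp_to_tos(34), False),
]


def classify_ingress(samples=SAMPLE_INGRESS) -> List[Tuple[str, str, str]]:
    """Return (description, marking seen, marking after the trust boundary)."""
    out = []
    for desc, tos, trusted in samples:
        seen = tos_to_dscp(tos)
        kept = apply_trust_boundary(seen, trusted)
        out.append((desc, dscp_name(seen), dscp_name(kept)))
    return out


if __name__ == "__main__":
    for desc, seen, kept in classify_ingress():
        print("%-22s seen %-7s -> forwarded as %s" % (desc, seen, kept))
```

The ToS values are what you see in a packet capture: DSCP 46 appears as 0xB8, 34 as 0x88 and 24 as 0x60. The third sample is the case the trust boundary exists for: a PC that marks its own packets EF gets re-marked to best effort at the first switch port, so the `priority percent 30` queue in the policy below stays reserved for phones.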
Queuing Methods
FIFO: First In First Out (default)
WFQ: Weighted Fair Queuing
CBWFQ: Class-Based WFQ
LLQ: Low Latency Queue (voice)
Basic QoS Policy Example
class-map VOICE
 match dscp ef
policy-map QOS_POLICY
 class VOICE
  ! LLQ class
  priority percent 30
 class class-default
  fair-queue

WAN & VPN Labs

Configure GRE tunnels and verify connectivity between sites.

Lab A — GRE Tunnel between HQ and Branch
HQ: 10.0.0.1 (public) / Branch: 203.0.113.2 (public) / Tunnel: 172.16.0.0/30
Step 1: Configure GRE tunnel on HQ router
interface Tunnel0
 description GRE to Branch
 ip address 172.16.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 ip tcp adjust-mss 1436
Step 2: Configure GRE tunnel on Branch router
interface Tunnel0
 description GRE to HQ
 ip address 172.16.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 10.0.0.1
 ip tcp adjust-mss 1436
Step 3: Add a static route through the tunnel
! On HQ: route to branch LAN via tunnel
ip route 192.168.2.0 255.255.255.0 172.16.0.2
! Verify
show interface Tunnel0
ping 172.16.0.2
Lab B — Run OSPF over the GRE Tunnel
GRE supports multicast, so OSPF can run over the tunnel
Step 1: Enable OSPF on both routers, including the tunnel interface
! On HQ
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 10.1.0.0 0.0.0.255 area 0
! On Branch
router ospf 1
 network 172.16.0.0 0.0.0.3 area 0
 network 192.168.2.0 0.0.0.255 area 0
Step 2: Verify OSPF neighborship over the tunnel
show ip ospf neighbor
show ip route ospf
! Should see O routes to the remote LAN

WAN Topology

GRE TUNNEL OVER THE INTERNET
HQ Router: LAN 10.1.0.0/24, WAN 203.0.113.1, Tunnel0 172.16.0.1
Branch Router: LAN 192.168.2.0/24, WAN 203.0.113.2, Tunnel0 172.16.0.2
Internet: public IP space
GRE Tunnel (virtual link): 172.16.0.0/30 · carries multicast (OSPF Hellos) + IPsec ESP encryption
Access switches SW-HQ and SW-BR; hosts PC1–PC4

WAN & VPN Cheatsheet

WAN Technology Comparison
MPLS: Label-based, SP managed, QoS
Metro-E: Ethernet handoff, scalable
DSL: Phone lines, PPPoE, SOHO
Cable: Coax, DOCSIS, best effort
4G/5G: Cellular, backup WAN
GRE vs IPsec
GRE protocol: IP Protocol 47
GRE overhead: 24 bytes per packet
GRE encryption: None (plain text)
GRE multicast: Yes — runs routing protocols
IPsec ESP: Protocol 50, encrypts
IPsec AH: Protocol 51, no encryption
IPsec IKE Phases
Phase 1 result: ISAKMP SA (bidirectional)
Phase 1 modes: Main (6 msgs) / Aggressive (3)
Phase 2 result: IPsec SAs (unidirectional)
Phase 2 mode: Quick Mode (3 msgs)
IKEv2: Simpler, faster, more secure
Key QoS DSCP Values
DSCP 46 (EF): Voice RTP
DSCP 34 (AF41): Interactive Video
DSCP 24 (CS3): Call Signaling
DSCP 0 (BE): Best Effort (default)
Trust boundary: First switch port from IP phone
