Enterprise Network Design

Modern enterprises rarely operate from a single location. Retail chains have hundreds of stores. Financial services firms maintain regional offices across continents. Manufacturing companies connect factories, warehouses, and distribution centers. Healthcare systems span hospitals, clinics, and research facilities. Each of these remote sites requires network connectivity that enables employees to work as productively as those at headquarters—accessing centralized applications, collaborating with colleagues, and maintaining the same security posture.

This is the domain of branch connectivity—the design discipline focused on connecting geographically distributed sites to the enterprise network. Branch design introduces challenges absent from campus networks: constrained bandwidth, higher latency, limited on-site IT expertise, diverse last-mile technologies, and the fundamental economics of provisioning connectivity at scale.

A branch network is a remote site connected back to centralized resources—typically a headquarters campus, regional hub, or datacenter. While branch sites vary enormously in size and function (from a two-person sales office to a 500-employee manufacturing plant), they share common characteristics that differentiate them from campus networks:

Defining Characteristics of Branch Sites:

Branch Traffic Flow Patterns:

Understanding traffic patterns is essential for cost-effective branch design. There are three primary flow patterns:

1. Centralized (Backhauling): All branch traffic traverses the WAN to headquarters, even internet-bound traffic. Provides centralized security inspection but increases WAN bandwidth requirements and latency for cloud applications.

2. Direct Internet Access (DIA): Branch sites have local internet breakout for cloud and internet traffic, while private applications still traverse the WAN. Reduces WAN load but requires security at each branch.

3. Mesh/Branch-to-Branch: For organizations with significant inter-branch collaboration (e.g., video conferencing between regional offices), direct branch-to-branch connectivity avoids hair-pinning through headquarters.

Most modern enterprises adopt a hybrid approach—cloud-first traffic breaks out locally, sensitive internal applications traverse secure WAN paths, and all traffic is subject to consistent security policies regardless of egress point.

Before exploring modern SD-WAN solutions, understanding traditional WAN technologies provides essential context. Many enterprises still rely heavily on these technologies, and even SD-WAN solutions often use them as underlying transport.

MPLS VPN: The Enterprise Standard

Multi-Protocol Label Switching (MPLS) VPNs have been the dominant enterprise WAN technology for two decades. Service providers build nationwide or global MPLS networks that enterprises lease as a managed service.

Other Traditional WAN Technologies:

• Leased Lines (T1/E1, T3/E3): Dedicated point-to-point circuits with guaranteed bandwidth. Legacy technology largely replaced by Ethernet and MPLS, but still found in some regions.

• Frame Relay: Legacy packet-switching technology that preceded MPLS. Officially end-of-life but may exist in legacy installations.

• Metro Ethernet: High-bandwidth Ethernet services for urban/suburban areas. Cost-effective for sites within provider Ethernet footprint.

• Broadband (Cable/DSL/Fiber): Consumer-grade or business-class internet connectivity. Low cost but no SLAs; commonly used as backup or for hybrid WAN.

• Wireless (LTE/5G): Cellular-based connectivity for locations without wired options or as backup. Rapidly maturing for primary branch connectivity.

Virtual Private Networks (VPNs) create encrypted tunnels over untrusted networks (typically the internet), enabling secure branch connectivity at a fraction of MPLS costs. VPN technologies are foundational for both standalone internet WAN and hybrid MPLS/internet architectures.

Site-to-Site VPN Architectures:

IPsec: The Standard for Site-to-Site VPN

IPsec (Internet Protocol Security) is the dominant protocol suite for site-to-site VPNs, providing:

• Authentication: Pre-shared keys (PSK) or certificates via IKE (Internet Key Exchange)
• Encryption: AES-256-GCM (recommended), AES-256-CBC, or other symmetric ciphers
• Integrity: SHA-256, SHA-384, or SHA-512 hash-based message authentication
• Anti-Replay: Sequence numbers prevent packet replay attacks

IPsec can operate in two modes:

1. Tunnel Mode: Entire original IP packet is encrypted and encapsulated in new IP packet. Used for site-to-site VPNs where endpoints are gateways.

2. Transport Mode: Only payload is encrypted; original IP headers preserved. Used for host-to-host and rarely for site-to-site.

IKE Versions:

• IKEv1: Original protocol with complex phase 1/phase 2 negotiation. Legacy but widely supported.
• IKEv2: Simplified, faster connection establishment, better for mobile clients and NAT traversal. Recommended for new deployments.

DMVPN: Scalable Spoke-to-Spoke VPN

Dynamic Multipoint VPN (DMVPN) solves the scalability challenges of full-mesh IPsec. Key components:

1. NHRP (Next Hop Resolution Protocol): Spokes register public IP addresses with hub (NHS - Next Hop Server). When spoke-to-spoke traffic is detected, NHRP resolves destination spoke's public IP.

2. mGRE (Multipoint GRE): Single tunnel interface supports connections to many peers, eliminating per-site tunnel configuration.

3. Routing Protocol: IGP (OSPF, EIGRP) or BGP runs over DMVPN, advertising internal routes. Routing intelligence enables automatic failover.

DMVPN Phases:

• Phase 1: All traffic through hub. Simple but creates bottleneck.
• Phase 2: Direct spoke-to-spoke tunnels for optimized path. Requires NHRP redirect/shortcut.
• Phase 3: Hierarchical scalability with NHRP summarization for thousands of spokes.

Software-Defined WAN (SD-WAN) represents the most significant evolution in branch connectivity in decades. SD-WAN applies the principles of Software-Defined Networking (covered in Chapter 37) to the WAN, abstracting transport from policy and enabling intelligent, application-aware traffic steering across multiple connection types.

The Forces Driving SD-WAN Adoption:

Core SD-WAN Capabilities:

1. Transport Independence SD-WAN abstracts the underlying transport (MPLS, internet, LTE, satellite) into a unified fabric. Traffic is steered across transports based on application requirements and real-time path quality—not static routing decisions.

2. Centralized Orchestration A central controller (cloud-hosted or on-premises) defines policies, pushes configurations, and provides visibility. Branch devices (SD-WAN appliances) enforce policies locally but receive configuration centrally.

3. Application-Aware Routing SD-WAN identifies applications through deep packet inspection (DPI), DNS snooping, or cloud intelligence. Critical applications (voice, video, ERP) receive different treatment than bulk traffic (backups, updates).

4. Dynamic Path Selection SD-WAN continuously monitors path characteristics (latency, jitter, packet loss) and steers traffic to the best available path. This happens per-application, per-packet, transparently.

5. Integrated Security Modern SD-WAN platforms integrate firewall, IPS, web filtering, and CASB capabilities—often called SASE (Secure Access Service Edge) when combined with cloud-delivered security.

Branch sites require connectivity resilience appropriate to their business criticality. A 500-employee manufacturing plant has different uptime requirements than a 5-person sales office. Design decisions around redundancy must balance cost against business impact of downtime.

The Redundancy Spectrum:

WAN Failover Mechanisms:

1. Active/Standby (Cold Standby)

• Primary WAN carries all traffic
• Backup WAN activated only on primary failure
• Simple but wastes standby bandwidth
• Failover time: 30 seconds to several minutes depending on detection mechanism

2. Active/Active with Load Sharing

• Both WAN links carry traffic simultaneously
• Load distributed by destination, application, or packet-level balancing
• Maximizes bandwidth investment
• Requires more sophisticated routing/SD-WAN

3. Priority-Based Steering (SD-WAN)

• Application policies determine which traffic uses which link
• Critical apps on premium link (MPLS), bulk traffic on internet
• Automatic failover if preferred path degrades
• Per-application failover vs. all-or-nothing

LTE/5G as WAN Backup:

Cellular connectivity provides an increasingly viable backup option:

Advantages:

• Diverse failure domain (doesn't share physical path with wired circuits)
• Rapid deployment (days vs. weeks for wired circuits)
• Coverage in areas with limited wired options
• Increasingly competitive bandwidth (5G: 100+ Mbps)

Considerations:

• Data caps/metering on many plans
• Performance variability (congestion, signal strength)
• Monthly costs can exceed wired for high-usage scenarios
• Antenna placement critical for reliable signal

Best Practices for LTE Backup:

• Use enterprise-grade router with integrated LTE (Cisco IR1101, Cradlepoint)
• External antennas for improved signal
• Data-conscious policies (block backups/updates over LTE)
• Negotiate pooled data plans for multi-site deployments

What happens when branch connectivity to headquarters fails completely? Can employees continue working, or does business halt entirely? Branch survivability design ensures critical functions continue during WAN outages.

The Survivability Continuum:

Fully Centralized (Thin Branch)

• All services hosted at headquarters or datacenter
• Branch has only network equipment (router/switch)
• Simple to manage but zero work during WAN outage

Hybrid (Common Approach)

• Critical services have local instances (DHCP, DNS, authentication cache, file caching)
• Core applications remain centralized
• Employees can work with local files and cached data during outages

Fully Distributed (Fat Branch)

• Complete infrastructure stack at each branch (servers, storage, applications)
• Business continuation regardless of WAN
• High cost and management complexity

Example: RODC for Branch Authentication

Read-Only Domain Controllers address a common branch challenge: authentication requires connectivity to writable DCs at headquarters, creating both WAN dependency and latency for logins.

RODC provides:

• Local authentication for cached credentials (users who have logged in before)
• Reduced attack surface (no writable secrets stored at vulnerable branch)
• Efficient replication (only pulls secrets for branch users)
• Centralized management (admin credentials not cached locally)

Limitations:

• New users/first-time logins require WAN connectivity
• Password changes require WAN connectivity to writable DC
• Account lockouts may not propagate immediately during outage

Enterprise branch networks typically follow standardized design patterns (templates) that can be replicated across dozens to thousands of sites. Standardization enables:

• Scalable deployment: Same design works at every site, enabling rapid rollouts
• Consistent security: Uniform policy enforcement across all branches
• Simplified troubleshooting: Support staff familiar with a single design
• Automated provisioning: Templates enable zero-touch or low-touch deployment

Common Branch Design Archetypes:

We've covered substantial ground in branch network design. Let's consolidate the key takeaways:

What's Next:

With campus and branch networks understood, we'll next explore WAN Design—the technologies and architectures connecting distributed sites across metropolitan, national, and global distances. We'll examine carrier services, routing protocol selection for WAN, traffic engineering, and the emerging dominance of SD-WAN for enterprise connectivity.