Computer NetworksNetwork Design & Interview

Enterprise Network Design

LevelAdvanced

Duration90 mins

TopicNetwork Design & Interview

3 / 5

WAN Design

Connecting the Enterprise Across Distances

When a user in the Tokyo office opens a document stored on a server in New York, their request traverses a complex web of carrier networks, submarine cables, and routing infrastructure spanning 10,000+ kilometers. When that file loads in seconds rather than minutes, it's because of deliberate Wide Area Network (WAN) design decisions made by network architects who understood how to optimize connectivity across vast distances.

WAN design is the discipline of connecting geographically distributed sites—branch offices, datacenters, cloud providers, and partners—into a cohesive enterprise network. Unlike campus networks where you control every cable and switch, WAN design involves navigating carrier services, managing costs that can exceed millions annually, and engineering solutions that perform reliably across infrastructure you don't own.

What You Will Learn

By the end of this page, you will understand WAN topology options and their tradeoffs, carrier service types and selection criteria, WAN routing protocol design, traffic engineering techniques, and emerging architectures like SD-WAN and SASE. You'll acquire the knowledge to design cost-effective, high-performance, resilient WAN architectures for enterprises operating across cities, countries, and continents.

WAN Fundamentals

A Wide Area Network (WAN) connects geographically dispersed locations using telecommunications carrier infrastructure. Unlike Local Area Networks (LANs) where organizations own and control the physical infrastructure, WANs traverse carrier networks—introducing dependencies on external providers, service level agreements, and fundamentally different economics.

WAN vs. LAN: Key Differences:

LAN vs. WAN Characteristics
Characteristic	LAN (Campus/Branch)	WAN
Ownership	Organization owns infrastructure	Carrier owns infrastructure
Geography	Single building or campus (<5km)	Cities, countries, continents (km to 1000s km)
Bandwidth	1-400 Gbps common	10 Mbps - 100 Gbps (cost-dependent)
Latency	<1ms typical	5-300ms (distance-dependent)
Cost Model	CapEx (equipment, cabling)	OpEx (recurring monthly)
Bandwidth Cost	~$0.01/Mbps/month (amortized)	~$1-100/Mbps/month (varies by technology, location)
Provisioning	Days (internal project)	Weeks to months (carrier processes)
Control	Complete control	Limited to equipment at site edges

WAN Design Objectives:

Effective WAN design balances multiple competing objectives:

Performance: Minimize latency, maximize available bandwidth, and ensure consistent application response times.
Reliability: Provide redundant paths to eliminate outages from single component failures. Target 99.9-99.99% availability.
Security: Protect data in transit across untrusted carrier infrastructure through encryption and access control.
Cost Efficiency: Optimize bandwidth investments; WAN costs often exceed $1M annually for large enterprises.
Scalability: Support business growth without architectural redesign. Add sites, increase bandwidth, extend to cloud.
Manageability: Enable centralized visibility and control despite distributed infrastructure.
Agility: Provision and modify connectivity quickly to support business changes.

The relative priority of these objectives varies by organization. A financial trading firm prioritizes performance and reliability above cost. A retail chain with 5,000 stores may prioritize cost efficiency and scalability.

The Economics of Distance

WAN bandwidth costs correlate with distance, but non-linearly. Metro connections (same city) cost significantly less than long-haul (cross-country) or international circuits. Submarine and inter-continental capacity remains expensive due to limited infrastructure. Design decisions should account for these economics—keep high-bandwidth traffic local when possible.

WAN Topology Options

WAN topology determines how sites interconnect and how traffic flows between locations. The choice profoundly impacts performance, cost, resilience, and operational complexity.

1. Hub-and-Spoke (Star) Topology

All remote sites (spokes) connect to a central hub (typically headquarters or primary datacenter). Traffic between spokes traverses the hub.

Hub-and-Spoke Advantages

•Simplified routing and policy management
•Centralized security inspection at hub
•Minimized WAN circuits (n-1 for n sites)
•Easy to scale by adding spoke connections
•Centralized services (applications, internet) at hub

Hub-and-Spoke Disadvantages

•Hub is single point of failure (SPOF)
•Spoke-to-spoke traffic inefficient (double-tromboning)
•Hub link may become bottleneck
•Increased latency for inter-spoke traffic
•Hub capacity must scale with spoke count

2. Full Mesh Topology

Every site has direct connectivity to every other site. Provides optimal path selection and maximum resilience.

Characteristics:

Number of connections: n(n-1)/2 for n sites
Example: 10 sites = 45 connections; 50 sites = 1,225 connections
Optimal path selection: direct route between any two sites
Maximum resilience: multiple paths survive any single failure
Very high cost and complexity beyond 10-15 sites

3. Partial Mesh Topology

Strategic subset of sites have direct connectivity based on traffic patterns and business requirements. Balance between hub-and-spoke simplicity and full mesh optimization.

Design Approach:

Analyze traffic patterns: which sites communicate most frequently/heavily
Connect high-traffic site pairs directly
Regional hubs with local full mesh; inter-regional via hub-to-hub
Accept sub-optimal paths for low-traffic site pairs

Converting Mermaid diagram...

4. Hierarchical/Regional Hub Topology

Large enterprises often adopt multi-tier WANs with regional aggregation:

Tier 1: Global backbone connecting primary datacenters and HQ
Tier 2: Regional hubs (EMEA, APAC, Americas) aggregating local sites
Tier 3: Local sites connect to nearest regional hub

This hierarchy limits inter-continental traffic, keeps latency-sensitive applications regional, and enables localized management while maintaining global connectivity.

Modern Trend: Cloud-Centric Topology

With applications migrating to cloud (AWS, Azure, GCP), topology increasingly centers on cloud rather than enterprise datacenters. Sites connect to nearest cloud on-ramp (Direct Connect, ExpressRoute), with cloud backbone carrying inter-site traffic. This shifts WAN complexity to cloud providers and enables consistent global performance for cloud-native applications.

Carrier WAN Services

Enterprises purchase WAN connectivity from telecommunications carriers (AT&T, Verizon, BT, NTT, etc.). Understanding carrier service offerings is essential for procurement decisions:

Layer 1 Services: Physical Transport

•Dark Fiber — Lit-only fiber strands; customer provides optical equipment. Maximum flexibility and bandwidth but requires capital investment and expertise. Typically metro only.
•Wavelength Services (DWDM) — Carrier provides specific wavelength(s) on shared fiber infrastructure. Fixed bandwidth (10G, 100G, 400G), carrier manages optical layer. For high-bandwidth, stable requirements.
•Circuit-Switched Transport (T1/E1, T3/E3, OC-3/12/48) — Legacy TDM-based services. Expensive per-Mbps, declining availability, but still found in some regions.

Layer 2 Services: Ethernet and Beyond

Layer 2 WAN Service Types
Service Type	Description	Use Case	Typical Bandwidth
E-Line (Point-to-Point)	Dedicated Ethernet connection between two sites	Datacenter interconnect, high-bandwidth site pairs	10 Mbps - 100 Gbps
E-LAN (Multipoint)	Layer 2 connectivity between multiple sites (virtual LAN)	Sites needing direct L2 adjacency (stretched VLANs)	10 Mbps - 10 Gbps
E-Tree (Hub-and-Spoke L2)	Hub site can reach all spokes; spokes only reach hub	Datacenter with multiple branch access	10 Mbps - 10 Gbps
VPLS (Virtual Private LAN Service)	MPLS-based multipoint Ethernet emulation	Geographically dispersed L2 domains	1 Mbps - 10 Gbps

Layer 3 Services: Managed Routing

MPLS VPN (IP VPN)

The dominant managed WAN service for enterprises. Carrier manages routing within their MPLS backbone; customer receives IP connectivity.

Three MPLS VPN Classes:

Class of Service (CoS) with SLA: Carrier guarantees latency, jitter, and packet loss for different traffic classes. Essential for real-time applications (voice, video).
Standard: Best-effort forwarding within carrier network. Lower cost but no performance guarantees.
Burstable: Committed Information Rate (CIR) with ability to burst above during low utilization. Pay base rate plus overages.

Typical MPLS VPN SLAs:

Latency: ≤50ms domestic, ≤100-200ms continental, ≤300ms global
Jitter: ≤10ms
Packet Loss: ≤0.1%
Availability: 99.9% (8.76 hours/year downtime) to 99.99% (52 minutes/year)

Carrier SLA Reality Check

SLAs are contractual promises with financial penalties, but they don't prevent outages—they provide credits when outages occur. A 99.9% SLA permits nearly 9 hours of yearly downtime. If your business requires higher availability, design redundancy using multiple carriers/paths rather than relying solely on SLA guarantees.

Internet as WAN Transport

The public internet, once considered unsuitable for enterprise WAN, is increasingly viable as primary or hybrid transport:

Internet Advantages:

Cost: 5-10x cheaper per Mbps than MPLS
Availability: Ubiquitous, even in developing regions
Bandwidth: Can exceed affordable MPLS bandwidth
Provisioning: Days vs. weeks for carrier services
Cloud optimization: Direct paths to cloud/SaaS providers

Internet Challenges:

No SLAs: Performance varies with congestion, peering, and routing changes
Security: Must encrypt all traffic; exposed to DDoS attacks
Latency variability: Routing changes can cause path changes
Last-mile diversity: Business internet often shares physical plant with MPLS

Hybrid WAN Strategy: Most organizations now deploy hybrid WAN—combining MPLS (for critical, real-time applications) with internet (for cloud access, bandwidth-heavy transfers, backup). SD-WAN orchestrates traffic steering between these transports.

WAN Routing Design

Routing protocol selection and design profoundly impact WAN behavior—convergence time, path selection, scalability, and troubleshooting complexity. WAN routing must address challenges absent from campus environments: variable link quality, asymmetric paths, and scale across potentially thousands of sites.

Routing Protocol Options for Enterprise WAN:

WAN Routing Protocol Comparison
Protocol	Type	Scalability	Convergence	Best Suited For
OSPF	Link-State (IGP)	Medium (areas required)	Fast (sub-second with tuning)	Single-carrier MPLS, medium WAN
EIGRP	Advanced Distance Vector (IGP)	High (summarization)	Very Fast (DUAL)	Cisco-only environments
IS-IS	Link-State (IGP)	Very High	Fast	Service provider, large enterprise
BGP	Path Vector (EGP)	Unlimited	Slower (by design)	Internet connectivity, MPLS VPN, SD-WAN
Static	Manual	Low	N/A (manual)	Stub sites, backup paths

OSPF WAN Design Considerations:

OSPF is commonly used for enterprise WANs, particularly over MPLS VPN where it interfaces with carrier-provided PE-CE routing.

Key Design Principles:

Area Design: Place all sites in Area 0 for simple deployments (< 100 sites). For larger WANs, use multiple areas with hub sites as ABRs.
Network Types:
- MPLS VPN: Point-to-multipoint → OSPF Point-to-Point network type (avoids DR/BDR election)
- Broadcast Ethernet: Use Point-to-Point subinterfaces or carefully manage DR election
Summarization: Summarize at area boundaries to reduce LSA propagation and routing table size.
Stub Areas: Configure stub or totally-stubby areas for branch sites that don't need full routing table.
Timer Tuning: Default OSPF Hello (10s) / Dead (40s) timers may be too slow. Consider 1s/4s for fast convergence, balanced against stability.

ospf-wan-design-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
! OSPF WAN Design - Hub Router Configuration
! Demonstrates enterprise WAN best practices
 
router ospf 1
 router-id 10.255.0.1
 
 ! Passive-interface default prevents unintended adjacencies
 passive-interface default
 no passive-interface GigabitEthernet0/0/0  ! WAN interface
 no passive-interface GigabitEthernet0/0/1  ! WAN interface
 
 ! Summarize branch prefixes toward core
 area 10 range 10.10.0.0 255.255.0.0
 
 ! Stub area for branch sites (no external routes needed)
 area 20 stub no-summary
 
 ! Auto-cost reference for modern link speeds
 auto-cost reference-bandwidth 100000  ! 100 Gbps reference
 
 ! Fast convergence timers
 timers throttle spf 50 100 5000
 timers throttle lsa 50 100 5000
 
! WAN Interface Configuration
interface GigabitEthernet0/0/0
 description MPLS-VPN-Primary
 ip ospf 1 area 0
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf cost 10  ! Prefer over backup
 
interface GigabitEthernet0/0/1
 description Internet-VPN-Backup
 ip ospf 1 area 0
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf cost 100  ! Higher cost = backup path

BGP for WAN Design:

BGP, while traditionally an internet routing protocol, increasingly appears in enterprise WANs:

When to Use BGP:

Multi-homed internet connectivity (mandatory for receiving provider routes)
MPLS VPN PE-CE routing (common carrier requirement)
Large-scale WAN (BGP scales better than IGPs for 500+ sites)
SD-WAN overlays (many SD-WAN platforms use BGP internally)
Multi-datacenter environment requiring traffic engineering

BGP WAN Design Principles:

Use iBGP within the enterprise, eBGP toward carriers
Implement route reflectors for iBGP scalability (avoid full mesh)
Apply consistent BGP communities for policy (traffic engineering, backup paths)
Tune BGP timers for faster convergence (BFD recommended)
Filter routes carefully—don't accept/advertise unintended prefixes

BFD: Essential for Fast Failover

Bidirectional Forwarding Detection (BFD) provides sub-second failure detection independent of routing protocol timers. Deploy BFD on all WAN links and integrate with OSPF/BGP for rapid convergence without aggressive (potentially unstable) protocol timer tuning. Typical BFD timers: 100ms transmit, 300ms detect.

WAN Performance Optimization

WAN links are expensive and constrained compared to LAN. Performance optimization techniques extract maximum value from WAN investments and ensure acceptable application experience despite distance and bandwidth limitations.

Quality of Service (QoS)

QoS ensures critical applications receive priority under congestion. Without QoS, a large file transfer can starve a voice call, causing unacceptable quality.

QoS Building Blocks:

QoS Components

•Classification — Identify traffic by application (DSCP, NBAR, port, ACL). Must happen at network edge (access layer or branch router).
•Marking — Set DSCP/IP Precedence or CoS values for consistent treatment across network. Preserve markings end-to-end.
•Queuing — Assign traffic to queues with different service levels. Strict priority queue for voice; weighted fair queuing for other classes.
•Scheduling — Determine how queues are serviced. Priority queuing, Weighted Round Robin (WRR), Deficit Weighted Round Robin (DWRR).
•Shaping/Policing — Limit bandwidth per class or total. Shaping delays excess traffic; policing drops it.
•Congestion Avoidance — WRED drops packets probabilistically before queue overflow, signaling TCP to slow down.

Enterprise QoS Classification Model (RFC 4594 Aligned)
Traffic Class	DSCP Value	Treatment	Examples
Network Control	CS6 (48)	Priority (protected)	Routing protocols, network management
Voice (EF)	EF (46)	Strict Priority, <10% BW	VoIP bearer traffic
Video Conferencing	AF41 (34)	Priority, <23% BW	Real-time video
Call Signaling	CS3 (24)	Guaranteed	SIP, H.323, SCCP signaling
Transactional Data	AF21 (18)	Guaranteed, low drop	Database, ERP, interactive
Bulk Data	AF11 (10)	Best Effort+	Email, file transfer, backup
Default/Scavenger	BE (0) / CS1 (8)	Best Effort/Low	Internet, social media, P2P

WAN Optimization (WAN-X)

WAN optimization appliances (Riverbed Steelhead, Cisco WAAS, Silver Peak) improve application performance over WAN through:

Data Deduplication: Eliminate redundant data across transfers. Byte-level deduplication can reduce transferred data by 70-95% for repeated patterns (documents, code, backups).
Compression: Compress unique data using LZ-based algorithms. Additional 40-60% reduction on compressible content.
Protocol Optimization: Overcome protocol inefficiencies:
- CIFS/SMB: Prefetch, read-ahead, compound commands
- HTTP: Connection pooling, persistent connections
- TCP: Overcome bandwidth-delay product limitations
SSL/TLS Optimization: Decrypt, optimize, re-encrypt for protocols with end-to-end encryption. Requires certificate management.
Application Caching: Cache frequently accessed content locally (video streams, software updates).

WAN Optimization Deployment Models:

In-Path: Appliances inline between LAN and WAN; intercept all traffic
Out-of-Path (WCCP): Redirect traffic via WCCP; appliance failure doesn't break connectivity
Cloud-Based: Optimization as cloud service; no on-premises appliances

WAN Optimization and Cloud

Traditional WAN optimization was designed for client-server traffic to enterprise datacenters. Cloud/SaaS traffic often bypasses optimization appliances (direct internet breakout) or uses different optimization (CDNs, cloud provider networks). Evaluate whether WAN-X investments remain relevant as traffic patterns shift to cloud. SD-WAN platforms often include comparable capabilities.

WAN Resilience and High Availability

WAN circuits traverse infrastructure outside your control—carrier networks, third-party fiber, shared conduits, and internet exchanges. Resilience design must account for failures at multiple levels.

Failure Domains and Redundancy Strategies:

WAN Failure Points and Mitigation
Failure Point	Impact	Mitigation Strategy
Last-Mile Circuit	Site isolated from WAN	Dual circuits from diverse paths/carriers
Carrier Network	All sites on that carrier affected	Multi-carrier strategy; backup via alternative carrier
CE Router	Site isolated (single device)	Dual routers with HSRP/VRRP and diverse uplinks
PE Router	Multiple customers affected	Carrier responsibility; connect to diverse PEs
Fiber Cut	All circuits in that path	Request physically diverse paths from carrier
Building Entry	All connectivity to building	Dual building entry points for critical sites
Regional Event	All sites in region affected	Geographically distributed redundancy

Carrier Diversity Best Practices:

True Diversity Assessment: Carriers often share underlying infrastructure. Two "different" circuits may travel the same fiber. Request diversity reports showing physical path separation.
Entrance Facility Separation: For critical sites, bring circuits into different building entrance points, ideally on different sides of the building.
Last-Mile Technology Mix: Combine fiber and LTE, or different fiber providers, to reduce common-mode failures.
Carrier Selection Strategy: Use different carriers for primary and backup. Reduces exposure to carrier-specific outages or business issues.

Active-Active vs. Active-Standby:

Active-Active Design

•Both circuits carry traffic simultaneously
•Equal-cost multipath (ECMP) for load sharing
•Failure removes capacity but doesn't cause outage
•Validates both paths continuously
•Requires careful traffic engineering
•Best for sites with high bandwidth needs

Active-Standby Design

•Primary circuit carries all traffic
•Backup circuit activated only on primary failure
•Simpler routing and policy
•Standby capacity may be cheaper (less bandwidth)
•Backup path not continuously validated
•Good for cost-sensitive sites with lower bandwidth

LTE as Strategic Backup

4G/5G cellular provides excellent WAN backup due to completely independent infrastructure (towers vs. fiber). Modern enterprise routers include integrated LTE. For critical sites, LTE backup activates automatically on primary failure. Design policies to limit non-essential traffic over metered cellular connections.

Modern WAN Evolution: SD-WAN and SASE

The enterprise WAN is undergoing fundamental transformation. Traditional architectures—designed when applications lived in enterprise datacenters—struggle with cloud-centric traffic patterns. Two converging trends are reshaping WAN design:

SD-WAN: Software-Defined Wide Area Network

SD-WAN (introduced in Branch Connectivity, expanded here) transforms WAN architecture by:

Abstracting Transport: Multiple underlying transports (MPLS, internet, LTE) appear as a unified fabric. Traffic steered based on application requirements and real-time path quality.
Centralizing Control: Policies defined once in central controller, deployed automatically to all sites. Enables enterprise-wide consistency and rapid change.
Enabling Direct Cloud Access: Sites access cloud/SaaS directly via local internet breakout, reducing latency and avoiding backhaul costs.
Simplifying Operations: Zero-touch deployment, automated configuration, and comprehensive visibility reduce operational burden.

SASE: Secure Access Service Edge

SASE (pronounced "sassy"), defined by Gartner in 2019, converges SD-WAN with cloud-delivered security into a unified service:

SASE Components:

SD-WAN: Network connectivity and optimization
CASB (Cloud Access Security Broker): Visibility and control for SaaS applications
SWG (Secure Web Gateway): Web filtering and threat protection
ZTNA (Zero Trust Network Access): Application access without traditional VPN
FWaaS (Firewall as a Service): Cloud-delivered firewall capabilities

SASE Benefits:

Consistent security regardless of user/site location
Reduced attack surface (cloud enforcement, not perimeter)
Simplified architecture (fewer on-premises appliances)
Better cloud/SaaS performance (security at cloud edge)
Support for remote/hybrid workforce

Converting Mermaid diagram...

SASE Maturity Consideration

While SASE represents the strategic direction, the market remains early and fragmented. Few vendors offer complete, mature SASE stacks. Most enterprises adopt gradually—starting with SD-WAN, adding cloud security components over time. Evaluate vendors carefully; marketing claims often exceed delivery capabilities.

Summary: WAN Design Essentials

We've covered substantial ground in WAN architecture. Let's consolidate the key takeaways:

Key Takeaways

•WAN connects geographically distributed sites across carrier infrastructure — Economics, scale, and control differ fundamentally from LAN environments.
•Topology selection balances cost, performance, and complexity — Hub-and-spoke is simple but creates bottlenecks; mesh optimizes paths at higher cost; hierarchical combines benefits.
•Carrier services span Layer 1 through Layer 3 — Understand your options: dark fiber, Ethernet services, MPLS VPN, and internet-based connectivity each have distinct tradeoffs.
•Routing design impacts convergence and scale — Apply OSPF/EIGRP/BGP best practices; tune timers appropriately; deploy BFD for sub-second failover.
•QoS is essential for application experience — Classify, mark, queue, and shape traffic to ensure critical applications perform under congestion.
•Resilience requires addressing multiple failure domains — Carrier diversity, last-mile redundancy, and router redundancy work together for high availability.
•SD-WAN and SASE are reshaping enterprise WAN — Application-aware routing, cloud integration, and converged security represent the strategic direction for modern WANs.

What's Next:

With campus, branch, and WAN design understood, we'll next explore Security Zones—how to segment enterprise networks to contain threats, enforce access policies, and align network architecture with security requirements. Security zone design integrates network and security architecture into a cohesive defense strategy.

Page Complete

You now understand the principles and practices of WAN design—from topology selection and carrier services to routing protocols and modern SD-WAN evolution. This knowledge enables you to architect, evaluate, and optimize Wide Area Networks connecting enterprise sites across any distance.

3 / 5

Loading learning content...

Computer NetworksNetwork Design & Interview

Enterprise Network Design

LevelAdvanced

Duration90 mins

TopicNetwork Design & Interview

3 / 5

WAN Design

Connecting the Enterprise Across Distances

What You Will Learn

WAN Fundamentals

WAN vs. LAN: Key Differences:

LAN vs. WAN Characteristics
Characteristic	LAN (Campus/Branch)	WAN
Ownership	Organization owns infrastructure	Carrier owns infrastructure
Geography	Single building or campus (<5km)	Cities, countries, continents (km to 1000s km)
Bandwidth	1-400 Gbps common	10 Mbps - 100 Gbps (cost-dependent)
Latency	<1ms typical	5-300ms (distance-dependent)
Cost Model	CapEx (equipment, cabling)	OpEx (recurring monthly)
Bandwidth Cost	~$0.01/Mbps/month (amortized)	~$1-100/Mbps/month (varies by technology, location)
Provisioning	Days (internal project)	Weeks to months (carrier processes)
Control	Complete control	Limited to equipment at site edges

WAN Design Objectives:

Effective WAN design balances multiple competing objectives:

Performance: Minimize latency, maximize available bandwidth, and ensure consistent application response times.
Reliability: Provide redundant paths to eliminate outages from single component failures. Target 99.9-99.99% availability.
Security: Protect data in transit across untrusted carrier infrastructure through encryption and access control.
Cost Efficiency: Optimize bandwidth investments; WAN costs often exceed $1M annually for large enterprises.
Scalability: Support business growth without architectural redesign. Add sites, increase bandwidth, extend to cloud.
Manageability: Enable centralized visibility and control despite distributed infrastructure.
Agility: Provision and modify connectivity quickly to support business changes.

The Economics of Distance

WAN Topology Options

WAN topology determines how sites interconnect and how traffic flows between locations. The choice profoundly impacts performance, cost, resilience, and operational complexity.

1. Hub-and-Spoke (Star) Topology

All remote sites (spokes) connect to a central hub (typically headquarters or primary datacenter). Traffic between spokes traverses the hub.

Hub-and-Spoke Advantages

•Simplified routing and policy management
•Centralized security inspection at hub
•Minimized WAN circuits (n-1 for n sites)
•Easy to scale by adding spoke connections
•Centralized services (applications, internet) at hub

Hub-and-Spoke Disadvantages

•Hub is single point of failure (SPOF)
•Spoke-to-spoke traffic inefficient (double-tromboning)
•Hub link may become bottleneck
•Increased latency for inter-spoke traffic
•Hub capacity must scale with spoke count

2. Full Mesh Topology

Every site has direct connectivity to every other site. Provides optimal path selection and maximum resilience.

Characteristics:

Number of connections: n(n-1)/2 for n sites
Example: 10 sites = 45 connections; 50 sites = 1,225 connections
Optimal path selection: direct route between any two sites
Maximum resilience: multiple paths survive any single failure
Very high cost and complexity beyond 10-15 sites

3. Partial Mesh Topology

Strategic subset of sites have direct connectivity based on traffic patterns and business requirements. Balance between hub-and-spoke simplicity and full mesh optimization.

Design Approach:

Analyze traffic patterns: which sites communicate most frequently/heavily
Connect high-traffic site pairs directly
Regional hubs with local full mesh; inter-regional via hub-to-hub
Accept sub-optimal paths for low-traffic site pairs

Converting Mermaid diagram...

4. Hierarchical/Regional Hub Topology

Large enterprises often adopt multi-tier WANs with regional aggregation:

Tier 1: Global backbone connecting primary datacenters and HQ
Tier 2: Regional hubs (EMEA, APAC, Americas) aggregating local sites
Tier 3: Local sites connect to nearest regional hub

This hierarchy limits inter-continental traffic, keeps latency-sensitive applications regional, and enables localized management while maintaining global connectivity.

Modern Trend: Cloud-Centric Topology

Carrier WAN Services

Enterprises purchase WAN connectivity from telecommunications carriers (AT&T, Verizon, BT, NTT, etc.). Understanding carrier service offerings is essential for procurement decisions:

Layer 1 Services: Physical Transport

•Dark Fiber — Lit-only fiber strands; customer provides optical equipment. Maximum flexibility and bandwidth but requires capital investment and expertise. Typically metro only.
•Wavelength Services (DWDM) — Carrier provides specific wavelength(s) on shared fiber infrastructure. Fixed bandwidth (10G, 100G, 400G), carrier manages optical layer. For high-bandwidth, stable requirements.
•Circuit-Switched Transport (T1/E1, T3/E3, OC-3/12/48) — Legacy TDM-based services. Expensive per-Mbps, declining availability, but still found in some regions.

Layer 2 Services: Ethernet and Beyond

Layer 2 WAN Service Types
Service Type	Description	Use Case	Typical Bandwidth
E-Line (Point-to-Point)	Dedicated Ethernet connection between two sites	Datacenter interconnect, high-bandwidth site pairs	10 Mbps - 100 Gbps
E-LAN (Multipoint)	Layer 2 connectivity between multiple sites (virtual LAN)	Sites needing direct L2 adjacency (stretched VLANs)	10 Mbps - 10 Gbps
E-Tree (Hub-and-Spoke L2)	Hub site can reach all spokes; spokes only reach hub	Datacenter with multiple branch access	10 Mbps - 10 Gbps
VPLS (Virtual Private LAN Service)	MPLS-based multipoint Ethernet emulation	Geographically dispersed L2 domains	1 Mbps - 10 Gbps

Layer 3 Services: Managed Routing

MPLS VPN (IP VPN)

The dominant managed WAN service for enterprises. Carrier manages routing within their MPLS backbone; customer receives IP connectivity.

Three MPLS VPN Classes:

Class of Service (CoS) with SLA: Carrier guarantees latency, jitter, and packet loss for different traffic classes. Essential for real-time applications (voice, video).
Standard: Best-effort forwarding within carrier network. Lower cost but no performance guarantees.
Burstable: Committed Information Rate (CIR) with ability to burst above during low utilization. Pay base rate plus overages.

Typical MPLS VPN SLAs:

Latency: ≤50ms domestic, ≤100-200ms continental, ≤300ms global
Jitter: ≤10ms
Packet Loss: ≤0.1%
Availability: 99.9% (8.76 hours/year downtime) to 99.99% (52 minutes/year)

Carrier SLA Reality Check

Internet as WAN Transport

The public internet, once considered unsuitable for enterprise WAN, is increasingly viable as primary or hybrid transport:

Internet Advantages:

Cost: 5-10x cheaper per Mbps than MPLS
Availability: Ubiquitous, even in developing regions
Bandwidth: Can exceed affordable MPLS bandwidth
Provisioning: Days vs. weeks for carrier services
Cloud optimization: Direct paths to cloud/SaaS providers

Internet Challenges:

No SLAs: Performance varies with congestion, peering, and routing changes
Security: Must encrypt all traffic; exposed to DDoS attacks
Latency variability: Routing changes can cause path changes
Last-mile diversity: Business internet often shares physical plant with MPLS

WAN Routing Design

Routing Protocol Options for Enterprise WAN:

WAN Routing Protocol Comparison
Protocol	Type	Scalability	Convergence	Best Suited For
OSPF	Link-State (IGP)	Medium (areas required)	Fast (sub-second with tuning)	Single-carrier MPLS, medium WAN
EIGRP	Advanced Distance Vector (IGP)	High (summarization)	Very Fast (DUAL)	Cisco-only environments
IS-IS	Link-State (IGP)	Very High	Fast	Service provider, large enterprise
BGP	Path Vector (EGP)	Unlimited	Slower (by design)	Internet connectivity, MPLS VPN, SD-WAN
Static	Manual	Low	N/A (manual)	Stub sites, backup paths

OSPF WAN Design Considerations:

OSPF is commonly used for enterprise WANs, particularly over MPLS VPN where it interfaces with carrier-provided PE-CE routing.

Key Design Principles:

Area Design: Place all sites in Area 0 for simple deployments (< 100 sites). For larger WANs, use multiple areas with hub sites as ABRs.
Network Types:
- MPLS VPN: Point-to-multipoint → OSPF Point-to-Point network type (avoids DR/BDR election)
- Broadcast Ethernet: Use Point-to-Point subinterfaces or carefully manage DR election
Summarization: Summarize at area boundaries to reduce LSA propagation and routing table size.
Stub Areas: Configure stub or totally-stubby areas for branch sites that don't need full routing table.
Timer Tuning: Default OSPF Hello (10s) / Dead (40s) timers may be too slow. Consider 1s/4s for fast convergence, balanced against stability.

ospf-wan-design-example.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
! OSPF WAN Design - Hub Router Configuration
! Demonstrates enterprise WAN best practices
 
router ospf 1
 router-id 10.255.0.1
 
 ! Passive-interface default prevents unintended adjacencies
 passive-interface default
 no passive-interface GigabitEthernet0/0/0  ! WAN interface
 no passive-interface GigabitEthernet0/0/1  ! WAN interface
 
 ! Summarize branch prefixes toward core
 area 10 range 10.10.0.0 255.255.0.0
 
 ! Stub area for branch sites (no external routes needed)
 area 20 stub no-summary
 
 ! Auto-cost reference for modern link speeds
 auto-cost reference-bandwidth 100000  ! 100 Gbps reference
 
 ! Fast convergence timers
 timers throttle spf 50 100 5000
 timers throttle lsa 50 100 5000
 
! WAN Interface Configuration
interface GigabitEthernet0/0/0
 description MPLS-VPN-Primary
 ip ospf 1 area 0
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf cost 10  ! Prefer over backup
 
interface GigabitEthernet0/0/1
 description Internet-VPN-Backup
 ip ospf 1 area 0
 ip ospf network point-to-point
 ip ospf hello-interval 1
 ip ospf dead-interval 4
 ip ospf cost 100  ! Higher cost = backup path

BGP for WAN Design:

BGP, while traditionally an internet routing protocol, increasingly appears in enterprise WANs:

When to Use BGP:

Multi-homed internet connectivity (mandatory for receiving provider routes)
MPLS VPN PE-CE routing (common carrier requirement)
Large-scale WAN (BGP scales better than IGPs for 500+ sites)
SD-WAN overlays (many SD-WAN platforms use BGP internally)
Multi-datacenter environment requiring traffic engineering

BGP WAN Design Principles:

Use iBGP within the enterprise, eBGP toward carriers
Implement route reflectors for iBGP scalability (avoid full mesh)
Apply consistent BGP communities for policy (traffic engineering, backup paths)
Tune BGP timers for faster convergence (BFD recommended)
Filter routes carefully—don't accept/advertise unintended prefixes

BFD: Essential for Fast Failover

WAN Performance Optimization

Quality of Service (QoS)

QoS ensures critical applications receive priority under congestion. Without QoS, a large file transfer can starve a voice call, causing unacceptable quality.

QoS Building Blocks:

QoS Components

•Classification — Identify traffic by application (DSCP, NBAR, port, ACL). Must happen at network edge (access layer or branch router).
•Marking — Set DSCP/IP Precedence or CoS values for consistent treatment across network. Preserve markings end-to-end.
•Queuing — Assign traffic to queues with different service levels. Strict priority queue for voice; weighted fair queuing for other classes.
•Scheduling — Determine how queues are serviced. Priority queuing, Weighted Round Robin (WRR), Deficit Weighted Round Robin (DWRR).
•Shaping/Policing — Limit bandwidth per class or total. Shaping delays excess traffic; policing drops it.
•Congestion Avoidance — WRED drops packets probabilistically before queue overflow, signaling TCP to slow down.

Enterprise QoS Classification Model (RFC 4594 Aligned)
Traffic Class	DSCP Value	Treatment	Examples
Network Control	CS6 (48)	Priority (protected)	Routing protocols, network management
Voice (EF)	EF (46)	Strict Priority, <10% BW	VoIP bearer traffic
Video Conferencing	AF41 (34)	Priority, <23% BW	Real-time video
Call Signaling	CS3 (24)	Guaranteed	SIP, H.323, SCCP signaling
Transactional Data	AF21 (18)	Guaranteed, low drop	Database, ERP, interactive
Bulk Data	AF11 (10)	Best Effort+	Email, file transfer, backup
Default/Scavenger	BE (0) / CS1 (8)	Best Effort/Low	Internet, social media, P2P

WAN Optimization (WAN-X)

WAN optimization appliances (Riverbed Steelhead, Cisco WAAS, Silver Peak) improve application performance over WAN through:

Data Deduplication: Eliminate redundant data across transfers. Byte-level deduplication can reduce transferred data by 70-95% for repeated patterns (documents, code, backups).
Compression: Compress unique data using LZ-based algorithms. Additional 40-60% reduction on compressible content.
Protocol Optimization: Overcome protocol inefficiencies:
- CIFS/SMB: Prefetch, read-ahead, compound commands
- HTTP: Connection pooling, persistent connections
- TCP: Overcome bandwidth-delay product limitations
SSL/TLS Optimization: Decrypt, optimize, re-encrypt for protocols with end-to-end encryption. Requires certificate management.
Application Caching: Cache frequently accessed content locally (video streams, software updates).

WAN Optimization Deployment Models:

In-Path: Appliances inline between LAN and WAN; intercept all traffic
Out-of-Path (WCCP): Redirect traffic via WCCP; appliance failure doesn't break connectivity
Cloud-Based: Optimization as cloud service; no on-premises appliances

WAN Optimization and Cloud

WAN Resilience and High Availability

Failure Domains and Redundancy Strategies:

WAN Failure Points and Mitigation
Failure Point	Impact	Mitigation Strategy
Last-Mile Circuit	Site isolated from WAN	Dual circuits from diverse paths/carriers
Carrier Network	All sites on that carrier affected	Multi-carrier strategy; backup via alternative carrier
CE Router	Site isolated (single device)	Dual routers with HSRP/VRRP and diverse uplinks
PE Router	Multiple customers affected	Carrier responsibility; connect to diverse PEs
Fiber Cut	All circuits in that path	Request physically diverse paths from carrier
Building Entry	All connectivity to building	Dual building entry points for critical sites
Regional Event	All sites in region affected	Geographically distributed redundancy

Carrier Diversity Best Practices:

True Diversity Assessment: Carriers often share underlying infrastructure. Two "different" circuits may travel the same fiber. Request diversity reports showing physical path separation.
Entrance Facility Separation: For critical sites, bring circuits into different building entrance points, ideally on different sides of the building.
Last-Mile Technology Mix: Combine fiber and LTE, or different fiber providers, to reduce common-mode failures.
Carrier Selection Strategy: Use different carriers for primary and backup. Reduces exposure to carrier-specific outages or business issues.

Active-Active vs. Active-Standby:

Active-Active Design

•Both circuits carry traffic simultaneously
•Equal-cost multipath (ECMP) for load sharing
•Failure removes capacity but doesn't cause outage
•Validates both paths continuously
•Requires careful traffic engineering
•Best for sites with high bandwidth needs

Active-Standby Design

•Primary circuit carries all traffic
•Backup circuit activated only on primary failure
•Simpler routing and policy
•Standby capacity may be cheaper (less bandwidth)
•Backup path not continuously validated
•Good for cost-sensitive sites with lower bandwidth

LTE as Strategic Backup

Modern WAN Evolution: SD-WAN and SASE

SD-WAN: Software-Defined Wide Area Network

SD-WAN (introduced in Branch Connectivity, expanded here) transforms WAN architecture by:

Abstracting Transport: Multiple underlying transports (MPLS, internet, LTE) appear as a unified fabric. Traffic steered based on application requirements and real-time path quality.
Centralizing Control: Policies defined once in central controller, deployed automatically to all sites. Enables enterprise-wide consistency and rapid change.
Enabling Direct Cloud Access: Sites access cloud/SaaS directly via local internet breakout, reducing latency and avoiding backhaul costs.
Simplifying Operations: Zero-touch deployment, automated configuration, and comprehensive visibility reduce operational burden.

SASE: Secure Access Service Edge

SASE (pronounced "sassy"), defined by Gartner in 2019, converges SD-WAN with cloud-delivered security into a unified service:

SASE Components:

SD-WAN: Network connectivity and optimization
CASB (Cloud Access Security Broker): Visibility and control for SaaS applications
SWG (Secure Web Gateway): Web filtering and threat protection
ZTNA (Zero Trust Network Access): Application access without traditional VPN
FWaaS (Firewall as a Service): Cloud-delivered firewall capabilities

SASE Benefits:

Consistent security regardless of user/site location
Reduced attack surface (cloud enforcement, not perimeter)
Simplified architecture (fewer on-premises appliances)
Better cloud/SaaS performance (security at cloud edge)
Support for remote/hybrid workforce

Converting Mermaid diagram...

SASE Maturity Consideration

Summary: WAN Design Essentials

We've covered substantial ground in WAN architecture. Let's consolidate the key takeaways:

Key Takeaways

•WAN connects geographically distributed sites across carrier infrastructure — Economics, scale, and control differ fundamentally from LAN environments.
•Topology selection balances cost, performance, and complexity — Hub-and-spoke is simple but creates bottlenecks; mesh optimizes paths at higher cost; hierarchical combines benefits.
•Carrier services span Layer 1 through Layer 3 — Understand your options: dark fiber, Ethernet services, MPLS VPN, and internet-based connectivity each have distinct tradeoffs.
•Routing design impacts convergence and scale — Apply OSPF/EIGRP/BGP best practices; tune timers appropriately; deploy BFD for sub-second failover.
•QoS is essential for application experience — Classify, mark, queue, and shape traffic to ensure critical applications perform under congestion.
•Resilience requires addressing multiple failure domains — Carrier diversity, last-mile redundancy, and router redundancy work together for high availability.
•SD-WAN and SASE are reshaping enterprise WAN — Application-aware routing, cloud integration, and converged security represent the strategic direction for modern WANs.

What's Next:

Page Complete

3 / 5