Your LAN ends at the building. The WAN connects everything beyond it.
Your company opens a branch office 500 miles away. The new office needs access to the same file servers, databases, and applications as headquarters.
You need a WAN link. But which one? MPLS, broadband VPN, SD-WAN? The answer depends on bandwidth, reliability, cost, and latency requirements.
Before choosing a WAN technology, understand the physical boundary points.
WAN vs LAN
LAN: local, high speed, you own the infrastructure. WAN: long distance, lower speed relative to LAN, a service provider owns the physical medium. MAN (Metropolitan Area Network) falls between -- city-scale, often fiber-based.
Demarcation Point (Demarc)
The physical point where the ISP's responsibility ends and yours begins. Usually a box on the side of the building. Everything on the ISP side is their problem. Everything on your side is yours.
Smart Jack (NIU)
An intelligent demarc device the ISP can remotely test and loop back. Helps the ISP diagnose whether the problem is on their side or yours without sending a technician.
CSU/DSU
Channel Service Unit / Data Service Unit. Converts between LAN framing and WAN signaling. Sits between your router and the provider's circuit. Legacy T1/T3 technology -- less common today but still tested.
CPE (Customer Premises Equipment)
Any equipment on your side of the demarc. Routers, switches, firewalls -- anything you own or lease. The ISP may provide a managed CPE device (their router on your site).
Exam tip: "Where does the ISP's responsibility end?" -- at the demarcation point. If the smart jack tests clean, the problem is on your side.
Slide 3 of 8
Dedicated WAN: MPLS & Metro Ethernet
Premium connections with guaranteed performance -- for a premium price.
MPLS (Multiprotocol Label Switching)
Provider-managed WAN that routes traffic using labels instead of IP lookups.
Supports QoS classes -- voice traffic gets priority over file transfers.
Full mesh connectivity between sites without individual point-to-point links.
Expensive but reliable. Being replaced by SD-WAN in many deployments.
Metro Ethernet
Ethernet-based WAN service within a metropolitan area.
Familiar technology -- same Ethernet frames, just carried over the provider's fiber.
Scalable: start at 10 Mbps, increase to 10 Gbps without changing equipment.
Lower cost than MPLS within a metro area.
MPLS Label Stack
MPLS inserts a 32-bit label header (a "shim") between the Layer 2 and Layer 3 headers. Label Switch Routers (LSRs) make forwarding decisions based on the label, not the IP header. This is faster and enables traffic engineering -- the provider can steer specific traffic classes along specific paths.
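To make the label stack concrete, here is an added example (not code from the slides) that encodes and parses MPLS label stack entries. The bit layout is the standard one for the 32-bit shim header; the sample bytes (a transport label 1000 over a VPN label 16, followed by the first byte of an IPv4 header) are constructed for the demonstration.

```python
"""Encode and parse an MPLS label stack (added example; not from the slides).

Each label stack entry is a 32-bit "shim" header inserted between the
Layer 2 and Layer 3 headers:

    | Label (20 bits) | TC (3 bits) | S (1 bit) | TTL (8 bits) |

The S ("bottom of stack") bit is 1 on the last entry; whatever follows it
is the original Layer 3 packet.  The sample bytes below are constructed.
"""
import struct
from dataclasses import dataclass


@dataclass
class LabelEntry:
    label: int     # 20-bit label value the LSR switches on
    tc: int        # 3-bit traffic class (QoS marking, formerly EXP)
    bottom: bool   # S bit: last entry in the stack
    ttl: int       # 8-bit time-to-live


def build_entry(label: int, tc: int, bottom: bool, ttl: int) -> bytes:
    """Encode one 32-bit label stack entry in network byte order."""
    if not 0 <= label < (1 << 20):
        raise ValueError("label must fit in 20 bits")
    if not 0 <= tc < 8 or not 0 <= ttl < 256:
        raise ValueError("tc must fit in 3 bits, ttl in 8 bits")
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)


def parse_label_stack(data: bytes) -> tuple[list[LabelEntry], bytes]:
    """Walk label entries until the S bit is set; return (stack, payload)."""
    stack = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("truncated label stack: no bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        offset += 4
        entry = LabelEntry(
            label=(word >> 12) & 0xFFFFF,
            tc=(word >> 9) & 0x7,
            bottom=bool((word >> 8) & 0x1),
            ttl=word & 0xFF,
        )
        stack.append(entry)
        if entry.bottom:
            return stack, data[offset:]


# Constructed sample: outer transport label 1000 (voice class TC=5), inner
# VPN label 16, then the first byte of an IPv4 header (0x45).
SAMPLE = (
    build_entry(1000, 5, False, 64)
    + build_entry(16, 0, True, 63)
    + bytes.fromhex("45")
)

if __name__ == "__main__":
    labels, payload = parse_label_stack(SAMPLE)
    for entry in labels:
        print(entry)
    print("payload starts with:", payload.hex())
```

The parser refuses a stack that runs out of bytes before an entry with the S bit set, which is the check a real LSR or packet dissector needs so a truncated frame cannot be read past its end.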
Your company's VoIP calls between HQ and the branch are choppy on the Internet VPN. You upgrade to MPLS with a voice QoS class. The provider guarantees latency under 30ms and zero packet loss for voice. Problem solved -- at $2,000/month more.
Slide 4 of 8
Broadband: DSL, Cable, Fiber
Consumer and business-grade Internet access technologies.
DSL (Digital Subscriber Line)
Uses existing phone lines. Asymmetric (ADSL): faster download than upload. Symmetric (SDSL): equal both ways. Speed degrades with distance from the central office. Max ~100 Mbps for VDSL2.
Cable (DOCSIS)
Uses coaxial cable TV infrastructure. Shared bandwidth in a neighborhood (contention). DOCSIS 3.1 supports up to 10 Gbps downstream. Asymmetric by design. Good availability in urban/suburban areas.
Fiber (FTTH/FTTP)
Fiber optic to the premises. Symmetric speeds, low latency, immune to electromagnetic interference. Speeds from 100 Mbps to 10 Gbps. Highest reliability. Limited availability in rural areas.
Cellular (4G LTE / 5G)
Wireless WAN via cellular networks. Good for mobile workers, temporary sites, and backup connectivity. 5G offers low latency and multi-Gbps speeds but requires proximity to towers.
Satellite
Available almost anywhere with sky visibility. High latency (600ms+ for geostationary, ~30ms for LEO like Starlink). Good for remote/rural locations with no other options. Weather-sensitive.
Choosing the Right Option
Fiber for speed and reliability. Cable for cost-effective high bandwidth. DSL where cable/fiber is unavailable. Cellular for mobility or backup. Satellite as last resort due to latency.
Slide 5 of 8
SD-WAN: Software-Defined WAN
Use cheap Internet links like expensive MPLS circuits -- with intelligence.
What SD-WAN Does
Abstracts the WAN transport. You can combine MPLS, broadband, LTE, and satellite into a single overlay. A central controller decides which path each application uses based on real-time performance metrics.
Application-Aware Routing
SD-WAN identifies applications (voice, video, SaaS, web browsing) and routes them over the best available path. Voice goes over the low-latency link. File transfers go over the cheap broadband link.
Why It Matters
Reduces WAN costs by 50-70% by replacing expensive MPLS with broadband. Centralized management across all sites. Built-in encryption for all traffic. Faster deployment of new branches.
SD-WAN vs Traditional WAN
Traditional: each site has an MPLS circuit, configuration is per-device, changes take weeks.
SD-WAN: each site has broadband + optional MPLS, configuration is centralized, new sites deploy in hours. The controller pushes policies to all edge devices simultaneously.
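The application-aware routing and centralized policy described on this slide can be shown as a small controller decision loop. This is an added example, not code from the slides or from any SD-WAN product; the policy table, link names and metric values are constructed, and a real controller would feed the same kind of logic with live probe results from each edge device.

```python
"""Application-aware path selection, as an SD-WAN controller might do it
(added example; not code from any SD-WAN product or from the slides).

Each WAN link reports live metrics; each application class carries an SLA
(maximum latency and loss it tolerates) and a preference (lowest latency or
lowest cost).  The controller picks the best link that meets the SLA and
falls back to the least-bad link if none does.  All numbers are constructed.
"""
from dataclasses import dataclass


@dataclass
class LinkMetrics:
    name: str
    latency_ms: float
    loss_pct: float
    cost: int          # relative cost per Mbit, lower is cheaper


@dataclass
class AppPolicy:
    max_latency_ms: float
    max_loss_pct: float
    prefer: str        # "latency" or "cost"


# Assumed policy table; real SD-WAN products expose something similar.
POLICIES = {
    "voice": AppPolicy(max_latency_ms=50, max_loss_pct=1.0, prefer="latency"),
    "video": AppPolicy(max_latency_ms=150, max_loss_pct=2.0, prefer="latency"),
    "bulk": AppPolicy(max_latency_ms=500, max_loss_pct=5.0, prefer="cost"),
}


def meets_sla(link: LinkMetrics, policy: AppPolicy) -> bool:
    """True when the link's current metrics are within the application's SLA."""
    return (link.latency_ms <= policy.max_latency_ms
            and link.loss_pct <= policy.max_loss_pct)


def select_path(app: str, links: list[LinkMetrics]) -> str:
    """Return the name of the link this application should use right now."""
    policy = POLICIES[app]
    if policy.prefer == "latency":
        key = lambda lk: lk.latency_ms
    else:
        key = lambda lk: lk.cost
    healthy = [lk for lk in links if meets_sla(lk, policy)]
    if healthy:
        return min(healthy, key=key).name
    # Brown-out: nothing meets the SLA, so pick the link with the lowest loss,
    # breaking ties on latency, rather than blackholing the application.
    return min(links, key=lambda lk: (lk.loss_pct, lk.latency_ms)).name


# Constructed snapshot: MPLS is clean but expensive, fiber broadband is
# good and cheap, cable is cheapest but currently lossy.
LINKS = [
    LinkMetrics("mpls", latency_ms=20, loss_pct=0.0, cost=10),
    LinkMetrics("fiber", latency_ms=25, loss_pct=0.1, cost=2),
    LinkMetrics("cable", latency_ms=40, loss_pct=3.0, cost=1),
]

if __name__ == "__main__":
    for app in POLICIES:
        print(f"{app:>5} -> {select_path(app, LINKS)}")
```

With this snapshot voice lands on the low-latency MPLS circuit and bulk file transfer on the cheap cable link, which is the behaviour the slide describes; when the MPLS circuit degrades, voice moves to fiber without any per-device reconfiguration, because the decision lives in the controller's policy rather than in static routes at each site.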
Slide 6 of 8
VPN Types: Site-to-Site & Client-to-Site
Encrypt traffic across untrusted networks. Two models, different use cases.
Site-to-Site VPN
Connects two networks (HQ to branch) permanently. IPSec tunnel between two routers or firewalls.
Users at each site access resources as if they are on the same LAN.
Always-on -- no user interaction required. Transparent to end users.
Client-to-Site (Remote Access VPN)
Individual user connects from a laptop/phone to the corporate network.
Uses VPN client software (AnyConnect, GlobalProtect, WireGuard).
User authenticates, gets a tunnel, receives a corporate IP address.
Common for remote workers and traveling employees.
Full Tunnel
All traffic from the client goes through the VPN tunnel, including Internet browsing. The corporate network inspects everything. More secure, but higher bandwidth consumption on the VPN concentrator.
Split Tunnel
Only corporate-destined traffic goes through the tunnel. Internet traffic goes directly out the user's local connection. Lower bandwidth usage, but the corporate network cannot inspect Internet traffic. Security trade-off.
Exam tip: Full tunnel = more secure, more bandwidth. Split tunnel = less bandwidth, less visibility. If the question mentions "security concern with VPN" -- split tunnel is usually the answer.
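The full-tunnel versus split-tunnel trade-off comes down to which routes the VPN client installs. The following added example (not code from the slides or from any VPN client) builds the two route tables and runs a longest-prefix lookup the way a host routing table would, so you can see exactly which destinations leave the corporate network's view under split tunneling. The corporate prefixes and the sample destinations are constructed, using RFC 1918 and documentation address ranges.

```python
"""Which destinations enter the VPN tunnel under full vs split tunneling
(added example; not from the slide deck or any VPN client).

A VPN client installs routes; the kernel picks the most specific match.
Full tunnel pushes a default route (0.0.0.0/0) into the tunnel; split
tunnel pushes only the corporate prefixes.  The prefixes and destinations
below are constructed (RFC 1918 space stands in for "corporate").
"""
import ipaddress

# Assumed corporate address space reachable only through the tunnel.
CORPORATE_PREFIXES = ["10.0.0.0/8", "172.16.0.0/12"]

TUNNEL_IFACE = "tun0"   # the VPN virtual interface
LOCAL_IFACE = "eth0"    # the user's local Internet connection


def build_routes(mode: str) -> list[tuple[ipaddress.IPv4Network, str]]:
    """Return (prefix, interface) pairs the client installs for a mode."""
    corp = [(ipaddress.ip_network(p), TUNNEL_IFACE) for p in CORPORATE_PREFIXES]
    default = ipaddress.ip_network("0.0.0.0/0")
    if mode == "full":
        # Everything, including Internet browsing, goes through the tunnel.
        return corp + [(default, TUNNEL_IFACE)]
    if mode == "split":
        # Only corporate prefixes use the tunnel; the default route stays local.
        return corp + [(default, LOCAL_IFACE)]
    raise ValueError(f"unknown tunnel mode: {mode}")


def lookup(routes: list[tuple[ipaddress.IPv4Network, str]], dst: str) -> str:
    """Longest-prefix match: the most specific matching route wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net.prefixlen, iface) for net, iface in routes if addr in net]
    return max(matches)[1]


def classify(mode: str, destinations: list[str]) -> dict[str, str]:
    """Map each destination to the interface it would leave on."""
    routes = build_routes(mode)
    return {d: lookup(routes, d) for d in destinations}


def bypasses_inspection(mode: str, destinations: list[str]) -> list[str]:
    """Destinations the corporate network never sees for this mode."""
    return [d for d, iface in classify(mode, destinations).items()
            if iface != TUNNEL_IFACE]


# Constructed destinations: two corporate hosts, two Internet hosts
# (documentation ranges, not real services).
SAMPLE_DESTINATIONS = ["10.1.2.3", "172.20.0.5", "203.0.113.7", "198.51.100.9"]

if __name__ == "__main__":
    for mode in ("full", "split"):
        print(mode, classify(mode, SAMPLE_DESTINATIONS))
        print("  not inspected:", bypasses_inspection(mode, SAMPLE_DESTINATIONS))
```

Run it and the "not inspected" list is empty for full tunnel and contains both Internet destinations for split tunnel: that list is the visibility the corporate network gives up, and the bandwidth it saves on the VPN concentrator, when split tunneling is enabled.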
Slide 7 of 8
VPN Protocols & Encryption
The protocols that build the tunnel and protect the data inside it.
IPSec
Industry standard for site-to-site VPNs. Two modes: Transport (encrypts payload only) and Tunnel (encrypts entire original packet). Uses AH (authentication) and ESP (encryption + authentication). Operates at Layer 3.
SSL/TLS VPN
Uses HTTPS (port 443) for the tunnel. Works through most firewalls since port 443 is rarely blocked. Commonly used for client-to-site (remote access). No special client needed for clientless mode -- just a browser.
WireGuard
Modern, lightweight VPN protocol. Smaller codebase (~4,000 lines vs hundreds of thousands for OpenVPN/IPSec). Fast, uses modern cryptography (ChaCha20, Curve25519). Growing adoption for both site-to-site and remote access.
PPTP -- Deprecated
Point-to-Point Tunneling Protocol. Uses TCP port 1723. Encryption is broken (MS-CHAPv2 vulnerabilities). Do not use. If you see it on the exam, it is the wrong answer for "secure VPN."
GRE (Generic Routing Encapsulation)
Tunneling protocol that encapsulates packets. No encryption by itself. Often paired with IPSec (GRE over IPSec) to get both multicast support (GRE) and encryption (IPSec).
DMVPN
Dynamic Multipoint VPN. Cisco technology that creates a hub-and-spoke VPN topology with dynamic spoke-to-spoke tunnels. Combines GRE, IPSec, and NHRP. Scales well for multi-site deployments.
Slide 8 of 8 | N10-009 Obj 1.2
WAN Technologies -- Key Takeaways
You recommend to leadership: "We replace the $4,000/month MPLS with SD-WAN over two broadband links per site. Voice gets priority routing over the fiber link. File transfers use the cable backup. A site-to-site IPSec tunnel encrypts everything. We deploy the branch in two days instead of six weeks."
5 Facts to Carry Out of This Presentation
1. The demarcation point separates ISP responsibility from yours. Smart jack allows remote testing. CSU/DSU converts LAN framing to WAN signaling.
2. MPLS = label-switched, QoS-capable, provider-managed. Metro Ethernet = Ethernet over provider fiber within a city. Both are premium services.