Understanding WAN Architecture: How Wide Area Networks Connect the World

When we think about networks, most of us picture the internet or the connection in our home or office. But behind the scenes, there’s a bigger system that connects multiple locations across cities, countries, or even continents. This system is called a Wide Area Network, or WAN. WAN architecture is the way these large networks are designed and organized to ensure data moves efficiently, securely, and reliably between different sites.
In this blog, we’ll break down the main types of WAN architectures, how they work, and the advantages and challenges of each. By the end, you’ll have a clear understanding of how WANs keep our world connected.
What is WAN?
A Wide Area Network (WAN) is a network that connects multiple smaller networks, like local area networks (LANs), over a large geographic area. Unlike a LAN, which is limited to a single building or campus, a WAN can span cities, countries, or even continents.
The main purpose of a WAN is to allow users and devices in different locations to communicate and share resources as if they were on the same local network. This is the backbone of the internet and the technology that lets companies connect offices in different cities or countries.
WANs use different types of connections, like leased lines, broadband, or even satellite links, and rely on routers and other devices to manage traffic between sites efficiently and securely.
Leased Lines
A leased line is a dedicated, private connection between two locations. Unlike regular internet connections, which are shared with many users, a leased line is reserved entirely for the organization using it. This means it provides a consistent speed, low latency, and a reliable connection, which is important for businesses that need stable communication between offices.
Leased lines are typically used for connecting branch offices, data centers, or for internet access where high reliability is required. Because they are private and always on, they are more expensive than regular internet connections, but the performance and security benefits often justify the cost.
MPLS (Multiprotocol Label Switching)
MPLS is a WAN technology that directs data from one network node to another based on short path labels rather than long network addresses. This helps data travel faster and more efficiently across complex networks.
One of the key advantages of MPLS is that it can prioritize certain types of traffic. For example, voice or video calls can be given higher priority over regular data to reduce delays and improve quality. MPLS also allows companies to connect multiple sites securely and reliably, even over a shared infrastructure managed by a service provider.
Compared to traditional WANs like leased lines, MPLS can be more flexible and cost-effective, especially for businesses with many branch offices that need a consistent connection.
Important WAN Terms: CE, PE, and P Routers
When talking about WANs, especially MPLS networks, you’ll often hear the terms CE, PE, and P routers. These are different types of routers that play specific roles in moving data across a WAN.
1. CE Router (Customer Edge Router)
The CE router is located at the customer’s site, like an office or branch. It connects the customer’s network to the service provider’s network. The CE router does not need to know the entire provider network. It only communicates with the provider’s edge router.
2. PE Router (Provider Edge Router)
The PE router is on the service provider’s side, at the edge of their network. It connects directly to CE routers and handles routing between the customer network and the provider’s WAN. In MPLS, the PE router also assigns labels to packets so they can travel efficiently through the provider’s network.
3. P Router (Provider Router or Core Router)
The P router sits inside the provider’s network and moves data across the backbone. It does not connect directly to the customer; its main job is to forward labeled packets between PE routers quickly and reliably.
These three types of routers work together to ensure that data travels smoothly and efficiently across a WAN, especially in large, complex networks like MPLS.
How MPLS Forwarding Works
In an MPLS-based WAN, when a PE (Provider Edge) router receives packets from a CE (Customer Edge) router, it pushes a label onto each packet. This label is like a tag that tells the service provider’s network how to handle and forward the data.
The key point is that the label, not the destination IP, is used by the provider’s network (the P routers) to make forwarding decisions. This allows the network to move data quickly and efficiently: the core routers don’t need to inspect the full IP header or consult the IP routing table for every packet; they just follow the labels.
Once the packet reaches the destination PE router, the label is removed, and the data is delivered to the CE router at the customer site.
This labeling system makes MPLS faster, more scalable, and better at handling traffic priorities like voice or video.
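To make the push/swap/pop behaviour concrete, here is an added example (not code from the original post) that models the CE -> PE -> P -> PE -> CE path in Python. The router names, prefixes and label values are constructed; the point to notice is that only the ingress PE does an IP lookup, while P and the egress PE decide purely on the incoming label.

```python
# Added example: a minimal model of MPLS label forwarding along
# CE1 -> PE1 -> P1 -> PE2/PE3 -> CE2/CE3. All names, prefixes and labels
# are constructed for illustration.
import ipaddress

# Ingress PE: maps a destination prefix (the FEC) to the label it pushes and
# the next hop. Longest-prefix match, like an ordinary IP routing lookup.
PE1_FEC = {
    "10.2.0.0/16": {"push": 201, "next_hop": "P1"},
    "10.3.0.0/16": {"push": 301, "next_hop": "P1"},
}

# Label forwarding tables (LFIBs): incoming label -> action. No IP prefixes
# appear here; the core forwards on labels alone.
LFIB = {
    "P1":  {201: {"swap": 202, "next_hop": "PE2"},
            301: {"swap": 302, "next_hop": "PE3"}},
    "PE2": {202: {"pop": True, "next_hop": "CE2"}},
    "PE3": {302: {"pop": True, "next_hop": "CE3"}},
}


def ingress_lookup(dst_ip: str) -> dict:
    """Ingress PE classifies the packet by destination (longest prefix match)."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, entry in PE1_FEC.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    if best is None:
        raise LookupError(f"no FEC for {dst_ip}")
    return best[1]


def forward(dst_ip: str):
    """Return (trace, exit_ce): one record per hop showing what the hop looked
    at (IP or label) and which label action it took."""
    entry = ingress_lookup(dst_ip)
    label, node = entry["push"], entry["next_hop"]
    trace = [("PE1", "ip-lookup", dst_ip, "push", label)]
    while True:
        action = LFIB[node][label]      # only the label is consulted here
        if "swap" in action:
            trace.append((node, "label-lookup", label, "swap", action["swap"]))
            label, node = action["swap"], action["next_hop"]
        else:
            trace.append((node, "label-lookup", label, "pop", None))
            return trace, action["next_hop"]
```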
MPLS and the Role of CE Routers
In an MPLS WAN, the CE (Customer Edge) router does not use MPLS. MPLS is only used inside the service provider network by PE (Provider Edge) and P (Provider/Core) routers. This means that from the CE router’s perspective, it’s just talking to another router over a normal IP network, even though the data is traveling across an MPLS network.
There are two main types of MPLS VPNs: Layer 3 and Layer 2, and the behavior of CE and PE routers differs between them.
1. Layer 3 MPLS VPN:
In this setup, the CE and PE routers form a routing peer, usually using a protocol like OSPF.
The CE router sends its routes to the PE router, which then distributes them across the MPLS network to other PE routers.
The MPLS network uses labels to forward traffic, but the CE routers are aware of each other’s networks because they exchange routing information with the PE routers.
2. Layer 2 MPLS VPN:
Here, the CE and PE routers do not form a routing peer.
The service provider network is completely transparent to the CE routers, which makes it feel as if the CE routers are directly connected.
Their WAN interfaces are in the same subnet, and if a routing protocol is used, the CE routers can peer directly with each other, ignoring the provider network in between.
In short, CE routers don’t need to know about MPLS. The service provider handles all the label forwarding inside its network, while the CE routers either exchange routes with the PE router (Layer 3 MPLS VPN) or behave as if they were directly connected to each other (Layer 2 MPLS VPN).
Internet Connections as WAN
Not all WANs rely on leased lines or MPLS. Many organizations also use regular internet connections as part of their WAN. Instead of paying for private circuits, they connect their branch offices to the public internet and then use technologies like VPN (Virtual Private Network) to secure the traffic.
The main advantage here is cost. Internet connections are usually cheaper and more widely available than leased lines or MPLS. This makes them a practical choice for small offices, remote workers, or businesses that don’t need the strict performance guarantees of private WAN services.
The downside is that internet-based WANs don’t always provide the same reliability, speed, or security as dedicated services. Since the internet is a shared network, performance can vary depending on traffic conditions. That’s why companies often use encryption (like IPsec VPN) to keep their data secure.
Today, many businesses combine internet links with private WAN services to balance cost and performance. This is also where SD-WAN comes into play, since it can intelligently manage traffic over multiple connection types.
DSL (Digital Subscriber Line)
DSL is one of the older technologies used to provide internet connections over traditional telephone lines. It allows both voice calls and data to travel at the same time without interfering with each other.
For WAN use, DSL is often chosen by small offices or home offices because it’s affordable and widely available. The main advantage of DSL is that it can deliver a permanent connection without needing expensive leased lines.
However, DSL has limitations. The speed is usually slower compared to modern options like fiber, and the performance depends on how far the user is from the telephone company’s central office. The farther away, the weaker the signal and the lower the speed.
Because of these limits, DSL is less common in large enterprise WANs today, but you might still see it in smaller setups or as a backup connection.
Cable Internet
Cable internet is another common way to connect to the WAN, and it uses the same coaxial cables that deliver cable TV. Unlike DSL, which is distance-sensitive, cable internet usually provides faster speeds and more stable performance.
For businesses or home offices, cable internet is often a step up from DSL because it can handle higher bandwidth, making it better for video calls, cloud applications, and large file transfers.
One thing to keep in mind is that cable internet is a shared connection. This means that the bandwidth is shared with other subscribers in the same area. During peak hours, like evenings, the speed may drop because many people are using the network at the same time.
Despite that, cable internet is still widely used because of its balance between cost and performance. For many small to medium-sized businesses, it provides a reliable WAN connection without the higher cost of fiber or leased lines.
Redundant Internet Connections
In WAN design, reliability is just as important as speed. That’s where redundant internet connections come in. Redundancy means having more than one internet link, so if one fails, the other can take over.
For example, a business might use a fiber connection as the primary link and keep a cable or DSL connection as backup. If the fiber line goes down, the traffic automatically switches to the secondary link. This prevents downtime and keeps the business running smoothly.
Some organizations even use multiple active connections at the same time, balancing traffic between them. This setup not only provides backup but can also improve performance by spreading the load.
Redundant connections are especially important for companies that rely heavily on cloud services, online transactions, or constant communication. Even a short outage can disrupt operations, so having a backup link ensures continuous connectivity.
WAN Redundancy Designs: Single-Homed, Dual-Homed, Multi-Homed, and Dual Multi-Homed
When we talk about redundant internet connections, you’ll often hear these terms. They describe how a business connects to one or more Internet Service Providers (ISPs) to achieve reliability and redundancy. Let’s break them down.
1. Single-Homed
The simplest setup.
The organization connects to only one ISP through a single link.
This is the cheapest option but also the most vulnerable—if the ISP or the link goes down, the site loses connectivity.
2. Dual-Homed
Still connected to only one ISP, but with two links.
If one link fails, the second one can take over.
This improves reliability but still depends on a single provider, so if the ISP itself goes down, both links fail.
3. Multi-Homed
The organization connects to two or more ISPs, but only with a single link to each.
If one ISP fails, traffic can still go through the other.
This setup protects against a provider outage but each ISP link is still a single point of failure.
4. Dual Multi-Homed
The most robust option.
The organization connects to two or more ISPs and has two or more links to each provider.
This design provides full redundancy: if one ISP or link fails, the others can keep the network running.
It’s more expensive but ideal for businesses where uptime is critical.
In short:
Single-homed = one ISP, one link.
Dual-homed = one ISP, two links.
Multi-homed = multiple ISPs, one link each.
Dual multi-homed = multiple ISPs, multiple links each.
Internet VPNs
When organizations use the public internet as part of their WAN, security becomes a big concern. This is where VPNs (Virtual Private Networks) come in. A VPN creates an encrypted tunnel over the internet, allowing data to travel securely between sites or users, just like it would over a private leased line.
There are two common types of internet VPNs:
1. Site-to-Site VPN
Used to connect entire office networks together over the internet.
For example, a branch office router can build a VPN tunnel to the headquarters router, making it seem like both offices are on the same private network.
2. Remote Access VPN
Used by individual users who connect to the company network from home, while traveling, or on a public Wi-Fi.
The VPN client on their laptop or phone creates a secure tunnel back to the company network, protecting sensitive data from prying eyes.
The advantage of internet VPNs is cost. Instead of paying for dedicated private circuits, businesses can use the internet and still get secure communication. The main challenge, however, is that performance depends on internet quality, which can vary.
Site-to-Site VPN (IPsec)
A site-to-site VPN securely connects two or more networks over the public internet, making them act like one private network. The most common way to build this is with IPsec, which encrypts traffic so that outsiders can’t read it.
Here’s how it works:
IKE negotiation: The two routers/firewalls agree on encryption and authentication settings.
Tunnel setup: A secure tunnel (IPsec SA) is created to protect traffic.
Traffic flow: Packets matching the VPN policy are encrypted, sent across the internet, then decrypted at the other end.
Routing: You can use static routes for small sites or dynamic routing protocols for larger, multi-site setups.
There are two approaches:
Policy-based VPN: Uses access lists to decide which traffic is protected.
Route-based VPN: Uses a tunnel interface and routing; this is more flexible and the more common approach today.
The main benefit is cost savings compared to leased lines, while still ensuring privacy and security. The challenge is that performance depends on internet quality.
How a Site-to-Site IPsec VPN Works (Process)
Trigger: Traffic between the two networks (like 10.1.0.0/16 to 10.2.0.0/16) triggers the VPN setup.
IKE Negotiation: The two devices exchange keys, agree on encryption/authentication settings, and build a secure control channel.
IPsec Tunnel Established: Security Associations (SAs) are created to define which subnets are protected and how data will be encrypted.
Data Transfer: Packets that match the VPN policy are encrypted with IPsec, sent across the internet, and decrypted at the remote site.
Rekeying: After a set time, new keys are negotiated to keep the tunnel secure.
The end result is that devices in different locations communicate as if they’re on the same private network, but with all traffic protected by encryption.
Limitations of Standard IPsec
While IPsec is widely used for secure site-to-site VPNs, it does come with a few limitations:
Performance depends on hardware: Encryption and decryption require processing power. Without hardware acceleration, IPsec can slow down at higher speeds.
Scalability issues: Managing many site-to-site IPsec tunnels can be complex, especially with policy-based VPNs. It doesn’t scale well for large networks compared to MPLS or SD-WAN.
NAT challenges: IPsec doesn’t naturally work well with devices behind NAT. NAT-T (NAT Traversal) is needed, which can add complexity.
Static and rigid: Standard IPsec often requires static configurations. Any change in IP addresses, subnets, or ISPs can break the tunnel.
Quality of service (QoS): Since IPsec hides the original packet headers inside the encrypted payload, classifying traffic for prioritization (like voice/video) is harder without extra setup.
Single path use: Traditional IPsec tunnels usually use one internet link at a time, lacking built-in load balancing or intelligent path selection (this is where SD-WAN improves things).
GRE over IPsec
Standard IPsec site-to-site VPNs are good at securing traffic, but they have some limitations. For example, they don’t easily support multicast, broadcast, or running dynamic routing protocols across the tunnel. This is where GRE over IPsec comes in.
GRE (Generic Routing Encapsulation) creates a virtual tunnel between two routers. This tunnel can carry many types of traffic, including multicast and routing protocols like OSPF or EIGRP. On its own, GRE does not provide encryption. It only encapsulates the packets.
To make it secure, GRE is often combined with IPsec:
GRE handles flexibility (allowing routing protocols, multicast, and multiple subnets).
IPsec provides security (encrypting and authenticating the GRE packets as they travel over the internet).
How it works:
GRE builds a tunnel between two sites, making them look directly connected.
IPsec is applied to the GRE traffic, encrypting it before it goes across the internet.
At the other end, the IPsec layer decrypts the traffic, then the GRE tunnel delivers the original packets into the local network.
This setup is common in enterprise WANs where dynamic routing and secure communication are both required.
GRE Tunnel Configuration (Without IPsec)
GRE is supported in Packet Tracer, but IPsec is not. That means we can only configure GRE tunnels. Here’s a basic example:
Topology:
- Router0 <--> Internet (Cloud) <--> Router1
On Router0:
interface tunnel0
ip address 10.0.0.1 255.255.255.252
tunnel source 192.168.1.1
tunnel destination 192.168.2.1
On Router1:
interface tunnel0
ip address 10.0.0.2 255.255.255.252
tunnel source 192.168.2.1
tunnel destination 192.168.1.1
Now, both routers can communicate through the GRE tunnel using the 10.0.0.0/30 network.
GRE Tunnel with IPsec (Concept Only)
Packet Tracer does not support IPsec configuration, so you won’t be able to test this in the simulator. But in real Cisco IOS, you would combine GRE with IPsec by:
Creating a GRE tunnel (same as above).
Defining ISAKMP and IPsec policies.
Applying a crypto map to the physical interface.
Example (conceptual, not supported in Packet Tracer):
crypto isakmp policy 10
encr aes
hash sha
authentication pre-share
group 2
crypto isakmp key MYKEY address 192.168.2.1
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 192.168.2.1
set transform-set MYSET
match address 100
access-list 100 permit gre host 192.168.1.1 host 192.168.2.1
interface s0/0/0
crypto map MYMAP
NOTE: So in Packet Tracer, stick with GRE tunnels only. If you want to try GRE over IPsec, you’ll need GNS3 or real Cisco hardware.
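As an added example (not the post’s own code or configuration), the Python below builds the packet that Router0’s tunnel0 would send and then evaluates it against the crypto ACL from the configuration above (access-list 100 permit gre host 192.168.1.1 host 192.168.2.1). It covers both the GRE encapsulation described in the "How it works" steps and the "packets matching the VPN policy" step of the IPsec process: the ACL only sees the outer header (protocol 47), so an OSPF multicast hello that IPsec alone could not carry is protected once it rides inside GRE. The OSPF payload and inner addresses are constructed.

```python
# Added example: GRE encapsulation plus the policy-based IPsec ACL check for
# the post's topology (192.168.1.1 <-> 192.168.2.1). Inner packet contents
# are constructed for illustration.
import struct
import ipaddress

IPPROTO_GRE = 47        # GRE carried directly in IPv4
ETHERTYPE_IPV4 = 0x0800 # GRE "protocol type" for an inner IPv4 packet


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement IPv4 header checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.ip_address(src).packed,
                      ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner_packet: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IP (proto 47) + 4-byte GRE header (no flags, type 0x0800) + inner."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    outer = ipv4_header(tunnel_src, tunnel_dst, IPPROTO_GRE,
                        len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def gre_decapsulate(packet: bytes) -> bytes:
    """What the far-end tunnel interface does after IPsec has decrypted."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return packet[ihl + 4:]


def crypto_acl_matches(packet: bytes) -> bool:
    """'permit gre host 192.168.1.1 host 192.168.2.1': only the outer header
    is inspected, so everything inside the tunnel is covered by IPsec."""
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    return packet[9] == IPPROTO_GRE and src == "192.168.1.1" and dst == "192.168.2.1"


# Constructed inner packet: an OSPF (protocol 89) hello to 224.0.0.5, the
# AllSPFRouters multicast group; the OSPF bytes are a placeholder.
OSPF_HELLO = ipv4_header("10.0.0.1", "224.0.0.5", 89, 8) + b"\x02\x01\x00\x08" + b"\x00" * 4
TUNNELED = gre_encapsulate(OSPF_HELLO, "192.168.1.1", "192.168.2.1")
```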
Dynamic Multipoint VPN (DMVPN)
DMVPN is a Cisco solution that simplifies building secure, scalable VPNs. Instead of creating multiple static site-to-site VPN tunnels between branch offices, DMVPN allows dynamic, on-demand tunnels to be formed when needed. This reduces configuration effort and makes the network more efficient.
How it Works
Uses a hub-and-spoke design (hub is always known, spokes can connect to each other dynamically).
Spokes initially communicate through the hub, but once they learn each other’s IPs, they can form direct tunnels (spoke-to-spoke) without going through the hub.
It combines three key technologies:
mGRE (Multipoint GRE): Allows one tunnel interface to support multiple destinations.
NHRP (Next Hop Resolution Protocol): Works like ARP for tunnels, letting spokes discover each other’s public IP addresses.
IPsec: Provides encryption and security for the tunnels.
Benefits
Easy to scale (no need for configuring tunnels between every pair of sites).
Reduces bandwidth use at the hub (spokes can talk directly).
Simplifies configuration compared to traditional full mesh VPNs.
Note for Packet Tracer:
DMVPN is not supported in Cisco Packet Tracer, since it requires mGRE and NHRP, which are only available in real IOS or GNS3/EVE-NG labs.
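Since the NHRP exchange cannot be tried in Packet Tracer, here is an added example (not from the original post) that models it in Python: the hub keeps the registrations, the first packet from one spoke to another goes via the hub while the hub resolves the peer’s public address, and after that the spoke forwards over a direct tunnel. The Hub and Spoke classes and all addresses are constructed for this illustration.

```python
# Added example: toy model of DMVPN hub-and-spoke behaviour. The hub is the
# NHRP next-hop server; spokes register tunnel IP -> public (NBMA) IP and
# resolve peers on demand. All addresses are constructed.

class Hub:
    """NHRP next-hop server: stores the registrations sent by spokes."""
    def __init__(self, tunnel_ip: str, nbma_ip: str):
        self.tunnel_ip, self.nbma_ip = tunnel_ip, nbma_ip
        self.registrations = {}          # tunnel IP -> NBMA (public) IP

    def register(self, tunnel_ip: str, nbma_ip: str) -> None:
        self.registrations[tunnel_ip] = nbma_ip

    def resolve(self, tunnel_ip: str):
        """Answer an NHRP resolution request; None if nobody registered it."""
        return self.registrations.get(tunnel_ip)


class Spoke:
    def __init__(self, tunnel_ip: str, nbma_ip: str, hub: Hub):
        self.tunnel_ip, self.nbma_ip, self.hub = tunnel_ip, nbma_ip, hub
        self.nhrp_cache = {hub.tunnel_ip: hub.nbma_ip}  # hub is statically known
        self.tunnels = {hub.nbma_ip}                    # mGRE/IPsec peers that are up
        hub.register(tunnel_ip, nbma_ip)                # NHRP registration on boot

    def send(self, dst_tunnel_ip: str):
        """Return (path, peer_nbma) used for a packet to another spoke."""
        if dst_tunnel_ip in self.nhrp_cache:
            return "direct", self.nhrp_cache[dst_tunnel_ip]
        # First packet: forward via the hub and ask it to resolve the next hop.
        nbma = self.hub.resolve(dst_tunnel_ip)
        if nbma is None:
            raise LookupError(f"{dst_tunnel_ip} is not registered with the hub")
        self.nhrp_cache[dst_tunnel_ip] = nbma
        self.tunnels.add(nbma)          # dynamic spoke-to-spoke tunnel comes up
        return "via-hub", self.hub.nbma_ip


def demo():
    """Two spokes behind one hub; spoke A sends two packets to spoke B."""
    hub = Hub("10.0.0.1", "203.0.113.1")
    a = Spoke("10.0.0.2", "198.51.100.2", hub)
    b = Spoke("10.0.0.3", "198.51.100.3", hub)
    first = a.send(b.tunnel_ip)       # goes through the hub, triggers NHRP
    second = a.send(b.tunnel_ip)      # now direct spoke-to-spoke
    return first, second, sorted(a.tunnels)
```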
Remote Access VPNs
Remote Access VPNs allow individual users to securely connect to a private network (such as a company’s network) over the internet. Unlike site-to-site VPNs that connect entire branch offices, remote access VPNs are made for single devices like laptops, phones, or home PCs.
They work by installing VPN client software on the user’s device, which establishes an encrypted tunnel to the VPN server or firewall. This ensures that data sent and received is secure, even when the user is on public Wi-Fi.
Key Features:
Supports mobility (users can connect from anywhere).
Uses encryption and authentication for security.
Provides access to internal resources (like email servers, files, or applications).
Common Protocols:
SSL/TLS VPN (web-based or client-based)
IPsec VPN (using client software)
In Packet Tracer, we can’t fully configure remote access VPNs since it doesn’t support client VPN software, but in real devices, configuration involves:
Setting up the VPN server (on a router/firewall).
Defining authentication (username/password, certificates).
Installing client software on the user’s device.
Site-to-Site VPN vs Remote Access VPN
Site-to-Site VPN
Definition: Connects two or more networks (e.g., branch office to headquarters) over the internet securely.
Who uses it: Organizations with multiple sites needing a constant connection.
Connection type: Always-on tunnel between routers/firewalls.
Configuration: Done on network devices, not on individual computers.
Scalability: Great for connecting whole networks, but not ideal for individual users working remotely.
Example use case: A company’s branch office accessing internal servers at the main office.
Remote Access VPN
Definition: Allows individual users to securely connect to a private network from anywhere using the internet.
Who uses it: Remote workers, traveling employees, or contractors.
Connection type: Users connect through VPN client software installed on their device.
Configuration: Done per user/device.
Scalability: Easy for individual users, but harder to manage if the number of users becomes very large.
Example use case: An employee working from home securely accessing company email, file servers, or internal apps.
Site-to-Site VPN vs Remote-Access VPN
| Feature | Site-to-Site VPN | Remote-Access VPN |
| --- | --- | --- |
| Typical Protocol | IPsec | TLS (SSL/TLS-based) |
| Number of Devices Served | Many devices behind the connected sites | Usually one device (the VPN client installed) |
| Use Case | Permanently connects two or more sites over the internet | Provides secure, on-demand access for end devices (laptops, phones) to company resources |
| Connection Type | Router-to-router or firewall-to-firewall | Client-to-VPN gateway |
| Deployment | Configured between gateways, transparent to end users | Requires VPN client software on the end device |
| Best For | Branch office to headquarters connectivity | Remote workers, travelers, or mobile employees |
Wrap Up
We started this blog by looking at what a WAN is and how sites are connected, then at what a VPN is and why it matters, especially for securing communication over public networks. From there, we explored the different types of VPNs, including IPsec, SSL, MPLS, GRE, and DMVPN, each with its own use case and strengths. We also covered how Remote-Access VPNs allow individuals to connect securely, and how Site-to-Site VPNs connect entire networks together. To tie it all together, we compared Site-to-Site vs Remote-Access VPNs, pointing out when each is the right choice.
Learning VPNs isn’t just about memorizing definitions. It’s about understanding how these technologies secure data, enable remote work, and keep networks connected across the globe. If you’re aiming to grow in networking or cybersecurity, mastering VPN concepts will give you a strong foundation for more advanced topics.
Keep going. You’ll find that the deeper you dive into networking security, the more everything starts to connect. VPNs are just the beginning of securing communication in the modern world.