Free CCNA | WAN Architectures | Day 53 | CCNA 200-301 Complete Course
Welcome to Jeremy’s IT Lab. This is a free, complete course for the CCNA. If you like these videos, please subscribe to follow along with the series. Also, please like and leave a comment, and share the video to help spread this free series of videos. Thanks for your help. In this video we’ll look at WAN architectures.
Specifically, we’ll be covering topic 1.2.d, WAN, and topic 5.5, describe remote access and site-to-site VPNs. Both of these exam topics use the term ‘describe’, so we won’t be looking at any actual configurations. You just need a basic understanding of some common WAN technologies and how they operate. Note that we’ll be looking at WANs from the perspective of an enterprise which is the customer of a service provider, not from the perspective of the service provider itself. To learn more about the service provider perspective, consider the CCNP service provider certification in the future.
Here’s what we’ll cover in this video. First I’ll give an introduction to WANs and explain what they are. Then I’ll introduce one type of connection used for WANs, known as leased lines. Then another WAN technology known as MPLS, Multiprotocol Label Switching, which provides us with a kind of VPN, Virtual Private Network. Then I’ll introduce some options for Internet connectivity, and finally explain Internet VPNs, which allow us to create virtual private networks over the public Internet.
So, we’ll cover a lot of topics, but we won’t be going in depth about any of them. To cover just the topic of MPLS in depth, for example, would require a full course at least as long as this entire CCNA course. For the CCNA exam, all that’s expected is that you have a basic understanding of these technologies and their purpose.
As always, make sure to watch until the end of the video for a bonus practice question from Boson Software’s ExSim for CCNA, the best practice exams for the CCNA. Okay let me introduce the concept of WANs first. As you know already, WAN stands for Wide Area Network, and the name should give you a good idea of what a WAN is. A WAN is a network that extends over a large geographic area.
For example, between cities, between countries, etc. So, WANs are used to connect geographically separate LANs. For example, if a company has an office in New York, an office in Toronto, and an office in London, each of those offices is a LAN, Local Area Network, and the connections between them form a WAN, Wide Area Network. Although the Internet itself can be considered a WAN, the term WAN is typically used to refer to an enterprise’s private connections that connect their offices, data centers, and other sites together. So, as I said, the Internet can be considered a WAN, but when we say WAN we usually aren’t referring to the Internet. There is, however, a kind of technology that can be used over the Internet to create private connections.
Over public and shared connections like the Internet, VPNs, Virtual Private Networks, can be used to create private connections. I’ll show you a few kinds of VPNs in this video. Note that there have been many different WAN technologies over the years. Depending on the location, some will be available and some will not be.
I won’t cover every possible WAN technology in this video. Also, technologies which are considered legacy in one country might still be used in other countries. Legacy basically means old and no longer used or rarely used. Here’s an example of a WAN.
This enterprise has a central data center and some offices. For the purpose of this video we’re not focusing on the LAN so I won’t show all of the devices in each LAN, but each of these, office A, office B, office C, as well as the data center, is its own LAN. Each office is connected to the data center via a leased line, which is a kind of dedicated physical connection between two sites. This is not a shared connection, it’s not connected to the Internet, it’s a private connection that the company uses to connect its sites together.
By the way, do you know a word for this kind of topology, in which multiple devices connect to one central device? In the last video I introduced the term star topology, however when talking about WANs a more common term is hub and spoke. The central site, the data center, is called the hub, and the office sites which all connect to the hub are called spokes. One major advantage of a hub-and-spoke topology, as opposed to a full-mesh topology, is that it’s easier to centrally control what traffic is allowed and what isn’t. All traffic between offices can be sent to a firewall in the data center, for example, and it can control which traffic is allowed and which isn’t. So, remember that term, hub and spoke topology. Now, I have to say that this diagram is actually not exactly an accurate representation of leased lines.
This is a better representation of what’s actually going on. Rather than a single physical cable directly connecting each site, each site connects to a service provider, which connects the sites together. I will introduce leased lines soon, but these connections use serial cables. I briefly introduced serial connections in the OSPF section of the course; they use Layer 2 encapsulations like HDLC and PPP, not Ethernet. However, these days WAN connections via Ethernet are more and more common. Optical fiber allows much longer cable runs than traditional copper UTP Ethernet cabling, so WANs using Ethernet over fiber optic cables are now quite common.
Note that the CCNA focuses on the WAN connection from the perspective of the enterprise, not the service provider. So we won’t spend much time talking about exactly what’s going on inside of the service provider network, the gray box in this slide and the previous one. If you want to learn more about that, consider the CCNP service provider track in your future studies.
Now, the Internet can also be used for an enterprise’s WAN connections between sites. However, the Internet itself is not a private network. It’s a shared, public network, so sending important data over the Internet unprotected is not a good idea. In this case, note that each site has a physical connection to the Internet. However, to send traffic between sites the company will set up VPNs, virtual private networks. We’ll cover these in greater detail soon, but basically the packets will be encrypted so that the contents can only be read by the intended recipients.
Then, the encrypted packet is encapsulated within a new packet and sent. This means that the original packet will remain protected even when sent over the public Internet. Okay, so that was a quick introduction to a few WAN options. Now let’s take a slightly deeper look at each one, starting with leased lines. A leased line is a dedicated physical link, typically connecting two sites.
As I mentioned before, they use serial connections with PPP or HDLC encapsulation, so these aren’t Ethernet links: the Layer 2 encapsulation is PPP or HDLC rather than Ethernet.
There are various standards that provide different speeds, and different standards are available in different countries. This chart from Wikipedia shows some of the standards. Now, there are a lot here and I don’t think you need to memorize them all. Of course, if you want you can make flashcards to try to memorize all of these standards and their speeds, but I think that will be unnecessary for the CCNA exam. Let me just point out a few.
In North America the standard names begin with T, as in T1, T2, and T3, which provide 1.544 Mbps, 6.312 Mbps, and 44.736 Mbps respectively. I will include flashcards for these three in the deck I provide, but keep in mind no one except a few people at Cisco knows exactly what will be asked on the exam, so it’s up to you whether you want to memorize more. In Europe, as well as other regions, the standards begin with E, for example E1, E2, and E3, which provide 2.048 Mbps, 8.448 Mbps, and 34.368 Mbps respectively. Again, I will include flashcards for these three standards.
Now, as I mentioned before, Ethernet WAN technologies are becoming more and more popular, rather than these serial leased lines. Why is that? It’s because leased lines tend to have a higher cost and a longer installation lead time, meaning it takes longer to actually install the line, and they also offer lower speeds than Ethernet connections provide. Okay, let’s move on to another WAN option, MPLS. MPLS stands for Multiprotocol Label Switching. Similar to the Internet, service providers’ MPLS networks are shared infrastructure, because many customer enterprises connect to and share the same infrastructure to make WAN connections.
However, the label switching in the name of MPLS allows VPNs, virtual private networks, to be created over the MPLS infrastructure through the use of labels. These labels are used to separate the traffic of different customers as it travels over the shared infrastructure, and make sure it doesn’t mix with the traffic of other customers. There are a few basic terms you should know for MPLS.
CE router means Customer Edge router. This is the customer’s router that is connected to the next kind of router, PE router, which means Provider Edge router. Finally there are P routers, these are the Provider core routers that are not at the edge of the network and don’t connect to customer routers. This diagram should make it easier to understand. Notice the CE routers are at the edge of the customer networks, and they connect to the PE routers, the provider edge routers.
Within the provider network there are also P routers which form the internal network infrastructure of the service provider’s network, but don’t connect directly to the customer routers. When the PE routers receive frames from the CE routers, they add a label to the frame. This label is actually placed in between the Layer 2 Ethernet header and the Layer 3 IP header, so sometimes MPLS is called a Layer 2.5 protocol. These labels are then used to make forwarding decisions within the service provider network, not the destination IP. In regular IP routing the router checks the destination IP and compares it to its routing table to decide where to forward the packet.
But not in MPLS. MPLS routers use the MPLS label to decide where to forward the packet. Now, the CE routers do not use MPLS; it is only used by the PE and P routers. The CE routers do not have to run MPLS, or even be capable of running it. There are a few different kinds of VPNs that can be provided by MPLS. When using a Layer 3 MPLS VPN, the CE and PE routers peer using a routing protocol, OSPF for example, to share routing information. It doesn’t have to be OSPF; it could be another routing protocol, or the customer could just configure static routes using the PE routers as the next hop. But let’s assume a routing protocol is being used.
For example, in the diagram below office A’s CE will peer with one PE, and office B’s CE will peer with the other PE, like this. Then, office A’s CE will learn about office B’s routes via this OSPF peering, and office B’s CE will learn about office A’s routes, too. So, this is a Layer 3 MPLS VPN. The CE routers either form dynamic routing protocol peerings with the PE routers, or they use the PE routers as the next hop of their static routes. A Layer 2 MPLS VPN can also be used, in which the CE and PE routers do not form peerings. So, the entire service provider network is transparent to the CE routers.
Although the CE routers physically connect to a PE router, it is in effect as if the two CE routers were directly connected: their WAN interfaces will be in the same subnet, and if a routing protocol is used, the two CE routers will peer directly with each other, like this. In this case the service provider network is still running MPLS just like before, but in a way that makes the entire provider network behave like one big switch connecting the two CE routers together.
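To make the label-forwarding idea concrete, here is a small added example in Python, written for this page rather than taken from the course or from Cisco IOS. It packs and parses the 32-bit MPLS label stack entry that sits between the Ethernet and IP headers, then walks a packet through a constructed core (PE1, P1, PE2) in which each router forwards on the label alone. The customer names, label values and addresses are made up. The two-label stack, a transport label for the path across the core plus a VPN label that identifies the customer, is how a Layer 3 MPLS VPN keeps two customers apart even when both use the same 10.1.1.0/24 prefix.

```python
"""Added example (not from the course): MPLS label stack entries and label-only forwarding."""
import ipaddress
import struct


def pack_entry(label: int, tc: int = 0, bos: int = 0, ttl: int = 64) -> bytes:
    """One 32-bit label stack entry: 20-bit label | 3-bit TC | 1-bit S (bottom of stack) | 8-bit TTL."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and bos in (0, 1) and 0 <= ttl < 256):
        raise ValueError("label stack entry field out of range")
    return struct.pack("!I", (label << 12) | (tc << 9) | (bos << 8) | ttl)


def unpack_entry(entry: bytes) -> dict:
    (v,) = struct.unpack("!I", entry[:4])
    return {"label": v >> 12, "tc": (v >> 9) & 7, "bos": (v >> 8) & 1, "ttl": v & 0xFF}


def push_stack(labels: list, ttl: int = 64) -> bytes:
    """Build a label stack, top label first; S=1 marks the bottom (last) entry."""
    last = len(labels) - 1
    return b"".join(pack_entry(lbl, bos=int(i == last), ttl=ttl) for i, lbl in enumerate(labels))


def parse_stack(data: bytes):
    """Return (entries top-first, the bytes that follow the bottom-of-stack entry)."""
    entries = []
    while True:
        entries.append(unpack_entry(data))
        data = data[4:]
        if entries[-1]["bos"]:
            return entries, data


# Constructed topology: CE-A1/CE-B1 -> PE1 -> P1 -> PE2 -> CE-A2/CE-B2.
# Customers A and B both use 10.1.1.0/24 at their remote site; the inner VPN
# label, not the IP header, decides which customer a packet belongs to.
VRF_FIB = {  # ingress PE1: per-customer table -> (transport label, VPN label)
    "A": {ipaddress.ip_network("10.1.1.0/24"): (1001, 5001)},
    "B": {ipaddress.ip_network("10.1.1.0/24"): (1001, 5002)},
}
LFIB = {  # label forwarding tables: in-label -> (action, out-label, next hop)
    "P1": {1001: ("swap", 2001, "PE2")},
    "PE2": {
        2001: ("pop", None, None),         # transport label is removed here
        5001: ("deliver", None, "CE-A2"),  # VPN label selects customer A's CE
        5002: ("deliver", None, "CE-B2"),  # same IP packet, customer B's CE
    },
}


def pe_ingress(vrf: str, ip_packet: bytes) -> bytes:
    """The only place the IP destination is consulted: PE1 picks labels per customer VRF."""
    dst = ipaddress.ip_address(ip_packet[16:20])
    for prefix, (transport, vpn) in VRF_FIB[vrf].items():
        if dst in prefix:
            return push_stack([transport, vpn]) + ip_packet
    raise LookupError(f"no route to {dst} in VRF {vrf}")


def forward(vrf: str, ip_packet: bytes) -> dict:
    """Carry a customer packet across the core and record the label stack at each hop."""
    frame = pe_ingress(vrf, ip_packet)
    trace = {"PE1": [e["label"] for e in parse_stack(frame)[0]]}
    router = "P1"
    while True:
        entries, payload = parse_stack(frame)
        top = entries[0]
        action, out_label, nxt = LFIB[router][top["label"]]  # keyed on the label only
        if action == "swap":
            entries[0] = {**top, "label": out_label, "ttl": top["ttl"] - 1}
            frame = b"".join(pack_entry(e["label"], e["tc"], e["bos"], e["ttl"])
                             for e in entries) + payload
            trace[router] = [e["label"] for e in entries]  # stack as forwarded
            router = nxt
        elif action == "pop":
            trace.setdefault(router, [e["label"] for e in entries])  # stack on arrival
            frame = frame[4:]  # drop the top entry and look at the next one
        else:  # deliver: the bottom label identifies the customer VRF and exit interface
            trace.setdefault(router, [e["label"] for e in entries])
            trace["egress"] = nxt
            trace["ip_dst"] = str(ipaddress.ip_address(payload[16:20]))
            return trace


def sample_packet(dst: str) -> bytes:
    """Minimal constructed IPv4 packet (20-byte header, destination at bytes 16..19)."""
    hdr = b"\x45\x00\x00\x28" + b"\x00" * 8 + ipaddress.ip_address("10.0.0.5").packed
    return hdr + ipaddress.ip_address(dst).packed + b"\x00" * 20


if __name__ == "__main__":
    for customer in ("A", "B"):
        print(customer, forward(customer, sample_packet("10.1.1.9")))
```

Only pe_ingress reads the IP destination; P1 never does, which is why overlapping customer address space is no problem inside the core. The flip side for security is that the separation is only as good as the provider's label tables: a wrong LFIB entry would hand one customer's packet to the other, and nothing in the packet is encrypted.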
Now, MPLS is a technology that runs in the service provider network, but many different technologies, many different kinds of connections, can be used to actually connect to the service provider’s MPLS network for WAN service. In this case office A and office B are connecting via fiber optic Ethernet. Perhaps office C is connecting to the service provider via wireless 4G or 5G.
Office D might be connecting via CATV, a cable TV connection as is often used for home Internet access. And office E might use a serial connection, a leased line to connect to the service provider’s MPLS infrastructure. So, these sites are connecting to the service provider with a variety of connection types, and they will all be able to communicate with each other over the service provider’s MPLS infrastructure. Okay, that’s all for MPLS. For the CCNA exam, you should know that MPLS uses labels to forward traffic, not IP addresses. You should know the terms CE router, PE router, and P router.
You should know that Layer 3 MPLS VPNs have CE routers and PE routers forming peerings using a routing protocol such as OSPF, whereas in Layer 2 MPLS VPNs it is as if the CE routers are all directly connected to each other. The service provider routers are totally transparent, acting like a big switch connecting the CE routers together. As I mentioned at the beginning of this video, just the topic of MPLS alone would require a huge course to cover in depth, but let’s move on now to talk about the Internet. Before focusing on Internet VPNs, let’s take a look at Internet connections in general. There are countless ways for an enterprise to connect to the Internet.
For example, private WAN technologies such as leased lines and MPLS VPNs can be used to connect to a service provider’s Internet infrastructure. Although the leased line or MPLS VPN itself is a private network, it can be used as a means to access the public network that is the Internet. In addition, technologies such as CATV and DSL, which are commonly used by consumers for home Internet access, can also be used by an enterprise.
I’m repeating myself, but for both enterprise and consumer Internet access, fiber optic Ethernet connections are growing in popularity due to the high speeds they provide over long distances. Now let’s briefly look at two Internet access technologies I mentioned above, cable Internet and DSL. First let’s look at DSL, which stands for Digital Subscriber Line.
DSL provides internet connectivity to customers over phone lines, and can share the same phone line that is already installed in most homes. So, this is very convenient for both the service provider and the customer. Now, there is one extra device here that I haven’t really talked about in this course except for a brief mention in the previous video.
That is the modem. A modem, which stands for modulator-demodulator, is required to convert data into a format suitable to be sent over the phone lines. The modem might be a separate device, as in the diagram, or it might be incorporated into the home router. This connects the network to the service provider over the phone lines.
But there is another common kind of communication line installed in most homes that can also be used for Internet access. Let’s look at that next. Cable Internet is a similar concept to DSL, although of course if you look at the technical details it is different. But it provides Internet access via the same CATV, cable television, lines used for TV service. So, just like DSL, it takes advantage of already-installed lines and provides Internet access over them. Like DSL, a cable modem is required to convert data into a format suitable to be sent over the CATV cables.
And also like a DSL modem, the cable modem can be a separate device or built into the home router. Now, for a home user, having one connection to the Internet isn’t a problem. It’s a bit annoying if you lose Internet access, but it’s not a disaster. However, for many companies Internet access is essential to their operations. So, it’s best to have redundant Internet connections, and there are a few terms you should know. First, if you have 1 connection to 1 ISP, it’s called single homed.
This is like a standard home Internet connection. For an enterprise, this is not ideal, because there is no redundancy here. If you have 2 connections to that same ISP, it’s called dual homed.
This provides some redundancy, but still not ideal. If you have 1 connection to each of 2 ISPs, it’s called multihomed. This improves the redundancy because if something happens to 1 ISP, you still have Internet access via the other one. And finally there is dual multihomed, 2 connections to each of 2 ISPs. This provides the most redundancy.
Depending on the company, this might not be necessary or worth the cost. So, make sure you know these four terms. Single homed, dual homed, multihomed, and dual multihomed. Okay, that’s enough about Internet access for now. Let’s move on to the final topic, Internet VPNs. Private WAN services such as leased lines and MPLS provide a degree of security because each customer’s traffic is kept separate, either by a dedicated physical connection in the case of leased lines, or by the MPLS labels that separate traffic in the provider core. Note that this separation is logical, not cryptographic: a leased line or MPLS VPN does not encrypt anything, so the provider, or anyone able to tap the line, can read the traffic. Enterprises that need confidentiality therefore often run IPsec over these private WANs as well.
However, when using the Internet as a WAN to connect sites together, there is no built-in security by default. So, to provide secure communications over a shared network like the Internet, VPNs (virtual private networks) are used. We will cover two kinds of Internet VPNs. First, site-to-site VPNs using IPsec, and second, remote-access VPNs using TLS. So let’s get right into the first one, site-to-site VPNs using IPsec.
A site-to-site VPN is a VPN between two devices and is used to connect two sites together over the Internet. In the diagram below office A and office B are both connected to the Internet, and we will use a site-to-site VPN between them so that the devices at each office can communicate securely with each other. In a site-to-site VPN, a VPN tunnel is created between the two devices by encapsulating the original IP packet with a VPN header and a new IP header. When using IPsec, the original packet is encrypted before being encapsulated with the new header, and the encapsulated packet also carries an integrity check so the receiving end can detect any modification in transit. This is what makes IPsec secure.
So, the router will take the original packet, encrypt it so that it can’t be read, add an IPsec VPN header and a new IP header, and then forward it over the Internet. Let me demonstrate that process in the diagram. We have configured an IPsec tunnel between these two routers. The PC at office A wants to send traffic to the PC at office B, so it first sends the unencrypted data to its default gateway, the router.
The router encrypts the data, and adds a VPN header and new IP header. Then the encrypted data in the new packet is sent over the Internet to the other end of the tunnel. The receiving router decrypts the data and sends it to the destination PC. That’s a very basic overview of how IPsec VPNs work. Let’s summarize that process. When the router receives a packet that is to be sent over the VPN, it takes the original packet and a session key, also called an encryption key, and runs them through an encryption algorithm.
Then the sending device, the router, encapsulates the encrypted packet with a VPN header and a new IP header. The new packet is then sent to the device on the other end of the tunnel, the receiving router. This device then decrypts the data to get the original packet, and forwards it to its destination. Of course, this is an oversimplification of the process, but at this point in your studies that is okay. Now, note that in a site-to-site VPN a tunnel is formed only between two tunnel endpoints, for example the two routers connected to the Internet.
All other devices in each site don’t need to create a VPN for themselves. They can send unencrypted data to their site’s router, which will encrypt it and forward it in the tunnel as described above. The next type of VPN we will look at, remote access VPNs, is different. Before looking at remote-access VPNs, I want to point out a few limitations of standard IPsec. First, IPsec doesn’t support broadcast and multicast traffic, only unicast.
This means that routing protocols such as OSPF can’t be used over the tunnels, because OSPF sends its messages to multicast addresses. We can solve this with GRE over IPsec, which we’ll look at next. Another potential problem for large networks is that configuring a full mesh of tunnels between many sites is a labor-intensive task. It takes a lot of time and careful planning to configure dozens of VPNs. This problem can be solved with Cisco’s DMVPN.
Let’s briefly look at each of the above solutions. First, GRE over IPsec. GRE, which stands for Generic Routing Encapsulation, creates tunnels like IPsec, but it does not encrypt the original packet, so it is not secure. However it has the advantage of being able to encapsulate a wide variety of Layer 3 protocols as well as broadcast and multicast messages. So, to get the flexibility of GRE with the security of IPsec, GRE over IPsec can be used.
The original packet will be encapsulated by a GRE header and a new IP header, and then the GRE packet will be encrypted and encapsulated within an IPsec VPN header and a new IP header. So, here’s the original IP packet. A GRE header and new IP header are added to it. Then this new packet is encrypted, and an IPsec header and new IP header are added.
We have combined GRE with IPsec. That’s all I’ll say about GRE over IPsec for now. You don’t need to know more than this for the CCNA.
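The two-step encapsulation described above, together with the single-step IPsec process from the site-to-site section, is modelled below as an added example written for this page; it is not the course's material, not Cisco IOS code, and not a real IPsec implementation. The addresses, keys, SPI and the OSPF packet are constructed. The block builds an OSPF hello addressed to the multicast group 224.0.0.5, wraps it in a GRE header plus a new IP header, then encrypts that and wraps it in an ESP header, an integrity check value and another new IP header, and finally reverses the whole process at the far end. The cipher is an HMAC-based counter-mode stand-in, because the Python standard library has no AES; real IPsec negotiates AES and its keys through IKE.

```python
"""Added example (not from the course): GRE-over-IPsec encapsulation modelled in Python."""
import hashlib
import hmac
import ipaddress
import struct

PROTO_GRE, PROTO_ESP, PROTO_OSPF = 47, 50, 89  # IP protocol numbers
ETHERTYPE_IPV4, NEXT_HEADER_IPV4 = 0x0800, 4    # GRE protocol type; ESP "next header" for IPv4

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; a header carrying a valid checksum sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header (no options) in front of the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "proto": pkt[9], "payload": pkt[ihl:]}

def gre_encapsulate(inner: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Step 1: GRE header (flags/version 0, protocol type IPv4) plus a new IP header."""
    return build_ipv4(tun_src, tun_dst, PROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner)

def gre_decapsulate(pkt: bytes) -> bytes:
    ip = parse_ipv4(pkt)
    flags, ptype = struct.unpack("!HH", ip["payload"][:4])
    if ip["proto"] != PROTO_GRE or flags != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("not a plain GRE/IPv4 packet")
    return ip["payload"][4:]

def _keystream(key: bytes, spi: int, seq: int, length: int) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode keyed per (SPI, sequence number).
    Real IPsec uses AES (CBC or GCM) negotiated by IKE; this keeps the example stdlib-only."""
    return b"".join(hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
                    for i in range((length + 31) // 32))[:length]

def esp_encapsulate(inner: bytes, enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                    outer_src: str, outer_dst: str) -> bytes:
    """Step 2 (ESP tunnel mode): encrypt the GRE packet, add ESP header + ICV, then a new outer IP header."""
    pad_len = -(len(inner) + 2) % 4  # ESP trailer pads the payload to a 4-byte boundary
    plaintext = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HEADER_IPV4])
    ks = _keystream(enc_key, spi, seq, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    esp_hdr = struct.pack("!II", spi, seq)
    icv = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:16]  # HMAC-SHA-256-128 style
    return build_ipv4(outer_src, outer_dst, PROTO_ESP, esp_hdr + ciphertext + icv)

def esp_decapsulate(pkt: bytes, enc_key: bytes, auth_key: bytes, expected_spi: int) -> bytes:
    ip = parse_ipv4(pkt)
    if ip["proto"] != PROTO_ESP:
        raise ValueError("not ESP")
    esp_hdr, ciphertext, icv = ip["payload"][:8], ip["payload"][8:-16], ip["payload"][-16:]
    spi, seq = struct.unpack("!II", esp_hdr)
    expected = hmac.new(auth_key, esp_hdr + ciphertext, hashlib.sha256).digest()[:16]
    # Verify integrity before decrypting, with a constant-time comparison.
    if spi != expected_spi or not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV check failed: packet modified, forged, or wrong SA")
    ks = _keystream(enc_key, spi, seq, len(ciphertext))
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, ks))
    pad_len, next_hdr = plaintext[-2], plaintext[-1]
    if next_hdr != NEXT_HEADER_IPV4:
        raise ValueError("unexpected inner protocol")
    return plaintext[:len(plaintext) - pad_len - 2]

# Constructed scenario: office A's router (public 203.0.113.10) to office B's (198.51.100.20).
# Keys and SPI are hard-coded placeholders; real IPsec derives them through IKE.
ENC_KEY, AUTH_KEY = b"placeholder-encryption-key-32byt", b"placeholder-integrity-key-32byte"
SPI, A_PUBLIC, B_PUBLIC = 0x1000ABCD, "203.0.113.10", "198.51.100.20"

def send_gre_over_ipsec(inner_packet: bytes, seq: int) -> bytes:
    gre_pkt = gre_encapsulate(inner_packet, A_PUBLIC, B_PUBLIC)  # GRE header + new IP header
    return esp_encapsulate(gre_pkt, ENC_KEY, AUTH_KEY, SPI, seq, A_PUBLIC, B_PUBLIC)  # ESP + new IP header

def receive_gre_over_ipsec(wire: bytes) -> bytes:
    return gre_decapsulate(esp_decapsulate(wire, ENC_KEY, AUTH_KEY, SPI))

def ospf_hello() -> bytes:
    """Constructed OSPF packet to the AllSPFRouters multicast group 224.0.0.5, which plain IPsec cannot carry."""
    return build_ipv4("10.0.0.1", "224.0.0.5", PROTO_OSPF, b"\x02\x01" + b"\x00" * 14)

def is_accepted(wire: bytes) -> bool:
    """True if the receiving router accepts and decapsulates the packet, False if it rejects it."""
    try:
        receive_gre_over_ipsec(wire)
        return True
    except ValueError:
        return False
```

Two details are worth noticing. The multicast address never appears on the wire; only the two public tunnel endpoints do. And the receiver checks the ICV before it decrypts anything, so a modified or forged packet is dropped rather than decrypted. The sequence number feeds the keystream here; in real ESP it also drives anti-replay checking, which this model omits.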
Now, regarding the problem of configuring full-mesh IPsec tunnels, let’s look at DMVPN. DMVPN, which stands for Dynamic Multipoint VPN, is a Cisco-developed solution that allows routers to dynamically create a full mesh of IPsec tunnels without having to manually configure every single tunnel. This is a major oversimplification, but let me demonstrate it in two steps. First, you configure IPsec tunnels to a hub site. Notice that the router at the top is the hub, and each spoke router has an IPsec tunnel to that hub router, but not to the other spoke routers. That’s part 1.
Then, the hub router gives each router information about how to form an IPsec tunnel with the other routers. So, we only configured hub-and-spoke tunnels, but the routers were able to form a full mesh of IPsec tunnels on their own. To summarize, DMVPN provides the configuration simplicity of hub-and-spoke, meaning each router only needs one tunnel to be configured, and the efficiency of spoke-to-spoke communication, because spoke routers can communicate directly without traffic passing through the hub.
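The two steps above, as an added example written for this page (a simplified model, not Cisco IOS code). In real DMVPN the hub learns each spoke's public address through NHRP registration over a multipoint GRE tunnel, and IPsec protects the tunnels; here that is reduced to a hub that records registrations and answers resolution requests, and spokes that are configured with the hub only and build spoke-to-spoke tunnels on demand. All names and addresses are constructed.

```python
"""Added example (not from the course): how a DMVPN hub lets spokes find each other."""


class Hub:
    """Hub router: the only peer any spoke is configured with."""

    def __init__(self, name: str = "hub"):
        self.name = name
        self.registrations = {}  # spoke tunnel IP -> (spoke name, spoke public IP)

    def register(self, spoke_name: str, tunnel_ip: str, public_ip: str) -> None:
        """Spokes register when their hub tunnel comes up (NHRP registration in real DMVPN)."""
        self.registrations[tunnel_ip] = (spoke_name, public_ip)

    def resolve(self, tunnel_ip: str):
        """Answer a spoke's resolution request: which spoke, at which public address, owns this tunnel IP?"""
        return self.registrations.get(tunnel_ip)


class Spoke:
    def __init__(self, name: str, tunnel_ip: str, public_ip: str, hub: Hub):
        self.name, self.tunnel_ip, self.public_ip, self.hub = name, tunnel_ip, public_ip, hub
        self.static_tunnels = {hub.name}  # the only tunnel an engineer configures
        self.dynamic_tunnels = set()      # spoke-to-spoke tunnels built on demand
        self.cache = {}                   # learned tunnel IP -> (peer name, public IP)
        hub.register(name, tunnel_ip, public_ip)

    def send(self, dst_tunnel_ip: str) -> list:
        """Return the path a packet to dst_tunnel_ip takes, building a direct tunnel when possible."""
        if dst_tunnel_ip in self.cache:
            return [self.name, self.cache[dst_tunnel_ip][0]]  # direct spoke-to-spoke
        peer = self.hub.resolve(dst_tunnel_ip)
        if peer is None:
            raise LookupError(f"{dst_tunnel_ip} is not registered with the hub")
        # The first packet rides the hub tunnel while the direct IPsec tunnel is set up;
        # from then on traffic between the two spokes bypasses the hub entirely.
        self.cache[dst_tunnel_ip] = peer
        self.dynamic_tunnels.add(peer[0])
        return [self.name, self.hub.name, peer[0]]


def build_dmvpn():
    """Constructed network: one hub and three spokes using documentation-range public addresses."""
    hub = Hub()
    spokes = {
        "spokeA": Spoke("spokeA", "10.255.0.11", "203.0.113.11", hub),
        "spokeB": Spoke("spokeB", "10.255.0.12", "198.51.100.12", hub),
        "spokeC": Spoke("spokeC", "10.255.0.13", "192.0.2.13", hub),
    }
    return hub, spokes


if __name__ == "__main__":
    hub, spokes = build_dmvpn()
    print(spokes["spokeA"].send("10.255.0.12"))  # via the hub the first time
    print(spokes["spokeA"].send("10.255.0.12"))  # direct afterwards
```

One caveat this model makes visible: the hub accepts whatever a spoke registers, so a real deployment depends on IPsec peer authentication to make sure only legitimate spokes can register and be resolved.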
Some companies might want all traffic to flow through the hub site so that a central firewall can control the traffic, but other companies might want the efficient direct spoke-to-spoke communication that a full mesh provides. Now let’s move on to the other major type of VPN, remote-access VPNs. Whereas site-to-site VPNs are used to make a point-to-point connection between two sites over the Internet, remote-access VPNs are used to allow end devices such as PCs and mobile phones to access the company’s internal resources securely over the Internet. Remote-access VPNs typically use TLS, Transport Layer Security, as opposed to site-to-site VPNs, which typically use IPsec. TLS is also what provides security for HTTPS, HTTP Secure.
It was formerly known as SSL, Secure Sockets Layer and developed by Netscape, but it was renamed to TLS when it was standardized by the IETF. VPN client software, for example Cisco AnyConnect, is installed on end devices, for example company-provided laptops that employees use to work from home. If you work for a company from home, your device almost certainly has a kind of VPN client software installed. These end devices then form secure tunnels to one of the company’s routers or firewalls acting as a TLS server. This allows the end users to securely access resources on the company’s internal network without being directly connected to the company network. Here’s a diagram to help you visualize it.
The end devices on the left want to access resources on the company’s server in the data center on the right. They all have Cisco AnyConnect installed, and it is also configured on the firewall at the data center. So, the devices each form a TLS VPN tunnel to the firewall, and then they are able to securely communicate with the company’s internal servers through the tunnel.
Note that, just like IPsec, a TLS VPN encrypts the tunneled packets and wraps them in additional headers, but for the sake of time we’ll skip over those details. So, finally let’s briefly compare site-to-site and remote-access VPNs. Site-to-site VPNs typically use IPsec, and remote-access VPNs typically use TLS. Both of them are protocols that you don’t need to know in detail for the CCNA exam, but you should definitely know their names and have a basic understanding of their purposes. Site-to-site VPNs provide service to many devices within the sites they are connecting.
One IPsec tunnel between two routers or firewalls provides traffic security for all hosts within the sites they are connecting. On the other hand, remote-access VPNs provide service to the one end device the VPN client software is installed on. Instead of connecting two sites together, they connect one end device to a site. Site-to-site VPNs are typically used to permanently connect two sites securely over the Internet.
And remote-access VPNs are typically used to provide on-demand access for end devices that want to securely access company resources while connected to a network which is not secure. These two types of VPNs are specifically mentioned in the CCNA exam topics, so make sure you know the differences between them. Okay, before moving on to the quiz let’s review what we covered.
This video was just a shallow look at various different WAN technologies. Each topic in this video is very important for network engineers to understand, but when you’re just starting your journey you don’t have to learn all of the details right away, and the CCNA exam doesn’t expect you to know them all. So, first I introduced WANs.
Wide Area Networks are used to connect geographically distant LANs, Local Area Networks, together. For example, to connect two offices together which are located in different cities or countries. Then, we looked at leased lines. Leased lines are dedicated physical connections that can be used to connect sites together to form a WAN. For many reasons they are being replaced by newer technologies, but you should still know about them. Then we looked at MPLS VPNs.
MPLS allows enterprises to form WANs over a service provider’s MPLS infrastructure. Although the traffic of many different customers will be passing over this infrastructure, the label-switching aspect of MPLS keeps each customer’s VPN separate over the shared infrastructure. If you want to really learn how MPLS works, consider the CCNP Service Provider track in the future. Then we looked at a few ways to connect to the Internet, for example DSL and cable Internet. And finally Internet VPNs, specifically site-to-site VPNs using IPsec and remote-access VPNs using TLS. These provide secure connectivity over the Internet, which is a shared public network and not secure by default.
Make sure to watch until the end of the quiz for a bonus question from Boson Software’s ExSim for CCNA, the best practice exams for the CCNA. Okay, let’s go to quiz question 1. Which of the following leased line standards provides 1.544 Mbps of bandwidth? Pause the video now to select the correct answer. The answer is B, T1.
Here’s that Wikipedia chart again. I doubt that you’ll have to memorize all of these for the CCNA exam, but it doesn’t hurt to be familiar with them. Okay, let’s go to quiz question 2. Jeremy’s IT Lab Professional IT Training Inc. uses an MPLS VPN to connect its various offices together. Which of the following routers does NOT run MPLS? Pause the video to select the correct answer. The answer is C, CE. In MPLS, PE, provider edge, and P, provider core, routers run MPLS to provide MPLS VPN services for their customers.
However, there is no need for the CE, customer edge, routers to run MPLS. Okay, let’s go to question 3. Which of the following MPLS VPN types allows CE routers to directly form OSPF peerings with each other? Pause the video to select the best answer.
Okay, the answer is A, Layer 2 MPLS VPN. Although MPLS is sometimes called a Layer 2.5 protocol because the labels are inserted between the Layer 2 and Layer 3 headers, there is no such thing as a Layer 2.5 MPLS VPN. And in Layer 3 MPLS VPNs, the OSPF peerings would be made with PE routers, not between CE routers. In a Layer 2 MPLS VPN, the entire service provider network is transparent to the customer, and it is as if the service provider network is a switch connecting the two CE routers together.
Okay, let’s go to question 4. Which of the following Internet access technologies takes advantage of already-installed phone lines? Pause the video to select the best answer. Okay, the answer is B, DSL.
Digital Subscriber Line provides connectivity to a service provider’s Internet infrastructure over phone lines, which are typically already installed in most modern homes. As a bonus, it allows users to access the Internet and use the phone at the same time, which earlier dial-up connections over the same phone lines did not allow. Okay, let’s go to question 5. Which of the following protocols can be used in combination with IPsec to provide more flexibility by allowing multicast traffic to be forwarded in the tunnel? Pause the video now to select the best answer.
Okay, the answer is C, GRE. Generic Routing Encapsulation is more flexible than IPsec because it allows multicast as well as broadcast packets to be encapsulated and sent in the tunnel. However, GRE isn’t secure because it doesn’t encrypt the original packet. So, the GRE packet can be encrypted and then encapsulated using IPsec to provide the benefits of both IPsec and GRE.
Okay, that’s all for the quiz. Now let’s take a look at a bonus question from Boson Software’s ExSim for CCNA.