Overview
A WAN connects geographically dispersed LANs. Organizations choose dedicated private links, provider MPLS services, or VPN overlays across the public Internet. GRE adds a virtual point-to-point tunnel that can carry multiple protocols — usually wrapped in IPsec for encryption on untrusted paths.
Panagiss images embed below from GitHub. jdepew88 markdown exports use  placeholders — the original figures are in the PDF notes; we link those where the markdown had a diagram and use a flow diagram for the GRE lab topology.
LAN, WAN, and MAN
These terms describe scope, not a specific technology:
| Network | Scope | Typical use |
|---|---|---|
| LAN | Building or campus | Switched Ethernet, Wi-Fi |
| WAN | Cities, countries, continents | Branch connectivity, Internet |
| MAN | Metropolitan area | City-wide fiber or wireless |
In the source notes, a row like |---|---|---| is only a table separator for rendering — it is not content. If you ever see raw pipes on a page, the table formatter was missing; this site now renders them as proper tables.
Private WAN vs VPN
A private WAN uses links dedicated to one organization (leased lines, MPLS VPN). A VPN builds an encrypted virtual tunnel across shared infrastructure — usually the Internet — so remote sites appear logically connected.
| Approach | Cost | Security | Typical use |
|---|---|---|---|
| Leased line / dedicated fiber | High | Physical isolation | HQ data-center links |
| MPLS VPN (provider) | Medium–high | Provider-separated labels/VPN | Multi-site enterprise |
| Ethernet WAN (fiber) | Medium–high | Dedicated or provider Ethernet handoff | Modern branch uplinks |
| Internet + site-to-site IPsec | Lower | Encryption required | Branch offices, backup links |
jdepew88 notes that VPNs have largely replaced leased-line-only designs for cost reasons, while leased lines remain where guaranteed bandwidth and SLA matter.

Site-to-site VPN — encrypted tunnel between private networks across the Internet.
Supplementary figure from Panagiss CCNAmd

Remote access VPN — individual users connect with SSL or IPsec client software.
Supplementary figure from Panagiss CCNAmd
| VPN type | Terminates on | User experience |
|---|---|---|
| Site-to-site | Routers/firewalls at each site | Transparent to end hosts |
| Remote access | Concentrator at HQ | Laptop/phone runs VPN client or browser SSL |
MPLS VPN (CCNA awareness)
MPLS uses label switching in the provider core — forwarding decisions use labels, not destination IP alone, inside the SP network.
| Term | Role |
|---|---|
| CE router | Customer edge — your router |
| PE router | Provider edge — adds/removes labels |
| P router | Provider core — switches labels |
CE routers do not run MPLS; only PE/P routers do.
| Type | Behavior |
|---|---|
| Layer 3 MPLS VPN | CE peers with PE (e.g. OSPF) — routes exchanged via provider |
| Layer 2 MPLS VPN | Transparent L2 — CE routers peer directly as if on same subnet |
Internet access technologies
| Technology | Notes |
|---|---|
| DSL | Internet over phone lines — DSL modem required |
| Cable (DOCSIS) | Internet over CATV plant — cable modem required |
| Fiber Ethernet | Growing for enterprise and consumer — high speed, long reach |
| Redundant Internet | Dual ISP paths for resilience — common branch pattern |
Legacy leased lines (serial PPP/HDLC) still appear in exam scenarios but Ethernet/fiber and Internet VPN are more common in modern designs.
Site-to-site IPsec process
- Sending router encrypts original packet with session key
- Encapsulates with VPN header + new outer IP header
- Sends across Internet to peer router
- Receiving router decrypts and forwards original packet to destination
Only tunnel endpoints (typically Internet-facing routers) build the VPN — internal hosts send plain IP to their site router.
Standard IPsec supports unicast only — not broadcast/multicast. OSPF adjacencies over pure IPsec need GRE over IPsec or a different design.
GRE over IPsec
GRE alone is not encrypted but carries multicast/broadcast and multiple L3 protocols. GRE over IPsec wraps GRE inside encrypted IPsec — flexibility plus security.
DMVPN (awareness)
DMVPN lets spokes build a full mesh of IPsec tunnels dynamically via a hub — combines hub-and-spoke configuration simplicity with spoke-to-spoke efficiency. CCNA awareness only; configuration is beyond scope.
Site-to-site vs remote-access VPN
| Site-to-site | Remote-access | |
|---|---|---|
| Typical protocol | IPsec | TLS (SSL VPN) / IPsec client |
| Terminates on | Site routers/firewalls | User laptop/phone |
| Serves | Entire site | One end device |
| Use case | Permanent branch connectivity | Work-from-home on-demand access |
Remote-access often uses Cisco AnyConnect or browser TLS (HTTPS) to a concentrator — distinct from branch CAPWAP tunnels to a WLC (Wireless Configuration).
WAN connection options
Enterprise / primary links (Panagiss + jdepew88):
| Technology | Characteristics |
|---|---|
| Leased line (point-to-point serial) | Dedicated bandwidth, symmetric speeds, SLA; HDLC/PPP encapsulation on serial |
| MPLS | Provider shared core; L3 or L2 VPN; full mesh by default |
| Fiber (FTTx) | FTTH, FTTP, FTTB — increasing business and consumer access |
| Satellite | Remote areas; expensive, higher latency |
Backup / branch / home: DSL, cable, 4G/5G — lower cost, often no corporate SLA; common as Internet VPN backup.

WAN technology landscape — dedicated, MPLS, and Internet-based options.
Supplementary figure from Panagiss CCNAmd

Fiber delivery models — to the home, premises, or building.
Supplementary figure from Panagiss CCNAmd

Backup WAN paths — DSL, cable, and wireless Internet circuits.
Supplementary figure from Panagiss CCNAmd

WAN backup and primary link relationship at a branch.
Supplementary figure from Panagiss CCNAmd
Leased lines and serial encapsulation (jdepew88 WAN.md)
Point-to-point serial links provide a dedicated permanent connection between two sites. jdepew88 walks through encapsulation change at the WAN edge:
- LAN (Ethernet) — IP packet inside Ethernet frame
- Router strips L2 — forwards across WAN using HDLC or PPP on the serial link
- Remote router — strips HDLC/PPP, re-encapsulates in Ethernet toward the destination host
CCNA focus: HDLC (Cisco default on serial) and PPP (LCP/NCP, authentication). Physical WAN connectors are often V.35 or X.21, not RJ-45.
Diagram from jdepew88 notes (WAN.md). The markdown export uses image placeholders — open the PDF for the original figure.
CSU/DSU sits at the customer demarc on digital leased lines — connects the telco circuit to the router (DTE). The CSU/DSU provides clocking (DCE) for synchronous serial. A modem converts analog phone lines; CSU/DSU connects digital lines to digital routers.
Telco demarc — the boundary where provider responsibility ends and customer responsibility begins.

Leased line — dedicated point-to-point WAN between two sites.
Supplementary figure from Panagiss CCNAmd
MPLS VPN
MPLS runs on provider P (provider) and PE (provider edge) routers. Customer CE routers peer at Layer 3 with PE — the provider core is transparent to customer routing.

MPLS provider cloud — CE routers attach at the edge.
Supplementary figure from Panagiss CCNAmd
| MPLS flavor | Behavior |
|---|---|
| L3 MPLS VPN | Each site in a different subnet; PE routers route between customer VRFs |
| L2 MPLS VPN | Single subnet extended across sites (VPLS/VPWS style) |

Layer 3 MPLS VPN — separate IP subnets per site.
Supplementary figure from Panagiss CCNAmd

L3 MPLS VPN routing between customer sites via provider PE routers.
Supplementary figure from Panagiss CCNAmd

Layer 2 MPLS VPN — same broadcast domain stretched across locations.
Supplementary figure from Panagiss CCNAmd
WAN topology patterns
| Topology | Advantages | Disadvantages |
|---|---|---|
| Hub-and-spoke | Simple; centralized security policy | Spoke-to-spoke hairpins through hub; single hub risk |
| Redundant hub-and-spoke | Removes single hub failure | Higher cost |
| Full mesh | Optimal paths | Complex and expensive |
| Partial mesh | Balance of cost and performance | Design-dependent |

Hub-and-spoke (star) WAN topology.
Supplementary figure from Panagiss CCNAmd

Redundant hub-and-spoke — dual hubs for resilience.
Supplementary figure from Panagiss CCNAmd

Full mesh — every site connects to every other site.
Supplementary figure from Panagiss CCNAmd

Partial mesh — selective direct links between sites.
Supplementary figure from Panagiss CCNAmd

Internet redundancy — dual ISP paths for VPN or DIA backup.
Supplementary figure from Panagiss CCNAmd
IPsec (jdepew88 VPNs.md)
IPsec protects IP packets at the network layer. Three protocols to know:
| Protocol | Encryption | Role |
|---|---|---|
| IKE | — | Negotiates security associations and keys |
| AH | No | Authenticates entire packet (integrity, origin) |
| ESP | Yes | Encrypts payload; optional authentication |
Modes:
- Transport — encrypts payload; original IP header visible. Host-to-host when endpoints are VPN peers.
- Tunnel — new outer IP header (gateway public IPs). Site-to-site default when routers build the tunnel.
If the devices building the VPN are not the original source/destination hosts, use tunnel mode — typical site-to-site between Internet-facing routers.
Diagram from jdepew88 notes (VPNs.md). The markdown export uses image placeholders — open the PDF for the original figure.
Key exchange: IKE with Diffie-Hellman groups lets peers derive a shared secret over an insecure channel. Attackers cannot feasibly compute the secret without private values. The shared key feeds symmetric ciphers (AES) for bulk encryption.
Authentication: pre-shared key (simple labs) or digital certificates (scale).
Out-of-band key delivery — exchanging secrets via a separate channel (phone call) — contrasts with in-band IKE negotiation.
Diagram from jdepew88 notes (VPNs.md). The markdown export uses image placeholders — open the PDF for the original figure.
! Phase 1 — IKE policy crypto isakmp policy 10 encr aes authentication pre-share group 2
! Phase 2 — IPsec transform set crypto ipsec transform-set TS1 esp-aes esp-sha-hmac mode tunnel
! Crypto map on Internet interface crypto map VPN-MAP 10 ipsec-isakmp set peer 203.0.113.2 set transform-set TS1 match address VPN-TRAFFIC
| IPsec | SSL/TLS VPN | |
|---|---|---|
| Layer | Network (whole IP packet) | Application data |
| Client | Often dedicated software | Browser often sufficient |
| Best for | Site-to-site, full tunnel | Remote access, web apps |
GRE overlay tunnels (jdepew88 GRE Tunnels.md)
GRE (Generic Routing Encapsulation, RFC 2784) builds a virtual point-to-point link:
- Carries multiple Layer 3 protocols (IPv4, IPv6, multicast)
- Supports routing protocols across the tunnel
- No encryption or authentication — clear text on the Internet
- Common pattern: GRE inside IPsec — GRE transports; IPsec encrypts
Packet structure: outer delivery IP header (tunnel endpoint public IPs) + 4-byte GRE header + inner payload.
jdepew88 lab pattern: R1/R5 act as PCs (no ip routing, ip default-gateway). R2/R4 build Tunnel0 between public IPs 4.1.1.1 and 4.1.2.2. R3 routes only on the outer header — inner traffic is invisible to path logic but not encrypted without IPsec.
Diagram from jdepew88 notes (GRE Tunnels.md). The markdown export uses image placeholders — open the PDF for the original figure.
interface Tunnel0 ip address 10.1.3.1 255.255.255.252 tunnel mode gre ip tunnel source 4.1.1.1 tunnel destination 4.1.2.2 ! router eigrp 100 network 10.0.0.0
Never deploy GRE alone across the public Internet for sensitive traffic. Pair with IPsec or use IPsec tunnel mode directly.
Design patterns
Typical branch (CCNA scenario):
- Primary WAN — MPLS or dedicated link to HQ
- Internet circuit — site-to-site IPsec backup or primary VPN
- Optional GRE over IPsec — carry multicast routing or dynamic IGP across the tunnel
- Wireless at branch — lightweight APs join HQ WLC over CAPWAP (often inside site-to-site IPsec); FlexConnect can switch guest/staff VLANs locally (Wireless Configuration)
Troubleshooting
| Symptom | Check |
|---|---|
| Tunnel won't come up | Peer reachability, ACL blocking ESP/UDP 500, PSK mismatch |
| One-way traffic | Asymmetric crypto ACL, NAT-T, missing return route |
| GRE up, no end-to-end ping | Routes missing over tunnel interface |
| High latency on satellite/MPLS | Expected — design apps for WAN RTT |
Exam checklist
- Compare leased line, MPLS, Ethernet WAN, and Internet VPN tradeoffs
- Name CE, PE, and P router roles in MPLS
- Explain site-to-site vs remote-access VPN
- Describe IPsec encapsulation steps at a high level
- Explain why GRE over IPsec exists (multicast + encryption)
- Identify hub-and-spoke hairpin limitation
- Know HDLC/PPP role on serial WAN links and CSU/DSU clocking