All topic guides
Wireless & WANAmalgamated guide

WAN, VPN & GRE

WAN link types, MPLS roles, site-to-site IPsec, GRE tunnels, and remote-access VPN.

How the sources were combined

Panagiss WAN-VPN hub-and-spoke topologies plus jdepew88 WAN/VPN/GRE detail, enhanced with p-saumur WAN Architectures (leased line, MPLS CE/PE/P, DSL/cable, IPsec/GRE/DMVPN, TLS remote access).

Overview

A WAN connects geographically dispersed LANs. Organizations choose dedicated private links, provider MPLS services, or VPN overlays across the public Internet. GRE adds a virtual point-to-point tunnel that can carry multiple protocols — usually wrapped in IPsec for encryption on untrusted paths.

About the diagrams

Panagiss images embed below from GitHub. jdepew88 markdown exports use ![](data:image/png;base64...) placeholders — the original figures are in the PDF notes; we link those where the markdown had a diagram and use a flow diagram for the GRE lab topology.

LAN, WAN, and MAN

These terms describe scope, not a specific technology:

NetworkScopeTypical use
LANBuilding or campusSwitched Ethernet, Wi-Fi
WANCities, countries, continentsBranch connectivity, Internet
MANMetropolitan areaCity-wide fiber or wireless
Reading markdown tables

In the source notes, a row like |---|---|---| is only a table separator for rendering — it is not content. If you ever see raw pipes on a page, the table formatter was missing; this site now renders them as proper tables.

Private WAN vs VPN

A private WAN uses links dedicated to one organization (leased lines, MPLS VPN). A VPN builds an encrypted virtual tunnel across shared infrastructure — usually the Internet — so remote sites appear logically connected.

ApproachCostSecurityTypical use
Leased line / dedicated fiberHighPhysical isolationHQ data-center links
MPLS VPN (provider)Medium–highProvider-separated labels/VPNMulti-site enterprise
Ethernet WAN (fiber)Medium–highDedicated or provider Ethernet handoffModern branch uplinks
Internet + site-to-site IPsecLowerEncryption requiredBranch offices, backup links

jdepew88 notes that VPNs have largely replaced leased-line-only designs for cost reasons, while leased lines remain where guaranteed bandwidth and SLA matter.

Site-to-site VPN — encrypted tunnel between private networks across the Internet.

Site-to-site VPN — encrypted tunnel between private networks across the Internet.

Supplementary figure from Panagiss CCNAmd

Remote access VPN — individual users connect with SSL or IPsec client software.

Remote access VPN — individual users connect with SSL or IPsec client software.

Supplementary figure from Panagiss CCNAmd

VPN typeTerminates onUser experience
Site-to-siteRouters/firewalls at each siteTransparent to end hosts
Remote accessConcentrator at HQLaptop/phone runs VPN client or browser SSL

MPLS VPN (CCNA awareness)

MPLS uses label switching in the provider core — forwarding decisions use labels, not destination IP alone, inside the SP network.

TermRole
CE routerCustomer edge — your router
PE routerProvider edge — adds/removes labels
P routerProvider core — switches labels

CE routers do not run MPLS; only PE/P routers do.

TypeBehavior
Layer 3 MPLS VPNCE peers with PE (e.g. OSPF) — routes exchanged via provider
Layer 2 MPLS VPNTransparent L2 — CE routers peer directly as if on same subnet

Internet access technologies

TechnologyNotes
DSLInternet over phone lines — DSL modem required
Cable (DOCSIS)Internet over CATV plant — cable modem required
Fiber EthernetGrowing for enterprise and consumer — high speed, long reach
Redundant InternetDual ISP paths for resilience — common branch pattern

Legacy leased lines (serial PPP/HDLC) still appear in exam scenarios but Ethernet/fiber and Internet VPN are more common in modern designs.

Site-to-site IPsec process

  1. Sending router encrypts original packet with session key
  2. Encapsulates with VPN header + new outer IP header
  3. Sends across Internet to peer router
  4. Receiving router decrypts and forwards original packet to destination

Only tunnel endpoints (typically Internet-facing routers) build the VPN — internal hosts send plain IP to their site router.

IPsec limitation

Standard IPsec supports unicast only — not broadcast/multicast. OSPF adjacencies over pure IPsec need GRE over IPsec or a different design.

GRE over IPsec

GRE alone is not encrypted but carries multicast/broadcast and multiple L3 protocols. GRE over IPsec wraps GRE inside encrypted IPsec — flexibility plus security.

DMVPN (awareness)

DMVPN lets spokes build a full mesh of IPsec tunnels dynamically via a hub — combines hub-and-spoke configuration simplicity with spoke-to-spoke efficiency. CCNA awareness only; configuration is beyond scope.

Site-to-site vs remote-access VPN

Site-to-siteRemote-access
Typical protocolIPsecTLS (SSL VPN) / IPsec client
Terminates onSite routers/firewallsUser laptop/phone
ServesEntire siteOne end device
Use casePermanent branch connectivityWork-from-home on-demand access

Remote-access often uses Cisco AnyConnect or browser TLS (HTTPS) to a concentrator — distinct from branch CAPWAP tunnels to a WLC (Wireless Configuration).

WAN connection options

Enterprise / primary links (Panagiss + jdepew88):

TechnologyCharacteristics
Leased line (point-to-point serial)Dedicated bandwidth, symmetric speeds, SLA; HDLC/PPP encapsulation on serial
MPLSProvider shared core; L3 or L2 VPN; full mesh by default
Fiber (FTTx)FTTH, FTTP, FTTB — increasing business and consumer access
SatelliteRemote areas; expensive, higher latency

Backup / branch / home: DSL, cable, 4G/5G — lower cost, often no corporate SLA; common as Internet VPN backup.

WAN technology landscape — dedicated, MPLS, and Internet-based options.

WAN technology landscape — dedicated, MPLS, and Internet-based options.

Supplementary figure from Panagiss CCNAmd

Fiber delivery models — to the home, premises, or building.

Fiber delivery models — to the home, premises, or building.

Supplementary figure from Panagiss CCNAmd

Backup WAN paths — DSL, cable, and wireless Internet circuits.

Backup WAN paths — DSL, cable, and wireless Internet circuits.

Supplementary figure from Panagiss CCNAmd

WAN backup and primary link relationship at a branch.

WAN backup and primary link relationship at a branch.

Supplementary figure from Panagiss CCNAmd

Leased lines and serial encapsulation (jdepew88 WAN.md)

Point-to-point serial links provide a dedicated permanent connection between two sites. jdepew88 walks through encapsulation change at the WAN edge:

  1. LAN (Ethernet) — IP packet inside Ethernet frame
  2. Router strips L2 — forwards across WAN using HDLC or PPP on the serial link
  3. Remote router — strips HDLC/PPP, re-encapsulates in Ethernet toward the destination host
Info

CCNA focus: HDLC (Cisco default on serial) and PPP (LCP/NCP, authentication). Physical WAN connectors are often V.35 or X.21, not RJ-45.

Point-to-point serial link and OSI model for WAN technologies

Diagram from jdepew88 notes (WAN.md). The markdown export uses image placeholders — open the PDF for the original figure.

CSU/DSU sits at the customer demarc on digital leased lines — connects the telco circuit to the router (DTE). The CSU/DSU provides clocking (DCE) for synchronous serial. A modem converts analog phone lines; CSU/DSU connects digital lines to digital routers.

Telco demarc — the boundary where provider responsibility ends and customer responsibility begins.

Leased line — dedicated point-to-point WAN between two sites.

Leased line — dedicated point-to-point WAN between two sites.

Supplementary figure from Panagiss CCNAmd

MPLS VPN

MPLS runs on provider P (provider) and PE (provider edge) routers. Customer CE routers peer at Layer 3 with PE — the provider core is transparent to customer routing.

MPLS provider cloud — CE routers attach at the edge.

MPLS provider cloud — CE routers attach at the edge.

Supplementary figure from Panagiss CCNAmd

MPLS flavorBehavior
L3 MPLS VPNEach site in a different subnet; PE routers route between customer VRFs
L2 MPLS VPNSingle subnet extended across sites (VPLS/VPWS style)
Layer 3 MPLS VPN — separate IP subnets per site.

Layer 3 MPLS VPN — separate IP subnets per site.

Supplementary figure from Panagiss CCNAmd

L3 MPLS VPN routing between customer sites via provider PE routers.

L3 MPLS VPN routing between customer sites via provider PE routers.

Supplementary figure from Panagiss CCNAmd

Layer 2 MPLS VPN — same broadcast domain stretched across locations.

Layer 2 MPLS VPN — same broadcast domain stretched across locations.

Supplementary figure from Panagiss CCNAmd

WAN topology patterns

TopologyAdvantagesDisadvantages
Hub-and-spokeSimple; centralized security policySpoke-to-spoke hairpins through hub; single hub risk
Redundant hub-and-spokeRemoves single hub failureHigher cost
Full meshOptimal pathsComplex and expensive
Partial meshBalance of cost and performanceDesign-dependent
Hub-and-spoke (star) WAN topology.

Hub-and-spoke (star) WAN topology.

Supplementary figure from Panagiss CCNAmd

Redundant hub-and-spoke — dual hubs for resilience.

Redundant hub-and-spoke — dual hubs for resilience.

Supplementary figure from Panagiss CCNAmd

Full mesh — every site connects to every other site.

Full mesh — every site connects to every other site.

Supplementary figure from Panagiss CCNAmd

Partial mesh — selective direct links between sites.

Partial mesh — selective direct links between sites.

Supplementary figure from Panagiss CCNAmd

Internet redundancy — dual ISP paths for VPN or DIA backup.

Internet redundancy — dual ISP paths for VPN or DIA backup.

Supplementary figure from Panagiss CCNAmd

IPsec (jdepew88 VPNs.md)

IPsec protects IP packets at the network layer. Three protocols to know:

ProtocolEncryptionRole
IKENegotiates security associations and keys
AHNoAuthenticates entire packet (integrity, origin)
ESPYesEncrypts payload; optional authentication

Modes:

  • Transport — encrypts payload; original IP header visible. Host-to-host when endpoints are VPN peers.
  • Tunnel — new outer IP header (gateway public IPs). Site-to-site default when routers build the tunnel.
Exam trap

If the devices building the VPN are not the original source/destination hosts, use tunnel mode — typical site-to-site between Internet-facing routers.

VPN tunnel across the Internet — replaces dedicated leased line

Diagram from jdepew88 notes (VPNs.md). The markdown export uses image placeholders — open the PDF for the original figure.

Key exchange: IKE with Diffie-Hellman groups lets peers derive a shared secret over an insecure channel. Attackers cannot feasibly compute the secret without private values. The shared key feeds symmetric ciphers (AES) for bulk encryption.

Authentication: pre-shared key (simple labs) or digital certificates (scale).

Out-of-band key delivery — exchanging secrets via a separate channel (phone call) — contrasts with in-band IKE negotiation.

Diffie-Hellman key exchange — how VPN peers establish a shared secret

Diagram from jdepew88 notes (VPNs.md). The markdown export uses image placeholders — open the PDF for the original figure.

Site-to-site IPsec — conceptual phases

! Phase 1 — IKE policy crypto isakmp policy 10 encr aes authentication pre-share group 2

! Phase 2 — IPsec transform set crypto ipsec transform-set TS1 esp-aes esp-sha-hmac mode tunnel

! Crypto map on Internet interface crypto map VPN-MAP 10 ipsec-isakmp set peer 203.0.113.2 set transform-set TS1 match address VPN-TRAFFIC

IPsecSSL/TLS VPN
LayerNetwork (whole IP packet)Application data
ClientOften dedicated softwareBrowser often sufficient
Best forSite-to-site, full tunnelRemote access, web apps

GRE overlay tunnels (jdepew88 GRE Tunnels.md)

GRE (Generic Routing Encapsulation, RFC 2784) builds a virtual point-to-point link:

  • Carries multiple Layer 3 protocols (IPv4, IPv6, multicast)
  • Supports routing protocols across the tunnel
  • No encryption or authentication — clear text on the Internet
  • Common pattern: GRE inside IPsec — GRE transports; IPsec encrypts

Packet structure: outer delivery IP header (tunnel endpoint public IPs) + 4-byte GRE header + inner payload.

jdepew88 lab pattern: R1/R5 act as PCs (no ip routing, ip default-gateway). R2/R4 build Tunnel0 between public IPs 4.1.1.1 and 4.1.2.2. R3 routes only on the outer header — inner traffic is invisible to path logic but not encrypted without IPsec.

GRE encapsulated packet — delivery header vs inner payload

Diagram from jdepew88 notes (GRE Tunnels.md). The markdown export uses image placeholders — open the PDF for the original figure.

GRE tunnel interface

interface Tunnel0 ip address 10.1.3.1 255.255.255.252 tunnel mode gre ip tunnel source 4.1.1.1 tunnel destination 4.1.2.2 ! router eigrp 100 network 10.0.0.0

Security

Never deploy GRE alone across the public Internet for sensitive traffic. Pair with IPsec or use IPsec tunnel mode directly.

Design patterns

Typical branch (CCNA scenario):

  1. Primary WAN — MPLS or dedicated link to HQ
  2. Internet circuit — site-to-site IPsec backup or primary VPN
  3. Optional GRE over IPsec — carry multicast routing or dynamic IGP across the tunnel
  4. Wireless at branch — lightweight APs join HQ WLC over CAPWAP (often inside site-to-site IPsec); FlexConnect can switch guest/staff VLANs locally (Wireless Configuration)

Troubleshooting

SymptomCheck
Tunnel won't come upPeer reachability, ACL blocking ESP/UDP 500, PSK mismatch
One-way trafficAsymmetric crypto ACL, NAT-T, missing return route
GRE up, no end-to-end pingRoutes missing over tunnel interface
High latency on satellite/MPLSExpected — design apps for WAN RTT

Exam checklist

  • Compare leased line, MPLS, Ethernet WAN, and Internet VPN tradeoffs
  • Name CE, PE, and P router roles in MPLS
  • Explain site-to-site vs remote-access VPN
  • Describe IPsec encapsulation steps at a high level
  • Explain why GRE over IPsec exists (multicast + encryption)
  • Identify hub-and-spoke hairpin limitation
  • Know HDLC/PPP role on serial WAN links and CSU/DSU clocking

Related lessons on this site

Continue in this domain

Wireless & WAN · guide 5 of 5

Sources & further reading

Panagiss CCNAmd

jdepew88 CCNA Notes (markdown)

psaumur CCNA Course Notes

Additional references

This page is an amalgamated study guide synthesized from the markdown sources above, cross-checked against Cisco's official CCNA exam topics. Verify scope before your exam date.