Bandwidth Requirements:

One of the primary considerations in WAN design is determining the bandwidth requirements for each location. The bandwidth needed will depend on the number of users, applications used, and data transfer volume. Accurately assessing these requirements is essential to avoid bottlenecks and ensure reliable connectivity.

Several key factors influence the bandwidth requirements of a WAN. Understanding these variables is essential for optimizing network performance and ensuring smooth data transmission. Some factors include the number of users, types of applications being used, data transfer volume, and the geographical spread of the network.

Calculating the precise bandwidth requirements for a WAN can be a complex task. However, some general formulas and guidelines can help determine the approximate bandwidth needed. These calculations consider user activity, application requirements, and expected data traffic.

Network Topology:

Choosing the correct network topology is crucial for a well-designed WAN. Several options include point-to-point, hub-and-spoke, and full-mesh topologies. Each has advantages and disadvantages, and the choice should be based on cost, scalability, and the organization’s specific needs.

With the advent of cloud computing, increased reliance on real-time applications, and the need for enhanced security, modern WAN network topologies have emerged to address the changing requirements of businesses. Some of the contemporary topologies include:

• Hybrid WAN Topology
• Software-defined WAN (SD-WAN) Topology
• Meshed Hybrid WAN Topology

These modern topologies leverage technologies like virtualization, software-defined networking, and intelligent routing to provide greater flexibility, agility, and cost-effectiveness.

Redundancy and High Availability:

Redundancy and high availability are vital considerations in WAN design to ensure uninterrupted connectivity. Implementing redundant links, multiple paths, and failover mechanisms can help mitigate the impact of network failures or outages. Redundancy also plays a crucial role in load balancing and optimizing network performance.

• Diverse Connection Paths

One of the primary components of WAN redundancy is the establishment of diverse connection paths. This involves utilizing multiple carriers or network providers offering different physical transmission routes. By having diverse connection paths, businesses can reduce the risk of a complete network outage caused by a single point of failure.

• Automatic Failover Mechanisms

Another crucial component is the implementation of automatic failover mechanisms. These mechanisms monitor the primary connection and instantly switch to the redundant connection if any issues or failures are detected. Automatic failover ensures minimal downtime and enables seamless transition without manual intervention.

• Redundant Hardware and Equipment

Businesses must invest in redundant hardware and equipment to achieve adequate WAN redundancy. This includes redundant routers, switches, and other network devices. By having duplicate hardware, businesses can ensure that a failure in one device does not disrupt the entire network. Redundant hardware also facilitates faster recovery and minimizes the impact of failures.

• Load Balancing and Traffic Optimization

WAN redundancy provides failover capabilities and enables load balancing and traffic optimization. Load balancing distributes network traffic across multiple connections, maximizing bandwidth utilization and preventing congestion. Traffic optimization algorithms intelligently route data through the most efficient paths, ensuring optimal performance and minimizing latency.

Security:

Securing data transmission over the WAN is of utmost importance. Encryption protocols, firewalls, and intrusion detection systems should be implemented to protect sensitive information from unauthorized access. Additionally, implementing Virtual Private Networks (VPNs) can provide a secure connection between different locations over the public internet.

• Encryption and Data Privacy

One of the primary concerns in WAN security is protecting data during transmission. This section explores the importance of encryption protocols, such as SSL/TLS, IPsec, and VPNs, in safeguarding data privacy and discusses best practices for implementing strong encryption methods across WAN connections.

• Access Control and Authentication

Controlling access to the WAN infrastructure is vital to prevent unauthorized access and potential breaches. This section explores the significance of access control lists (ACLs), network segmentation, and multifactor authentication (MFA) in ensuring that only authenticated users gain access to the network.

• Intrusion Detection and Prevention Systems

Detecting and preventing intrusions in real time is crucial to maintaining the integrity of a WAN. This section discusses the role of intrusion detection and prevention systems (IDPS) in monitoring network traffic, identifying potential threats, and taking proactive measures to mitigate risks promptly.

• Continuous Monitoring and Incident Response

In the ever-evolving landscape of cyber threats, constant monitoring and effective incident response are essential. This section highlights the significance of implementing security information and event management (SIEM) systems, conducting regular network audits, and establishing an incident response plan to minimize potential damages.

Quality of Service (QoS):

Different types of traffic, such as voice, video, and data, coexist in a WAN. Implementing quality of service (QoS) mechanisms allows for prioritizing and allocating network resources based on the specific requirements of each traffic type. This ensures critical applications receive the bandwidth and latency to perform optimally.

• Identifying QoS Requirements

Every organization has unique requirements regarding WAN QoS. It is essential to identify these requirements to tailor the QoS implementation accordingly. Key factors include application sensitivity, traffic volume, and network topology. By thoroughly analyzing these factors, organizations can determine the appropriate QoS policies and configurations that align with their specific needs.

• Bandwidth Allocation and Traffic Prioritization

Bandwidth allocation plays a vital role in QoS implementation. Different applications have varying bandwidth requirements, and allocating bandwidth based on priority is essential. By categorizing traffic into different classes and assigning appropriate priorities, organizations can ensure that critical applications receive sufficient bandwidth while non-essential traffic is regulated to prevent congestion.

• QoS Mechanisms for Latency and Packet Loss

Latency and packet loss can significantly impact application performance in WAN environments. To mitigate these issues, QoS mechanisms such as traffic shaping, traffic policing, and queuing techniques come into play. Traffic shaping helps regulate traffic flow, ensuring it adheres to predefined limits. Traffic policing, on the other hand, monitors and controls the rate of incoming and outgoing traffic. Proper queuing techniques ensure that real-time and mission-critical traffic is prioritized, minimizing latency and packet loss.

• Network Monitoring and Optimization

Implementing QoS is not a one-time task; it requires continuous monitoring and optimization. Network monitoring tools provide valuable insights into traffic patterns, performance bottlenecks, and QoS effectiveness. With this data, organizations can fine-tune their QoS configurations, adjust bandwidth allocation, and optimize traffic management to meet evolving requirements.

Related: Before you proceed, you may find the following posts helpful:

1. SD-WAN Overlay
2. WAN Virtualization
3. Software-Defined Perimeter Solutions
4. IDS IPS Azure
5. SD WAN Security
6. Data Center Design Guide

Defining the WAN edge

Wide Area Network (WAN) edge is a term used to describe the outermost part of a vast area network. It is the point at which the network connects to the public Internet or private networks, such as a local area network (LAN). The WAN edge is typically comprised of customer premises equipment (CPE) such as routers, firewalls, and other types of hardware. This hardware connects to other networks, such as the Internet, and provides a secure connection.

The WAN Edge also includes software such as network management systems, which help maintain and monitor the network. Standard network solutions at the WAN edge are SD-WAN and DMVPN. In this post, we will address an SD-WAN design guide. For details on DMVPN and its phases, including DMVPN phase 3, visit the links.

An Enterprise WAN edge consists of several functional blocks, including Enterprise WAN Edge Distribution and Aggregation. The WAN Edge Distribution provides connectivity to the core network and acts as an integration point for any edge service, such as IPS and application optimization. The WAN Edge Aggregation is a line of defense that performs aggregation and VPN termination. The following post focuses on integrating IPS for the WAN Edge Distribution-functional block.

1st Lab Guide: DMVPN acting at the WAN

DMVPN, or Dynamic Multipoint VPN, is a networking solution that has gained popularity recently due to its ability to provide secure and scalable connectivity for remote sites. In this blog post, we will explore the features and benefits of DMVPN and why it is a valuable tool for businesses.

At its core, DMVPN is a technology that allows multiple sites to communicate securely over a public or private network. It achieves this by establishing a virtual network overlay on the existing infrastructure, creating a secure tunnel between the sites. This tunnel is dynamically created and torn down as needed, hence the “dynamic” aspect of DMVPN. This guide has R11 as the hub and R31 and R41 as the spokes. When running DMVPN over the WAN, you can tunnel routing protocols over GRE.

The following screenshot shows an EIGRP neighbor relationship over the tunnel, allowing route propagation over the WAN. In this design, we send a summary route from the hub to the spokes to preserve routing table efficiency. A split horizon is usually needed in this case; however, it is not when sending a summary route.

Back to Basic with the WAN Edge

Concept of the wide-area network (WAN)

A WAN connects your offices, data centers, applications, and storage. It is called a wide-area network because it spans outside a single building or large campus to enclose numerous locations across a specific geographic area. Since WAN is an extensive network, the speed of data transmission is lower than that of other networks. An is connects you to the outside world; it’s an integral part of the infrastructure to have integrated security. You could say the WAN is the first line of defense.

Topologies of WAN (Wide Area Network)

1. Firstly, we have a point-to-point topology. A point-to-point topology utilizes a point-to-point circuit between two endpoints.
2. We also have a hub-and-spoke topology. 
3. Full mesh topology. 
4. Finally, a dual-homed topology.

Concept of SD-WAN

SD-WAN (Software-Defined Wide Area Network) technology enables businesses to create a secure, reliable, and cost-effective WAN (Wide Area Network) connection. SD-WAN can provide enterprises with various benefits, including increased security, improved performance, and cost savings. SD-WAN provides a secure tunnel over the public internet, eliminating the need for expensive networking hardware and services. Instead, SD-WAN relies on software to direct traffic flows and establish secure site connections. This allows businesses to optimize network traffic and save money on their infrastructure.

SD-WAN Design Guide

An SD-WAN design guide is a practice that focuses on designing and implementing software-defined wide-area network (SD-WAN) solutions. SD-WAN Design requires a thorough understanding of the underlying network architecture, traffic patterns, and applications. It also requires an understanding of how the different components of the network interact and how that interaction affects application performance.

To successfully design an SD-WAN solution, an organization must first determine the business goals and objectives for the network. This will help define the network’s requirements, such as bandwidth, latency, reliability, and security. The next step is determining the network topology: the network structure and how the components connect.

Once the topology is determined, the organization must decide on the hardware and software components to use in the network. This includes selecting suitable routers, switches, firewalls, and SD-WAN controllers. The hardware must also be configured correctly to ensure optimal performance.

Once the components are selected and configured, the organization can design the SD-WAN solution. This involves creating virtual overlays, which are the connections between the different parts of the network. The organization must also develop policies and rules to govern the network traffic.

Key WAN Design Considerations

1. Dynamic multi-pathing. Being able to load-balance traffic over multiple WAN links isn’t new.
2. Policy. There is a broad movement to implement a policy-based approach to all aspects of IT, including networking.
3. Visibility.
4. Integration. The ability to integrate security such as the IPS

Intrusion Prevention System

An IPS uses signature-based detection, anomaly-based detection, and protocol analysis to detect malicious activities. Signature-based detection involves comparing the network traffic against a known list of malicious activities. In contrast, anomaly-based detection consists in identifying activities that deviate from the expected behavior of the network. Finally, protocol analysis detects malicious activities by analyzing the network protocol and the packets exchanged.

An IPS includes network access control, virtual patching, and application control. Network access control restricts access to the network by blocking malicious connections and allowing only trusted relationships. Virtual patching detects any vulnerability in the system and provides a temporary fix until the patch is released. Finally, application control restricts the applications users can access to ensure that only authorized applications are used.

The following design guide illustrates EtherChannel Load Balancing ( ECLB ) for Intrusion Prevention System ( IPS ) high availability and traffic symmetry through Interior Gateway Protocol ( IGP ) metric manipulation. Symmetric traffic ensures the IPS system has visibility of the entire traffic path. However, IPS can lose visibility into traffic flows with asymmetrical data paths. 

IPS key points

• Two VLANs on each switch logically insert IPS into the data path. VLANs 9 and 11 are the outside VLANs that face Wide Area Networks ( WAN ), and VLANs 10 and 12 are the inside VLANs that meet the protected Core.
• VLAN pairing on each IPS bridges traffic back to the switch across its VLANs.

• Etherchannel Load balancing ( ECLB ) allows the split of flows over different physical paths to and from the Intrusion Prevention System ( IPS ). It is recommended that load balance on flows be used as opposed to individual packets.
•  ECLB performs a hash on the flow’s source and destination IP address to determine what physical port a flow should take. It’s a form of load splitting as opposed to load balancing.
• IPS does not maintain a state if a sensor goes down. TCP flow will be reset and forced through a different IPS appliance.
• Layer 3 routed point-to-point links implemented between switches and ASR edge routers. Interior Gateway Protocol ( IGP ) path costs are manipulated to influence traffic to and from each ASR. We are ensuring traffic symmetry.

• OSPF deployed IGP; the costs are manipulated per interface to influence traffic flow. OSPF calculates costs in the outbound direction. Selection EIGRP as the IGP, destinations are chosen based on minimum path bandwidth and accumulative delay.
• All interfaces between WAN distribution and WAN edge, including the outside VLANs ( 9 and 11 ), are placed in a Virtual Routing and Forwarding ( VRF ) instance. VRFs force all traffic between the WAN edge and the internal Core via an IPS device.

WAN Edge Considerations with the IPS

A recommended design would be to centralize the IPS for a hub and spokes where all branch office traffic is forced through the WAN edge. In addition, a distributed IPS model should be used if local branch sites use split tunneling for local internet access.

The IPS should receive unmodified and clear text traffic. To ensure this, integrate the IPS inside the WAN edge after any VPN termination or application optimization techniques. When using route manipulation to provide traffic symmetry, a single path ( via one ASR ) should have sufficient bandwidth to accommodate the total traffic capacity of both links.

ECLB performs hashing on the source and destination address, not the flow’s bandwidth. If there are high traffic volumes between a single source and destination, all traffic passes through a single IPS.