N10-009 | Chapter 15 of 163 | Objective 2.4

WAN Technologies and Connections

This chapter covers Wide Area Network (WAN) technologies and connections, a core topic for the CompTIA Network+ N10-009 exam. WAN technologies enable connectivity between geographically dispersed local area networks (LANs), forming the backbone of enterprise and carrier networks. Approximately 15-20% of exam questions touch on WAN topics, including leased lines, MPLS, VPNs, and wireless WANs. Understanding the differences, speeds, and use cases of each technology is critical for passing the exam and for real-world network implementation.

Updated May 31, 2026

WAN Links as Intercity Rail Lines

Imagine a company with offices in New York, Chicago, and Los Angeles. Each office has its own internal local area network (LAN), like a city's local streets. To connect these cities, you need a railway system—a Wide Area Network (WAN). The railway tracks are like dedicated leased lines (e.g., T1, E1) that provide a fixed, private path between cities. Each train car carries data packets, and the railway schedule ensures trains run at regular intervals (like TDM frames on a T1 line). When you need to send a large shipment (a file transfer), you can lease an entire train (a dedicated line) for exclusive use. Alternatively, you can use a shared railway (like MPLS or Frame Relay) where multiple companies' trains use the same tracks but are tagged with different labels (like MPLS labels) to ensure they reach the correct destination. A satellite link is like a long, high-latency bridge over an ocean—it works but has delay. A DSL connection is like a local commuter rail that only covers short distances. The key is that the railway system (WAN) connects the city LANs, but the internal streets (LAN) remain separate. The network engineer decides which type of rail (technology) to use based on cost, distance, speed, and reliability requirements.

How It Actually Works

What is a WAN?

A Wide Area Network (WAN) spans a large geographical area, connecting multiple LANs across cities, countries, or continents. WANs are typically owned and operated by service providers (carriers), and enterprises lease connectivity from them. The key difference from a LAN is that WAN links have higher latency, lower bandwidth, and often incur recurring costs based on distance and speed. WAN technologies are classified by the type of connection: dedicated leased lines, circuit-switched, packet-switched, and wireless.

Leased Lines (Dedicated Connections)

Leased lines are permanent, private connections between two sites. They provide fixed bandwidth and are always active. Common types:
- T1 (DS1): 1.544 Mbps, uses two pairs of copper wire. Often used for enterprise internet access or site-to-site connectivity.
- E1: 2.048 Mbps, common outside North America.
- T3 (DS3): 44.736 Mbps (often rounded to 45 Mbps). Uses coaxial cable or fiber.
- E3: 34.368 Mbps.
- SONET/SDH: Optical carrier (OC) levels: OC-3 (155.52 Mbps), OC-12 (622.08 Mbps), OC-48 (2.488 Gbps), OC-192 (9.953 Gbps).

Leased lines use Time Division Multiplexing (TDM), where the bandwidth is divided into fixed time slots. For example, a T1 line has 24 DS0 channels (each 64 Kbps) plus 8 Kbps for framing, totaling 1.544 Mbps. The framing standard for T1 is Extended Super Frame (ESF), and signaling uses Alternate Mark Inversion (AMI) or B8ZS line coding. Leased lines are private, secure, and provide consistent performance, but they are expensive and require long provisioning times (weeks to months).

Packet-Switched WANs

Instead of dedicated circuits, packet-switched networks share bandwidth among multiple customers. Data is broken into packets, and each packet is routed independently. Key technologies:
- Frame Relay: Older technology that uses virtual circuits (PVCs) and DLCI (Data Link Connection Identifier) numbers to identify connections. Speeds up to 45 Mbps (T3). Committed Information Rate (CIR) guarantees minimum throughput, but burst rates (EIR) are allowed. Frame Relay is deprecated but still appears on the exam for historical context.
- ATM (Asynchronous Transfer Mode): Uses fixed-size cells (53 bytes: 5 header, 48 payload) for predictable latency. Supports multiple traffic classes (CBR, VBR, ABR, UBR). Speeds from T1 to OC-192. ATM is also legacy but tested.
- MPLS (Multiprotocol Label Switching): The modern standard. MPLS adds a label (4 bytes) between the Layer 2 and Layer 3 headers. Routers (LSRs) forward based on labels, not IP addresses, enabling traffic engineering, VPNs, and QoS. MPLS supports multiple protocols (IPv4, IPv6, Ethernet). Labels are distributed using LDP or RSVP-TE. MPLS VPNs (Layer 3 VPNs) use VRF (Virtual Routing and Forwarding) instances to keep customer traffic separate. MPLS can carry any payload (Ethernet, PPP, etc.) via AToM (Any Transport over MPLS).

Circuit-Switched WANs

PSTN (Public Switched Telephone Network): Traditional analog phone lines used for dial-up connections (up to 56 Kbps via V.92 modems). Rare today but tested.

ISDN (Integrated Services Digital Network): Digital circuit-switched connection. Basic Rate Interface (BRI) has two 64 Kbps B channels and one 16 Kbps D channel (total 144 Kbps). Primary Rate Interface (PRI) in North America has 23 B channels + 1 D channel (T1 frame, 1.544 Mbps). ISDN is also legacy.

Wireless WANs

Cellular: 4G LTE (up to 100 Mbps), 5G (up to 10 Gbps). Used for remote site connectivity, failover, and IoT. Requires a cellular modem and SIM card. Latency is higher (20-50 ms for LTE, <10 ms for 5G).

Satellite: Geostationary (GEO) orbit (35,786 km) with latency ~250 ms round-trip. Low Earth Orbit (LEO) systems like Starlink have lower latency (20-40 ms). Bandwidth varies (10-100 Mbps). Used in remote areas.

WiMAX: IEEE 802.16, up to 70 Mbps, range up to 50 km. Mostly superseded by LTE.

VPN Connections

Virtual Private Networks (VPNs) create secure tunnels over public networks (e.g., the internet). Types:
- Site-to-Site VPN: Connects two or more networks using IPsec or GRE tunnels. Typically uses IPsec in tunnel mode with ESP encryption. IKEv1 or IKEv2 for key exchange.
- Remote Access VPN: Allows individual clients to connect to the network. Uses IPsec, SSL/TLS (OpenVPN, AnyConnect), or PPTP (obsolete).
- DMVPN (Dynamic Multipoint VPN): Cisco proprietary, uses mGRE and NHRP for dynamic spoke-to-spoke tunnels.
- MPLS VPN: Provider-provisioned VPN using MPLS labels and VRFs.

Last Mile Connections

DSL (Digital Subscriber Line): Uses existing telephone lines. ADSL (asymmetric) provides up to 24 Mbps downstream, 1.4 Mbps upstream. VDSL up to 100 Mbps. Distance-limited (18,000 feet for ADSL).

Cable (Broadband): Uses coaxial cable (DOCSIS 3.1) up to 1 Gbps downstream, 50 Mbps upstream. Shared bandwidth among neighborhood users.

Fiber (FTTH): Passive Optical Network (PON) or Active Ethernet. GPON provides 2.5 Gbps downstream, 1.25 Gbps upstream. Speeds up to 10 Gbps with XGS-PON.

Metro Ethernet: Ethernet over fiber or copper within a metropolitan area. Uses E-Line (point-to-point) or E-LAN (multipoint). Speeds from 10 Mbps to 100 Gbps.

Connection Speeds and Standards

T1: 1.544 Mbps (24 DS0 channels)

E1: 2.048 Mbps (32 DS0 channels)

T3: 44.736 Mbps (672 DS0 channels)

E3: 34.368 Mbps

OC-3: 155.52 Mbps

OC-12: 622.08 Mbps

OC-48: 2.488 Gbps

OC-192: 9.953 Gbps

Fast Ethernet: 100 Mbps

Gigabit Ethernet: 1 Gbps

10 Gigabit Ethernet: 10 Gbps

WAN Termination and CPE

Customer Premises Equipment (CPE) includes:
- CSU/DSU: Channel Service Unit/Data Service Unit. Converts LAN signals to WAN signals (e.g., T1). Often integrated into routers.
- Modem: Modulator-demodulator for analog lines (dial-up, DSL, cable).
- ONT: Optical Network Terminal for fiber.
- Router: Connects LAN to WAN, performs routing and NAT.
- Firewall: Provides security at the WAN edge.

WAN Protocols

PPP (Point-to-Point Protocol): Used over serial links (T1, dial-up). Provides authentication (PAP, CHAP), multilink (MLPPP), and compression. Default MTU 1500 bytes.

HDLC (High-Level Data Link Control): Cisco proprietary default on serial interfaces. No authentication.

Frame Relay: Uses LMI (Local Management Interface) for signaling and DLCI for virtual circuits.

ATM: Uses VPI/VCI for virtual circuits.

Ethernet: Increasingly used in WANs (Metro Ethernet). Uses VLAN tagging (802.1Q).

Walk-Through

1

Establishing a T1 Leased Line

1. The enterprise orders a T1 circuit from a carrier. The carrier installs a smart jack (demarcation point) on the customer premises.
2. The customer connects a CSU/DSU to the smart jack using a T1 crossover cable (RJ-48C). The CSU/DSU is configured with framing (ESF) and line coding (B8ZS).
3. The router's serial interface is connected to the CSU/DSU. The router interface is configured with the IP address, encapsulation (PPP or HDLC), and clock rate if it's the DCE side (in back-to-back testing).
4. The carrier tests the circuit end-to-end. Once the circuit is up, the router shows interface status as 'Serial0/0/0 is up, line protocol is up'.
5. Traffic flows over the 24 DS0 channels. The CSU/DSU handles TDM framing and ensures timing synchronization.

2

MPLS Label Switching

1. An IP packet enters the MPLS network at the ingress Label Edge Router (LER). The LER performs a routing lookup and assigns a label based on the FEC (Forwarding Equivalence Class). The label is pushed onto the packet.
2. The packet is forwarded to the next Label Switching Router (LSR). The LSR uses the label to look up the next hop and outgoing label in its Label Information Base (LIB). It swaps the incoming label with the outgoing label.
3. This label swap continues at each LSR. The packet never undergoes IP routing lookups inside the MPLS core, only label lookups.
4. At the egress LER, the label is popped (or the packet is forwarded as IP). The packet exits the MPLS domain.
5. MPLS can carry multiple protocols (IPv4, IPv6, Ethernet) using different label stacks. Traffic engineering uses RSVP-TE to reserve bandwidth along explicit paths.
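The push, swap and pop steps above can be traced byte by byte. This is an added example, not part of the original chapter: the 4-byte entry layout (20-bit label, 3-bit EXP/TC, bottom-of-stack bit, 8-bit TTL) follows RFC 3032, while the label values, the FEC prefix and all function names are constructed for illustration.

```python
import struct

def encode_entry(label, tc=0, bottom=True, ttl=64):
    """Pack one 4-byte label stack entry: label(20) | TC/EXP(3) | S(1) | TTL(8)."""
    if not (0 <= label < 1 << 20 and 0 <= tc < 8 and 0 <= ttl < 256):
        raise ValueError("field out of range")
    word = (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl
    return struct.pack("!I", word)

def decode_entry(frame):
    """Unpack the top label stack entry of a labelled frame."""
    (word,) = struct.unpack("!I", frame[:4])
    return {"label": word >> 12, "tc": (word >> 9) & 0x7,
            "bottom": bool(word & 0x100), "ttl": word & 0xFF}

# Constructed tables for one LSP: ingress LER -> LSR -> egress LER.
INGRESS_FEC = {"10.2.0.0/16": 100}   # FEC -> label pushed at the ingress LER
LSR_SWAP = {100: 200}                # incoming label -> outgoing label
EGRESS_POP = {200}                   # labels the egress LER terminates

def ingress_push(ip_packet, fec, tc):
    """Step 1: the only routing decision; the result is recorded as a label."""
    return encode_entry(INGRESS_FEC[fec], tc=tc, bottom=True, ttl=64) + ip_packet

def lsr_swap(frame):
    """Steps 2-3: forward on the label alone; the IP header is never read."""
    entry = decode_entry(frame)
    if entry["label"] not in LSR_SWAP:
        raise LookupError("unknown label: drop rather than fall back to IP")
    if entry["ttl"] <= 1:
        raise ValueError("TTL expired")
    swapped = encode_entry(LSR_SWAP[entry["label"]], entry["tc"],
                           entry["bottom"], entry["ttl"] - 1)
    return swapped + frame[4:]

def egress_pop(frame):
    """Step 4: remove the label and hand the original packet back to IP."""
    if decode_entry(frame)["label"] not in EGRESS_POP:
        raise LookupError("label not terminated on this LER")
    return frame[4:]

def forward(ip_packet, fec, tc=0):
    """Run a packet across the LSP; return the entries seen on the wire and the output."""
    hops = []
    frame = ingress_push(ip_packet, fec, tc)
    hops.append(decode_entry(frame))
    frame = lsr_swap(frame)
    hops.append(decode_entry(frame))
    return hops, egress_pop(frame)

if __name__ == "__main__":
    seen, out = forward(b"constructed-ip-packet", "10.2.0.0/16", tc=5)
    for entry in seen:
        print(entry)
    print(out)
```

Because the core forwards on the label alone, traffic separation depends entirely on the label tables being correct, which is why the unknown-label case drops the frame instead of forwarding it.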

3

IPsec Site-to-Site VPN Establishment

1. The VPN gateway at Site A initiates IKE Phase 1 (Main or Aggressive mode) to authenticate and establish a secure channel. It uses pre-shared keys or certificates. Diffie-Hellman (DH) group 14 (2048-bit) or higher is used for key exchange.
2. IKE Phase 1 creates an ISAKMP SA (Security Association) with parameters like encryption (AES 256), hash (SHA256), and lifetime (86400 seconds default).
3. IKE Phase 2 (Quick Mode) negotiates the IPsec SA for data protection. It specifies the traffic selectors (source/destination subnets), protocol (ESP), and mode (tunnel).
4. The gateways generate transient keys using DH or from the Phase 1 key. The IPsec SA is installed with a lifetime (3600 seconds default).
5. Data packets are encapsulated with ESP headers, encrypted, and sent over the public internet. The receiving gateway decrypts and forwards the original packet to the internal network.

4

Cable Broadband Internet Connection

1. The cable modem connects to the coaxial cable from the cable company. The modem scans for downstream channels (QAM256) and upstream channels (QAM16 or QAM64). It uses DOCSIS 3.0 or 3.1.
2. The modem sends a ranging request to the Cable Modem Termination System (CMTS) at the headend. The CMTS assigns an IP address via DHCP.
3. The modem registers with the CMTS, and the CMTS configures the service flows (bandwidth limits).
4. The customer's router connects to the modem via Ethernet (usually 1 Gbps). The router obtains a public IP (or private IP with CGNAT).
5. Data is transmitted over the shared coaxial medium. The CMTS schedules time slots for upstream transmission to avoid collisions.

5

DSL Connection Setup

1. The DSL modem connects to the telephone line via a microfilter (to separate voice and data). The modem initiates handshake with the DSLAM (Digital Subscriber Line Access Multiplexer) at the central office.
2. The modem negotiates the line rate based on line quality (SNR, attenuation). ADSL2+ can achieve up to 24 Mbps downstream depending on distance (< 18,000 feet).
3. The modem establishes a PPPoE (Point-to-Point Protocol over Ethernet) session with the ISP's access concentrator. The user enters username and password.
4. The ISP assigns an IP address to the modem/router. The PPPoE session is maintained with keepalive packets.
5. Data is transmitted using DMT (Discrete Multi-Tone) modulation, dividing the frequency spectrum into 256 subchannels. The DSLAM aggregates multiple DSL lines and forwards traffic to the ISP backbone.

What This Looks Like on the Job

Enterprise Scenario 1: Multi-site MPLS VPN

A large retail chain with 200 stores nationwide uses an MPLS VPN from a carrier to connect all stores to the data center and to each other. The carrier provisions a Layer 3 MPLS VPN with VRF instances for each customer. Each store has a CPE router that runs BGP with the carrier's PE router. The carrier uses MPLS labels to forward traffic between sites. The enterprise can prioritize traffic (e.g., credit card transactions over email) using QoS markings that map to MPLS EXP bits. The service provides SLAs with 99.99% uptime and CIR per site (e.g., 10 Mbps for small stores, 100 Mbps for distribution centers). Common issues: BGP route flapping due to misconfigured prefix lists, or VRF leakage causing cross-customer traffic. The network team monitors MPLS LSP (Label Switched Path) health using MPLS ping and traceroute.

Enterprise Scenario 2: Site-to-Site IPsec VPN with SD-WAN

A financial services company uses SD-WAN to connect its headquarters (HQ) and three branch offices. Each site has a Cisco SD-WAN edge router that establishes IPsec tunnels to the other sites over broadband internet (cable and DSL). The SD-WAN controller (vManage) provisions the tunnels and applies business-intent policies: voice traffic takes the lowest-latency path, while bulk data transfer uses the highest-bandwidth path. The IPsec tunnels use AES-256-GCM encryption and IKEv2 with certificates. The company also has a 4G LTE backup link at each site. If the primary tunnel fails, the SD-WAN router seamlessly switches to the backup path within seconds. Common misconfigurations: mismatched pre-shared keys, incorrect NAT traversal settings (UDP 4500), or overlapping IP subnets requiring NAT.
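The IPsec walk-through earlier in the chapter and the misconfigurations listed in this scenario can be checked before a tunnel is ever brought up. This is an added example, not part of the original chapter or any vendor's tooling: the config dictionaries, key names and finding strings are constructed, and the baseline (DH group 14 or higher, AES-256, SHA-256) is taken from the walk-through and treated here as the policy.

```python
import ipaddress

MIN_DH_GROUP = 14                                        # "group 14 (2048-bit) or higher"
BASELINE = {"encryption": "aes256", "hash": "sha256"}    # walk-through Phase 1 parameters
# Both ends must agree on these or IKE negotiation never completes.
# psk_digest is a digest of the key, so the audit never handles the key itself.
MUST_MATCH = ("ike_version", "encryption", "hash", "dh_group", "auth", "psk_digest")

def audit_tunnel(a, b):
    """Return sorted findings for one site-to-site tunnel between gateways a and b."""
    findings = set()
    for key in MUST_MATCH:
        if a[key] != b[key]:
            findings.add(f"mismatch:{key}")
    for gw in (a, b):
        if gw["dh_group"] < MIN_DH_GROUP:
            findings.add(f"weak:{gw['name']}:dh_group={gw['dh_group']}")
        for key, want in BASELINE.items():
            if gw[key] != want:
                findings.add(f"weak:{gw['name']}:{key}={gw[key]}")
    # If either end sits behind NAT, both ends need NAT-T (UDP 4500) enabled.
    if (a["behind_nat"] or b["behind_nat"]) and not (a["nat_t"] and b["nat_t"]):
        findings.add("nat-t-required")
    a_local, a_remote = (ipaddress.ip_network(a[k]) for k in ("local_ts", "remote_ts"))
    b_local, b_remote = (ipaddress.ip_network(b[k]) for k in ("local_ts", "remote_ts"))
    # Phase 2 traffic selectors must mirror each other exactly.
    if a_local != b_remote or b_local != a_remote:
        findings.add("selectors-not-mirrored")
    # Overlapping site subnets cannot be routed through the tunnel without NAT.
    if a_local.overlaps(b_local):
        findings.add("overlapping-subnets")
    return sorted(findings)

def gateway(name, **overrides):
    """Build a constructed gateway config that meets the baseline, then apply overrides."""
    cfg = {"name": name, "ike_version": 2, "encryption": "aes256", "hash": "sha256",
           "dh_group": 14, "auth": "cert", "psk_digest": None,
           "behind_nat": False, "nat_t": True,
           "local_ts": "10.1.0.0/16", "remote_ts": "10.2.0.0/16"}
    cfg.update(overrides)
    return cfg

# Constructed sample configurations.
HQ = gateway("hq")
BRANCH_OK = gateway("branch", local_ts="10.2.0.0/16", remote_ts="10.1.0.0/16")
BRANCH_BAD = gateway("branch", dh_group=2, hash="sha1", behind_nat=True, nat_t=False,
                     local_ts="10.1.128.0/17", remote_ts="10.1.0.0/16")

if __name__ == "__main__":
    print(audit_tunnel(HQ, BRANCH_OK))
    for finding in audit_tunnel(HQ, BRANCH_BAD):
        print(finding)
```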

Enterprise Scenario 3: Remote Access VPN for Teleworkers

A healthcare organization allows 500 remote employees to connect to the corporate network using SSL VPN (Cisco AnyConnect). The VPN headend is a pair of ASA firewalls in active/standby failover. Employees install the AnyConnect client on their laptops and authenticate with RSA SecurID tokens. The VPN uses split-tunneling to allow internet traffic to go directly (reducing load), but all traffic to the internal network (10.0.0.0/8) is encrypted and sent through the tunnel. The ASA enforces posture assessment (host scan) before granting full access. Common issues: split-tunneling misconfiguration causing traffic to bypass the VPN, or firewall rules blocking UDP 500 and 4500 for IPsec. The help desk frequently deals with client certificate expiration.
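The split-tunneling misconfiguration mentioned above usually means the include list pushed to clients does not cover the whole internal range. This is an added example, not part of the original chapter and not AnyConnect or ASA configuration: it takes the internal prefix from the scenario (10.0.0.0/8) and a constructed include list, and reports which internal addresses would leave the client outside the tunnel. Function names are hypothetical and only IPv4 is handled.

```python
import ipaddress

def uncovered(internal, split_includes):
    """Return the parts of the internal prefixes that no split-tunnel include covers."""
    remaining = [ipaddress.ip_network(p) for p in internal]
    for inc in (ipaddress.ip_network(p) for p in split_includes):
        kept = []
        for net in remaining:
            if net.subnet_of(inc):
                continue                          # fully inside the tunnel
            if inc.subnet_of(net):
                kept.extend(net.address_exclude(inc))   # include covers only part
            else:
                kept.append(net)                  # include does not touch this range
        remaining = kept
    return sorted(ipaddress.collapse_addresses(remaining))

def path_for(dest, split_includes):
    """Say whether a destination is sent through the tunnel or directly to the internet."""
    addr = ipaddress.ip_address(dest)
    for inc in split_includes:
        if addr in ipaddress.ip_network(inc):
            return "tunnel"
    return "direct"

# Constructed include lists: the intended policy and a partial one.
INTERNAL = ["10.0.0.0/8"]
INCLUDES_OK = ["10.0.0.0/8"]
INCLUDES_PARTIAL = ["10.0.0.0/9", "10.128.0.0/10"]

if __name__ == "__main__":
    print(uncovered(INTERNAL, INCLUDES_OK))
    print(uncovered(INTERNAL, INCLUDES_PARTIAL))
    print(path_for("10.200.1.5", INCLUDES_PARTIAL))
```

With the partial list, an internal host such as the constructed 10.200.1.5 is reached outside the tunnel, which is the bypass the scenario describes.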

How N10-009 Actually Tests This

The N10-009 exam tests WAN technologies under Domain 2.0 (Network Implementation), Objective 2.4: 'Given a scenario, configure and deploy WAN technologies and connections.' The exam expects you to know the characteristics, speeds, and use cases of each technology. Trap answers often confuse T1 (1.544 Mbps) with E1 (2.048 Mbps) or assume T3 is 45 Mbps (actually 44.736 Mbps). Another common wrong answer is choosing DSL for long distances (it's limited to ~18,000 feet). Candidates often pick PPP over HDLC for Cisco serial links by default, but HDLC is Cisco's default encapsulation, not PPP. For MPLS, the exam tests that MPLS uses labels (not IP addresses) for forwarding and that it can carry multiple protocols. The exam also loves to ask about the difference between CIR and EIR in Frame Relay, and that ATM uses fixed 53-byte cells. Specific numbers to memorize: T1=1.544 Mbps, T3=44.736 Mbps, OC-3=155.52 Mbps, DS0=64 Kbps. For VPNs, know that IPsec uses ports 500 (IKE) and 4500 (NAT-T), and that SSL VPNs use TCP 443. Edge cases: The exam may ask about 'last mile' technologies (DSL, cable, fiber) and their typical bandwidths. Also be aware that satellite latency is about 250 ms for GEO. To eliminate wrong answers, identify the technology's key characteristic: if it says 'uses fixed-size cells', it's ATM; 'uses labels' is MPLS; 'uses virtual circuits with DLCI' is Frame Relay. Always read the scenario: if it mentions a long distance and low bandwidth, think satellite; if it mentions a dedicated circuit between two sites, think leased line.

Key Takeaways

T1 = 1.544 Mbps (24 DS0 channels at 64 Kbps each), T3 = 44.736 Mbps.

E1 = 2.048 Mbps (32 DS0 channels), common outside North America.

OC-3 = 155.52 Mbps, OC-12 = 622.08 Mbps, OC-48 = 2.488 Gbps, OC-192 = 9.953 Gbps.

MPLS uses labels (4 bytes) for forwarding; operates at Layer 2.5.

IPsec VPN uses ports UDP 500 (IKE) and UDP 4500 (NAT-T); SSL VPN uses TCP 443.

DSL maximum distance is approximately 18,000 feet (5.5 km) from the central office.

Frame Relay uses DLCI numbers; ATM uses fixed 53-byte cells.

Cable broadband is shared bandwidth (DOCSIS); fiber (GPON) is dedicated per subscriber.

Satellite (GEO) latency is approximately 250 ms round-trip.

HDLC is the default encapsulation on Cisco serial interfaces; PPP must be configured explicitly.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

T1 Leased Line

Fixed bandwidth of 1.544 Mbps

Private dedicated circuit

No shared bandwidth

Higher cost per Mbps

Simple point-to-point topology

MPLS VPN

Flexible bandwidth (CIR + burst)

Shared infrastructure with traffic isolation

Supports any-to-any connectivity

Lower cost for multi-site

Advanced features like QoS and traffic engineering

Watch Out for These

Mistake

T1 and E1 are the same speed.

Correct

T1 is 1.544 Mbps (North America), E1 is 2.048 Mbps (Europe). They are not interchangeable.

Mistake

DSL speed is the same regardless of distance.

Correct

DSL speed decreases with distance from the central office. ADSL2+ has a maximum range of about 18,000 feet (5.5 km).

Mistake

MPLS is a Layer 2 technology.

Correct

MPLS operates between Layer 2 and Layer 3 (Layer 2.5). It uses labels to forward packets, regardless of the underlying Layer 2 protocol.

Mistake

PPP is the default encapsulation on Cisco serial interfaces.

Correct

HDLC is the default encapsulation on Cisco serial interfaces. PPP must be explicitly configured.

Mistake

Frame Relay uses IP addresses for virtual circuits.

Correct

Frame Relay uses DLCI (Data Link Connection Identifier) numbers to identify virtual circuits, not IP addresses.

Frequently Asked Questions

What is the difference between a T1 and an E1 line?

T1 (DS1) is a North American standard with a data rate of 1.544 Mbps, consisting of 24 DS0 channels (64 Kbps each). E1 is the European standard with a data rate of 2.048 Mbps, consisting of 32 DS0 channels. The extra bandwidth in E1 comes from the use of 32 time slots (30 for data, 2 for signaling and framing) versus T1's 24 time slots (23 for data, 1 for framing). For the exam, remember that T1 is 1.544 Mbps and E1 is 2.048 Mbps.

What is the maximum distance for DSL?

The maximum distance for ADSL (and ADSL2+) from the central office is approximately 18,000 feet (5.5 km). Beyond that, the signal degrades and the connection speed drops significantly. VDSL has a shorter range (about 4,000 feet for high speeds). For the exam, remember that DSL is distance-limited and you cannot get DSL service if you are too far from the CO.

How does MPLS differ from traditional IP routing?

MPLS adds a label (4 bytes) between the Layer 2 and Layer 3 headers. Instead of performing a routing lookup at every hop (as in IP routing), MPLS routers (LSRs) forward packets based on the label. This allows faster forwarding, traffic engineering, and support for multiple protocols (IPv4, IPv6, Ethernet). MPLS also enables VPNs (MPLS VPN) by using VRFs to isolate customer traffic. The exam tests that MPLS uses labels, not IP addresses, for forwarding decisions.

What is the default encapsulation on a Cisco serial interface?

The default encapsulation on Cisco serial interfaces is HDLC (High-Level Data Link Control). This is a Cisco-proprietary version of HDLC. To use PPP, you must explicitly configure the interface with the 'encapsulation ppp' command. PPP supports authentication (PAP, CHAP) and multilink (MLPPP), while HDLC does not. For the exam, remember that HDLC is the default, not PPP.

What ports does IPsec use?

IPsec uses UDP port 500 for IKE (Internet Key Exchange) and UDP port 4500 for NAT-T (NAT Traversal) when IPsec packets are encapsulated in UDP to pass through NAT devices. Additionally, IPsec ESP (Encapsulating Security Payload) uses IP protocol number 50, and AH (Authentication Header) uses IP protocol number 51. For the exam, remember UDP 500 and 4500.

What is the difference between CIR and EIR in Frame Relay?

CIR (Committed Information Rate) is the guaranteed minimum throughput that the carrier will provide for a virtual circuit. EIR (Excess Information Rate) is the maximum burstable rate above CIR that the carrier will attempt to deliver, but without guarantee. Traffic exceeding CIR but within EIR is marked as discard eligible (DE). If the network is congested, DE frames are dropped first. For the exam, remember that CIR is guaranteed, EIR is not.

What is the typical latency for satellite internet?

Geostationary (GEO) satellite internet has a round-trip latency of approximately 250 ms due to the distance (35,786 km). Low Earth Orbit (LEO) satellites (e.g., Starlink) have lower latency (20-40 ms). For the exam, expect the 250 ms figure for traditional satellite. This high latency makes satellite unsuitable for real-time applications like voice or gaming.
