Answer these questions before studying the material to establish your baseline understanding.
1. An enterprise needs centralized security inspection for all inter-branch traffic while using MPLS L3VPN. Which topology best supports this requirement?
Any-to-any with distributed firewalls
Hub-and-spoke with the hub as the inspection point
Full mesh with route reflectors
Point-to-point VPWS between all sites
2. A company needs to transport non-IP protocols (e.g., legacy SNA) between two data centers across an MPLS backbone. Which VPN type is most appropriate?
L3VPN with VRF-Lite
GRE over IPsec
L2VPN (VPWS or VPLS)
SD-WAN overlay
3. What is the primary advantage of DMVPN Phase 3 over Phase 2?
Phase 3 supports IPsec encryption while Phase 2 does not
Phase 3 allows the hub to summarize routes while still enabling spoke-to-spoke tunnels
Phase 3 eliminates the need for NHRP registration
Phase 3 uses static routing instead of dynamic routing protocols
4. In a hybrid WAN design, what is the primary design principle for assigning traffic to transport types?
All traffic should use MPLS for reliability
Match transport cost to application criticality and value
Route all traffic over the cheapest available link
Use round-robin load balancing across all transports
5. Which WAN optimization technique adds redundant data to a flow so receivers can reconstruct lost packets without retransmission?
TCP window scaling
Data deduplication
Forward Error Correction (FEC)
Application-layer caching
6. A branch office user in Tokyo accesses Microsoft 365 but experiences high latency because traffic is backhauled to a London data center first. Which branch architecture pattern would best resolve this?
Centralized internet access with higher MPLS bandwidth
Hybrid breakout or full local breakout with SD-WAN
Adding a WAN optimization appliance at the Tokyo branch
Deploying a second MPLS circuit to a closer data center
7. What is the key advantage of cloud-delivered security (SASE) over deploying NGFWs at every branch?
SASE provides faster packet inspection than hardware firewalls
SASE eliminates per-branch security hardware, enabling consistent policy at scale with lower operational overhead
SASE does not require internet connectivity at branches
SASE replaces the need for encryption on WAN links
8. In Cisco SD-WAN architecture, which component distributes routing information and policies to WAN edge devices?
vManage
vBond
vSmart
WAN Edge router
9. SD-WAN Application-Aware Routing (AAR) differs from traditional routing primarily because it selects paths based on:
Destination prefix and administrative distance only
Static cost metrics assigned during configuration
Real-time application SLA requirements including loss, latency, and jitter
The number of hops to the destination
10. Two branch circuits from different carriers share the same physical conduit into the building. A construction accident severs the conduit. What happens?
Only one circuit fails because different carriers use different fiber strands
Both circuits fail simultaneously because they share the same physical path
The carrier with the higher SLA will maintain connectivity
Traffic automatically reroutes through the carrier's backup conduit
11. An organization is migrating branches from DMVPN to SD-WAN but cannot upgrade all sites at once. Which integration approach maintains connectivity during transition?
Disable DMVPN on all branches before deploying SD-WAN
Run DMVPN tunnels between legacy branches and an SD-WAN hub site acting as a gateway
Deploy a separate parallel network for SD-WAN branches with no interconnection
Convert all DMVPN tunnels to static IPsec first, then migrate to SD-WAN
12. Which MPLS L2VPN service type provides multipoint-to-multipoint Layer 2 connectivity, effectively emulating an Ethernet LAN?
VPWS (Virtual Private Wire Service)
VPLS (Virtual Private LAN Service)
L3VPN with route targets
GRE tunneling over MPLS
13. An enterprise wants to reduce MPLS costs by 50% while maintaining application performance. Which strategy combination is most effective?
Double MPLS bandwidth and eliminate internet links
Right-size MPLS for critical apps, shift internet traffic to local breakout, and use SD-WAN for intelligent path selection
Replace all MPLS circuits with LTE/5G connections
Implement WAN optimization on MPLS circuits without changing the transport architecture
The enterprise WAN binds branch offices, data centers, cloud environments, and remote workers into a single operational network. Choosing the right transport -- or combination of transports -- affects application performance, operational cost, security posture, and cloud adoption capability.
1.1 MPLS L3VPN Design Considerations
MPLS assigns labels to packets at the network edge and forwards them along predetermined Label Switched Paths (LSPs), providing fast, deterministic forwarding with built-in QoS.
L3VPN Topology Options
| Topology | Traffic Flow | Scalability | Best For |
|---|---|---|---|
| Hub-and-Spoke | All inter-spoke traffic transits the hub | Moderate (centralized control) | Centralized policy enforcement, legacy migrations |
| Any-to-Any (Full Mesh) | Direct communication between all sites | High (up to ~500 remote sites) | Distributed applications, real-time collaboration |
In hub-and-spoke, spoke routers use unique Route Distinguishers (RDs) and export routes to the hub. Inter-spoke traffic must transit the hub, which matches a centralized security model: a single inspection point sees every inter-branch flow. In any-to-any, every site communicates directly, reducing latency for distributed applications and collaboration tools, but any inspection must then be distributed to the sites.
flowchart LR
subgraph HubSpoke["Hub-and-Spoke L3VPN"]
Hub["Hub Site\n(Central Policy)"]
S1["Spoke A"]
S2["Spoke B"]
S3["Spoke C"]
S1 -->|"via MPLS"| Hub
S2 -->|"via MPLS"| Hub
S3 -->|"via MPLS"| Hub
end
subgraph AnyToAny["Any-to-Any L3VPN"]
SiteA["Site A"]
SiteB["Site B"]
SiteC["Site C"]
SiteA <-->|"direct"| SiteB
SiteB <-->|"direct"| SiteC
SiteA <-->|"direct"| SiteC
end
1.2 MPLS L2VPN Design Considerations
Layer 2 VPNs extend Ethernet connectivity across the provider backbone using Pseudowire (PW) technology.
- VPWS (Virtual Private Wire Service): Point-to-point L2 connectivity -- the virtual equivalent of a leased line. Ideal for connecting pairs of data centers.
- VPLS (Virtual Private LAN Service): Multipoint-to-multipoint L2 connectivity, emulating an Ethernet LAN across geographically distributed sites. Transports anything in Ethernet frames -- IPv4, IPv6, or non-IP protocols.
| Factor | L2VPN | L3VPN |
|---|---|---|
| Routing interaction with SP | None -- SP carries L2 frames only | Full -- SP participates in IP routing |
| Protocol flexibility | Any L3 protocol | IP only |
| Routing control | Customer retains full control | Shared with SP via VRF/RD/RT |
| Scalability | Lower (VPLS flooding/learning) | Higher (IP routing scales better) |
| Typical use case | Data center interconnect, non-IP protocols | Branch WAN connectivity |
flowchart LR
subgraph VPWS["VPWS -- Point-to-Point"]
DC1["Data Center 1"] <-->|"Pseudowire\n(Virtual Leased Line)"| DC2["Data Center 2"]
end
subgraph VPLS["VPLS -- Multipoint"]
SiteX["Site X"] <-->|"Emulated LAN"| SiteY["Site Y"]
SiteY <-->|"Emulated LAN"| SiteZ["Site Z"]
SiteX <-->|"Emulated LAN"| SiteZ
end
1.3 Internet-Based WAN: IPsec and DMVPN
IPsec VPN creates static, point-to-point encrypted tunnels. Simple for small deployments (5-10 sites), but configuration grows quadratically with the site count (n(n-1)/2 tunnels) -- 50 sites in full mesh would require 1,225 tunnel configurations.
DMVPN solves this by combining three technologies:
- mGRE: A single tunnel interface supporting multiple destinations
- NHRP: Client-server protocol for dynamic tunnel endpoint discovery
- IPsec encryption: Applied via crypto profiles rather than per-tunnel crypto maps
| Phase | Spoke Interface | Spoke-to-Spoke | Hub Routing | Scale |
|---|---|---|---|---|
| Phase 1 | Point-to-point GRE | Not supported (all via hub) | Specific routes | Small |
| Phase 2 | mGRE | Direct tunnels via NHRP | Specific routes (no summarization) | Medium |
| Phase 3 | mGRE | Direct tunnels via NHRP redirect/shortcut | Summarized routes supported | Large |
flowchart LR
SpokeA["Spoke A"] -->|"1. Traffic to Spoke B\nvia hub"| Hub["Hub Router\n(NHRP Server)"]
Hub -->|"2. Forwards traffic\nto Spoke B"| SpokeB["Spoke B"]
Hub -.->|"3. NHRP Redirect\nto Spoke A"| SpokeA
SpokeA ==>|"4. Direct Shortcut\nTunnel Built"| SpokeB
1.4 Hybrid WAN with Dual Transport
Most modern enterprises deploy a hybrid WAN combining MPLS with internet-based transports. Each branch gets dual connectivity: MPLS for business-critical traffic (ERP, VoIP) and internet for commodity traffic (web browsing, SaaS, updates).
Design Principles:
- Match transport to application criticality
- Ensure failover paths exist for every application class
- Centralize policy definition and push to edge devices
- Monitor both transports continuously for real-time rerouting
1.5 WAN Optimization and Application Acceleration
| Technique | How It Works | Best For |
|---|---|---|
| TCP Optimization | Window scaling, selective ACK, local ACK spoofing | High-latency links, chatty protocols |
| Data Deduplication | Replaces repeated data blocks with fingerprint references | File transfers, backup replication |
| Caching | Stores frequently accessed content locally | Shared documents, software distribution |
| FEC | Adds redundant data so receivers reconstruct lost packets | Lossy links, real-time traffic |
| Compression | Reduces data volume algorithmically | Text-heavy protocols, database replication |
2.1 Branch Architecture Models
Branch architectures range from fully centralized to fully distributed. The right model depends on security requirements, application portfolio, regulatory constraints, and operational maturity.
Pattern 1: Centralized Internet Access (Legacy) -- All traffic backhauled to the data center via MPLS. Simplest security posture but severe cloud application performance penalties.
Pattern 2: Hybrid Breakout -- Internal traffic via MPLS to data center; cloud/internet traffic breaks out locally with local NGFW or cloud security service.
Pattern 3: Full Local Breakout with SD-WAN -- All traffic exits locally with SD-WAN path selection. Cloud security (SASE) enforces policy. Maximizes cloud performance, minimizes WAN costs.
Pattern 4: Direct Cloud Connect -- Branches connect directly to cloud providers via AWS Direct Connect, Azure ExpressRoute, or Google Cloud Interconnect.
graph TD
subgraph Centralized["Pattern 1: Centralized"]
B1["Branch"] -->|"All Traffic\nvia MPLS"| DC1["Data Center"] --> FW1["Firewall/Proxy"] --> INT1["Internet"]
end
subgraph Hybrid["Pattern 2: Hybrid Breakout"]
B2["Branch"] -->|"Internal\nTraffic"| DC2["Data Center"]
B2 -->|"Cloud/Web\nLocal Breakout"| SEC2["Local NGFW\nor Cloud Security"] --> INT2["Internet/SaaS"]
end
subgraph FullLocal["Pattern 3: Full Local Breakout"]
B3["Branch\n(SD-WAN)"] -->|"All Traffic"| SASE["Cloud Security\n(SASE)"]
SASE --> CLOUD3["SaaS/Internet"]
B3 -.->|"Compliance\nTraffic Only"| MPLS3["MPLS to DC"]
end
| Factor | Centralized | Hybrid Breakout | Full Local Breakout | Direct Cloud |
|---|---|---|---|---|
| Cloud app performance | Poor | Good | Excellent | Excellent (IaaS/PaaS) |
| Security complexity | Low | Medium | Medium-High | Medium |
| WAN bandwidth cost | High | Medium | Low | Medium |
| Operational overhead | Low | Medium | Higher | Higher |
| Regulatory compliance | Easiest | Moderate | Requires cloud security | Depends on provider |
2.2 Local Internet Breakout and Direct Cloud Access
Local Internet Breakout (LIB) routes internet-destined traffic directly to a local ISP rather than backhauling through the data center. Benefits include:
- Reduced latency: Shortest path to cloud provider's nearest PoP
- Cost reduction: Up to 50% MPLS cost reduction by offloading internet traffic
- Bandwidth optimization: Frees MPLS capacity for business-critical apps
- Improved user experience: SaaS apps perform dramatically better with direct access
Direct Cloud Access (DCA) extends LIB specifically for cloud application traffic, using SD-WAN policies to steer cloud-destined flows via dedicated interconnects when available.
2.3 Branch Security Design
Local internet breakout makes every branch an internet-exposed attack surface, because traffic no longer passes through the data center's inspection stack. Two approaches address this:
Traditional: Branch NGFW -- Deploy next-generation firewalls at every branch. Provides local inspection but creates significant operational overhead across hundreds of devices.
Modern: Cloud-Delivered Security (SASE) -- Route branch internet traffic through cloud security providing FWaaS, SWG, CASB, DLP, threat prevention, and TLS inspection at scale. Adding a new branch requires no security hardware -- only a policy update.
graph TD
MGR["Central Policy\nConsole"] -.->|"Policy Push"| SASE_CLOUD
subgraph SASE_CLOUD["Cloud Security - SASE"]
FWaaS["FWaaS"]
SWG["Secure Web\nGateway"]
CASB["CASB"]
DLP["DLP"]
TLS["TLS\nInspection"]
end
BR1["Branch A"] -->|"Internet Traffic"| SASE_CLOUD
BR2["Branch B"] -->|"Internet Traffic"| SASE_CLOUD
BR3["Branch C"] -->|"Internet Traffic"| SASE_CLOUD
SASE_CLOUD --> INET["Internet / SaaS"]
2.4 SD-WAN Branch Design Patterns
SD-WAN separates control, data, management, and orchestration planes for centralized policy with distributed forwarding.
- vManage: Single-pane management for configuration, monitoring, troubleshooting
- vSmart: Distributes routing information and policies to WAN edge devices
- vBond: Authenticates/authorizes SD-WAN components, distributes controller info
- WAN Edge: Handles actual packet forwarding based on policies from controllers
Application-Aware Routing (AAR)
AAR continuously monitors every transport link -- measuring loss, latency, and jitter -- and steers traffic to the path meeting its SLA requirements. The three-stage process:
- Identification: Define the application and map to an SLA class
- Monitoring: Probe each path using BFD for real-time loss, latency, and jitter
- Enforcement: When a path violates SLA thresholds, automatically reroute to a compliant path
flowchart LR
APP["Application\nTraffic"] --> ID["1. Identify App\n& SLA Class"]
ID --> MON["2. Monitor Paths\nvia BFD Probes"]
MON --> MPLS_PATH["MPLS Path\nLoss: 0% Lat: 30ms"]
MON --> INET_PATH["Internet Path\nLoss: 2% Lat: 55ms"]
MON --> LTE_PATH["LTE Path\nLoss: 1% Lat: 45ms"]
MPLS_PATH --> DECIDE["3. Enforce SLA\nPolicy Match"]
INET_PATH --> DECIDE
LTE_PATH --> DECIDE
DECIDE -->|"Best path\nselected"| DEST["Destination"]
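The three AAR stages above, as an added example that is not Cisco's code: identification maps an application to an SLA class, monitoring reduces a window of BFD probe samples to per-path loss/latency/jitter, and enforcement picks the first preferred transport that still meets the class thresholds. Path measurements are constructed from the figures in the diagram; the SLA thresholds, transport preference order and class names are assumed values.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass
class PathStats:
    """One transport's current BFD probe results."""
    name: str
    loss_pct: float
    latency_ms: float
    jitter_ms: float


@dataclass
class SlaClass:
    """Thresholds an application class may not exceed, plus transport preference."""
    name: str
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float
    preferred: tuple  # transports to use first, in order, while they comply


def summarize_probes(name, samples):
    """Stage 2 (monitoring): reduce a poll window of (loss_pct, latency_ms,
    jitter_ms) BFD samples for one transport to a single PathStats."""
    loss, lat, jit = zip(*samples)
    return PathStats(name, mean(loss), mean(lat), mean(jit))


def meets_sla(path, sla):
    return (path.loss_pct <= sla.max_loss_pct
            and path.latency_ms <= sla.max_latency_ms
            and path.jitter_ms <= sla.max_jitter_ms)


def select_path(paths, sla):
    """Stage 3 (enforcement): take the first preferred transport that meets the
    SLA; otherwise any compliant transport with the lowest loss; if nothing
    complies, keep the first preferred one rather than black-hole the traffic."""
    compliant = [p for p in paths if meets_sla(p, sla)]
    by_name = {p.name: p for p in compliant}
    for name in sla.preferred:
        if name in by_name:
            return name
    if compliant:
        return min(compliant, key=lambda p: (p.loss_pct, p.latency_ms)).name
    return sla.preferred[0]


# Stage 1 (identification): application -> SLA class (assumed thresholds).
VOICE = SlaClass("voice", 1.0, 150, 30, ("MPLS", "LTE", "Internet"))
BULK = SlaClass("bulk-data", 5.0, 300, 100, ("Internet", "LTE", "MPLS"))

# Constructed probe results matching the diagram: MPLS 0%/30ms, Internet 2%/55ms, LTE 1%/45ms.
HEALTHY = [PathStats("MPLS", 0.0, 30, 2), PathStats("Internet", 2.0, 55, 8),
           PathStats("LTE", 1.0, 45, 12)]
# Constructed degradation: MPLS now drops 3% of probes.
DEGRADED = [PathStats("MPLS", 3.0, 30, 2), PathStats("Internet", 2.0, 55, 8),
            PathStats("LTE", 1.0, 45, 12)]

if __name__ == "__main__":
    print(select_path(HEALTHY, VOICE))   # MPLS
    print(select_path(DEGRADED, VOICE))  # LTE: Internet's 2% loss also breaks the voice SLA
    print(select_path(HEALTHY, BULK))    # Internet
```

Note that when MPLS degrades, voice does not simply fail over to "the next link": the internet path is skipped because its 2% loss also violates the class, so only LTE is compliant.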
3.1 Bandwidth vs. Latency vs. Cost
These three variables form the "iron triangle" of WAN design. Improving one typically comes at the expense of the others.
| Transport | Bandwidth | Latency | Cost |
|---|---|---|---|
| MPLS 100 Mbps | Guaranteed | Low, predictable (< 50ms) | $$$$ |
| Broadband 500 Mbps | Best-effort, burstable | Variable (20-100ms) | $ |
| DIA 1 Gbps | Committed | Low (10-30ms) | $$$ |
| LTE/5G 100 Mbps | Variable, shared | Variable (20-80ms) | $$ |
Cost Optimization Strategies
- MPLS right-sizing: Reduce circuit bandwidth as internet traffic shifts to local breakout
- Transport tiering: Classify apps into Platinum/Gold/Silver/Bronze tiers matched to transports
- Dual-carrier broadband: Two lower-cost broadband links provide more bandwidth and better availability than one MPLS circuit at comparable cost
- Cellular augmentation: LTE/5G as tertiary transport for failover without a third wired circuit
3.2 WAN Path Selection and Traffic Engineering
Link bonding aggregates multiple physical links into a single logical pipe (e.g., via MPTCP). Individual flows can span both links. Link load balancing distributes traffic across links by policy, but each flow typically uses a single link.
Dynamic Path Selection evaluates current packet loss, latency, jitter, available bandwidth, and application SLA requirements to make forwarding decisions in real time -- often rerouting within seconds.
Forward Error Correction (FEC) on a broadband link with 2% packet loss can maintain performance equivalent to a loss-free MPLS path, at 10-20% bandwidth overhead.
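The FEC technique from the optimization table and the overhead/loss trade-off stated above, as an added example (not from the page or any vendor): a single-parity XOR block code. The sender appends one parity packet per k data packets, so the receiver can rebuild any one packet lost in the block without retransmission; overhead is 1/k, so k = 5..10 gives the 10-20% quoted. The packet contents are constructed sample data.

```python
from math import comb
from typing import List, Optional


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode_block(packets: List[bytes]) -> List[bytes]:
    """Sender side: append one parity packet that is the XOR of all k data
    packets. Packets in a block must be equal length (pad before calling)."""
    size = len(packets[0])
    if any(len(p) != size for p in packets):
        raise ValueError("pad packets to equal length before encoding")
    parity = bytes(size)
    for p in packets:
        parity = xor_bytes(parity, p)
    return packets + [parity]


def decode_block(received: List[Optional[bytes]]) -> Optional[List[bytes]]:
    """Receiver side: `received` holds the k data slots plus the parity slot,
    with None for any packet lost on the link. Returns the k data packets, or
    None when more than one packet was lost (single parity cannot repair that,
    so the receiver must fall back to retransmission)."""
    missing = [i for i, p in enumerate(received) if p is None]
    if len(missing) > 1:
        return None
    slots = list(received)
    if missing:
        size = len(next(p for p in slots if p is not None))
        rebuilt = bytes(size)
        for p in slots:
            if p is not None:
                rebuilt = xor_bytes(rebuilt, p)  # XOR of survivors = the lost packet
        slots[missing[0]] = rebuilt
    return slots[:-1]


def overhead_pct(k: int) -> float:
    """Bandwidth overhead of one parity packet per k data packets."""
    return 100.0 / k


def block_failure_prob(k: int, loss: float) -> float:
    """Probability a (k+1)-packet block loses 2 or more packets and so cannot be
    repaired, assuming independent packet loss at rate `loss`."""
    n = k + 1
    return 1.0 - (1 - loss) ** n - comb(n, 1) * loss * (1 - loss) ** (n - 1)


if __name__ == "__main__":
    data = [b"pkt0-aaaa", b"pkt1-bbbb", b"pkt2-cccc", b"pkt3-dddd", b"pkt4-eeee"]
    block = encode_block(data)
    block[2] = None  # simulate one packet lost in transit
    print(decode_block(block) == data)          # True: rebuilt from parity
    print(overhead_pct(5))                      # 20.0 % overhead
    print(round(block_failure_prob(5, 0.02), 4))  # ~0.0057 vs 2% raw loss
```

At 2% raw loss and k = 5, only about 0.57% of blocks exceed the code's repair capacity, which is why the text can describe a lossy broadband link as behaving close to a loss-free MPLS path at 20% overhead.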
3.3 Last-Mile Diversity and Carrier Redundancy
| Level | Description | Protects Against | Cost |
|---|---|---|---|
| Single carrier, single path | One circuit from one provider | Nothing | Baseline |
| Single carrier, dual path | Two circuits, different physical paths | Cable cuts, equipment failure | 1.5-2x |
| Dual carrier, shared conduit | Two providers, same conduit | Single circuit failure, provider outage | 2x |
| Dual carrier, diverse entry | Two providers, different conduits/directions | Cable cuts, conduit damage, provider outage | 2.5-3x |
| Dual carrier + cellular | Wired diversity plus LTE/5G backup | All wired failures including building entry damage | 2.5-3x |
The critical insight: two circuits from different carriers sharing the same physical conduit are not truly redundant. A single backhoe incident severs both. True diversity requires verifying the physical path from building demarcation to carrier PoP, not just the provider name on the contract. LTE/5G or LEO satellite (Starlink) provides genuinely diverse backup sharing no terrestrial infrastructure.
Now that you have studied the material, answer the same questions again to measure your improvement.