Thursday, February 28, 2013

WAN design


Circuit switching - the circuit comes up for the duration of the connection. Phone and ISDN.
Leased lines - dedicated to you by the service provider. TDM, T1.
Packet and cell switching - Frame Relay and ATM.

Hub and spoke - every site connects to the HQ. However, if the router at HQ fails, all sites are affected.
Full mesh - expensive to maintain. Number of links is N(N-1)/2.
Partial mesh - flexible; mesh only where you want it.
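The three topologies above, as an added example (not part of the original notes): each topology is modelled as a set of links between constructed site names, so you can count the links (full mesh gives N(N-1)/2) and see which sites are cut off when the HQ router fails. Site names and the extra partial-mesh link are assumptions for the demo.

```python
"""Added example: compare the WAN topologies from the notes.

Each topology is an undirected set of links between sites.  link_count() gives
the number of circuits to pay for, isolated_sites() shows the single point of
failure in hub and spoke.  Site names are constructed for the example.
"""
from itertools import combinations


def full_mesh(sites):
    """Every site links directly to every other site: N(N-1)/2 links."""
    return {frozenset(pair) for pair in combinations(sites, 2)}


def hub_and_spoke(hub, spokes):
    """Every spoke links only to the hub (HQ): N-1 links."""
    return {frozenset((hub, s)) for s in spokes}


def partial_mesh(hub, spokes, extra_links):
    """Hub and spoke plus direct spoke-to-spoke links only where you want them."""
    return hub_and_spoke(hub, spokes) | {frozenset(pair) for pair in extra_links}


def link_count(links):
    return len(links)


def reachable(links, start, failed=()):
    """Sites reachable from `start` once the routers in `failed` are down."""
    failed = set(failed)
    if start in failed:
        return set()
    seen = {start}
    frontier = [start]
    while frontier:
        node = frontier.pop()
        for link in links:
            if node in link:
                (other,) = link - {node}  # each link is a 2-element set
                if other not in failed and other not in seen:
                    seen.add(other)
                    frontier.append(other)
    return seen


def isolated_sites(links, sites, failed):
    """Surviving sites that can no longer reach any other surviving site."""
    survivors = [s for s in sites if s not in failed]
    return {s for s in survivors if reachable(links, s, failed) == {s}}


SITES = ["HQ", "BranchA", "BranchB", "BranchC", "BranchD"]  # constructed names
SPOKES = SITES[1:]

if __name__ == "__main__":
    topologies = [
        ("hub and spoke", hub_and_spoke("HQ", SPOKES)),
        ("partial mesh", partial_mesh("HQ", SPOKES, [("BranchA", "BranchB")])),
        ("full mesh", full_mesh(SITES)),
    ]
    for name, links in topologies:
        print(f"{name:14s} links={link_count(links):2d} "
              f"isolated if HQ fails={sorted(isolated_sites(links, SITES, ['HQ']))}")
```

With five sites the full mesh needs ten circuits but survives any single router failure; hub and spoke needs four circuits but losing HQ strands every branch; the partial mesh keeps only the branches you paid an extra link for.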

VPN over public networks is limited to best effort, as you cannot control the traffic inside the ISP.

Access VPN for remote users - you can also connect to a NAC first, which will then set up the VPN.
The NAC is a public-facing device (portal) that you reach over HTTP and then type a username and password into.

Intranet VPN - site to site, using the public network or the WAN.

Extranet VPN - for business partners so they can access the DMZ.


Enterprise VPN is when you set it up yourself.
IPsec is one VPN type, usually from firewall to firewall.
It can use ESP to encrypt the data, or AH, which only encrypts the headers (not secure for data).
HMAC codes in it will protect from man-in-the-middle attacks and replay.
You can also use PKI certificates for an added layer.
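To show what the HMAC in IPsec actually buys you (integrity of each packet plus replay protection), here is an added example that is not from the notes or from any Cisco code: a simplified version of the ESP idea, where every packet carries a sequence number and an HMAC-SHA256 tag over the sequence number and payload, and the receiver rejects modified packets, duplicates, and packets that have fallen behind a sliding window. The key, window size and packet contents are constructed for the demo; a real implementation would also handle sequence-number wrap and negotiate the key with IKE.

```python
"""Added example: per-packet integrity check and anti-replay window.

Simplified model of what HMAC does inside IPsec ESP: the sender tags each packet
with an HMAC over (sequence number || payload); the receiver verifies the tag,
then enforces a sliding anti-replay window.  Key and packets are constructed.
"""
import hashlib
import hmac
import struct

WINDOW = 64  # anti-replay window, in sequence numbers (constructed value)
TAG_LEN = 32  # HMAC-SHA256 output length


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: prepend a 32-bit sequence number, append an HMAC-SHA256 tag."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver: verify the tag first, then apply the anti-replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0   # highest sequence number accepted so far
        self.seen = set()  # accepted sequence numbers still inside the window

    def open(self, packet: bytes):
        """Return (accepted, reason, payload_or_None)."""
        if len(packet) < 4 + TAG_LEN:
            return False, "truncated", None
        header, body, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad mac", None   # forged, or modified in transit
        seq = struct.unpack("!I", header)[0]
        if seq in self.seen:
            return False, "replay", None    # exact duplicate of an accepted packet
        if seq + WINDOW <= self.highest:
            return False, "too old", None   # behind the window: treated as replay
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            # forget entries that the window has now slid past
            self.seen = {s for s in self.seen if s + WINDOW > self.highest}
        return True, "ok", body


KEY = b"constructed-demo-key-not-for-production"


def demo():
    """Run a sequence of packets through one receiver; return the verdicts."""
    rx = Receiver(KEY)
    verdicts = []
    p1 = seal(KEY, 1, b"hello")
    verdicts.append(rx.open(p1)[1])                       # ok
    verdicts.append(rx.open(p1)[1])                       # replay of packet 1
    tampered = p1[:4] + b"jello" + p1[9:]                 # payload altered in flight
    verdicts.append(rx.open(tampered)[1])                 # bad mac
    verdicts.append(rx.open(seal(KEY, 3, b"third"))[1])   # ok, gaps are allowed
    verdicts.append(rx.open(seal(KEY, 2, b"late"))[1])    # ok, late but inside window
    verdicts.append(rx.open(seal(KEY, 200, b"far"))[1])   # ok, slides the window
    verdicts.append(rx.open(seal(KEY, 100, b"stale"))[1]) # too old: 100 + 64 <= 200
    return verdicts


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the MAC is verified before the sequence number is trusted, so an attacker without the key cannot move the window or poison the seen-set by injecting packets with arbitrary sequence numbers.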

Cisco Easy VPN - you set up a server, which is the head end. Then the remote configuration is easy;
                           the remote devices are ISRs.

GRE - encapsulates all protocols. Does not have any security;
           you must add an IPsec tunnel to it in order to have security.

DMVPN - dynamic VPN.
                   NHRP (Next Hop Resolution Protocol) points to the HQ.
                   mGRE (multipoint GRE) supports multipoint tunnels.
                   Supports IP multicast, routing, dynamic spokes, all with QoS.
Each remote site is connected using a GRE tunnel to the HQ.
For redundancy you will need two head ends.
DPD (dead peer detection) can be used to verify that the tunnel is alive (keepalive).


VTI (virtual tunnel interface)
Can run routing; does not need GRE or mGRE.

L2TPv3
Can carry Frame Relay, PPP and Ethernet.

Service provider VPN.
Can run Metro Ethernet.

VPLS is a VPN over MPLS.
It allows you to run Layer 2 from one location to the next.
Useful for storage redundancy, for example.

MPLS
Uses labels instead of routing and can run over a variety of media.
Uses VRFs.

Layer 3 MPLS - tight SLA and QoS.

VPNs are flexible and cost effective.

Dial backup - used with ISDN; the line dials when a floating route takes over.

Secondary WAN link - backup or load sharing.

Shadow PVC - used in Frame Relay.

An IPsec VPN backup tunnel can be used in case the ISP MAN fails.

Load balancing.
Can be per packet; usually only on 56 kbps links or below.
Per flow or per destination is better; also called fast switching.
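Why per-flow beats per-packet, as an added example that is not part of the original notes: two parallel links with unequal (constructed) delays carry the same packets either round-robin per packet or pinned to one link by hashing the flow's 5-tuple. Per-packet sharing lets later packets of a flow overtake earlier ones, so the far end counts packets arriving out of order; per-flow sharing keeps every flow in order because all of its packets take the same path. Addresses, ports and delays are assumptions for the demo.

```python
"""Added example: per-packet versus per-flow load sharing over two WAN links.

Packets leave one per millisecond.  Per-packet sharing alternates links and,
because the links have different delays, packets of one flow overtake each
other.  Per-flow sharing hashes the 5-tuple so a flow always uses one link.
Link delays, addresses and ports are constructed for the example.
"""
import hashlib

LINK_DELAY_MS = {"link0": 10, "link1": 25}   # constructed: two unequal paths
LINKS = sorted(LINK_DELAY_MS)
FLOW_FIELDS = ("src", "dst", "proto", "sport", "dport")


def make_flow(src, dst, proto, sport, dport, count):
    """Build `count` numbered packets belonging to one flow."""
    return [dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, seq=n)
            for n in range(count)]


# Send order: all of flow A, then all of flow B (constructed addresses).
PACKETS = (make_flow("10.0.0.1", "10.0.1.5", "tcp", 40000, 443, 8)
           + make_flow("10.0.0.2", "10.0.1.6", "udp", 5000, 5001, 8))


def flow_key(pkt):
    return tuple(pkt[f] for f in FLOW_FIELDS)


def per_packet(packets):
    """Per-packet sharing: consecutive packets alternate between links."""
    return [(pkt, LINKS[i % len(LINKS)]) for i, pkt in enumerate(packets)]


def per_flow(packets):
    """Per-flow sharing: hash the 5-tuple so every packet of a flow uses one link."""
    out = []
    for pkt in packets:
        digest = hashlib.sha256("|".join(map(str, flow_key(pkt))).encode()).digest()
        out.append((pkt, LINKS[digest[0] % len(LINKS)]))
    return out


def arrival_order(assignment, send_interval_ms=1):
    """Packet i leaves at i*interval and arrives after its link's delay."""
    arrivals = sorted(
        (i * send_interval_ms + LINK_DELAY_MS[link], i, pkt)
        for i, (pkt, link) in enumerate(assignment)
    )
    return [pkt for _, _, pkt in arrivals]


def reordered_count(arrived):
    """Count packets that arrive after a higher-numbered packet of their own flow."""
    highest = {}
    reordered = 0
    for pkt in arrived:
        key = flow_key(pkt)
        if pkt["seq"] < highest.get(key, -1):
            reordered += 1
        highest[key] = max(highest.get(key, -1), pkt["seq"])
    return reordered


def compare(packets=PACKETS):
    """Return reordered-packet counts for both sharing methods on the same traffic."""
    return {name: reordered_count(arrival_order(fn(packets)))
            for name, fn in (("per_packet", per_packet), ("per_flow", per_flow))}


if __name__ == "__main__":
    print(compare())
```

Note that per-flow hashing may land both flows on the same link, so it shares load less evenly than per-packet; the trade-off the notes point at is that it never reorders a flow, which is what TCP and real-time traffic care about.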

Decision influences:
High availability - backup power, backup devices, backup WAN.
Growth.
Expenses.
Complexity - Metro is easier.
Cost to implement.
Network segmentation to separate traffic.
Voice and video QoS.

Private WAN - Frame Relay and ATM. You own or lease the circuit.
ISP WAN - basically the internet.
SP MPLS/IP VPN - they are good.
Private WAN with MPLS - jeez, hiring some CCIEs to maintain it is expensive.

Considerations:
Port density
Port type
Modular
Throughput
Redundancy / supervisor or power
Future growth

Software
Bandwidth
Security

ISRs can do WAN, video, voice, security.
800 ISR - remote user
1800 ISR - branch
7200 - 10000 - medium routing
7600 - high-end routing
12000 CSR - service provider grade
29xx, 35xx, 37xx - access switches
45xx - chassis
65xx - high-end chassis

Router - WAN
Switch - LAN
Security appliance - at the branch
AP - wireless for mobility
CUCM - for voice
IP phones and desktops

Small office - 50 users - 1 tier
Medium office - 50-100 users - 2 tier
Large - 100+ users - 3 tier

ISR G2 is better

Small branch - can use an ISR with ports, or one switch.

Medium branch - redundant routers.
Switches with stacking.

Large branch -
Dual links
Dual routers
Dual ASAs
Dual switches with stacking

ISR 800 for the teleworker.




