The options available to you will necessarily be limited by your specific needs and requirements, the cost for transport, and what is available for service delivery at any particular location.
A true private WAN infrastructure contains resources that are dedicated to a single customer. This contrasts with a public WAN, such as the general Internet, where all services are delivered on a best-effort basis with no individually-dedicated resources.
WAN technologies can be divided into three general categories, based on which layer of the Open Systems Interconnection (OSI) model the service is accessible from: Layer 1, 2 or 3. Within each of those general categories, you can subcategorise based on the actual type of service delivered, with some services overlapping among multiple categories. Layer 1 services include leased lines, dark fibre, and optical wavelength services. Layer 2 includes different types of Ethernet connectivity, such as point-to-point (P2P) and point-to-multipoint (P2MP). Layer 3 includes MPLS L3VPN and IPsec VPN. Finally, SD WAN, while considered a Layer 3 service, is a newer method of using any of the previously-mentioned service types simultaneously.
Layer 1: Leased Lines
For many years, leased lines were the only technology available to build a private WAN infrastructure. Leased lines are typically associated with older serial-based technologies like E1 and E3. They are dedicated to individual customers, so the full bandwidth of the circuit is always available end-to-end, and they are typically delivered over twisted-pair or coaxial copper cables, though fibre options are also available. Leased lines have fallen out of favour over the years in preference to newer technologies, and service providers are beginning to phase them out due to the cost of maintaining the infrastructure.
Layer 1: Dark Fibre
When it comes to building a private WAN infrastructure, dark fibre represents one of the most expensive, but fastest and most flexible options available. When you lease dark fibre from a carrier, you are responsible for terminating each end with your own transponder equipment. This can represent a major cost to use the service, along with requiring knowledgeable staff to maintain the link and equipment. With dark fibre, you can use technologies like Dense Wavelength Division Multiplexing (DWDM) to create multiple separate channels across the fibre link. Depending on the terminating DWDM equipment, you can have over 100 channels (wavelengths), each running at 10 Gb/s up to 100 Gb/s or more. Dark fibre also allows you to use different framing across each wavelength, such as Fibre Channel or FICON for Storage Area Network (SAN) traffic.
Layer 1 / Layer 2: Optical Wavelength Service
When you purchase an optical wavelength service, you are leasing one or more channels on a fibre optic connection, as compared to dark fibre where you have access to the entire capacity of the fibre link. When delivered as a Layer 1 service, you have the advantages of dark fibre in that you can provide your own framing, so you can run multiple types of traffic over the connection. When delivered as a Layer 2 service, the carrier becomes involved in the framing and normally provides an Ethernet-based handoff. This has the advantage of requiring less equipment at your location, and it shifts more of the operational responsibility for maintaining the connection to the carrier.
Layer 2: Ethernet P2P
Ethernet point-to-point is in itself a very broad category. Technically, the three previously-described Layer 1 services can be (and typically are) provisioned as Ethernet point-to-point circuits. The difference is that the Layer 1 services all have resources dedicated entirely to the customer: the bandwidth of the individual wavelength or of the entire circuit belongs to that customer alone. Most Ethernet P2P services, by contrast, are delivered over shared technologies like Multi-Protocol Label Switching (MPLS) using a concept called pseudowires. Ethernet P2P is sometimes referred to as “E-LINE”. Depending on the technology used to deliver the service, it can also be referred to as Metro Ethernet (MetroE) or Carrier Ethernet.
A pseudowire is an MPLS configuration that establishes a Label-Switched Path (LSP) through the carrier network from one endpoint to another. While the service may be backed by a Service-Level Agreement (SLA) and a guaranteed amount of available bandwidth, the service itself is shared between multiple customers across the carrier backbone. It is still considered private, though, because the traffic remains inside the carrier’s network (or within a few carriers when inter-carrier agreements are in place) and is logically separated from other customers by the carrier’s configuration rather than by encryption.
There are other types of Ethernet P2P services available as well. For locations where it is difficult to run a physical copper or fibre connection, a wireless “line of sight” connection may also be available. These types of connections normally rely on directional wireless antennas, such as a parabolic dish, and an unobstructed view from the location to a central tower. Wireless line of sight connections can have a range of up to several miles between the location and the centralised tower.
Layer 2: Ethernet P2MP
With an Ethernet point-to-multipoint service, which is available in both multipoint-to-multipoint (“E-LAN”) and rooted multipoint (“E-TREE”) varieties, the carrier essentially acts as a large virtual switch for the customer. That is, an Ethernet frame enters the carrier network from one location and is then forwarded to one or more other customer sites through the carrier, as appropriate. These services are delivered through the provider’s core network through different technologies, both switched and routed. For example, a carrier could deliver the service entirely at Layer 2 using Provider Backbone Bridging (PBB) or 802.1ad (also known as “QinQ”) where two VLAN tags are used to provide customer separation through the carrier network.
More commonly, Ethernet P2MP services are delivered as an MPLS L2VPN service known as Virtual Private LAN Service (VPLS). VPLS is essentially a collection of point-to-point MPLS pseudowires with extra intelligence to support forwarding frames to multiple destinations simultaneously, which makes the carrier’s network appear to the customer as a virtual switch. Behind the scenes, traditional LSPs are established across the carrier between the customer sites, and MAC learning is used to keep track of which devices are located at which sites. One of the tradeoffs with this type of service is that most carriers will limit the number of devices (or MAC addresses) that can be directly attached to the service for each location. This is to prevent the customer from overwhelming the shared resources of the carrier network.
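To make the "carrier as a virtual switch" model concrete, here is an added example (not code from the original article or from any carrier platform) that simulates a VPLS instance: frames arrive on per-site attachment circuits, source MACs are learned per site, known destinations are forwarded to one site and unknown ones are flooded, and a per-site MAC limit is enforced. The limit value and the site names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed, simplified model of a carrier VPLS instance. Each customer site
# is an attachment circuit; the carrier "virtual switch" learns source MACs per
# site and forwards known unicast to one site or floods unknown destinations.
MAC_LIMIT_PER_SITE = 2  # assumed carrier policy; real limits are per contract


@dataclass
class VplsInstance:
    sites: set
    mac_table: dict = field(default_factory=dict)            # mac -> site
    macs_per_site: dict = field(default_factory=lambda: defaultdict(set))
    dropped: int = 0                                         # over-limit frames

    def learn(self, src_mac, site):
        """Learn src_mac behind `site`, honouring the per-site MAC limit."""
        known = self.mac_table.get(src_mac)
        if known == site:
            return True
        if len(self.macs_per_site[site]) >= MAC_LIMIT_PER_SITE:
            return False                      # limit reached: do not learn
        if known is not None:                 # MAC moved to another site
            self.macs_per_site[known].discard(src_mac)
        self.mac_table[src_mac] = site
        self.macs_per_site[site].add(src_mac)
        return True

    def forward(self, src_mac, dst_mac, ingress_site):
        """Return the set of egress sites for a frame; empty if it is dropped
        or the destination is local to the ingress site."""
        if ingress_site not in self.sites:
            raise ValueError(f"unknown attachment circuit {ingress_site}")
        if not self.learn(src_mac, ingress_site):
            self.dropped += 1
            return set()                      # over-limit source is discarded
        if dst_mac in self.mac_table:
            return {self.mac_table[dst_mac]} - {ingress_site}
        return self.sites - {ingress_site}    # unknown unicast: flood
```

Once a site has reached its limit, every frame from an additional MAC at that site is counted in `dropped`, which is the behaviour customers notice when they attach more devices than the service allows.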
Layer 3: MPLS L3VPN
MPLS Layer 3 VPN service is extremely common. For several years prior to the introduction of SD WAN, MPLS L3VPN was probably the most popular method of private WAN infrastructure. With MPLS L3VPN, the carrier provides a routed service where all of your locations on the WAN can communicate directly with each other in an “any-to-any” fashion, though other topologies like hub-and-spoke and inter-customer extranets are also available.
With a Layer 2 VPN service, you maintain control of your Layer 3 routing topology, which may require a higher level of staff knowledge, depending on the configuration. When an MPLS Layer 3 VPN service is used, you peer your customer edge router directly with the carrier, who then handles the details of routing between all of your locations. This relieves the customer organisation of the need for more advanced routing expertise, again depending on the configuration. MPLS L3VPN services can be very basic, or they can be advanced depending on what sorts of extra services the carrier may provide, such as the ability to perform multicast routing and path selection based on multi-homing.
Layer 3: IPsec VPN
IPsec is in itself a method of encrypting IPv4 and IPv6 traffic, but it can also be used to build a private WAN infrastructure. With IPsec, you have the option of using both traditional private circuits as well as public connections like the general Internet to build your WAN. One of the advantages of planning a private WAN infrastructure using IPsec is that you can maintain a consistent pattern of routing and IP address allocation, since your traffic is ultimately sent through the established IPsec tunnels across the underlying infrastructure.
Most carrier-provided circuits have some level of resource sharing involved, especially with technologies based on MPLS. While you are guaranteed privacy across the network, this privacy ultimately comes down to carrier configuration, using concepts somewhat like the way a VLAN tag keeps different networks separate on a traditional LAN. Configurations are susceptible to mistakes, which could accidentally cause multiple customers’ information to be leaked to each other. Granted, with operational experience, this is an unlikely scenario. However, for very high-security environments where privacy must be absolutely guaranteed, establishing an IPsec VPN over private circuits is a common practice. This way, even if the carrier accidentally misconfigures something, you still have ultimate control over the privacy of your organisation’s data. IPsec or other encryption technologies are required as part of using public shared resources to build your WAN, such as with the Internet.
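The separation described above, shown as an added example that is not part of the original article: a simplified model of how an MPLS L3VPN provider edge keeps customers apart using route targets (the import/export tags attached to VPN routes), with a deliberately misconfigured import beside the correct one and a check that flags the overlap. The customer names, route targets and prefixes are constructed; the check assumes no intentional extranet between the two customers.

```python
from dataclasses import dataclass, field

# Constructed, simplified model of MPLS L3VPN route distribution. A provider
# edge keeps one VRF per customer; each VRF exports its routes tagged with its
# export route targets (RTs) and imports every route carrying one of its
# import RTs. Separation therefore rests entirely on the RT configuration.


@dataclass
class Vrf:
    customer: str
    import_rts: set
    export_rts: set
    routes: set = field(default_factory=set)   # prefixes originated locally


def build_routing_tables(vrfs):
    """Return {customer: set of prefixes} after RT-based import/export."""
    exported = []                               # (rt, prefix, origin customer)
    for v in vrfs:
        for rt in v.export_rts:
            exported.extend((rt, p, v.customer) for p in v.routes)
    tables = {}
    for v in vrfs:
        tables[v.customer] = set(v.routes)
        for rt, prefix, _origin in exported:
            if rt in v.import_rts:
                tables[v.customer].add(prefix)
    return tables


def find_leaks(vrfs):
    """Flag VRFs that import an RT exported by a different customer's VRF.
    An intentional extranet would be whitelisted; this check assumes none."""
    leaks = []
    for v in vrfs:
        for other in vrfs:
            overlap = v.import_rts & other.export_rts
            if other.customer != v.customer and overlap:
                leaks.append((v.customer, other.customer, overlap))
    return leaks


def scenario(misconfigured):
    """Two customers on one PE. With `misconfigured`, a typo in customer B's
    import RT (65000:100 instead of 65000:200) pulls customer A's routes in."""
    a = Vrf("A", {"65000:100"}, {"65000:100"}, {"10.1.0.0/24"})
    b_import = {"65000:100"} if misconfigured else {"65000:200"}
    b = Vrf("B", b_import, {"65000:200"}, {"10.2.0.0/24"})
    return build_routing_tables([a, b]), find_leaks([a, b])
```

In the misconfigured case customer B's table contains customer A's prefix, which is exactly the kind of leak that an IPsec overlay renders harmless, since the leaked packets would carry only ciphertext.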
Layer 3: SD WAN
Currently, SD WAN is strictly a Layer 3 service. In some ways, SD WAN is an extension of the IPsec VPN model in that most SD WAN platforms automate the establishment of encrypted tunnels over multiple transports, most typically using some variation of IPsec. SD WAN is somewhat transport agnostic in that it can use any Layer 3 service to carry data between the WAN endpoints. SD WAN appliances can use the aforementioned Layer 3 services directly, as long as they are presented with an Ethernet handoff. Likewise, any of the Layer 1 and Layer 2 services can also be used, as long as there is some other terminating equipment in front of the SD WAN appliance that can provide an Ethernet connection. For instance, a private serial E1 WAN circuit can be used with SD WAN as long as a router is sitting in front to convert from serial to Ethernet.
SD WAN as a technology makes sense to build a private WAN, whether you are using private or public circuits, because in addition to maintaining a consistent IP address allocation scheme across your WAN, you can also apply consistent traffic policies using the orchestration engine of the SD WAN platform. Private circuits are almost always more performant than public connections, if not from a bandwidth perspective then nearly always from a latency perspective.
SD WAN appliances are able to simultaneously use multiple circuits to reliably deliver your traffic across your WAN using policies that you define. For example, a common policy is to always use the link that has the least latency, regardless of bandwidth utilisation, for Voice over IP (VoIP) traffic. If your SD WAN appliance is connected to both a Direct Internet Access (DIA) circuit as well as an MPLS L3VPN service, VoIP traffic may be sent over the DIA link instead of the MPLS circuit if the SD WAN appliance determines it has better latency across the entire path at that particular time. Likewise, if conditions change, SD WAN should be able to detect this and steer the traffic across the other link, as appropriate.
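The VoIP policy just described, as an added example (not code from the original article or from any SD WAN vendor): a path selector that averages a sliding window of per-link probe results, excludes links whose loss makes them unusable for voice, picks the lowest-latency survivor regardless of bandwidth utilisation, and only steers away from the active link when the improvement clears a margin, so that small fluctuations do not cause flapping. The loss threshold, switch margin, window size and the DIA/MPLS link names are assumptions.

```python
from statistics import mean

# Constructed probe model: each transport is measured periodically and reports
# latency in milliseconds and a loss ratio. Real SD WAN controllers differ in
# their probing and hysteresis; the constants below are assumptions.
LOSS_THRESHOLD = 0.02     # links above 2% loss are unusable for VoIP (assumed)
SWITCH_MARGIN_MS = 5.0    # steer only if the new link is 5 ms better (assumed)
WINDOW = 3                # probes averaged before a decision (assumed)


class VoipPathSelector:
    def __init__(self, links):
        self.history = {name: [] for name in links}   # link -> recent samples
        self.active = None                             # link VoIP currently uses

    def observe(self, link, latency_ms, loss):
        """Record one probe result and keep only the last WINDOW samples."""
        buf = self.history[link]
        buf.append((latency_ms, loss))
        del buf[:-WINDOW]

    def candidates(self):
        """Return {link: mean latency} for links with enough samples and
        acceptable loss."""
        usable = {}
        for link, samples in self.history.items():
            if len(samples) < WINDOW:
                continue
            if mean(s[1] for s in samples) <= LOSS_THRESHOLD:
                usable[link] = mean(s[0] for s in samples)
        return usable

    def select(self):
        """Return the link VoIP should use now: least latency wins, regardless
        of bandwidth utilisation, and a change needs a clear margin."""
        usable = self.candidates()
        if not usable:
            return self.active           # nothing measurable: keep current link
        best = min(usable, key=usable.get)
        if (self.active in usable
                and usable[self.active] - usable[best] < SWITCH_MARGIN_MS):
            return self.active           # improvement too small to justify steering
        self.active = best               # steer: conditions changed enough
        return best
```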
Which option is right for your organisation?
Like most technology decisions, the correct option depends on what you require, how much you can spend, and what is actually available. Some options are a perfect fit for a particular location, but are not available in the area. Other options might be available, but are too expensive. Layer 1 services allow you the most control over your own traffic, such as Quality of Service (QoS) and prioritisation, though certain Layer 2 and Layer 3 services may also deliver such features.
Services delivered over fibre optics typically have the highest bandwidth and lowest latency, especially dark fibre and optical wavelength services. MPLS-based connections offer potentially less bandwidth and higher latency than direct fibre, but are still usually more performant for a private WAN architecture compared to using the public Internet for your WAN.
Finally, you may realise that not every location connected to your WAN has high requirements for large bandwidth or very low latency: using IPsec VPNs and SD WAN may be all that you need, and you will save money by using those options.
*Flexibility is defined as having the ability to customise the service, such as running different protocols, different transport rates, or different topologies.