WAN Solutions for Different Scenarios

Depending on your network environment, different WAN solutions should be vetted. In this chapter you learned about analog and digital leased lines for point-to-point connections. Packet-switched networks followed, including Frame Relay and MPLS. Today, Metro Ethernet provides local LAN extensions at an affordable price, and SONET fiber backbones and long-haul fiber networks can provide organizations with high-speed bandwidth. Whatever the environment, choosing the best WAN solution requires careful analysis of cost versus performance.

FYI

Private IP addressing is used by enterprise, SMB, and small office/home office (SOHO) organizations. RFC 1918 reserves three address blocks for private use; a common (but not mandated) convention for assigning them is as follows:

  • SOHO > 192.168.0.0 /16 (65,536 addresses)
  • SMB > 172.16.0.0 /12 (1,048,576 addresses)
  • Enterprise > 10.0.0.0 /8 (16,777,216 addresses)

The following sections present use of private IP addressing for enterprise, SMB, and SOHO organizations.
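The following check is an added example, not from the textbook: it validates a hypothetical NAT inside-address plan against the three blocks RFC 1918 actually reserves (with their correct prefix lengths) and flags subnets that overlap, since overlapping private space at two sites breaks routing across site-to-site VPNs. The subnets in GOOD_PLAN are constructed for the example.

```python
# Added example, not from the textbook: check a NAT inside-address plan
# against the three blocks RFC 1918 actually reserves, and flag subnets that
# overlap (overlapping private space breaks site-to-site VPN/DMVPN routing).
from ipaddress import ip_address, ip_network
from itertools import combinations

# RFC 1918 blocks with their correct prefix lengths and address counts.
RFC1918_BLOCKS = {
    "10.0.0.0/8": ip_network("10.0.0.0/8"),          # 16,777,216 addresses
    "172.16.0.0/12": ip_network("172.16.0.0/12"),    # 1,048,576 addresses
    "192.168.0.0/16": ip_network("192.168.0.0/16"),  # 65,536 addresses
}


def rfc1918_block(addr):
    """Return the name of the RFC 1918 block containing addr, or None."""
    ip = ip_address(addr)
    for name, block in RFC1918_BLOCKS.items():
        if ip in block:
            return name
    return None


def check_plan(subnets):
    """Validate a list of subnet strings from a hypothetical address plan.

    Returns a list of problem descriptions; an empty list means every subnet
    lies inside an RFC 1918 block and no two subnets overlap.
    """
    problems = []
    # strict=False accepts host bits set (e.g. "192.168.0.0/8" -> 192.0.0.0/8),
    # which is exactly the kind of prefix-length mistake we want to surface.
    parsed = [ip_network(s, strict=False) for s in subnets]
    for net in parsed:
        if not any(net.subnet_of(block) for block in RFC1918_BLOCKS.values()):
            problems.append(f"{net} is not inside any RFC 1918 block")
    for a, b in combinations(parsed, 2):
        if a.overlaps(b):
            problems.append(f"{a} overlaps {b}")
    return problems


# Hypothetical plan in the textbook's spirit (constructed for this example):
# enterprise sites carved from 10.0.0.0/8, an SMB from 172.16.0.0/12, a SOHO
# office VLAN and guest VLAN from 192.168.0.0/16.
GOOD_PLAN = [
    "10.1.0.0/16",      # enterprise headquarters
    "10.2.0.0/16",      # enterprise sales office
    "172.20.0.0/16",    # SMB
    "192.168.10.0/24",  # SOHO office/work VLAN
    "192.168.20.0/24",  # SOHO guest/family VLAN
]

if __name__ == "__main__":
    print(rfc1918_block("172.31.255.255"))  # last address of 172.16.0.0/12
    print(rfc1918_block("172.32.0.1"))      # None: just outside the /12
    print(check_plan(GOOD_PLAN))            # clean plan -> []
    # "192.168.0.0/8" normalizes to 192.0.0.0/8, which contains public space.
    print(check_plan(["192.168.0.0/8"]))
    # Two enterprise sites that collide; a VPN mesh cannot route between them.
    print(check_plan(["10.1.0.0/16", "10.1.128.0/17"]))
```

Run it once against your own site list before turning up any site-to-site VPN; the overlap check is the one most often skipped when two organizations merge their 10.0.0.0/8 plans.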

Enterprise Business

Enterprise WAN connectivity requirements are dependent upon the scope of the organization’s service delivery model. Large enterprises typically require LANs, MANs, and WANs. This creates a hybrid Layer 2 and Layer 3 networking solution coupled with WAN connectivity. The following are typical enterprise business WAN requirements (see FIGURE 11-14):

An illustration presents a headquarters LAN and several sales office LANs connected through a Metro Ethernet network maintained by a service provider; an MPLS network is connected to the same provider network. Within the Metro Ethernet network, an Ethernet virtual circuit (EVC) provides connectivity at the dividing line between each customer site and the Ethernet network.

FIGURE 11-14 Enterprise WAN scenario.

  • High-speed Internet access (scalable business-grade Internet access)—Must have scalable growth with redundant Internet pipes from two different service providers.
  • Secure network connections (behind an IP stateful firewall)—Next-generation, scalable IP stateful firewalls for layered security if connecting a public or shared network to the enterprise environment. Enterprise-class next-generation firewalls (NGFWs) are typically chassis-based and modular, so capacity can grow by adding modules or additional firewalls rather than replacing the platform. For resiliency, two IP stateful firewalls in a dual (high-availability) configuration are needed to ensure redundant network ingress/egress connections.
  • NAT with private IP addressing (10.0.0.0 /8)—Dedicated Internet access is needed, with NAT translating the private IP addresses behind the IP stateful firewall to public IP addresses on the Internet side of the router.
  • VLAN capability for departmental LANs—Layer 2 VLANs are needed throughout enterprise environments to segment departmental traffic. Layer 2 VLANs can interoperate with a Layer 3 core backbone network in a hybrid environment.
  • Financial analysis for WAN bandwidth versus cost—Enterprise WANs require detailed financial analysis to assess the cost of bandwidth in relation to the users, applications, and data that must be accessed. For example, it may be a business strategy to move applications and data to the cloud, where remote access for users is needed instead of a high-speed WAN connection between locations. Remote access over VPN with multifactor authentication must then be weighed against the cost of a high-speed WAN link between locations.
  • Dynamic Multipoint Virtual Private Network (DMVPN)—Enterprise WANs can support point-to-point or multipoint VPN connections directly between routers that support VPN termination throughout the WAN, so that spoke-to-spoke traffic does not have to hairpin through the data center or headquarters hub.
  • Bandwidth rate limiting and threshold setting for Internet—Continuous monitoring, threat intelligence, and bandwidth limiting or alarm notification is needed to ensure unauthorized data leakage does not occur. Setting thresholds and alarm notifications helps provide visibility and control into what is happening on the network.
  • SD-WAN to control and manage a hybrid WAN environment—The benefits of SD-WAN are ideal for large enterprise organizations that have LANs, MANs, and a hybrid WAN composed of different WAN technologies and different service providers.
  • Wireless access with WPA2-Enterprise for mobile devices throughout the enterprise environment—WPA2-Enterprise authenticates each user or device with 802.1X/EAP against a RADIUS server, rather than with the single shared passphrase used by WPA2-Personal. Ideally, network access control (NAC) should also be used to check endpoint posture and authorize endpoints prior to granting network access.
  • IP stateful firewall (ideally with an IDS/IPS)—This can be a separate network appliance that is installed at the demilitarized zone (DMZ)/VLAN or Internet ingress/egress location.
  • Remote access with VPN and multifactor authentication—Any remote access must be secured with IPsec VPNs that require multifactor authentication.
  • Web content filter (URL monitor and filter)—This can be a separate network appliance that connects to the guest VLAN segment, or it can be embedded.
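The "bandwidth rate limiting and threshold setting" item above is a detection problem once the threshold exists. The block below is an added example, not from the textbook: it sums Internet-bound bytes per internal host per fixed window over a handful of constructed flow records (timestamp, source, destination, bytes) and returns the host/window pairs that exceed a threshold, which is the logic an alarm notification would be wired to. The flow lines, the 15-minute window and the 1 GiB threshold are assumptions chosen for the example.

```python
# Added example, not from the textbook: flag internal hosts whose egress
# volume to the Internet exceeds a threshold within a time window, the
# check behind "bandwidth threshold and alarm notification" for data leakage.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Traffic to these blocks stays inside the company (RFC 1918); it is not
# Internet egress and must not count toward the threshold.
INTERNAL_BLOCKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow records for this example (timestamp, source, destination,
# bytes); they are not captured from any real network.
SAMPLE_FLOWS = """\
2024-03-01T09:00:05 10.1.20.15 203.0.113.10 1200
2024-03-01T09:00:09 10.1.20.15 198.51.100.7 800
2024-03-01T09:01:30 10.1.20.44 203.0.113.10 524288000
2024-03-01T09:02:10 10.1.20.44 203.0.113.11 734003200
2024-03-01T09:03:00 10.1.30.8 10.2.5.9 900000000
2024-03-01T09:40:00 10.1.20.15 203.0.113.10 5000
"""


def is_internal(ip):
    """True if ip falls inside one of the RFC 1918 blocks."""
    return any(ip in block for block in INTERNAL_BLOCKS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, bytes)."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(nbytes)))
    return records


def window_start(ts, window_minutes):
    """Floor a timestamp to its fixed window (window_minutes must divide 60)."""
    return ts.replace(minute=ts.minute - ts.minute % window_minutes,
                      second=0, microsecond=0)


def egress_alerts(records, threshold_bytes, window_minutes=15):
    """Sum Internet-bound bytes per internal source per window.

    Returns sorted (window_start, source, bytes) tuples for every
    source/window whose total exceeds threshold_bytes. Internal-to-internal
    flows (e.g. headquarters to a sales office) are ignored.
    """
    totals = defaultdict(int)
    for ts, src, dst, nbytes in records:
        if is_internal(src) and not is_internal(dst):
            totals[(window_start(ts, window_minutes), str(src))] += nbytes
    return sorted((w, s, n) for (w, s), n in totals.items()
                  if n > threshold_bytes)


if __name__ == "__main__":
    # Alarm when one host pushes more than 1 GiB to the Internet in 15 minutes.
    for w, src, n in egress_alerts(parse_flows(SAMPLE_FLOWS), 1024 ** 3):
        print(f"ALERT {w.isoformat()} {src} sent {n / 1024 ** 3:.2f} GiB "
              "to the Internet")
```

With the sample records, only 10.1.20.44 trips the alarm: its two uploads in the 09:00 window total about 1.17 GiB, while the 900 MB transfer from 10.1.30.8 to 10.2.5.9 is internal and never counted. In production the same function would run over exported NetFlow/IPFIX records, and the threshold would be tuned per VLAN rather than set once for the whole enterprise.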

Small to Medium Business (SMB)

SMB requirements are dependent upon the scope of the SMB’s service delivery model and the various Metro Ethernet or WAN connectivity options available:

  • High-speed Internet access (scalable business-grade Internet access)—Must have scalable growth with redundant Internet pipes from two different Internet service providers.
  • Secure network connections (behind an IP stateful firewall)—Still need an IP stateful firewall for layered security if connecting a public or shared network to the SMB.
  • NAT with private IP addressing (172.16.x.x /12)—Dedicated Internet access is needed with NAT with private IP addressing behind the IP stateful firewall and public IP addresses on the Internet side of the router.
  • VLAN segmentation to logically separate departmental LANs and traffic—Departmental traffic typically stays within the department from a traffic flow perspective. Keeping traffic segmented reduces network congestion on a Layer 2 and Layer 3 network.
  • Public-facing DMZ/VLAN—Public-facing servers, websites, and portals should be installed on a DMZ/VLAN.
  • Extension of Layer 2 networks—Metro Ethernet allows Layer 2 networks and their broadcast domains to be extended to other geographical locations within the distance limitations of the Metro Ethernet switch. This provides wire-speed LAN connections throughout the metropolitan or wide area network. Refer to FIGURE 11-15.
  • Connectivity to data centers or cloud hosting facilities—Depending on the geographical location of the data centers and cloud hosting facilities, the Metro Ethernet or WAN must extend to wherever the applications and data are hosted. This may create a hybrid metropolitan area network (MAN) and WAN connectivity requirement.
  • Point-to-Point Protocol (PPP)—For remote WAN connections, Point-to-Point Protocol (PPP) provides a direct link-layer connection between two endpoints with no intervening host or network. PPP supports link authentication (PAP or CHAP), compression, and encryption.
  • Remote access with VPN and multifactor authentication—For any remote access connectivity to an SMB network, it is recommended that IPSec VPN with multifactor authentication be deployed.
  • Web content filter (URL monitor and filter)—This is typically a separate network appliance that connects to the DMZ/VLAN and Internet egress point in the network.

An illustration presents a service provider cloud surrounded by multiple Metro Ethernet switches, each serving Ethernet network hubs and LAN connections spread across a large geographical area. A customer premises with a LAN connection is indicated.

FIGURE 11-15 Sample SMB Metro Ethernet network diagram.

Data from http://t1town.com/data-services/metro-ethernet/.

Small Office/Home Office (SOHO)

Most businesses and residences in the United States have broadband access. Depending on the location, service providers offer copper, coaxial cable, or fiber as the last mile connection. This allows the providers to offer voice over IP, digital television service, and high-speed Internet access all in the same network connection. Once IP became the Network Layer protocol, voice, video, and data convergence was born. Convergence is the aggregation of voice, video, and data into a common networking infrastructure—in this case, an IP network connection.

SOHO requirements include the following:

  • High-speed Internet access (scalable business-grade Internet access)—Must have scalable growth, especially if there are children in the home.
  • Secure network connection (behind an IP stateful firewall)—An IP stateful firewall provides layered security, and many SOHO firewall/router products also provide VLAN capability.
  • NAT with private IP addressing (192.168.0.0 /16)—Most cable modems, WLAN modems, and fiber optic routers support network address translation (NAT) with private IP addressing behind the IP stateful firewall and a public IP address on the Internet side of the router.
  • VLAN capability to logically segment office/work LAN from guest/family LAN—It is highly recommended to logically separate the home office VLAN from the guest and family VLAN.
  • Bandwidth rate limiting and threshold setting for guest/family LAN to Internet—Children have a tendency to stream video via the Internet using all available bandwidth.
  • Wireless access with WPA2-Enterprise for mobile devices throughout the home—WPA2-Enterprise authenticates each device with 802.1X against a RADIUS server; where no authentication server is available, WPA2-Personal with a strong, separate passphrase for the office/work WLAN and the guest/family WLAN is the practical alternative, so that a passphrase shared with guests never unlocks the office network.
  • IP stateful firewall (ideally with an IDS/IPS)—The IP stateful firewall and IDS/IPS can be a separate network appliance that connects to the service provider’s network equipment or can be embedded.
  • Remote access with VPN and multifactor authentication—If an office/work server is installed on the VLAN, remote access to this server is recommended via an IPSec VPN with multifactor authentication.
  • Web content filter (URL monitor and filter)—A web content filter can be a separate network appliance that connects to the guest/family VLAN segment, or it can be embedded in the IP stateful firewall.

FIGURE 11-16 depicts a SOHO network with WLAN for both business and guest/family use.

The network comprises an office/work VLAN (wireless laptop, desktop, and file server) and a guest/family VLAN (wireless laptop, desktop, and IP phone). Between the VLANs, a wired inkjet printer connects to a desktop, the desktops connect to a switch, the switch to a router, the router to a cable modem, and the cable modem to the Internet service provider. The wireless laptops connect to the desktops, and the file server and IP phone connect to the router.

FIGURE 11-16 Sample SOHO network diagram.
