Connect Campuses, Data Centers & Cloud — Fast, Resilient, and Proven
A Metropolitan Area Network (MAN) is the high-speed fabric that stitches together headquarters, campuses, data centers, cloud on-ramps, and edge sites across a city/region.
SolveForce engineers MANs as a system: optical and packet rails (DWDM, wavelengths, Ethernet, IP/MPLS), EVPN/VXLAN campus cores, SD-WAN policy, Zero-Trust edges, and evidence pipelines so every span, class, and change is measurable and auditable.
Related deep dives
• Campus/DC fabric → /networks-and-data-centers • Access/Fiber → /fiber-internet • Optical/DCI → /wavelength • Dark/Lit → /dark-fiber • /lit-fiber
• WAN overlays → /sd-wan • Cloud on-ramps → /direct-connect • Campus LAN → /lan • Wide area → /wan
• Security → /ztna • /sase • /nac • Edge sites → /edge-data-centers
• Evidence/Ops → /siem-soar • /circuit-monitoring • Colo/VDC → /colocation • /virtual-data-centers
🎯 Outcomes We Optimize
- Deterministic latency & throughput — low-microsecond switching, sub-millisecond metro spans for storage, AI fabrics, and real-time apps.
- Resilience by design — protected rings/meshes, fast reroute, dual laterals/POPs, and SD-WAN brownout steering.
- Cloud adjacency — private on-ramps (DX/ER/Interconnect) with policy-driven routing and Anycast edges.
- Security by default — MACsec/L1 crypto where required, segmentation (EVPN/VXLAN), ZTNA for admin access.
- Evidence on demand — OTDR, light levels, RFC 2544/Y.1564, BGP traces and change diffs to SIEM/SOAR.
🧭 Reference Architecture (metro fabric)
Optical layer (L0/L1)
- DWDM/ROADM ring or mesh; protected spans with < 50 ms switching; coherent optics for 100/200/400G; optional L1 encryption.
→ /wavelength • /dark-fiber
Packet transport (L2/L3)
- Carrier Ethernet: EPL/EVPL/E-LAN/E-Tree for L2 private connectivity.
- IP/MPLS / Segment Routing (SR-MPLS/SRv6) for L3 VPNs with TE/FRR.
- EVPN/VXLAN stretching campus fabrics where justified (with failure-domain boundaries).
→ /fiber-internet • /networks-and-data-centers
Edge & policy
- SD-WAN across dual underlays (DIA + Metro Ethernet/WL) for application SLOs, packet duplication/FEC for voice/video, Anycast ingress.
→ /sd-wan
Cloud & colo interconnect
- Dual Direct Connect / ExpressRoute / Interconnect POPs; BGP policy/communities; private endpoints in cloud landing zones.
→ /direct-connect • /colocation
Security & identity
- MACsec on metro uplinks; ZTNA for admin/console access; NAC 802.1X at campus edges; SASE for web/SaaS.
→ /ztna • /nac • /sase
Evidence & operations
- Light/FEC/BER, OTDR, RFC 2544/Y.1564, route/label traces, policy diffs → /siem-soar; carrier escalations via /circuit-monitoring.
🧰 Service Catalog (what we design & run)
1) Wavelength Services (10/25/40/50/100/200/400G) — protected ROADM rings/mesh, jumbo MTU, fixed FEC, optional L1 crypto.
2) Dark Fiber (IRU/lease) — strand pairs you light; full control over optics, spectrum, and encryption.
3) Carrier Ethernet — EPL, EVPL, E-LAN, E-Tree; MEF-aligned CoS and OAM.
4) Metro IP/MPLS / SR — L3 VPNs with FRR/TE; Anycast services; DDoS options on Internet edges.
5) Cloud Interconnect — metro cross-connects and NNI to cloud on-ramps with BGP design and route policy.
6) EVPN/VXLAN Campus Extension — any-to-any L2 overlay when needed (with failure domain guardrails).
7) SD-WAN Overlay — per-app SLOs, packet duplication/FEC, breakout strategy, and Anycast ingress for UC/CCaaS.
8) Security — MACsec keys, ZTNA for admin, ACL/SGTs, microseg for crown-jewel VRFs; WAF/Bot at public edges.
9) Ops & Evidence — acceptance suites, monitoring, QBR packs, RCAs, and savings (TEM) where transport is optimized.
📊 Transport & Use-Case Matrix
| Technology | Speeds | Typical Latency (metro one-way) | Best For | Notes |
|---|---|---|---|---|
| Wavelength (DWDM) | 10/25/40/50/100/200/400G | ≤ 1–2 ms | DCI, storage (NVMe-oF), AI fabrics, media | Jumbo MTU; coherent optics; L1 crypto optional |
| Dark Fiber | You choose | ≤ 1–2 ms | Full control, hyperscale AI, bespoke TE | Requires optics/ROADM; diversity critical |
| EPL (L2 P2P) | 1–100G | ≤ 1–3 ms | L2 private line, storage, voice backhaul | VLAN-transparent; dedicated path |
| EVPL (L2 Hub/Spoke) | 1–10G (typ.) | ≤ 1–3 ms | Multi-site spokes, service multiplexing | Multiple EVCs per UNI |
| E-LAN (L2 Any-to-Any) | 1–100G | ≤ 1–3 ms | Multi-campus L2 domains | Control failure domains carefully |
| IP/MPLS / SR | 1G–400G | ≤ 1–5 ms | L3 VPNs, Anycast services | FRR/TE; Internet/DDoS edge ready |
| SD-WAN Overlay | Per underlay | Adds ≤ 5–10 ms | App-aware SLOs, brownout steer | Packet dup/FEC for real-time apps |
🛡️ Security & Trust (baked in)
- MACsec/L1 crypto on private transport; TLS/IPsec for targeted flows; DDoS posture on Internet edges.
- Segmentation with EVPN/VXLAN, VRFs, ACL/SGT; crown-jewel isolation.
- Admin access via ZTNA, not flat VPNs; device posture checks; PAM JIT for privileged sessions.
- Policy-as-code and config drift watch so the documented design (the binder) matches the deployed build.
→ /ztna • /pam • /siem-soar
📐 SLO Guardrails (targets you can tune)
| Domain | KPI / SLO (p95 unless noted) | Target (Metro) |
|---|---|---|
| Optical span | Protection switch time | < 50 ms |
| Wavelength/EPL one-way latency | Metro | ≤ 1–2 ms |
| EVPL/E-LAN L2 loss | Sustained | < 0.05% |
| IP/MPLS jitter | One-way | ≤ 1–3 ms |
| SD-WAN brownout steer | Path change | ≤ 1–3 s |
| MACsec coverage | Protected uplinks | = 100% (as scoped) |
| Cloud on-ramp attach | Metro→region edge | ≤ 2–5 ms |
| Availability | Monthly | ≥ 99.99% protected core |
| Evidence pipeline | Test/artifact → SIEM | ≤ 60–120 s |
| Unapproved changes | Policy gate | = 0 |
SLO breaches open a case and trigger SOAR actions (reroute, enable packet-dup, adjust TE, rotate keys, roll back config), with artifacts attached. → /siem-soar
🔁 Topology Patterns (pick your fit)
| Pattern | Pros | Considerations | Typical Use |
|---|---|---|---|
| Ring (ROADM) | Fast <50 ms protection, efficient fiber | Shared risk on adjacent spans | 3–8 site metro loops |
| Mesh | Multiple disjoint paths, high resilience | Cost/complexity | Core DCI across city |
| Hub-and-Spoke | Simple ops, clear control | Hub dependency | Branches ↔ DC/Cloud |
| Dual-Hub Anycast | Resilient ingress, easy SD-WAN | Requires Anycast design | UC/CCaaS, Internet edges |
📦 QoS Classes (metro quick table)
| Class | Traffic | Metro Target |
|---|---|---|
| EF | RTP/voice, critical control | Jitter ≤ 1 ms, loss < 0.05% |
| AF31/41 | Signaling, prioritized apps | Jitter ≤ 2–3 ms |
| BE | Bulk/backup | Best effort; schedule windows |
Mark at source, trust at edge, verify end-to-end over MAN and SD-WAN.
🧪 Acceptance Tests & Artifacts (we keep the receipts)
- Optical — OTDR traces (distance, splice/connector loss), Rx/Tx light levels, BER/FEC counters, ROADM maps.
- Service activation — RFC 2544/Y.1564 throughput, latency, jitter, frame loss; CoS verification.
- Security — MACsec enablement logs, ZTNA admin admits, ACL/SGT policy tests, WAF/Bot events at Internet edges.
- Routing — BGP/OSPF/SR policies, Anycast failover tests, FRR timing; cloud on-ramp reachability proofs.
- SD-WAN — brownout steer and packet-dup/FEC effectiveness; policy diffs.
All artifacts stream to /siem-soar and bundle into QBR/audit packs.
🧱 Design Notes & Best Practices
- Diversity matters — separate laterals, providers, bridges/tunnels; request diversity letters and validate with as-builts.
- Bound your L2 domains — prefer routed access and EVPN/VXLAN boundaries; avoid spanning tree across the metro.
- Jumbo MTU — align end-to-end for storage/AI movers; test fragmentation behavior.
- MACsec at edges — especially for PHI/CUI/PCI or multi-tenant routes.
- Anycast edges — improve ingress for UC/CCaaS and APIs; health-gated withdraw.
- Policy-as-code — configs in Git with lint/tests; drift watchers; golden builds per device role.
📝 MAN Intake (copy-paste & fill)
- Sites & addresses (HQ/campuses/DCs/colos/on-ramps) + target RFS
- Transport preferences (Wavelength speeds, Dark vs Lit, EPL/EVPL/E-LAN, IP/MPLS)
- Topology goal (ring/mesh/hub-spoke) + diversity requirements (laterals/POPs/providers)
- Cloud (DX/ER/Interconnect POPs, regions, Private Endpoints only?)
- QoS & MTU (EF/AF classes, jumbo needs, packet-dup/FEC)
- Security (MACsec scope, ZTNA admin, ACL/SGT, WAF/DDoS posture)
- Operations (managed vs co-managed, SIEM destination, change windows)
- Compliance overlays (HIPAA/PCI/NIST/CJIS/etc.) & artifact retention
- Budget & timeline (ROM vs build-ready), success metrics (latency, availability, cost)
We’ll return a design-to-quote with carrier options, optical/packet designs, SLO-mapped pricing, acceptance plan, and an evidence pipeline you can reuse in audits and QBRs.
Or jump to /customized-quotes.
📞 Build a MAN That’s Fast, Resilient, and Auditable
- Call: (888) 765-8301
- Email: contact@solveforce.com
From campuses and colos to cloud on-ramps and edge sites, we’ll deliver the metro fabric your business can measure, trust, and prove.