Cisco SD-WAN Hub and Spoke Topology

In a Cisco SD-WAN network, vEdge routers build a full-mesh topology with vEdge routers in other sites.  This is the default behavior, and it means that all devices within a service VPN can communicate with each other. However, a full mesh topology is not always required, and with many vEdge routers, it can even become a scalability issue.

This lesson will explain how you can use a centralized policy to configure a hub and spoke topology. The hub site will be able to communicate with all spoke sites. However, spoke sites can only communicate with the hub and not with other spoke sites.

This is the topology we’ll use:

Cisco Sd Wan Hub And Spoke Topology

We have three sites, and I assigned the Gi0/3 interfaces of all vEdge routers to service VPN 10. We’ll do a “before and after” scenario so you can see the difference between the default (full mesh) and a hub and spoke topology. I am using Cisco SD-WAN version 19.3.0.

Configurations

Want to take a look for yourself? Here you will find the startup configuration of each device.

vEdge1

system
 host-name               vEdge1
 system-ip               172.16.1.1
 site-id                 2
 organization-name       nwl-lab-sdwan
 vbond 10.1.0.2
!
omp
 no shutdown
 graceful-restart
 advertise connected
 advertise static
!
banner
 motd "Welcome to the vEdge router!"
!
vpn 0
 interface ge0/0
  ip address 10.65.91.1/24
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
  !
  no shutdown
 !
 interface ge0/1
  ip address 10.65.92.1/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
  no shutdown
 !
 ip route 10.1.0.0/24 10.65.91.100
 ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
 interface ge0/3
  ip address 10.2.0.254/24
  no shutdown
 !
 omp
  advertise connected
 !
!
vpn 512
 interface eth0
  shutdown
 !
!

vEdge3

system
 host-name               vEdge3
 system-ip               172.16.1.3
 site-id                 3
 organization-name       nwl-lab-sdwan
 vbond 10.1.0.2
!
omp
 no shutdown
 graceful-restart
 advertise connected
 advertise static
!
banner
 motd "Welcome to the vEdge router!"
!
vpn 0
 interface ge0/0
  ip address 10.65.91.3/24
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
  !
  no shutdown
 !
 interface ge0/1
  ip address 10.65.92.3/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
  no shutdown
 !
 ip route 10.1.0.0/24 10.65.91.100
 ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
 interface ge0/3
  ip address 10.3.0.254/24
  no shutdown
 !
 omp
  advertise connected
 !
!
vpn 512
 interface eth0
  shutdown
 !
!

vEdge4

system
 host-name               vEdge4
 system-ip               172.16.1.4
 site-id                 4
 organization-name       nwl-lab-sdwan
 vbond 10.1.0.2
!
omp
 no shutdown
 graceful-restart
 advertise connected
 advertise static
!
banner
 motd "Welcome to the vEdge router!"
!
vpn 0
 interface ge0/0
  ip address 10.65.91.4/24
  tunnel-interface
   encapsulation ipsec
   color biz-internet
   allow-service all
  !
  no shutdown
 !
 interface ge0/1
  ip address 10.65.92.4/24
  tunnel-interface
   encapsulation ipsec
   color public-internet
   allow-service all
  !
  no shutdown
 !
 ip route 10.1.0.0/24 10.65.91.100
 ip route 10.1.0.0/24 10.65.92.100
!
vpn 10
 interface ge0/3
  ip address 10.4.0.254/24
  no shutdown
 !
 omp
  advertise connected
 !
!
vpn 512
 interface eth0
  shutdown
 !
!

SW1

hostname SW1
!         
no ip routing
!
interface GigabitEthernet0/0
 no switchport
 ip address 10.2.0.101 255.255.255.0
!
ip default-gateway 10.2.0.254
!
end

SW3

hostname SW3
!         
no ip routing
!
interface GigabitEthernet0/0
 no switchport
 ip address 10.3.0.103 255.255.255.0
!
ip default-gateway 10.3.0.254
!
end

SW4

hostname SW3
!         
no ip routing
!
interface GigabitEthernet0/0
 no switchport
 ip address 10.4.0.104 255.255.255.0
!
ip default-gateway 10.4.0.254
!
end









Full Mesh Topology

The default is a full mesh topology. This means that all sites can reach each other. So, for example, I can ping from SW3 to both SW1 and SW4:

SW3#ping 10.2.0.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 51/63/79 ms
SW3#ping 10.4.0.104
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.4.0.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 52/65/74 ms

SW4 can also ping SW1:

SW4#ping 10.2.0.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.101, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 55/63/72 ms

We have full connectivity because each vEdge router advertises its prefix through OMP to the vSmart controller. The vSmart controller advertises all prefixes to the vEdge routers.

In the show ip routes omp and show ipsec outputs below, I removed non-relevant columns to keep it readable.

You can see the OMP routes below:

vEdge1# show ip routes omp | begin VPN
VPN    PREFIX              PROTOCOL     TLOC IP          COLOR            ENCAP  STATUS  
---------------------------------------------------------------------------------------
10     10.3.0.0/24         omp          172.16.1.3       biz-internet     ipsec  F,S     
10     10.3.0.0/24         omp          172.16.1.3       public-internet  ipsec  F,S     
10     10.4.0.0/24         omp          172.16.1.4       biz-internet     ipsec  F,S     
10     10.4.0.0/24         omp          172.16.1.4       public-internet  ipsec  F,S
vEdge3# show ip routes omp | begin VPN 
VPN    PREFIX              PROTOCOL     TLOC IP          COLOR            ENCAP  STATUS  
---------------------------------------------------------------------------------------
10     10.2.0.0/24         omp          172.16.1.1       biz-internet     ipsec  F,S     
10     10.2.0.0/24         omp          172.16.1.1       public-internet  ipsec  F,S     
10     10.4.0.0/24         omp          172.16.1.4       biz-internet     ipsec  F,S     
10     10.4.0.0/24         omp          172.16.1.4       public-internet  ipsec  F,S
vEdge4# show ip routes omp | begin VPN
VPN    PREFIX              PROTOCOL     TLOC IP          COLOR            ENCAP  STATUS  
----------------------------------------------------------------------------------------
10     10.2.0.0/24         omp          172.16.1.1       biz-internet     ipsec  F,S     
10     10.2.0.0/24         omp          172.16.1.1       public-internet  ipsec  F,S     
10     10.3.0.0/24         omp          172.16.1.3       biz-internet     ipsec  F,S     
10     10.3.0.0/24         omp          172.16.1.3       public-internet  ipsec  F,S

In the output above, you can see that all prefixes are learned and installed. One for each WAN connection.

This also means that all vEdge routers establish IPSec connections with each other. Between TLOCs on one WAN interface and TLOCs of different WAN interfaces (if there is reachability between the two WAN clouds). That is the case with two Internet connections like I have, but not if you have a private WAN connection (like MPLS).  You can see the IPSec connections below:

vEdge1# show ipsec outbound-connections
SOURCE       SOURCE  DEST         DEST                  REMOTE         REMOTE               
IP           PORT    IP           PORT    SPI  TUN MTU  TLOC ADDRESS   TLOC COLOR            
-------------------------------------------------------------------------------------
10.65.91.1   12346   10.65.91.3   12346   259  1441    172.16.1.3      biz-internet     
10.65.91.1   12346   10.65.91.4   12346   256  1441    172.16.1.4      biz-internet
10.65.91.1   12346   10.65.92.3   12346   259  1442    172.16.1.3      public-internet        
10.65.91.1   12346   10.65.92.4   12346   256  1442    172.16.1.4      public-internet       
10.65.92.1   12346   10.65.91.3   12346   259  1442    172.16.1.3      biz-internet   
10.65.92.1   12346   10.65.91.4   12346   256  1442    172.16.1.4      biz-internet       
10.65.92.1   12346   10.65.92.3   12346   259  1441    172.16.1.3      public-internet    
10.65.92.1   12346   10.65.92.4   12346   256  1441    172.16.1.4      public-internet
vEdge3# show ipsec outbound-connections
SOURCE       SOURCE  DEST         DEST                  REMOTE         REMOTE                
IP           PORT    IP           PORT    SPI  TUN MTU  TLOC ADDRESS   TLOC COLOR            
--------------------------------------------------------------------------------------
10.65.91.3   12346   10.65.91.1   12346   257  1441     172.16.1.1     biz-internet            
10.65.91.3   12346   10.65.91.4   12346   256  1441     172.16.1.4     biz-internet             
10.65.91.3   12346   10.65.92.1   12346   257  1442     172.16.1.1     public-internet         
10.65.91.3   12346   10.65.92.4   12346   256  1442     172.16.1.4     public-internet         
10.65.92.3   12346   10.65.91.1   12346   257  1442     172.16.1.1     biz-internet            
10.65.92.3   12346   10.65.91.4   12346   256  1442     172.16.1.4     biz-internet      
10.65.92.3   12346   10.65.92.1   12346   257  1441     172.16.1.1     public-internet        
10.65.92.3   12346   10.65.92.4   12346   256  1441     172.16.1.4     public-internet
vEdge4# show ipsec outbound-connections
SOURCE      SOURCE  DEST          DEST                  REMOTE         REMOTE   
IP          PORT    IP            PORT   SPI   TUN MTU  TLOC ADDRESS   TLOC COLOR      
----------------------------------------------------------------------------------
10.65.91.4  12346   10.65.91.1   12346   257   1441     172.16.1.1     biz-internet        
10.65.91.4  12346   10.65.91.3   12346   259   1441     172.16.1.3     biz-internet           
10.65.91.4  12346   10.65.92.1   12346   257   1442     172.16.1.1     public-internet      
10.65.91.4  12346   10.65.92.3   12346   259   1442     172.16.1.3     public-internet         
10.65.92.4  12346   10.65.91.1   12346   257   1442     172.16.1.1     biz-internet         
10.65.92.4  12346   10.65.91.3   12346   259   1442     172.16.1.3     biz-internet         
10.65.92.4  12346   10.65.92.1   12346   257   1441     172.16.1.1     public-internet        
10.65.92.4  12346   10.65.92.3   12346   259   1441     172.16.1.3     public-internet

Each vEdge router has 8 IPSec connections, and we only have three routers (with two WAN interfaces). This can become a scalability issue with large topologies, especially if you have low-end branch vEdge routers.

Configuration

Let’s change our topology from full mesh to a hub and spoke topology.

Centralized Policy

Go to Configuration > Policies > Centralized Policy and click on Add Policy:

Cisco Sd Wan Centralized Policy New

Groups of Interest

We need to create two items:

  • Site List: A list so we know which site will be the hub and which sites will be the spokes.
  • VPN List: The VPN that we want to create a hub and spoke topology for.
Site List

Under Groups of Interest, add a New Site List:

Cisco Sd Wan Centralized Policy Site

We create two lists here:

  • HUB: site 2.
  • SPOKES: site 3 and 4.

Create the lists, so your overview looks like this:

Cisco Sd Wan Centralized Policy Site List Overview

VPN

Let’s create the VPN list. Under Groups of Interest, select VPN. Enter a name and the VPN number (10) here:

Cisco Sd Wan Centralized Policy Vpn

Click on Add to continue. Then, under Topology, click on Add Topology and select Hub-and-Spoke:

Cisco Sd Wan Centralized Policy Hub And Spoke

Give the policy a name, select the VPN List we created, and select the Hub and Spoke Sites. Click on Save Hub-And-Spoke Policy to save the policy:

Cisco Sd Wan Centralized Policy Hub And Spoke Policy

The policy now shows up in the overview. Click on Next:

Cisco Sd Wan Centralized Policy Hub And Spoke Policy Overview

We don’t need any Traffic Rules, so click on Next:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 739 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

545 Sign Ups in the last 30 days

satisfaction-guaranteed
100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!