Configure Dual ISP Topology with Two Hubs and Four Spokes in the Same Region

Available Languages

Download Options

  • PDF     (2.4 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.5 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (2.0 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:December 31, 2024
Document ID:222683

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure a dual ISP topology with two hubs and four spokes in the same region using the SD-WAN wizard.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Secure Firewall Threat Defense (FTD)
    • Cisco Secure Firewall Management Center (FMC)
    • Software-defined WAN (SD-WAN)

    Components Used

    The information in this document is based on these software and hardware versions:

    • FTD version 7.6.0
    • FMC version 7.6.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background information

    Supported Software & Hardware Platforms

    Manager

    FTD

    Supported Platforms

    • FMC >= 7.6.0 and FMC REST API

    • cdFMC >= 7.6.0

    • FDM - Not Supported

    • Hub FTD >= 7.6.0

    • Spoke FTD >= 7.3.0

    All platforms that FMC >= 7.6.0 can manage

    Configure

    Network Diagram

    Network Topology DiagramNetwork topology diagram

    Device ListList of devices

    Step 1. Create an SD-WAN Topology with WAN-1 as the VPN Interface

    Navigate to Devices > VPN > Site To Site. Choose Add, and enter a suitable name in the Topology Name field for the first topology with WAN-1 as the VPN interface. Click SD-WAN Topology>Create.

    SDWAN Topology with WAN 1 as the VPN InterfaceCreate an SD-WAN Topology with WAN-1 as the VPN Interface

    Step 2. Configure the Dynamic Virtual Tunnel Interface (DVTI) on the Primary Hub

    Click Add Hub and choose the primary hub from the Device drop-down list. Click the + icon next to Dynamic Virtual Tunnel Interface (DVTI). Configure a name, security zone, and template ID and assign WAN-1 as the Tunnel Source interface for the DVTI.

    Configure a Loopback Interface

    Choose a physical or loopback interface from the Borrow IP drop-down list. In the current topology, the DVTI inherits a loopback interface IP address. Click OK.

    Configure DVTI on WAN 1

    Choose an address pool or click the + icon next to Spoke Tunnel IP Address Pool in order to create a new address pool. When you add spokes, the wizard auto generates spoke tunnel interfaces, and assigns IP addresses to these spoke interfaces from this IP address pool.

    Create Spoke IP Address Pool

    Once the primary hub configuration is complete, choose Add in order to save the primary hub in the topology.

    Save Primary Hub in Topology

    Step 3. Configure the DVTI on the Secondary Hub

    Now choose Add Hub again in order to configure the secondary hub in the topology with WAN-1 as the VPN interface by repeating steps 1 and 2. Click Next.

    Configure the DVTI on the Secondary Hub

    Step 4. Configure the Spokes

    Choose Add Spoke in order to add a single spoke device, or click Add Spokes (Bulk Addition) in order to add multiple spokes to your topology. The current topology uses the latter option in order to add multiple branch FTDs to the topology. In the Add Bulk Spokes dialog box, choose the required FTDs in order to add them as spokes. Choose either a common Interface Name Pattern that matches the logical name of WAN-1 on all spokes or the Security Zone that is associated with WAN-1.

    Choose Spokes to Add to the Topology

    Click Next so that the wizard validates if the spokes have interfaces with the specified pattern or security zone.

    Save the Spokes in the Topology

    Choose Add and the wizard automatically chooses the hub DVTI as the tunnel source IP address for each spoke.

    Save the Spokes in the Topology

    Step 5. Configure the Authentication Settings

    Click Next in order to configure the Authentication Settings. For device authentication, you can choose a manual pre-shared key, an auto-generated pre-shared key, or a certificate in the Authentication Type drop-down list. Choose one or more algorithms from the Transform Sets and IKEv2 Policies drop-down lists.

    Configure the Authentication Settings

    Step 6. Configure the SD-WAN Settings

    Click Next in order to configure the SD-WAN Settings. This step involves the auto-generation of spoke tunnel interfaces, and Border Gateway Protocol (BGP) configuration of the overlay network. From the Spoke Tunnel Interface Security Zone drop-down list, choose a security zone or click + in order to create a security zone to which the wizard automatically adds the spokes' auto-generated Static Virtual Tunnel Interfaces (SVTIs).

    Check the Enable BGP on the VPN Overlay Topology check box in order to automate BGP configurations between the overlay tunnel interface. In the Autonomous System Number field, enter an Autonomous System (AS) number. Check the Redistribute Connected Interfaces check box and choose an interface group from the drop-down list or choose + in order to create an interface group with connected LAN interfaces of the hubs and spokes for BGP route redistribution in the overlay topology.

    Configure the SDWAN Settings

    In the Community Tag for Local Routes field, enter the BGP community attribute in order to tag connected and redistributed local routes. This attribute enables easy route filtering. Check the Secondary Hub is in the Different Autonomous System check box if you have a secondary hub in a different AS. Finally, check the Enable Multiple Paths for BGP check box in order to enable BGP to load-balance traffic across multiple links.

    Overlay Routing Configuration

    Click Finish in order to save and validate the SD-WAN topology.

    Save and Validate the SDWAN Topology

    You can view the topology under Devices > Site-to-site VPN. The total number of tunnels in the first SD-WAN topology is 8.

    View the Topology under Site to Site VPN

    Step 7. Create an SD-WAN Topology with WAN-2 as the VPN Interface

    Repeat steps 1 through 6 in order to configure an SD-WAN Topology with WAN-2 as the VPN interface. The total number of tunnels in the second SD-WAN topology is 8. The final topologies must look like the image shown:

    Create an SDWAN Topology with WAN 2 as the VPN Interface

    Step 8. Configure (Equal-Cost Multi-Path) ECMP Zones

    On each branch, navigate to Routing > ECMP and configure ECMP Zones for the WAN interfaces and SVTIs connecting to both the primary and secondary Hub, as shown. This can provide link redundancy and enable load balancing of the VPN traffic.

    Configure ECMP Zones

    Step 9. Modify the BGP Local Preference on the Hub

    Navigate to Routing > General Settings > BGP on the secondary hub. Click Enable BGP, configure the AS Number, and set the default local preference value under Best Path Selection to a value lower than the one configured on the primary hub. Click Save. This ensures that routes to the primary hub are preferred over routes to the secondary hub. When the primary hub goes down, the routes to the secondary hub take over.

    Modify the BGP Local Preference on the Hub

    Deploy the configurations to all the devices.

    Verify

    Verify Tunnel Statuses

    In order to verify if the VPN tunnels of the SD-WAN topologies are up, navigate to Device > VPN > Site-to-Site.

    Verify Tunnel Statuses in Site to Site VPN Topology

    In order to view details of the SD-WAN VPN tunnels, choose Overview > Dashboards > Site-to-site VPN.

    Verify Tunnel Statuses in Site to Site VPN Dashboard

    In order to view more details of each VPN tunnel:

    1. Hover over a tunnel.
    2. Click the View Full Information (View Full Information Icon) icon. A pane with tunnel details and more actions appears.
    3. Click the CLI Details tab in the side pane in order to view the show commands and details of the IPsec security associations.

    CLI Details

    Verify Virtual Tunnel Interfaces (VTIs)

    In order to view the dynamic VTIs of hubs and static VTIs of spokes:

    1. Navigate to Devices > Device Management.
    2. Choose the edit icon for a hub or a spoke device.
    3. Click the Interface tab.
    4. Click the Virtual Tunnels tab.


    For each VTI, you can view details such as name, IP address, IPsec mode, tunnel source interface details, topology, and remote peer IP.

    DVTIs on the primary hub:

    DVTIs on the Primary Hub

    DVTIs on the secondary hub:

    DVTIs on the Secondary Hub

    SVTIs on the spoke:

    SVTIs on the Spoke

    In order to verify load-balancing, dual ISP redundancy, and hub level redundancy, only traffic from Branch 1 to the Hub is used. The details of the setup are shown here:

    10.1.0.0.100 - Client in Branch 1 connected network

    10.10.0.0.100 - Client in Hub connected network

    WAN-1_static_vti_1 - SVTI to Hub 1 via ISP 1
    WAN-2_static_vti_3 - SVTI to Hub 1 via ISP 2
    WAN-1_static_vti_2 - SVTI to Hub 2 via ISP 1
    WAN-2_static_vti_4 - SVTI to Hub 2 via ISP 2

    Verify Load Balancing of VPN Traffic

    The tunnel status can be seen in the Site to Site VPN dashboard. Ideally, all tunnels must be active:

    VPN Load Balancing Dashboard

    Routes to the primary hub are preferred. The show route command on Branch 1 indicates that the VPN traffic is load-balanced between the two SVTIs on ISP 1 and ISP 2 to the primary hub:

    VPN Load Balancing Route

    The Egress Interface taken for the actual VPN traffic can be seen in Unified Events:

    VPN Load Balancing Events

    Verify Dual ISP Redundancy

    When ISP-2 is down, the tunnel status indicates that the tunnels via ISP-1 are active:

    Link Redundancy Dashboard

    Routes to the primary hub are preferred. The show route command on Branch 1 indicates that the VPN traffic is routed via the SVTIs on ISP-1 to the primary hub:

    Link Redundancy Routes

    The Egress Interface taken for the actual VPN traffic can be seen in Unified Events:

    Link Redundancy Events

    Verify Hub Level Redundancy

    When the primary hub is down, the tunnel status indicates that the tunnels to the secondary hub are active:

    Hub Redundancy Dashboard

    Since the primary hub is down, the routes to the secondary hub are preferred. The show route command on Branch 1 indicates that the VPN traffic is load-balanced between the two SVTIs on ISP 1 and ISP 2 to the secondary hub:

    Hub Redundancy Route

    The Egress Interface taken for the actual VPN traffic can be seen in Unified Events:

    Hub Redundancy Events

    Revision History

    Revision Publish Date Comments
    1.0
    02-Jan-2025
    Initial Release

    Contributed by

    • Ashlin Leroy Dsilva
      Cisco Software Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products