Overview
Explains how to simplify branch-to-hub connectivity using Dynamic Virtual Tunnel Interfaces (DVTI) in Cisco Secure Firewall, detailing route-based VPN design, hub-and-spoke topology, best practices, and an end-to-end configuration workflow.
In this chapter, we delve into the practical application of the DVTI in a hub and spoke topology. The use case details the scenario, network topology, best practices, and prerequisites. It also provides a comprehensive end-to-end procedure for seamless implementation.
Route-based VPN in a Hub and Spoke Topology
Explains route-based VPN deployment in Cisco Secure Firewall using DVTIs, highlighting simplified configuration, dynamic routing support, scalability, redundancy, and secure traffic exchange between branch and headquarters networks.
Benefits
Highlights the benefits of using DVTI in Cisco Secure Firewall, including simplified configuration and management, scalability, dynamic routing, redundancy, load balancing, and secure connectivity across branch and hub deployments.
Is This Use Case For You?
Identifies the intended audience for the use case, helping network architects, IT administrators, and security professionals determine whether Cisco Secure Firewall SD-WAN with DVTI and route-based VPNs aligns with their branch connectivity, scalability, and security requirements.
Scenario
Explains a scenario where a medium-sized company connects multiple branches to the headquarters using Cisco Secure Firewall route-based VPN: DVTI at hub, SVTI at spokes, OSPF dynamic routing, faster provisioning, and scalable, consistent branch-to-hub connectivity.
Network Topology
Illustrates the end-to-end topology workflow for configuring a route-based VPN for a hub and spoke topology in Cisco Firewall Management Center (FMC).
Best Practices
Lists the best practices for using DVTI with Cisco Secure Firewall in a scalable SD‑WAN deployment.
Prerequisites
Lists the prerequisites for using DVTI with Cisco Secure Firewall in a scalable SD‑WAN deployment.
Workflow for Configuring a Route-based VPN (Hub and Spoke Topology)
Illustrates the end-to-end workflow to configure a route-based hub-and-spoke topology in Firewall Management Center (FMC).
Create a Route-based Site-to-Site VPN
Provides instructions for creating a route-based site-to-site VPN between a hub and a branch site using Firewall Management Center (FMC).
Configure the Endpoint for the Hub Node
Provides instructions for configuring a Threat Defense (FTD) device as a hub in a route-based site-to-site VPN using Firewall Management Center (FMC).
Configure the Endpoint for the Spoke Node
Provides instructions for configuring a Threat Defense (FTD) device as a branch site spoke in a route-based site-to-site VPN using Firewall Management Center (FMC).
Configure OSPF on the Hub Node
Provides instructions for configuring OSPF on a Threat Defense (FTD) hub to route traffic across a route-based site-to-site VPN using Firewall Management Center (FMC).
Configure OSPF on the Spoke Node
Provides instructions for configuring OSPF on a Threat Defense (FTD) spoke to route traffic across a route-based site-to-site VPN using Firewall Management Center (FMC).
Configure the Access Control Policy
Provides instructions for configuring access control policies to allow traffic across a route-based site-to-site VPN using Firewall Management Center (FMC).
Deploy Configuration
Provides instructions to deploy all the configurations to the Threat Defense (FTD) devices in Firewall Management Center (FMC).
Verify Traffic Flow Over the VPN Tunnel
Provides instructions to verify traffic flow across the VPN tunnel to confirm routing, tunnel status, and end-to-end connectivity between hub and spoke devices.
Configure the Backup VTI Interface on the Spoke Node
Provides instructions for configuring a backup static VTI for spoke devices to maintain VPN connectivity with the hub and ensure continuous traffic flow.
Configure an ECMP Zone for the Primary and Secondary VTI Interfaces
Provides instructions to configure an ECMP zone for DVTI-based VPNs to distribute traffic and optimize connectivity in Firewall Management Center (FMC).
Verify the Primary and Secondary Tunnels
Provides instructions to verify routing and state of primary and secondary DVTI VPN tunnels between hub and spoke devices in Firewall Management Center (FMC).
Troubleshoot Route-based VPN Tunnels
Troubleshoot route-based VPN tunnels, using debug commands to identify connectivity or routing issues on Threat Defense (FTD) devices.
Additional Resources
Lists additional resources to learn about Cisco Secure Firewall features, configuration, verification, and troubleshooting.