Use Cases for SD-WAN Capabilities in Cisco Secure Firewall

Workflow for Configuring a Route-based VPN (Hub and Spoke Topology)

Updated: February 5, 2026

Want to summarize with AI?

Overview

Illustrates the end-to-end workflow to configure a route-based hub-and-spoke topology in Firewall Management Center (FMC).

The following flowchart illustrates the workflow for configuring a route-based VPN for a hub spoke topology in Secure Firewall Management Center.

Step	Description
	Configure a VTI based VPN. See Create a Route-based Site-to-Site VPN Configure the Endpoint for the Hub Node Configure the Endpoint for the Spoke Node
	Configure OSPF on the hub and spoke nodes. See Configure OSPF on the Hub Node Configure OSPF on the Spoke Node
	Updates rules in the access control policy for hub and spoke nodes. See Configure the Access Control Policy.
	Deploy configuration to threat defense. See Deploy Configuration.
	Verify traffic flow over VPN tunnel. See Verify Traffic Flow Over the VPN Tunnel.
	Configure backup VTI on spoke node. See Configure the Backup VTI Interface on the Spoke Node.
	Deploy the configuration on Threat Defense. SeeDeploy Configuration .
	Verify traffic flow over secondary tunnel. See Verify the Primary and Secondary Tunnels.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.