Use Cases for SD-WAN Capabilities in Cisco Secure Firewall

Network Topology Depicting Dual ISP with Hubs and Spokes

Updated: February 5, 2026

Overview

Illustrates a sample dual ISP network topology with branch devices connecting over dual ISP links and integrating with Firewall Management Center (FMC).

In the following sample dual-ISP topology, the hubs are in different regions. The hubs and spokes use External Border Gateway Protocol (eBGP) as the routing protocol to exchange routing information.

Hub 1 is a Firewall Threat Defense hub device in a branch office with autonomous system (AS) number as 1111.
Hub 2 is a Firewall Threat Defense hub device in a branch office with AS number as 2222.
Spoke 1 and Spoke 2 are Firewall Threat Defense spoke devices in the branch with AS number as 1111.
outside-isp1 is the VPN interface of each spoke to ISP 1.
outside-isp2 is the VPN interface of each spoke to ISP 2.

Alex aims to onboard a Cisco Secure Firewall 1210CE Firewall Threat Defense device into an existing dual-ISP SD-WAN topology using the device's serial number and the preconfigured settings. Utilizing the new intuitive SD-WAN VPN wizard and device templates, he can efficiently create SD-WAN VPN topologies and streamline the onboarding process for the device in the SD-WAN topology. In our example, this device is Spoke 3.

Dual ISP topology with hubs in different regions — Figure 1. Dual ISP Topology with Hubs in Different Regions

The topology has the following parameters:

Table 1. IP Adresses of Hubs and Spokes
Device	Management IP Address	Inside Interface	Outside Interface
Hub1	209.165.200.225	198.51.100.17/28	ISP1: 192.0.2.17/28 ISP2: 192.0.2.33/28
Hub2	209.165.200.226	198.51.100.33/28	ISP1: 192.0.2.18/28 ISP2: 192.0.2.34/28
Spoke 1	209.165.200.227	198.51.100.65/28	ISP1: 192.0.2.19/28 ISP2: 192.0.2.35/28
Spoke 2	209.165.200.228	198.51.100.129/28	ISP1: 192.0.2.20/28 ISP2: 192.0.2.36/28

Table 2. Loopback IP Addresses and IP Address Pools of Hubs
Device	Hub Loopback IP Addresses	IP Address Pools
Hub1	Loopback1: 209.165.201.1 (Mask: 255.255.255.224) Loopback2: 209.165.201.65 (Mask: 255.255.255.224)	IP_pool1_hub1: 209.165.201.2-209.165.201.30 (Mask: 255.255.255.224) IP_pool2_hub1: 209.165.201.66-209.165.201.94
Hub2	Loopback1: 209.165.201.33 (Mask: 255.255.255.224) Loopback2: 209.165.201.97 (Mask: 255.255.255.224)	IP_pool1_hub2: 209.165.201.34-209.165.201.62 (Mask: 255.255.255.224) IP_pool2_hub2: 209.165.201.98-209.165.201.126

Note that when you configure the hub IP address pools, ensure that you do not check the Allow Overrides check box in the Add IPv4/IPv6 Pool dialog box (Objects > Object Management > Address Pools). You can also create these address pools in the SD-WAN wizard.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.