Use Cases for SD-WAN Capabilities in Cisco Secure Firewall

Network Topology Depicting Dual ISP with Hubs and Spokes in the Same Region

Updated: February 5, 2026

Want to summarize with AI?

Overview

Illustrates a sample dual ISP network topology with branch devices connecting over dual ISP links and integrating with Firewall Management Center (FMC).

In the following sample dual ISP topology, the hubs and spokes are in a single region, with autonomous system (AS) number as 1111. The hubs and spokes use Internal Border Gateway Protocol (iBGP) as the routing protocol to exchange routing information.

Hub1 and Hub2 are Firewall Threat Defense hub devices at the headquarters.
Spoke1 and Spoke2 are Firewall Threat Defense spoke devices at the branches.
outside-isp1 is the VPN interface of each spoke to ISP1.
outside-isp2 is the VPN interface of each spoke to ISP2.

Alex aims to onboard a Cisco Firepower 1120 Firewall Threat Defense device into an existing dual ISP SD-WAN topology with preconfigured device settings. Utilizing the new intuitive SD-WAN VPN wizard and device templates, he can efficiently create SD-WAN VPN topologies and streamline the onboarding process for the device in the SD-WAN topology.

Dual ISP topology with two hubs and four spokes in the same region — Figure 1. Dual ISP Topology with Two Hubs and Two Spokes in the Same Region

The topology has the following parameters:

Table 1. IP Adresses of Hubs and Spokes
Device	Management IP Address	Inside Interface	Outside Interface
Hub1	209.165.200.225	198.51.100.17/28	ISP1: 192.0.2.17/28 ISP2: 192.0.2.33/28
Hub2	209.165.200.226	198.51.100.33/28	ISP1: 192.0.2.18/28 ISP2: 192.0.2.34/28
Spoke1	209.165.200.227	198.51.100.65/28	ISP1: 192.0.2.19/28 ISP2: 192.0.2.35/28
Spoke2	209.165.200.228	198.51.100.129/28	ISP1: 192.0.2.20/28 ISP2: 192.0.2.36/28

Table 2. Loopback IP Addresses and IP Address Pools of Hubs
Device	Hub Loopback IP Addresses	IP Address Pools
Hub1	Loopback1: 209.165.201.1 (Mask: 255.255.255.224) Loopback2: 209.165.201.65 (Mask: 255.255.255.224)	IP_pool1_hub1: 209.165.201.2-209.165.201.30 (Mask: 255.255.255.224) IP_pool2_hub1: 209.165.201.66-209.165.201.94
Hub2	Loopback1: 209.165.201.33 (Mask: 255.255.255.224) Loopback2: 209.165.201.97 (Mask: 255.255.255.224)	IP_pool1_hub2: 209.165.201.34-209.165.201.62 (Mask: 255.255.255.224) IP_pool2_hub2: 209.165.201.98-209.165.201.126

Note

When you configure the hub IP address pools, ensure that you do not check the Allow Overrides check box in the Add IPv4/IPv6 Pool dialog box (Objects > Object Management > Address Pools). You can also create these address pools in the SD-WAN wizard.

Need help?

Open a support case

(Requires a Cisco Service Contract)

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.