Configure Strict Hub and Spoke Topology

Posted on Jan 27, 2020

Task: Configure the topology to work as a strict hub-and-spoke network with three VPNs, each with its own subnet.

  • VPN 10: Corp-VPN
  • VPN 20: Sec-PCIVPN
  • VPN 40: Guest-VPN

The topology should work as follows:

  • For VPN 10: all branch VPN 10 traffic must go to the DC and then on to the other branch; VPN 10 traffic must never go directly branch to branch. Every DC must send a default route to each branch for outside traffic.
  • For VPN 20: each branch must have VPN 20 routes for the other branches, with the next hop set to the DC TLOC.
  • For VPN 40: no direct branch-to-branch communication in this VPN. It should carry only a default route, for Internet access.



For VPN 10: advertise branch routes to the DC but not to other branches. The DC advertises a default route to each branch, so when a branch wants to reach another branch it sends the traffic to the DC over the default route, and the DC routes it on to the remote branch.

For VPN 20: each branch advertises its VPN 20 routes to vSmart, and vSmart re-advertises those routes to the other branches with the next hop set to the DC TLOC. Branch-to-branch traffic in VPN 20 therefore goes to the DC, which routes it on to the destination branch.

For VPN 40: there is no branch-to-branch communication, so route exchange between branches is blocked and only the default route is advertised in VPN 40, for direct Internet access.

Before configuring the hub-and-spoke topology, verify that every branch can reach the other branches directly over the IPsec tunnels in VPN 10 and VPN 20.

vManage | Monitor | Network | Select BR2-VEDGE1 | Tunnel

This shows that BR2-VEDGE1 has full-mesh IPsec tunnels to all other branch and DC sites.

Select Troubleshooting | Ping (under the Connectivity section)

Destination IP: (Branch 1) | VPN 10 | Source Interface in VPN 10 | Start

Repeat the same check for VPN 20.

For VPN 10, select Traceroute | Destination IP | VPN 10 | Source Interface | Start

Now create the Groups of Interest (lists) for all components: DC and branch sites, DC TLOCs, data prefixes and VPNs.

vManage | Configuration | Policies | Centralized Policy | Add Policy

Data Prefix list: contains all RFC 1918 prefixes and all other prefixes known in this topology.

Site lists: All-Branches (all branch site IDs) and All-DC-hub (all DC site IDs).

TLOC list DC-TLOC: contains all TLOCs of the two DC vEdge devices.

VPN lists: corp-VPN (VPN 10), Sec-pciVPN (VPN 20) and Guest-VPN (VPN 40).

Click Next to move to the Configure Topology and VPN Membership section. Here we configure a Custom Control topology, which lets us manipulate the OMP routes and TLOCs that vSmart advertises.

Click Add Topology | Custom Control (Route & TLOC)

Name: dclessons-con-Multi-topology | Sequence Type | TLOC

Sequence name: AllowAllDCTLOC | Match Site List: All-DC-hub | Action: Accept | Save Match & Action

Sequence name: Reject all-TLOC | no match condition | Action: Reject | Save Match & Action

Sequence Type | Route, sequence name: Route-VPN10 | Match Site List: All-Branches, VPN List: corp-VPN | Action: Reject | Save Match & Action

Sequence name: VPN20NextHOP | Match Site List: All-Branches, VPN List: Sec-pciVPN | Action: Accept | Set TLOC: DC-TLOCS | Save Match & Action

Default Action | Accept | Save Match & Action

Click on Save Control Policy

Click VPN Membership to define the scope of the rules just created in the topology configuration.

VPN Membership | Add VPN Membership Policy | Name: VPN10-VPN20 | Site List: All-Branches | VPN List: corp-VPN, Sec-pciVPN | Save
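The sequences above are evaluated top down on vSmart, so their order matters: the DC TLOC accept must come before the catch-all TLOC reject, and the VPN 10 reject and VPN 20 next-hop rewrite must come before the default accept. The following Python model, an added example and not code from the write-up or from Cisco, replays that evaluation over a constructed set of OMP routes and TLOCs so you can see what a branch receives. Site IDs, system IPs and colors are assumptions; the list and sequence names are the ones used above. It also applies the VPN membership policy, assuming that sites the membership policy does not list (the DCs) stay unrestricted.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the vManage lists used in the write-up. The list
# names are the page's; the site IDs, system IPs and colors are assumptions.
SITE_LISTS = {
    "All-DC-hub": {100, 101},
    "All-Branches": {1, 2, 3},
}
VPN_LISTS = {
    "corp-VPN": {10},
    "Sec-pciVPN": {20},
    "Guest-VPN": {40},
}


@dataclass(frozen=True)
class Tloc:
    site_id: int
    system_ip: str
    color: str = "biz-internet"
    encap: str = "ipsec"


# DC-TLOCS list: the TLOCs of the two DC vEdges (addresses assumed)
DC_TLOCS: Tuple[Tloc, ...] = (Tloc(100, "10.0.100.1"), Tloc(101, "10.0.101.1"))


@dataclass(frozen=True)
class Route:
    site_id: int                  # site that originated the OMP route
    vpn: int
    prefix: str
    next_hops: Tuple[Tloc, ...]   # TLOC attribute(s) carried with the route


def vpn_membership_allows(site_id: int, vpn: int) -> bool:
    """VPN membership policy VPN10-VPN20: sites in All-Branches may only
    participate in corp-VPN and Sec-pciVPN. Sites the policy does not list
    (the DCs) are left unrestricted (assumption about the default)."""
    if site_id in SITE_LISTS["All-Branches"]:
        return vpn in VPN_LISTS["corp-VPN"] | VPN_LISTS["Sec-pciVPN"]
    return True


def tloc_sequences(tloc: Tloc) -> bool:
    """TLOC sequences of dclessons-con-Multi-topology, evaluated top down."""
    if tloc.site_id in SITE_LISTS["All-DC-hub"]:   # AllowAllDCTLOC: accept
        return True
    return False                                   # Reject all-TLOC: reject


def route_sequences(route: Route) -> Optional[Route]:
    """Route sequences, top down. Returns the route as it will be advertised,
    or None when a sequence rejects it."""
    from_branch = route.site_id in SITE_LISTS["All-Branches"]
    if from_branch and route.vpn in VPN_LISTS["corp-VPN"]:
        return None                                # Route-VPN10: reject
    if from_branch and route.vpn in VPN_LISTS["Sec-pciVPN"]:
        # VPN20NextHOP: accept, set TLOC to the DC-TLOCS list
        return Route(route.site_id, route.vpn, route.prefix, DC_TLOCS)
    return route                                   # DefaultAction: accept


def advertise_to_branch(routes: List[Route], tlocs: List[Tloc]) -> Tuple[List[Route], List[Tloc]]:
    """What vSmart advertises to a site in All-Branches: VPN membership filters
    what branches injected, then the control policy is applied outbound."""
    out_tlocs = [t for t in tlocs if tloc_sequences(t)]
    out_routes = []
    for r in routes:
        if not vpn_membership_allows(r.site_id, r.vpn):
            continue
        advertised = route_sequences(r)
        if advertised is not None:
            out_routes.append(advertised)
    return out_routes, out_tlocs


# Constructed OMP state: two branches and one DC, before any policy
BR1 = Tloc(1, "10.0.1.1")
BR2 = Tloc(2, "10.0.2.1")
SAMPLE_TLOCS = [BR1, BR2, DC_TLOCS[0], DC_TLOCS[1]]
SAMPLE_ROUTES = [
    Route(1, 10, "10.1.10.0/24", (BR1,)),        # branch 1 corp LAN
    Route(1, 20, "10.1.20.0/24", (BR1,)),        # branch 1 PCI LAN
    Route(1, 40, "10.1.40.0/24", (BR1,)),        # branch 1 guest LAN
    Route(100, 10, "0.0.0.0/0", DC_TLOCS),       # DC default route in VPN 10
    Route(100, 20, "10.100.20.0/24", DC_TLOCS),  # DC PCI servers
    Route(100, 40, "0.0.0.0/0", DC_TLOCS),       # DC default route in VPN 40
]


def branch2_view() -> Tuple[List[Route], List[Tloc]]:
    """Routes and TLOCs branch 2 learns once the policy is active."""
    return advertise_to_branch(SAMPLE_ROUTES, SAMPLE_TLOCS)


if __name__ == "__main__":
    routes, tlocs = branch2_view()
    for r in routes:
        print(f"VPN {r.vpn:>2} {r.prefix:<16} via {[t.system_ip for t in r.next_hops]}")
    print("TLOCs:", [t.system_ip for t in tlocs])
```

Running it shows the intended result: branch 2 learns only the two DC TLOCs, so it cannot build IPsec tunnels to branch 1 at all; branch 1's VPN 10 prefix is gone and only the DC default remains in VPN 10; branch 1's VPN 20 prefix is present but points at the DC TLOCs; and branch 1's VPN 40 prefix never gets past VPN membership. Because the policy is applied outbound to All-Branches only, the DC still learns every branch route and TLOC, which is what lets it forward hub-and-spoke traffic back out to the remote branch.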

Click Next to go to the Configure Traffic Rules section. This section lets you create policies that manipulate data or application-specific traffic. Here we configure a single Traffic Data rule, later applied to VPN 40, which drops traffic from VPN 40 to any IP in the data prefix list.

Select Traffic Data | Add Policy | Create New | DenyAllPrivateSubnet-1918 | Sequence Type | Application Firewall | Deny1918Prefixes

Sequence name: DenyVPN40 | Match: All-Prefixes (data prefix list) | Action: Drop

Default Action | Accept

Click Save Data Policy | Next to go to Apply Policies to Sites and VPNs | Name: dclessons-con-multitopology

Topology | Outbound Site List: All-Branches | Add

Traffic Data | New Site List and VPN List | From Service | Site List: All-Branches | VPN List: Guest-VPN | Add

This associates the data policy with VPN 40: as soon as Traffic Data is selected, Deny1918Prefixes appears under this option and must be assigned to a site list and VPN list.
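The data policy is what keeps the guest VPN isolated in practice: the control policy removes branch routes, but the DC's default route would still carry VPN 40 traffic toward any private destination reachable through the DC, so the drop on the data prefix list closes that path at the branch. The following Python model, an added example rather than code from the write-up or from Cisco, evaluates the DenyVPN40 sequence and its apply scope (site list All-Branches, VPN list Guest-VPN, direction from-service) over a few constructed flows. The RFC 1918 ranges are real; the extra "known" prefix, the site IDs and the flow addresses are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Data prefix list "All-Prefixes": the three RFC 1918 ranges plus other prefixes
# known in the topology. 203.0.113.0/24 stands in for such a known prefix
# (constructed; it is a documentation range, not an address from the page).
ALL_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")
]

# Apply scope from the Apply Policies step: site list All-Branches, VPN list
# Guest-VPN, direction from-service (packets entering the vEdge from the LAN).
POLICY_SITES = {1, 2, 3}        # assumed site IDs behind All-Branches
POLICY_VPNS = {40}              # Guest-VPN


def in_prefix_list(ip: str, prefixes) -> bool:
    """True when the address falls inside any prefix of the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def data_policy(site_id: int, vpn: int, dst_ip: str) -> str:
    """Verdict of DenyAllPrivateSubnet-1918 for one from-service packet."""
    if site_id not in POLICY_SITES or vpn not in POLICY_VPNS:
        return "accept"            # policy is not applied to this site/VPN
    if in_prefix_list(dst_ip, ALL_PREFIXES):
        return "drop"              # sequence DenyVPN40: match All-Prefixes, drop
    return "accept"                # default action: accept


# Constructed flows: (site, VPN, destination) as seen by a branch-2 vEdge
SAMPLE_FLOWS = [
    (2, 40, "10.1.10.5"),        # guest -> branch 1 corp LAN
    (2, 40, "10.100.20.10"),     # guest -> DC PCI server
    (2, 40, "203.0.113.7"),      # guest -> a listed "known" prefix
    (2, 40, "198.51.100.7"),     # guest -> Internet
    (2, 10, "10.1.10.5"),        # corp host in VPN 10, outside the scope
    (100, 40, "10.1.10.5"),      # DC site, not in All-Branches
]


def evaluate_flows(flows=SAMPLE_FLOWS) -> List[Tuple[int, int, str, str]]:
    """Return each flow with the verdict the data policy gives it."""
    return [(site, vpn, dst, data_policy(site, vpn, dst)) for site, vpn, dst in flows]


if __name__ == "__main__":
    for site, vpn, dst, verdict in evaluate_flows():
        print(f"site {site:>3} VPN {vpn:>2} -> {dst:<15} {verdict}")
```

Only the guest flows to private or listed prefixes are dropped; the guest flow to a public address still matches the default action and leaves over the default route, and flows in VPN 10 or from sites outside All-Branches are untouched because the policy is never applied to them.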

Click on Save Policy.

Policy Activation & Testing:

Navigate to Configuration | Policies | select the newly created policy dclessons-con-multitopology | three dots | Activate


vManage | Monitor | Network | BR2-VEDGE1 | Troubleshooting | Traceroute | From BR2 to BR1

Destination IP: (Branch 1) | VPN 10 | Source Interface for VPN 10 | Start

You will see that inter-branch traffic in VPN 10 now traverses the DC.

Check the same for VPN 20.

