12-16-2024 01:56 AM - edited 12-16-2024 06:55 PM
Hi All
I'm working on an SD-WAN hub-and-spoke topology, but I want to avoid traffic flowing from spoke to spoke. For example: the DC site uses VPN 100, branch A uses VPN 10, and branch B uses VPN 20. In this case I need route leaking between 100-10 and 100-20, but now the routing table in VPN 100 will allow traffic from 10 to be forwarded to 20.
Because of the default route advertised from the DC site, a branch can easily route anywhere via VPN 100, because VPN 100 needs to have every VPN's routes in the fabric.
Is there any way I can prevent traffic between 10 and 20 without using the SD-WAN ZBFW?
Thanks for answering.
12-16-2024 10:46 PM
Since you receive a default route toward the hub, we cannot prevent spoke-to-spoke traffic without an ACL.
You need to use a Local Data Policy on both spokes.
https://www.networkacademy.io/ccie-enterprise/sdwan/explicit-access-control-list-acl
MHM
12-17-2024 01:46 PM
Hi,
I don't know how many sites you have, but one option could be to list the remote branches and select the drop action in a centralized data policy.
There is no way to filter this without a manually written access list.
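One way to express that drop action as a vSmart centralized data policy, as an added example that is not from the thread: the branch site IDs, the branch LAN prefixes and the list names are assumed placeholders, and the policy is applied from-service at the branch sites so that LAN traffic destined for another branch is dropped on the local spoke before it ever reaches the hub in VPN 100.

```text
policy
 lists
  vpn-list BRANCH-VPNS
   vpn 10
   vpn 20
  !
  site-list BRANCHES
   site-id 10
   site-id 20
  !
  data-prefix-list BRANCH-PREFIXES
   ip-prefix 10.10.0.0/16
   ip-prefix 10.20.0.0/16
  !
 !
 data-policy BLOCK-SPOKE-TO-SPOKE
  vpn-list BRANCH-VPNS
   sequence 10
    match
     source-data-prefix-list BRANCH-PREFIXES
     destination-data-prefix-list BRANCH-PREFIXES
    !
    action drop
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list BRANCHES
  data-policy BLOCK-SPOKE-TO-SPOKE from-service
 !
!
```

Sequence 10 only matches flows whose source and destination are both branch prefixes, so the default-action accept keeps branch-to-DC traffic (and the hub's default route) working unchanged; the prefix list must be kept in step with every branch you add.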
12-16-2024 02:02 AM
What I understand is that you want traffic to go via the hub only? Or something else?
MHM
12-16-2024 06:24 PM
Yes, even though I am using a hub-and-spoke topology, I need to avoid any traffic from spoke to spoke via the hub.
12-16-2024 02:09 AM
You can solve this with a centralised control policy that prevents spoke-originated TLOC and OMP routes from being advertised to other spokes, combined with a centralised data policy that restricts spoke-to-spoke traffic through the hub.
12-16-2024 06:54 PM
Yes, I am using a centralized policy to make sure there is no TLOC and route exchange between spokes, but because of the default route learned from the DC site, spokes can still communicate via the DC.
12-16-2024 02:12 AM
You don't need ZBFW; you can achieve this with a control policy.
12-16-2024 07:40 PM
Hi sir,
Could you please explain specifically which function to use in the control policy?
12-16-2024 06:46 PM - edited 12-16-2024 06:57 PM
Because of the default route advertised from the DC site, a branch can easily route anywhere via VPN 100, because VPN 100 needs to have every VPN's routes in the fabric.