To establish a strict hub-and-spoke topology in Cisco SD-WAN for a specific VPN, such as VPN2, a control policy must be configured. This control policy dictates how traffic flows between sites, ensuring that all branch traffic is routed through the hub site.
Control Policy Components:
Site Lists: Define which sites are considered hubs and which are branches.
VPN Lists: Identify the VPNs to which the policy applies.
Control Policy: Use sequences to match routes and specify actions to accept or reject traffic based on the defined topology.
Policy Analysis:
Option A: Correctly defines site lists for hub sites (site-id 1-2) and creates a control policy that matches routes for VPN2, accepting routes from hub sites and rejecting routes from others. This ensures that traffic from branches (other sites) is only accepted if it routes through the hubs.
Other options either incorrectly define the site lists or do not properly match and set the routes to enforce the strict hub-and-spoke topology.
Policy Configuration:
policy
 lists
  vpn-list VPN2
   vpn 2
  site-list hub_sites
   site-id 1-2
 !
 control-policy vpn_multi_topology
  sequence 10
   match route
    site-list hub_sites
    vpn-list VPN2
   !
   action accept
  !
  sequence 20
   match route
    vpn-list VPN2
   !
   action reject
  !
  default-action accept
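
The sequence logic of vpn_multi_topology can be checked offline with a small evaluator. This is an added example, not Cisco code or part of the original answer; it assumes sequences are evaluated in ascending order with the first match deciding the action, and the prefixes and the branch site-id 100 are constructed sample values.

```python
# Added illustration: first-match evaluation of the vpn_multi_topology
# control policy from the configuration above. Route data is constructed.

def parse_ranges(spec):
    """Expand a site-id / vpn spec such as '1-2' or '1-2,10' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

# The two lists defined under "policy lists".
LISTS = {
    "site-list": {"hub_sites": parse_ranges("1-2")},
    "vpn-list": {"VPN2": parse_ranges("2")},
}

# Each sequence: (number, match conditions, action), as in the config.
POLICY = [
    (10, {"site-list": "hub_sites", "vpn-list": "VPN2"}, "accept"),
    (20, {"vpn-list": "VPN2"}, "reject"),
]
DEFAULT_ACTION = "accept"

def evaluate(route):
    """Return (action, matched sequence number or 'default') for one route."""
    field = {"site-list": "site_id", "vpn-list": "vpn"}
    for seq, match, action in sorted(POLICY, key=lambda s: s[0]):
        # Every condition in the sequence must match the route.
        if all(route[field[kind]] in LISTS[kind][name]
               for kind, name in match.items()):
            return action, seq
    return DEFAULT_ACTION, "default"

# Constructed sample routes: originating site-id and VPN.
ROUTES = [
    {"prefix": "10.2.1.0/24", "site_id": 1, "vpn": 2},      # hub, VPN2
    {"prefix": "10.2.100.0/24", "site_id": 100, "vpn": 2},  # branch, VPN2
    {"prefix": "10.1.100.0/24", "site_id": 100, "vpn": 1},  # branch, VPN1
]

if __name__ == "__main__":
    for r in ROUTES:
        action, seq = evaluate(r)
        print(f"{r['prefix']:<15} site {r['site_id']:<4} vpn {r['vpn']}: {action} ({seq})")
```

The third route shows the effect of default-action accept: only VPN2 routes are restricted to the hubs, while routes in other VPNs pass through unchanged.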