Guidelines and Limitations for Using SD-WAN Wizard

Guidelines

  • When you configure the DVTIs of two hubs, ensure that they have the same IPsec tunnel mode (IPv4 or IPv6).

  • In a dual-hub SD-WAN topology, the hubs can be in different geographic locations and have different protected networks behind them. To ensure direct communication between these networks, ensure that you configure the following:

    • A point-to-point route-based VPN topology between the two hubs (Devices > Site-to-site > Add > Route-Based VPN).

    • A dynamic routing protocol between the hubs (Device > Device Management > Routing).

  • When you configure IP address pools for spokes, ensure the following:

    • The Allow Overrides check box must be unchecked.

    • If you are using multiple pools, the IP addresses of the pools must not overlap.

    • IP addresses must not overlap with any of the interfaces on the spoke.

  • When you create security zones or interface groups, choose Routed as the Interface Type.

  • Use the spoke security zone to configure an access control policy that allows tunnel traffic to and from the spokes.

  • Configure the spokes' VPN interfaces in an ECMP zone to load balance the application traffic. If you do not configure the ECMP zone, the remaining paths act as backup paths when the primary path goes down.

  • In SD-WAN topologies with dual ISPs on spokes, the tunnel identity and the tunnel source of the spokes must be unique.

  • If a device has only IPv6 address configurations, you must configure the BGP router ID with a loopback or physical interface that has an IPv4 address (Device > Device Management > Routing > General Settings > BGP). ​

Limitations

  • You can configure a maximum of two hubs in an SD-WAN topology using the SD-WAN wizard.

  • For each spoke, you can use only one WAN interface per topology. However, for dual-ISP setups, you can configure a second SD-WAN topology with the second WAN interface. For more information, see Sample Configurations for Dual ISP Deployment Using SD-WAN Wizard.

  • SD-WAN wizard does not support the following:

    • IKEv1

    • Cluster devices are not supported on the hub and spoke because VTI is not supported on cluster devices.

    • Extranet hubs and spokes such as ASA, Cisco IOS, Cisco Viptela, Umbrella, Meraki, or vendor devices.​