Overlay
Second, you must decide on the topology to interconnect your sites. In most cases, you will build IPsec overlays over all the underlay transports, and these overlays will typically form a set of hub-and-spoke topologies. This way, you secure your corporate (site-to-site) traffic, obtaining the confidentiality, integrity, and mutual site authentication expected from an industry-standard IPsec suite.
Hub-and-spoke topologies are highly scalable, and they have a crucial zero-touch property: when adding or removing a spoke, the configuration of all other devices remains untouched, because the hub terminates every spoke on a single dial-up (dynamic) IPsec interface rather than on a per-spoke tunnel. Hub-and-spoke topologies can also be enhanced with redundancy options (such as dual-hub), and they can be extended to multiple regions (regional hub-and-spoke topologies interconnected together) for large-scale deployments.
ADVPN (our dynamic tunneling technology) can be enabled in your hub-and-spoke topologies. As mentioned earlier, ADVPN dynamically builds direct spoke-to-spoke tunnels (called shortcuts) when they are needed, triggered by spoke-to-spoke traffic that initially transits the hub. It preserves the zero-touch property of hub-and-spoke while providing the advantages of direct site-to-site communication, without hairpinning all spoke-to-spoke traffic through the hub and turning it into a bottleneck.
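As an added illustration (this fragment is not taken from this guide), the following FortiOS CLI configuration shows the two sides of a single hub-and-spoke overlay with ADVPN enabled. The interface names, the hub's public address 192.0.2.1, the overlay subnet 10.10.1.0/24, and the pre-shared key placeholder are all assumptions; the routing that exchanges site prefixes across the overlay belongs to the routing design and is omitted here.

```text
# --- HUB ---------------------------------------------------------------
# One dial-up (dynamic) phase1 terminates every spoke. Adding or removing a
# spoke never touches this configuration: that is the zero-touch property.
config vpn ipsec phase1-interface
    edit "HUB-VPN1"
        set type dynamic
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device disable
        set proposal aes256gcm-prfsha256
        set dhgrp 14
        set add-route disable
        set dpd on-idle
        set auto-discovery-sender enable
        # assumed placeholder; certificate-based authentication is preferable in production
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "HUB-VPN1"
        set phase1name "HUB-VPN1"
        set proposal aes256gcm
        set dhgrp 14
    next
end
config system interface
    edit "HUB-VPN1"
        # assumed overlay addressing: hub 10.10.1.1, spokes in 10.10.1.0/24
        set ip 10.10.1.1 255.255.255.255
        set remote-ip 10.10.1.254 255.255.255.0
    next
end
# Spoke-to-spoke traffic first transits the hub; this policy lets it through,
# which is what triggers the hub to offer a shortcut between the two spokes.
config firewall policy
    edit 1
        set name "spoke-to-spoke"
        set srcintf "HUB-VPN1"
        set dstintf "HUB-VPN1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- SPOKE -------------------------------------------------------------
# A static tunnel to the hub's public address. Only the spoke itself is
# configured when a site is added.
config vpn ipsec phase1-interface
    edit "SPOKE-VPN1"
        set interface "port1"
        set ike-version 2
        set peertype any
        set net-device enable
        set proposal aes256gcm-prfsha256
        set dhgrp 14
        set add-route disable
        set dpd on-idle
        set auto-discovery-receiver enable
        set remote-gw 192.0.2.1
        set psksecret <shared-secret>
    next
end
config vpn ipsec phase2-interface
    edit "SPOKE-VPN1"
        set phase1name "SPOKE-VPN1"
        set proposal aes256gcm
        set dhgrp 14
    next
end
config system interface
    edit "SPOKE-VPN1"
        set ip 10.10.1.2 255.255.255.255
        set remote-ip 10.10.1.1 255.255.255.0
    next
end
```

The settings that matter for ADVPN are `auto-discovery-sender` on the hub, `auto-discovery-receiver` on the spokes, and `add-route disable` on both, so that reachability across the overlay comes from the routing design rather than from per-tunnel injected routes. Using IKEv2 with an AEAD proposal and a fixed DH group gives the confidentiality and integrity properties mentioned above; the pre-shared key is shown only as a placeholder, and per-site certificates are the stronger choice for mutual site authentication.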
To conclude, although other overlay topologies can be used (such as a static hub-and-spoke or even a full-mesh), we recommend ADVPN as the most generic, dynamically adjustable topology for your overlays.
It is worth highlighting at this point that overlays are optional in our SD-WAN solution. The traffic can be steered both to the underlays and the overlays, with broadly similar SD-WAN functionality. We return to this topic when we discuss the SD-WAN pillar. See SD-WAN.