Each region can have a primary hub, secondary hub, and multiple edge devices. The secondary hub is optional and provides redundancy.
SD-WAN Orchestrator MEA automatically creates links between devices based on settings in the assigned profiles.
SD-WAN Orchestrator MEA automatically builds full-mesh overlay links between all primary and secondary hub devices. Primary hubs have higher priority than secondary hubs.
When a hub receives incoming traffic destined to the edge subnet of its local region, but the links between that hub and the edge devices are down, SD-WAN Orchestrator MEA uses the overlay links between hubs to forward the traffic to another hub.
If LAN port communication is also configured between hubs in a region, the LAN port is also used.
In the same region, the connection between the hub devices (primary and secondary hubs) and edge devices depends on the VPN mode. The VPN mode is configured in profiles, and a profile is assigned to each primary hub, secondary hub, and edge device when you add it to SD-WAN Orchestrator MEA. The following VPN modes are available:
- Site-to-site VPN
- Dialup VPN
- Dialup full-mesh VPN
The following table summarizes how the VPN modes affect the connection between hub and edge devices:
Site-to-site VPN
Overlay links are full-mesh between the hub devices and edge devices in the same region.
Edge devices from the same region communicate with each other by forwarding packets through their region's hubs.
Dialup VPN
Overlay links are one-to-one between hub devices and edge devices in the same region. In other words, one WAN port on each edge device establishes an IPsec tunnel only with one WAN port on hub devices.
In Dialup VPN mode, ADVPN is supported to create shortcut tunnels between edge devices.
On hub devices, select one of the following options:
On edge devices, toggle ADVPN on to enable ADVPN. Toggle off to disable ADVPN.
Dialup full-mesh VPN
Overlay links are full-mesh between WAN ports on hub devices and WAN ports on edge devices in the same region.
When a region contains both a primary hub and secondary hub, edge devices establish overlay links with both hubs in the region. Overlay links between edge devices and the primary hub have higher priority than overlay links between edge devices and secondary hubs.
When overlay links between edge devices and the primary hub are down, links between the edge device and the secondary hub are used to forward traffic. However, when a business rule has the Dual Hub Load Mode option set to ACTIVE_ACTIVE, the links between the edge device and the secondary hub might be used, even if the links between the edge device and the primary hub are up.
If LAN port communication is configured between primary and secondary hubs in a region, traffic is forwarded by using the LAN port communication.
When site-to-site VPN mode is enabled, edge devices in one region can communicate with devices in another region by using the following method:
- Edge devices send packets to their region's hub.
- The hub forwards the packet to the hub of the destination region.
- The hub from the destination region forwards the packet to the final destination.
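The forwarding and failover rules above decide which hubs a flow transits, and therefore where inspection policy has to exist. The following is an added example, not Fortinet code: a small model with constructed device names and a hypothetical `hub_path` helper. It assumes site-to-site VPN mode, hub-to-hub links that stay up, no ADVPN shortcuts, no ACTIVE_ACTIVE load sharing, and that inter-region traffic enters the destination region at its primary hub.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Region:
    primary: str
    edges: frozenset
    secondary: Optional[str] = None  # the secondary hub is optional

    def hubs(self):
        # Primary first: it has higher priority than the secondary hub.
        return [h for h in (self.primary, self.secondary) if h]

def up(a, b, down):
    return frozenset((a, b)) not in down

def hub_path(regions, src, dst, down=()):
    """Hops from edge src to edge dst, or None when no hub can deliver.
    Model assumptions: hub-to-hub overlay links stay up, no ADVPN shortcuts,
    and inter-region traffic enters the destination region at its primary hub."""
    down = {frozenset(link) for link in down}
    src_r = next(r for r in regions if src in r.edges)
    dst_r = next(r for r in regions if dst in r.edges)
    # Edge to hub: prefer the primary hub, fall back to the secondary.
    ingress = next((h for h in src_r.hubs() if up(h, src, down)), None)
    if ingress is None:
        return None
    hops = [src, ingress]
    if dst_r is not src_r:
        hops.append(dst_r.primary)  # hub of the destination region
    # Hub to edge: when this hub's links to the edge are down, it forwards
    # to the other hub in the region, which delivers instead.
    if not up(hops[-1], dst, down):
        alt = next((h for h in dst_r.hubs()
                    if h != hops[-1] and up(h, dst, down)), None)
        if alt is None:
            return None
        hops.append(alt)
    return hops + [dst]

# Constructed topology: region A has both hubs, region B only a primary hub.
REGIONS = [
    Region("hub-a1", frozenset({"edge-a1", "edge-a2"}), "hub-a2"),
    Region("hub-b1", frozenset({"edge-b1"})),
]

if __name__ == "__main__":
    print(hub_path(REGIONS, "edge-a1", "edge-b1"))
    print(hub_path(REGIONS, "edge-b1", "edge-a2", down=[("hub-a1", "edge-a2")]))
```

Comparing the returned hop list against the hubs where security policy is applied shows whether a failover path would carry traffic through a hub that lacks the expected rules.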