Each VPN is independent of every other VPN. You might use separate VPNs to keep business traffic apart from guest wireless traffic, or to isolate manufacturing or extranet traffic. Some traffic is site-to-site, and other traffic is site-to-data-center. VPNs can be configured with several different topologies:
- Full-mesh: Every site connects directly to every other site (site-to-site traffic).
- Hub-and-spoke: Remote sites connect to a single central site (the data center).
- Partial-mesh: Some, but not all, sites are directly interconnected.
- Point-to-point: One site connects to one other site.
Figure 11-12 shows full-mesh and hub-and-spoke VPN topologies.

Figure 11-12 VPN Topologies: Full-Mesh and Hub-and-Spoke
Figure 11-13 shows partial-mesh and point-to-point VPN topologies.

Figure 11-13 VPN Topologies: Partial-Mesh and Point-to-Point
Access Control Lists (ACLs)
ACLs can be created and applied to particular interfaces in order to filter traffic in either the ingress or the egress direction. An ACL is a sequenced list of “match” statements; traffic is compared against the statements in sequence order, and the action defined on the first matching statement is taken (for example, accept, drop, log). Any packet that matches no statement in the ACL is dropped by the list’s default action of last resort (an implicit deny).
Standard ACL options match packets on the 5-tuple (source and destination IP address, protocol, and source and destination port) or on DSCP value. Advanced ACL options match on a more granular set of parameters, such as packet length and TCP flags.
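The evaluation rules just described (sequences checked in order, first match wins, anything unmatched handled by the default action of drop) are easy to get wrong when ordering statements, so here is an added example that models them. It is not code from the page or from Cisco: the class and field names, the guest-wireless access list, the prefixes and the sample packets are all constructed for illustration. Sequence 20 sits before the web-allow sequences deliberately, so guest HTTPS to a corporate address is dropped and logged rather than accepted.

```python
"""Sequenced ACL evaluator modelled on an SD-WAN edge access list.

Added example, not code from the page or from Cisco. Names, the sample
access list and the packets are constructed; what it demonstrates is
first-match-wins evaluation and the default action (drop) applied to
anything that matches no sequence.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

TCP, UDP, ICMP = 6, 17, 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0
    dscp: int = 0
    length: int = 64                          # total IP length in bytes
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. frozenset({"SYN"})


@dataclass
class Sequence:
    seq: int
    action: str                               # "accept" or "drop"
    log: bool = False
    # standard matches: 5-tuple and DSCP
    source_ip: Optional[str] = None
    destination_ip: Optional[str] = None
    protocol: Optional[int] = None
    source_port: Optional[Tuple[int, int]] = None        # inclusive range
    destination_port: Optional[Tuple[int, int]] = None
    dscp: Optional[int] = None
    # advanced matches: packet length and TCP flags
    packet_length: Optional[Tuple[int, int]] = None
    tcp_flags: Optional[FrozenSet[str]] = None           # all listed flags must be set

    def matches(self, p: Packet) -> bool:
        """Every configured field must match; unset fields match anything."""
        return all([
            self.source_ip is None or ip_address(p.src) in ip_network(self.source_ip),
            self.destination_ip is None or ip_address(p.dst) in ip_network(self.destination_ip),
            self.protocol is None or p.proto == self.protocol,
            self.source_port is None or self.source_port[0] <= p.sport <= self.source_port[1],
            self.destination_port is None or self.destination_port[0] <= p.dport <= self.destination_port[1],
            self.dscp is None or p.dscp == self.dscp,
            self.packet_length is None or self.packet_length[0] <= p.length <= self.packet_length[1],
            self.tcp_flags is None or (p.proto == TCP and self.tcp_flags <= p.tcp_flags),
        ])


@dataclass
class AccessList:
    name: str
    sequences: List[Sequence]
    default_action: str = "drop"              # the implicit deny of last resort

    def evaluate(self, p: Packet):
        """Return (action, sequence number or None, log) from the first matching sequence."""
        for s in sorted(self.sequences, key=lambda s: s.seq):
            if s.matches(p):
                return s.action, s.seq, s.log
        return self.default_action, None, False


GUEST, CORP = "10.20.0.0/16", "10.0.0.0/8"   # constructed prefixes

# Constructed ingress ACL for a guest-wireless VPN interface.
GUEST_IN = AccessList("GUEST-IN", [
    Sequence(10, "accept", dscp=46),                                        # voice already marked EF
    Sequence(20, "drop", log=True, source_ip=GUEST, destination_ip=CORP),   # guest must not reach corporate
    Sequence(30, "accept", source_ip=GUEST, protocol=TCP, destination_port=(443, 443)),
    Sequence(40, "accept", source_ip=GUEST, protocol=TCP, destination_port=(80, 80)),
    Sequence(50, "accept", source_ip=GUEST, protocol=ICMP, packet_length=(0, 128)),  # small pings only
    Sequence(60, "drop", log=True, source_ip=GUEST, protocol=TCP,
             destination_port=(22, 22), tcp_flags=frozenset({"SYN"})),      # log SSH attempts, not every segment
])

SAMPLE_PACKETS = {   # constructed test traffic
    "voice":         Packet("10.20.5.5", "10.1.1.1", UDP, 5004, 5004, dscp=46),
    "guest_to_corp": Packet("10.20.5.5", "10.1.1.10", TCP, 51000, 443),
    "guest_https":   Packet("10.20.5.5", "203.0.113.7", TCP, 51001, 443),
    "small_ping":    Packet("10.20.5.5", "203.0.113.7", ICMP, length=84),
    "large_ping":    Packet("10.20.5.5", "203.0.113.7", ICMP, length=1400),
    "ssh_syn":       Packet("10.20.5.5", "203.0.113.7", TCP, 51002, 22, tcp_flags=frozenset({"SYN"})),
    "ssh_data":      Packet("10.20.5.5", "203.0.113.7", TCP, 51002, 22, tcp_flags=frozenset({"ACK"})),
}


def classify_all(acl: AccessList = GUEST_IN, packets=SAMPLE_PACKETS):
    """Map each sample packet name to its (action, seq, log) verdict."""
    return {name: acl.evaluate(p) for name, p in packets.items()}


if __name__ == "__main__":
    for name, (action, seq, log) in classify_all().items():
        where = f"seq {seq}" if seq is not None else "default-action"
        print(f"{name:14s} {action:6s} via {where}{'  [logged]' if log else ''}")
```

The large ping and the non-SYN SSH segment match nothing and fall through to the default action, which is why a list with only accept statements still blocks everything it does not name.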
SD-WAN Migration Strategy
SD-WAN runs over the existing WAN transports, so it can be introduced alongside the current infrastructure rather than replacing it in one step. A common strategy is to build the new vEdge overlay network in parallel with the existing WAN and then cut traffic over to it.
As shown in Figure 11-14, the first step is to install the parallel SD-WAN infrastructure, which leaves the existing MPLS infrastructure intact. In the next step, the SD-WAN fabric also uses the MPLS circuit as a transport, so the vEdge device builds its overlay over both the MPLS and the Internet transports. The final step is to replace the MPLS routers with vEdge devices, giving a full SD-WAN overlay with transport and headend redundancy.

Figure 11-14 SD-WAN Migration
QoS in SD-WAN
Cisco’s SD-WAN solution has many QoS features that provide advanced prioritization of traffic and network policies. These features include Bidirectional Forwarding Detection (BFD), which supplies the path measurements; application-aware routing, which selects paths based on them; and interface queuing with low-latency queuing (LLQ).
Bidirectional Forwarding Detection (BFD)
WAN edge routers use Bidirectional Forwarding Detection (BFD) to probe and measure the performance of the transport links. BFD probes provide information about latency, jitter, and loss on all the transport links, which aids in the determination of best paths. Information on interface up/down state and IPsec tunnel MTU is also gathered. BFD detects transport link failures in sub-second time. Path liveness and quality measurements run on all WAN edge routers (and WAN edge cloud routers) in the network. BFD in SD-WAN has the following characteristics:
- Runs inside IPsec tunnels
- Operates in echo mode
- Is automatically invoked during IPsec tunnel establishment
- Cannot be disabled, although its timers (hello interval and multiplier) can be tuned per transport
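To make concrete how the probe results described above turn into path decisions, here is an added example (not the page's or Cisco's code) that summarizes one poll interval of echo probes per tunnel into loss, latency and jitter, declares a tunnel down once a multiplier's worth of consecutive probes go unanswered, and then applies an SLA check of the kind application-aware routing performs. The tunnel names, probe values, timers and SLA thresholds are constructed; the jitter formula (mean absolute difference between consecutive answered probes) is this example's assumption, not a statement of how Cisco computes it.

```python
"""Path quality from BFD echo probes, per SD-WAN tunnel.

Added example, not code from the page or from Cisco. Tunnel names, probe
data, timers and SLA thresholds are constructed; the jitter formula is an
assumption chosen for simplicity.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PathStats:
    loss_pct: float
    latency_ms: Optional[float]   # None when no probe was answered
    jitter_ms: Optional[float]    # None with fewer than two answered probes
    up: bool                      # False once `multiplier` consecutive probes are lost


@dataclass(frozen=True)
class Sla:
    max_loss_pct: float
    max_latency_ms: float
    max_jitter_ms: float


def detection_time_ms(hello_interval_ms: int, multiplier: int) -> int:
    """Worst-case time to declare a tunnel down: `multiplier` hellos must go unanswered."""
    return hello_interval_ms * multiplier


def path_stats(rtts: List[Optional[float]], multiplier: int) -> PathStats:
    """Summarise one poll interval of echo probes on a tunnel.

    rtts has one entry per probe sent: round-trip time in ms, or None when the
    echo never returned. Jitter is the mean absolute difference between
    consecutive answered probes (assumption of this example); lost probes are
    skipped rather than treated as a gap.
    """
    if not rtts:
        raise ValueError("need at least one probe")
    answered = [r for r in rtts if r is not None]
    loss_pct = 100.0 * (len(rtts) - len(answered)) / len(rtts)
    latency = mean(answered) if answered else None
    jitter = (mean(abs(b - a) for a, b in zip(answered, answered[1:]))
              if len(answered) >= 2 else None)
    tail = rtts[-multiplier:]
    down = len(tail) == multiplier and all(r is None for r in tail)
    return PathStats(loss_pct, latency, jitter, not down)


def meets_sla(s: PathStats, sla: Sla) -> bool:
    """The tunnel must be up and inside every threshold to carry the SLA class."""
    return (s.up and s.latency_ms is not None and s.jitter_ms is not None
            and s.loss_pct <= sla.max_loss_pct
            and s.latency_ms <= sla.max_latency_ms
            and s.jitter_ms <= sla.max_jitter_ms)


def best_paths(stats: Dict[str, PathStats], sla: Sla) -> List[str]:
    """Tunnels that satisfy the SLA, lowest latency first."""
    ok = [name for name, s in stats.items() if meets_sla(s, sla)]
    return sorted(ok, key=lambda n: stats[n].latency_ms)


# Constructed probe data: one poll interval per tunnel, RTT in ms, None = lost echo.
PROBES = {
    "mpls":     [20, 21, 20, 22, 21, 20, 21, 20, 22, 21],
    "internet": [40, 70, 45, 90, 50, 65, 48, 80, 55, 62],
    "lte":      [60, 65, None, None, None],
}
HELLO_MS, MULTIPLIER = 300, 3                                            # constructed timers, not Cisco defaults
VOICE_SLA = Sla(max_loss_pct=2, max_latency_ms=150, max_jitter_ms=30)   # constructed thresholds


def evaluate_all(probes=PROBES, multiplier=MULTIPLIER) -> Dict[str, PathStats]:
    """Compute PathStats for every tunnel in the probe table."""
    return {name: path_stats(rtts, multiplier) for name, rtts in probes.items()}


if __name__ == "__main__":
    stats = evaluate_all()
    print(f"a tunnel is declared down after {detection_time_ms(HELLO_MS, MULTIPLIER)} ms of silence")
    for name, s in stats.items():
        print(f"{name:9s} up={s.up!s:5s} loss={s.loss_pct:5.1f}% "
              f"latency={s.latency_ms} jitter={s.jitter_ms}")
    print("paths meeting the voice SLA, best first:", best_paths(stats, VOICE_SLA))
```

With the constructed data the LTE tunnel is excluded for being down, not for its numbers: liveness is checked before quality, which is why a tunnel whose last few probes were lost should never be chosen even if its earlier samples looked good.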