Hub-and-Spoke in Modern WANs: Still Relevant in 2025? [CCNP ENTERPRISE]

Today we’re going back to one of the core building blocks of WAN design — the Hub-and-Spoke topology.

Even in today’s era of SD-WAN and cloud-first networks, the hub-and-spoke model remains relevant, especially for centralized security, legacy MPLS, and hybrid branch setups. Whether you’re starting out or advancing your WAN design skills, understanding this model deeply will help you design and troubleshoot more effectively.

Let’s cover theory, real-world use cases, CLI, labs, and hands-on troubleshooting — all in one go!


Theory in Brief: What is Hub-and-Spoke WAN Design?

In a hub-and-spoke WAN design:

  • Spokes (branches) connect only to the hub (data center or HQ).
  • Spokes cannot talk directly to each other.
  • All inter-branch traffic flows through the hub.

This architecture is simple, secure, and easy to manage, but has limitations in scalability and efficiency for peer-to-peer communication.

When is Hub-and-Spoke Used?

  • Centralized security policies
  • Legacy MPLS VPNs
  • Sites without direct internet access
  • Simplified policy and routing enforcement

Summary & Comparison

Feature                  | Hub-and-Spoke               | Full Mesh
Branch-to-Branch Traffic | Goes via hub                | Direct tunnels
Complexity               | Low                         | High
Control                  | Centralized                 | Distributed
Scalability              | Medium                      | High (with automation)
Performance              | Potential bottleneck at hub | Better for peer-to-peer apps

Pros and Cons

Pros                               | Cons
Simplified routing and security    | Hub becomes a single point of failure
Centralized policy management      | Higher latency for spoke-to-spoke traffic
Easy to deploy and scale gradually | Not optimal for real-time branch traffic
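The trade-offs in the two tables above become concrete when each design is modelled as a set of tunnels. This is an added example, not code from the article: a Python model of a single-hub, dual-hub and full-mesh overlay over four constructed branch names (hubs "HQ" and "HQ2" are assumed), reporting the tunnel count, the spoke-to-spoke hop count, and how many spoke pairs stay connected when the hub fails.

```python
from collections import deque
from itertools import combinations
# Constructed sample sites (not from the article): four branches plus hub(s) HQ and HQ2.
SPOKES = ["Branch1", "Branch2", "Branch3", "Branch4"]

def build(sites, tunnels):
    """Adjacency map from an iterable of (site_a, site_b) tunnels."""
    g = {site: set() for site in sites}
    for a, b in tunnels:
        g[a].add(b)
        g[b].add(a)
    return g

def hub_and_spoke(spokes, hubs=("HQ",)):
    """One tunnel per spoke per hub, none between spokes."""
    return build([*hubs, *spokes], [(h, s) for h in hubs for s in spokes])

def full_mesh(sites):
    """A tunnel between every pair of sites."""
    return build(sites, combinations(sites, 2))

def tunnel_count(g):
    return sum(len(peers) for peers in g.values()) // 2

def hops(g, src, dst, down=()):
    """BFS hop count from src to dst, never transiting a failed site; None if unreachable."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        site, dist = queue.popleft()
        if site == dst:
            return dist
        for nxt in g[site]:
            if nxt not in seen and nxt not in down:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def spoke_pairs_reachable(g, spokes, down=()):
    """(pairs still connected, total pairs) for spoke-to-spoke traffic, e.g. after a hub outage."""
    pairs = list(combinations(spokes, 2))
    return sum(hops(g, a, b, down) is not None for a, b in pairs), len(pairs)

def compare(spokes=SPOKES, failed_hub="HQ"):
    """Per design: (tunnels, spoke-to-spoke hops, spoke pairs reachable after failed_hub goes down)."""
    designs = {"hub_spoke": hub_and_spoke(spokes),
               "dual_hub": hub_and_spoke(spokes, hubs=("HQ", "HQ2")),
               "full_mesh": full_mesh(spokes)}
    return {name: (tunnel_count(g), hops(g, spokes[0], spokes[1]),
                   spoke_pairs_reachable(g, spokes, down=(failed_hub,)))
            for name, g in designs.items()}
```

With four branches the single hub needs only four tunnels but every spoke pair is cut off when it fails, while the dual-hub variant doubles the tunnels and keeps all six pairs connected.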

CLI Commands (Cisco IOS/MPLS)

Task                          | Command Example
Verify tunnel interface       | show interface tunnel0
Check routing table           | show ip route
Ping between spokes (via hub) | ping <remote-spoke-IP>
Display tunnel status         | show dmvpn or show mpls ldp neighbor
NHRP/Overlay status (DMVPN)   | show ip nhrp

Real-World Use Cases

Use Case                             | Technology Stack         | Reason
Traditional MPLS VPN rollout         | MPLS, Static/BGP Routing | Security and policy via central hub
DMVPN Phase 1 Setup                  | GRE + NHRP + IPSec       | Basic spoke-to-hub routing only
Cloud on-ramp through HQ             | Internet via Hub         | Security inspection at the data center
Secure Centralized Internet Breakout | SD-WAN Overlay           | Apply DIA policy only at hub locations

EVE-NG Lab 1: Basic Hub-and-Spoke with Static Routing

Diagram

Objective

Build a basic hub-and-spoke topology with static routes and verify that the spokes can ping each other through the hub.

Hub Configuration

! Hub: multipoint GRE; the hub learns each spoke's transport (NBMA) address from its NHRP registration
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 tunnel mode gre multipoint
 tunnel source Gig0/0
 ip nhrp network-id 1
!
! Static routing for this lab: point each spoke LAN at that spoke's tunnel address (placeholders)
ip route <Spoke-LAN> <mask> 10.0.0.2

Spoke Configuration

! Spoke: point-to-point GRE to the hub; <Hub-NBMA> is the hub's transport address (its tunnel source)
interface Tunnel0
 ip address 10.0.0.2 255.255.255.0
 tunnel source Gig0/0
 tunnel destination <Hub-NBMA>
 ip nhrp map 10.0.0.1 <Hub-NBMA>
 ip nhrp nhs 10.0.0.1
 ip nhrp network-id 1
!
! Static routing: reach other spoke LANs and the hub LAN via the hub's tunnel address (placeholder)
ip route <Remote-LAN> <mask> 10.0.0.1

EVE-NG Lab 2: Hub-and-Spoke Using DMVPN Phase 1 + EIGRP

  • Hub config includes EIGRP router setup
  • Spokes route only via the hub

! Hub and spokes: run EIGRP over the tunnel subnet
router eigrp 100
 network 10.0.0.0
! Hub Tunnel0 additions: accept spoke multicast registrations; disable split horizon so spoke routes are re-advertised to other spokes
interface Tunnel0
 ip nhrp authentication dmvpn
 ip nhrp map multicast dynamic
 no ip split-horizon eigrp 100
! Spoke Tunnel0 additions: send EIGRP multicast to the hub's transport address
interface Tunnel0
 ip nhrp authentication dmvpn
 ip nhrp map multicast <Hub-IP>

EVE-NG Lab 3: SD-WAN with Centralized Hub Control

Topology

[Branch1]--[vEdge1]===MPLS===Hub===Internet===vEdge2--[Branch2]

Objective

Simulate hub-and-spoke overlay using SD-WAN with centralized data policies.

Key Config Steps:

  • Define hub as data-policy anchor in vSmart
  • Use OMP for route exchange
  • Use omp advertise connected and TLOCs for transport

Troubleshooting Tips

Symptom                       | Likely Issue                       | Fix
Spokes can’t reach each other | Hub forwarding not configured      | Verify static routes/NHRP
Tunnel not forming            | Tunnel source/destination mismatch | Check interface and IP config
SD-WAN policy not applying    | Data-policy misconfigured          | Check vSmart template and control plane
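The first two rows of the table can be checked from a captured show dmvpn. The following is an added example, not the article's code: it parses the peer table and reports, on the hub, expected spokes that never registered or are not UP, and on a Phase 1 spoke, any peer other than the hub, which would mean spoke-to-spoke traffic is bypassing the hub. The two sample outputs are constructed, and the expected spoke list and hub tunnel address are assumptions.

```python
import re
# Constructed sample output (not captured from the article's lab). The columns follow the
# Cisco IOS "show dmvpn" layout: count, peer NBMA address, peer tunnel address, state,
# up/down time, attribute (S = static mapping to the hub, D = dynamically registered).
HUB_SHOW_DMVPN = """\
Type:Hub, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.0.2.2          10.0.0.2    UP 00:05:12     D
     1 192.0.2.3          10.0.0.3  NHRP    never     D
"""
SPOKE_SHOW_DMVPN = """\
Type:Spoke, NHRP Peers:2,
 # Ent  Peer NBMA Addr Peer Tunnel Add State  UpDn Tm Attrb
 ----- --------------- --------------- ----- -------- -----
     1 192.0.2.1          10.0.0.1    UP 00:05:12     S
     1 192.0.2.4          10.0.0.4    UP 00:00:40     D
"""
ROW = re.compile(r"^\s*\d+\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_dmvpn(text):
    """One dict per peer row; header, separator and summary lines do not match ROW."""
    peers = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            nbma, tunnel, state, updown, attrb = m.groups()
            peers.append({"nbma": nbma, "tunnel": tunnel, "state": state,
                          "updown": updown, "attrb": attrb})
    return peers

def check_hub(text, expected_spokes):
    """Hub view: every expected spoke tunnel address must be registered and UP."""
    seen = {p["tunnel"]: p for p in parse_dmvpn(text)}
    findings = []
    for spoke in expected_spokes:
        if spoke not in seen:
            findings.append(f"{spoke}: not registered; check its tunnel source/destination and nhrp map")
        elif seen[spoke]["state"] != "UP":
            findings.append(f"{spoke}: state {seen[spoke]['state']}; tunnel not forming, check interface/IP config")
    return findings

def check_phase1_spoke(text, hub_tunnel_ip):
    """Phase 1 spoke view: only the hub should appear; any other peer is a direct
    spoke-to-spoke tunnel, which the hub-and-spoke design does not allow."""
    findings = []
    for p in parse_dmvpn(text):
        if p["tunnel"] != hub_tunnel_ip:
            findings.append(f"{p['tunnel']}: unexpected direct peer (attrb {p['attrb']}); traffic bypasses the hub")
        elif p["state"] != "UP":
            findings.append(f"hub {hub_tunnel_ip}: state {p['state']}; tunnel to hub not forming")
    return findings
```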

Frequently Asked Questions (FAQs)

1. What is the Hub-and-Spoke topology in WAN architecture?
Hub-and-Spoke is a network topology where remote sites (spokes) communicate through a central site (hub). All data flows between spokes must pass through the hub. It’s simple to deploy and manage but may introduce latency and bandwidth bottlenecks at the hub.


2. Why was the Hub-and-Spoke model so popular in traditional enterprise WANs?
This model centralized security, routing, and WAN optimization, making it easier for IT teams to enforce policies and monitor traffic. It also aligned well with MPLS-based WANs where the hub (usually HQ or data center) hosted most of the applications and services.


3. How does SD-WAN challenge the traditional Hub-and-Spoke approach?
SD-WAN introduces Direct Internet Access (DIA) and dynamic path selection. It allows branch-to-branch or branch-to-cloud communication without relying solely on the hub, improving performance, reliability, and reducing latency.


4. Is Hub-and-Spoke topology still relevant in 2025?
Yes, but with a hybrid twist. While full-mesh SD-WAN is ideal for high-availability environments, Hub-and-Spoke is still used for regulatory compliance, security inspection, and centralized services. Many organizations adopt partial mesh or dual-hub models for better scalability.


5. What are the limitations of Hub-and-Spoke in modern WANs?
Key limitations include:

  • Increased latency for spoke-to-spoke traffic
  • Hub becomes a single point of failure or congestion
  • Limited scalability when traffic patterns shift to cloud-first or hybrid applications

6. Can I use Hub-and-Spoke with Cloud Connectivity (like Azure or AWS)?
Yes, cloud providers offer Virtual WAN and Transit Gateways that mimic Hub-and-Spoke. However, for performance-sensitive workloads, direct spoke-to-cloud or spoke-to-spoke paths (enabled by SD-WAN) are often recommended.


7. How does Hub-and-Spoke impact security policy enforcement?
It simplifies security since all traffic flows through a centralized firewall or IPS/IDS system at the hub. But in modern networks with local breakouts, security must be distributed via cloud-delivered firewalls or Secure Access Service Edge (SASE) frameworks.


8. Is Hub-and-Spoke better than full mesh for remote branch offices?
It depends. For a few branches with predictable traffic patterns, Hub-and-Spoke is cost-effective and easier to manage. But for latency-sensitive apps or high branch-to-branch traffic, a full mesh or hybrid SD-WAN approach is more efficient.


9. What role does redundancy play in Hub-and-Spoke WANs?
Redundancy is critical. Dual-hub designs or backup VPNs between spokes can help mitigate the impact of a hub failure. SD-WAN solutions can also provide automated failover and path resiliency to enhance availability.


10. How do I transition from a legacy Hub-and-Spoke to a modern SD-WAN model?
Start with hybrid deployments: keep the hub for centralized control and add DIA and cloud breakout at the spoke level. Gradually phase in features like path selection, app-aware routing, and cloud integration. Choose an SD-WAN vendor that supports flexible topology options.


Related YouTube Video

Watch the Complete CCNP Enterprise: Hub-and-Spoke in Modern WANs Lab Demo & Explanation on our channel:

Class 1 CCNP Enterprise Course and Lab Introduction | FULL COURSE 120+ HRS | Trained by Sagar Dhawan
Class 2 CCNP Enterprise: Packet Flow in Switch vs Router, Discussion on Control, Data and Management
Class 3 Discussion on Various Network Device Components
Class 4 Traditional Network Topology vs SD Access Simplified

Final Note

Understanding how to differentiate and implement Hub-and-Spoke in Modern WANs is critical for anyone pursuing CCNP Enterprise (ENCOR) certification or working in enterprise network roles. Use this guide in your practice labs, real-world projects, and interviews to show a solid grasp of architectural planning and CLI-level configuration skills.

If you found this article helpful and want to take your skills to the next level, I invite you to join my Instructor-Led Weekend Batch for:

CCNP Enterprise to CCIE Enterprise – Covering ENCOR, ENARSI, SD-WAN, and more!

Get hands-on labs, real-world projects, and industry-grade training that strengthens your Routing & Switching foundations while preparing you for advanced certifications and job roles.

Email: info@networkjourney.com
WhatsApp / Call: +91 97395 21088

Upskill now and future-proof your networking career!


Sagar Dhawan

Hi all,
Good to see you here.
I'm your Trainer for CCIE, CCNP, CCNA, Firewall batches and many more courses coming up!
Stay tuned for latest updates!
Keep me posted over Whatsapp/Email about your experience learning from us.
Thanks for being part of - "Network Journey - A journey towards packet-life!!!"