Dynamic Branch to Branch can further be configured to be within the profile only or across different profiles. In some scenarios, you may want to enable Dynamic Branch to Branch within certain regions/domains, but not between regions/domains.
Considerations when Enabling Dynamic branch to branch VPN Isolation by Profile
- Enforcing Edge to Edge via MPLS Core
- Disable Dynamic Edge to Edge Cross Profiles
- Enable Dynamic Edge to Edge within Profiles
Example of Dynamic Branch to Branch VPN Isolation by Profile
For example, shown in the diagram below, there are branches in east and west region with a regional Hub for each region. To avoid mid-mile issue, you want to leverage MPLS underlay routing when there are traffic across regions. At the same time, edges within same region should still be able to establish dynamic tunnels. For east region profile and west region profile, you can enable Dynamic Branch to Branch VPN “within profile.” When this is configured, when E1 need to route to E3, it will take the path of E1 overlay to Hub1 and route via MPLS underlay to Hub2 then overlay to E3.
