For hosted SD-WAN customers, there is always a common controller that connects to all the branch Edges, so every Edge has routes to every other Edge. If customers want to prevent branch Edges from learning each other's routes or connecting to each other over the SD-WAN overlay, isolation needs to be enabled.
When Profile Isolation is Enabled
When the Profile Isolation feature is enabled for a profile, the Edges within that profile will only learn:
- Routes to other Edges within its own profile as well as the underlay routes behind those Edges
- Routes to the assigned Hubs as well as underlay routes learned by the Hub
Note: When the Profile Isolation feature is enabled for a profile, the Edges within that profile will not learn routes of other Edges outside of that profile.
Considerations When Enabling VPN Isolation:
- There is no communication between profiles
- Simplified route controls between regions
- Dynamic Branch-to-Branch (B2B) VPN within a profile can still be turned on or off
VPN Isolation by Profile Example
The following figure shows two isolated environments for production and lab. Edges within the profile-production should not have routes to Edges within profile-lab, but they all need to connect to the Hub to reach common services. In this case, the Profile Isolation checkbox should be checked for both profiles.
Note: For configuration information, see Enable Branch to Branch VPN Isolation.
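The production/lab example above, modelled as code. This is an added illustration, not VMware SD-WAN product code: the Edge and Hub names, the prefixes, the single Hub assignment and the route-learning function are all constructed assumptions. It applies the rule stated on this page (an Edge in an isolated profile learns only same-profile Edges, the underlay behind them, and its assigned Hubs with what the Hub learned), then adds a check that a defender can run over an exported route table to confirm no prefix from another profile leaked in.

```python
"""Model of SD-WAN Profile Isolation route learning.

Added illustration, not VMware SD-WAN product code. The topology below is
constructed; names, prefixes and the Hub assignment are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hub:
    name: str
    prefixes: frozenset  # routes the Hub advertises: its own underlay plus what it learned


@dataclass(frozen=True)
class Edge:
    name: str
    profile: str
    prefixes: frozenset  # underlay routes behind this Edge
    hubs: frozenset      # names of Hubs assigned to this Edge


def learned_routes(edge, edges, hubs, isolated_profiles):
    """Return the set of (prefix, next_hop) that `edge` learns over the overlay.

    Rule from the page: an Edge in an isolated profile learns only routes from
    Edges in its own profile (the underlay behind them) and from its assigned
    Hubs (including routes the Hub learned). Modelling assumption: an Edge in a
    non-isolated profile learns routes from every other Edge.
    """
    routes = set()
    for other in edges:
        if other.name == edge.name:
            continue
        if edge.profile in isolated_profiles and other.profile != edge.profile:
            continue  # isolation drops routes from Edges outside the profile
        routes.update((p, other.name) for p in other.prefixes)
    for hub in hubs:
        if hub.name in edge.hubs:
            routes.update((p, hub.name) for p in hub.prefixes)
    return routes


def find_cross_profile_routes(observed, edges, isolated_profiles):
    """Flag routes that violate isolation in an observed route table.

    `observed` maps Edge name -> set of (prefix, next_hop) as seen on the
    device. A next hop that is an Edge in a different profile, while the
    receiving Edge's profile is isolated, is a leak worth investigating.
    Hub next hops are allowed and are not flagged.
    """
    by_name = {e.name: e for e in edges}
    leaks = []
    for edge_name, routes in observed.items():
        edge = by_name[edge_name]
        if edge.profile not in isolated_profiles:
            continue
        for prefix, via in sorted(routes):
            next_hop = by_name.get(via)  # None for Hubs
            if next_hop is not None and next_hop.profile != edge.profile:
                leaks.append((edge_name, prefix, via))
    return leaks


# Constructed topology: two production Edges, one lab Edge, one shared Hub.
HUB = Hub("hub1", frozenset({"10.0.0.0/16"}))
EDGES = (
    Edge("prod-edge-1", "profile-production", frozenset({"192.168.1.0/24"}), frozenset({"hub1"})),
    Edge("prod-edge-2", "profile-production", frozenset({"192.168.2.0/24"}), frozenset({"hub1"})),
    Edge("lab-edge-1", "profile-lab", frozenset({"172.16.1.0/24"}), frozenset({"hub1"})),
)
# Profile Isolation checked for both profiles, as the page's example requires.
ISOLATED = frozenset({"profile-production", "profile-lab"})


def route_table(isolated_profiles):
    """Compute what every Edge learns; returns {Edge name: set of (prefix, via)}."""
    return {e.name: learned_routes(e, EDGES, (HUB,), isolated_profiles) for e in EDGES}


if __name__ == "__main__":
    for name, routes in route_table(ISOLATED).items():
        print("isolated:   ", name, sorted(routes))
    # Without isolation every Edge also sees the other profile's prefixes.
    for name, routes in route_table(frozenset()).items():
        print("no isolation:", name, sorted(routes))
```

With both profiles isolated, `prod-edge-1` ends up with only `prod-edge-2`'s prefix and the Hub's data-centre prefix, and `lab-edge-1` sees nothing but the Hub; clearing `ISOLATED` shows every Edge learning every other Edge's prefix. Feeding `find_cross_profile_routes` a route table collected from the devices turns the page's expectation into a repeatable check after a profile or Hub change.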