Dynamic VTI
Dynamic VTI uses a virtual template for dynamic instantiation and management of IPsec interfaces. The virtual template dynamically generates a unique virtual access interface for each VPN session. Dynamic VTI supports multiple IPsec security associations and accepts multiple IPsec selectors proposed by the spoke.
Benefits
-
Minimizes and simplifies configuration.
You do not have to configure complex access lists or crypto maps.
-
Simplifies management.
-
Easily manage peer configuration for large enterprise hub and spoke deployments.
-
Use only one dynamic VTI for multiple spokes, instead of configuring one static VTI per spoke.
-
-
Provides a routable interface.
Supports IP routing protocols such as BGP, EIGRP, and OSPFv2/v3, and static routes.
-
Simplifies scaling
Addition of new spokes does not require any additional VPN configuration on the hub. You may need to update NAT and routing configurations depending upon the setup.
-
Support for backup VPN tunnels.
-
Supports dynamic spokes.
You do not have to update the hub configuration for spoke's DHCP IP address changes.
-
Conserves IP addresses.
-
Uses the IP unnumbered interface functionality to borrow the IP address from another physical or loopback interface.
-
All virtual access interfaces associated to a dynamic VTI use the same IP address.
-
-
Supports virtual routers.
-
Provides differential access control for VPN traffic.
You can configure a VTI with a security zone and use it in an AC policy. This configuration:
-
Allows you to classify and differentiate VPN traffic from clear-text traffic and permit VPN traffic selectively.
-
Provides differential access-control for VPN traffic across different VPN tunnels.
-
How Does the Management Center Create a Dynamic VTI Tunnel for a VPN Session
When a spoke initiates a tunnel request with the hub:
-
The spoke initiates an IKE exchange with the hub for a VPN connection.
-
The hub authenticates the spoke.
-
The management center assigns a dynamic virtual template on the hub for the spoke.
The virtual template dynamically generates a virtual access interface on the hub. This interface is unique for the VPN session with the spoke.
-
The hub establishes a dynamic VTI tunnel with the spoke using the virtual access interface.
-
The hub and spoke exchange traffic over the tunnel using:
-
Specific traffic proposed by the spokes over IKE exchanges.
-
BGP/OSPF/EIRGP protocols over the IPsec tunnel.
-
-
After the VPN session ends, the tunnel disconnects and the hub deletes the corresponding virtual access interface.
-
To create a dynamic VTI interface in the management center, see Add a VTI Interface.
To configure a route-based site-to-site VPN using dynamic VTI, see Configure Dynamic VTI for a Route-based Site-to-Site VPN.
Virtual Routers and Dynamic VTI
You can create virtual routers, associate dynamic VTIs with these virtual routers, and extend the capabilities of dynamic VTIs in your network. You can associate dynamic VTIs either with global or user-defined virtual routers. You can assign a dynamic VTI to only one virtual router.
A virtual router associated with:
-
A dynamic VTI is called an Indoor VRF (IVRF).
-
A tunnel source interface is known as Front Door VRF (FVRF).
A dynamic VTI and its corresponding protected network interface must be part of the same virtual router. You must map the borrow IP interface and the dynamic VTI to the same virtual router. A tunnel source interface can be part of multiple virtual routers.
To configure virtual routers using dynamic VTI for a route-based site-to-site VPN, see How to Configure a Virtual Router with Dynamic VTI.
For more information about a configuration example, see How to Secure Traffic from Networks with Multiple Virtual Routers over a Site-to-Site VPN with Dynamic VTI