FTD Dynamic VTI


Cisco FMC/FTD version 7.3 introduced support for Dynamic Virtual Tunnel Interfaces (DVTI). A DVTI allows a single tunnel configuration on the Hub FTD to connect to hundreds of spokes, instead of configuring hundreds of Static VTIs, one per peer spoke, which simplifies the configuration of the Hub FTD. Like the Cisco IOS-XE FlexVPN solution, the FTD uses a virtual template: when a VPN is established, the template is dynamically cloned and a Virtual Access (VA) interface is created. The Virtual Access interface inherits its settings from the virtual template interface. The Virtual Access interface remains active on the Hub for the duration of the VPN tunnel between itself and the spoke; once the tunnel is terminated, the Virtual Access interface is removed.

This post covers configuring a Hub and Spoke VPN topology, with an FTD acting as the Hub and two spoke devices, another FTD and a CSR1000V router. Both FTDs will utilise Loopback interfaces for the tunnel interface and run BGP over the VTI.

The following software versions were used:

  • Management – Cisco FMC 7.4.1
  • Hub – Cisco FTD 7.4.1
  • Spoke 1 – Cisco FTD 7.4.1
  • Spoke 2 – CSR1000V 16.6 Router

The figure below represents the topology used in this post.


ASA Dynamic VTI


Cisco Secure Firewall ASA version 9.19 introduces the Dynamic Virtual Tunnel Interfaces (DVTI) route-based VPN, which is an alternative to a policy-based VPN (crypto map).

A VTI is always up, unlike a policy-based VPN, which requires interesting traffic in order for the VPN to be established. Once the VTI is up and an encrypted VPN tunnel is established, dynamic (OSPF, EIGRP or BGP) or static routes are used to route traffic over the VPN. Additional networks just need to be advertised into the routing protocol for the VPN peers to learn them; no modification to the VPN settings is required. Using a Dynamic VTI allows for a Hub and Spoke topology, not full mesh. For spokes to communicate with each other, all traffic must traverse the Hub ASA.

This post will cover the steps to configure a hub and spoke topology on ASA firewalls, with a DVTI on the Hub ASA and static VTI on the spoke ASA.