Static VTI

A static VTI is a virtual tunnel interface that

  • creates an always-on tunnel between two sites,

  • requires a physical interface to be defined as the tunnel source, and

  • is limited to a maximum of 1024 VTIs per device.

To create a static VTI interface in the Management Center, see Add a VTI interface.

The figure shows a VPN topology using static VTIs.

Figure: Static VTI VPN topology

On Threat Defense 1:

  • Static VTI IP address is 192.168.10.1

  • Tunnel source is 10.0.149.220

  • Tunnel destination is 10.0.149.221

On Threat Defense 2:

  • Static VTI IP address is 192.168.10.2

  • Tunnel source is 10.0.149.221

  • Tunnel destination is 10.0.149.220

Benefits of SVTI

Static VTI provides these benefits:

  • Minimizes and simplifies configuration.

    You do not have to track all remote subnets for a crypto map access list, or configure complex access lists and crypto maps.

  • Provides a routable interface.

    Supports IP routing protocols such as BGP, EIGRP, and OSPFv2/v3, and static routes.

  • Supports backup VPN tunnels.

  • Supports load balancing using ECMP.

  • Supports virtual routers.

  • Provides differential access control for VPN traffic.

    You can configure a VTI with a security zone and use it in an AC policy. This configuration:

    • Allows you to classify and differentiate VPN traffic from clear-text traffic and permit VPN traffic selectively.

    • Provides differential access control for VPN traffic across different VPN tunnels.