How to Secure Traffic from Networks with Multiple Virtual Routers over a Site-to-Site VPN with Dynamic VTI

ISPs have different segmented networks for different customers. You can create virtual routers, associate dynamic VTIs with these virtual routers, and extend the capabilities of dynamic VTIs in your network. You can associate dynamic VTIs either with global or user-defined virtual routers. A single threat defense device can act as a dynamic VTI hub with a global or one or more user-defined virtual routers. Each user-defined virtual router can be one customer network.

Let us consider an example where route-based site-to-site VPNs are configured between two company headquarter networks and their two branch office networks. The ISP's threat defense, a dynamic VTI hub, manages the two company headquarter networks with two user-defined virtual routers: VRF green and VRF red. The dynamic VTI hub establishes a site-to-site VPN between:

  • Customer 1 (VRF green) and Branch 1 (SVTI spoke 1)

  • Customer 2 (VRF red) and Branch 2 (SVTI spoke 2)

Site-to-Site VPNs with Multiple Virtual Routers and Dynamic VTI

This example illustrates how to configure networks with multiple virtual routers over a site-to-site VPN with dynamic VTI.

Procedure


Step 1

Configure a dynamic VTI interface on the hub.

  1. Choose Devices > Device Management and edit the threat defense device.

  2. Choose Add Interfaces > Virtual Tunnel Interface.

  3. Select the Tunnel Type as Dynamic.

  4. Specify the interface name as DVTI1 and configure all the parameters for the dynamic VTI.

  5. Click Save.

  6. Repeat steps 1a - e to configure the second dynamic VTI on the hub, DVTI2.

Step 2

Configure static VTI on spoke 1.

  1. Choose Devices > Device Management and edit the threat defense device.

  2. Choose Add Interfaces > Virtual Tunnel Interface.

  3. Select the Tunnel Type as Static.

  4. Specify the interface name as SVTI spoke-1 and configure all the parameters for the static VTI.

  5. Click Save.

  6. Repeat steps 2a - e to configure the static VTI on spoke 2: SVTI spoke-2.

Step 3

Configure a route-based site-to-site VPN between hub and SVTI spoke 1.

  1. Choose Devices > Site To Site and click + Site To Site VPN.

  2. Enter a name for the VPN topology in the Topology Name field.

  3. Choose Route Based (VTI) and select Hub and Spoke as the network topology.

  4. Click the Endpoints tab.

  5. Configure the hub and the spoke (DVTI1 and SVTI spoke-1) and their routing policies.

  6. Configure the IKE, IPsec, and Advanced options for the VPN, if required.

  7. Click Save.

  8. Repeat steps 3a - g to configure the second route-based site-to-site VPN topology between hub (DVTI2) and SVTI spoke 2.

Step 4

Configure the two virtual routers.

  1. Choose Devices > Device Management and edit the threat defense device.

  2. Click Routing.

  3. Click Manage Virtual Routers.

  4. Click Add Virtual Router.

    Specify the name as VRF green and provide a description for the virtual router.

  5. Repeat steps 4a - d to configure VRF red.

Step 5

Assign the interfaces to the first virtual router (VRF green).

  1. From the drop-down list, select the virtual router.

  2. In the Virtual Router Properties page, select the interfaces listed under the Available Interfaces box.

    Assign the customer's dynamic VTI interface to this virtual router along with the customer's other interfaces, so that tunnel traffic is forwarded only within that virtual router.

  3. Click Add.

Step 6

Repeat steps 5a - c for VRF red.

Step 7

Configure the routing policy for the virtual router. 

  1. From the drop-down list, select the virtual router.

  2. Click Static Route or one of the dynamic routing protocols.

  3. Configure the routing parameters.

  4. Click Save.
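To make the result of Steps 1 through 7 concrete, the following is a constructed fragment of what the hub's deployed running configuration looks like in the ASA-style syntax that threat defense uses. It is an added illustration, not configuration from this guide; the VRF and DVTI names come from the procedure above, while the borrowed inside interfaces, IPsec profile names, and the 203.0.113.x spoke peer addresses are assumed placeholders. The point to verify after deployment is that each virtual template carries `vrf forwarding` for exactly one customer VRF, which is what keeps Customer 1 and Customer 2 traffic isolated on the shared hub.

```text
! Hub running-config (constructed example). Managed devices are configured
! through the management center; use this to compare, not to enter by hand.

! One virtual router per customer (Step 4)
vrf definition green
 address-family ipv4
vrf definition red
 address-family ipv4
!
! DVTI1: dynamic VTI for Customer 1, bound to VRF green (Steps 1 and 5)
interface Virtual-Template1 type tunnel
 nameif DVTI1
 vrf forwarding green
 ip unnumbered inside_green            ! assumed interface already in VRF green
 tunnel source interface outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI1_PROFILE   ! assumed profile name
!
! DVTI2: dynamic VTI for Customer 2, bound to VRF red (Steps 1 and 6)
interface Virtual-Template2 type tunnel
 nameif DVTI2
 vrf forwarding red
 ip unnumbered inside_red              ! assumed interface already in VRF red
 tunnel source interface outside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI2_PROFILE   ! assumed profile name
!
! Each spoke peer is mapped to the template of its own customer (Step 3).
! A spoke that authenticates as Branch 1 can only ever be spawned into
! Virtual-Template1, and therefore only into VRF green.
tunnel-group 203.0.113.11 type ipsec-l2l       ! Branch 1 (SVTI spoke-1), placeholder address
tunnel-group 203.0.113.11 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 virtual-template 1
!
tunnel-group 203.0.113.12 type ipsec-l2l       ! Branch 2 (SVTI spoke-2), placeholder address
tunnel-group 203.0.113.12 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
 virtual-template 2
```

If a template shows no `vrf forwarding` line, that DVTI was left in the global virtual router in Step 5 and the customer's tunnel traffic would be routed outside its intended segment; fix the interface assignment and redeploy.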


What to do next

Select the hub and spoke devices and click Deploy. After the deployment, you can monitor the VPN tunnels in the Site to Site VPN monitoring dashboard (Overview > Site to Site VPN).

You can also use the commands listed in Monitoring Virtual Routers to view and troubleshoot the virtual router.