Scribd
Upload
114 views86 pages

CSF 7.3.0 Dvti Toi

The document describes Cisco's new Dynamic Virtual Template Interface (DVTI) feature. DVTI allows easy deployment of hub-and-spoke VPN topologies by dynamically creating IPsec tunnels between a hub and spokes using a single virtual template configuration. This simplifies management and allows dynamic addition of new spokes without changing hub configurations.

Uploaded by

falcon
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
114 views86 pages

CSF 7.3.0 Dvti Toi

The document describes Cisco's new Dynamic Virtual Template Interface (DVTI) feature. DVTI allows easy deployment of hub-and-spoke VPN topologies by dynamically creating IPsec tunnels between a hub and spokes using a single virtual template configuration. This simplifies management and allows dynamic addition of new spokes without changing hub configurations.

Uploaded by

falcon
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 86

Cisco Highly Confidential

Do Not Share with Anyone


IFT TOI

Dynamic Virtual Template


Interface
Cisco Secure Firewall 7.3
ASA 9.19
Vanita Patel, Utkarsh Srivastava, Antony Navaraj Jermanappan, Asir Sunil Babu,
Siva Sankar Vanamamalai
Engineering
July 14, 2022
Cisco Highly Confidential

• You will not distribute or show Internal Field Testing or Beta Testing
assets to anyone
• The assets provided as part of this program are for your use only.
• You understand that this program and its assets is for Cisco internal
employees only. That means no partners or vendors

Note: These trainings and materials were prepared prior to release


information is subject to change on release, and feature may even be
removed.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 2
‣ Introduction

‣ Feature Details

Agenda ‣ Functional Description


‣ ASDM
‣ FMC

‣ Demo

‣ Troubleshooting / Diagnostics

‣ References
Introduction
Background – Customer Requirements

• Easy way to deploy route-based hub and spoke VPN topology


• Challenges in currently supported static VTI solution:
Requirements - For large enterprise hub and spoke deployments, managing peer configuration
is challenging and time consuming.
- For example,1000 static virtual tunnel interface configuration is required on
hub for 1000 branches.
- Change management is cumbersome for newly added spokes.
- Dynamic (DHCP) spokes cannot be supported as it needs hub's configuration
change every time spoke changes its IP address

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 5
Background – Customer Requirements

• Scalable and on-demand VPN connectivity


- A single DVTI can replace several SVTIs configuration on hub
Requirements
- New spokes can be added to a hub without changing hub configuration
- Dynamic (DHCP) spokes can be supported now with Dynamic VTI
• Ease of Configuration:
- Just one virtual template (~15 lines) can be used for 1000's of spokes

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 6
What’s New
• What’s new or different
• Virtual Template Interface - Infrastructure for dynamic instantiation and
management of dynamic IPsec VTIs.
• On-demand tunnel interface creation - Separate Virtual Access Interface
Solution creation for each dynamically created IPsec session. Configuration of the
Virtual Access Interface is cloned from a Virtual Template configuration.
• Efficient use of IP addresses with IP unnumbered interface functionality on
virtual template, which can borrow IP address of another physical or loopback
interface. This conserves network and address space.
• Dynamic route installation by running BGP/OSPF/EIGRP over IPsec tunnel.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 7
Solution Overview

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 8
Deployment Examples
DVTI S2S VPN (Dynamic routing over the tunnel)
• Spokes establish a tunnel with DVTI Hub and BGP / OSPF / EIRGP routing over the
tunnel.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
CSF 7.3 IFT TOI: DVTI Page 10
DVTI S2S VPN (with Traffic Selector)
• Spokes establish a tunnel with DVTI Hub & advertising the protected network to the
Hub to install routes.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 11
DVTI S2S VPN (Active / Backup Tunnels)
• Spokes establish active / backup tunnels with Primary & Redundant Hubs and
Dynamic routing over the tunnel.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 12
Prerequisites, Supported
Platforms, Licensing
Minimum Supported Software & Hardware Platforms

Application and
Supported Platform(s) Manager(s) Notes
Minimum Version
FMC On-Prem + FMC REST API +
This is a device-side feature; FTD
Secure Firewall 7.3 All which support FTD 7.3 cloud-delivered FMC
must be on 7.3
Not supported in FDM
ASA CLI
ASA 9.19.1 All which support ASA 9.19.1 ASDM 7.19.1
Not supported in CSM

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
CSF 7.3 IFT TOI: DVTI Page 14
Licensing
• Base License
• Supported in Evaluation Mode
- Without crypto compliance, only DES can be used as encryption algorithm.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 15
Feature Details
Functional Feature
Description
DVTI – Solution Overview
• One-time configuration required on Virtual Template Interface which can be used for every new
VPN session established.
• A Virtual Template can be attached to the tunnel-group.
- The same Virtual Template can be attached to multiple tunnel-groups.

• DVTI tunnels are established for the VPN session landing on a tunnel-group which has Virtual
Template attached to it.
• On-demand separate Virtual Access Interface gets created for each VPN session which
clones Virtual Template configuration.
• Lifecycle of Virtual Access Interface remains active only after successful spoke authentication till
the VPN session ends.
• Utilizes route-based VPN and dynamic crypto map infrastructure under the hood.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 18
Dynamic Tunnel Interface Creation

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 19
Dynamic Tunnel Interface Creation

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 20
Virtual Template Interface Mandatory Configuration
• int virtual-Template <n> type tunnel: Creates a Virtual Template interface of
number <n>
• nameif <name>: Virtual Template can have a name. Each Virtual Access Interface is created
with name as <Virtual Template name>_va<n>. Hence if name of Virtual Template is 'xyz' then
Virtual Access Interfaces will be created with name xyz_va1, xyz_va2, xyz_va3...and so on.
• tunnel mode ipsec <ipv4/ipv6>: Indicates the version of traffic being protected.
• tunnel protection ipsec profile <profile>: Set to configure IPSec/IKE
parameters required to negotiate the exchange.
• shutdown: VPN sessions can be accepted for un-shut Virtual Templates. Whenever a Virtual
Template went to shut down, all VPN sessions established form that Virtual Template will be
cleared.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 21
Virtual Template Interface Optional Configuration
• ip/ipv6 unnumbered <interface-name>: Allows Virtual Template Interface to inherit
IPv4/IPv6 address from interface provided in <interface-name>. It can be any physical
loopback interface present on the hub.
• tunnel source interface <interface-name>{ipv6 address}:
- VPN session requests can be accepted only if they are received from source interface
provided in <interface-name>. Any physical or loopback interface present on the hub can be
configured as tunnel source interface. In absence of this configuration, VPN session requests
received from any of the interfaces present on the device can be accepted.
- MTU of the Virtual Access Interface gets inherited from source interface provided in
<interface-name>. In absence of this configuration, Virtual Access Interface inherits MTU
value configured on actual source interface from which VPN session request has been
accepted.
Note: ip/ipv6 unnumbered and tunnel source interface must be different to avoid local routing loops on the device.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 22
Virtual Template Interface Attachment
• A Virtual Template can be attached to the tunnel-group. All incoming VPN
sessions landing on this tunnel group will use the same Virtual Template attached to
tunnel-group. The same Virtual Template configuration will be used to create
individual Virtual Access Interfaces for each VPN session.
- tunnel-group <Tunnel-Group-Name> ipsec-attributes
• virtual-template <template-num>

• The same Virtual Template can be attached to multiple tunnel-groups.


- tunnel-group <Tunnel-Group-Name1> ipsec-attributes
• virtual-template 1
- tunnel-group <Tunnel-Group-Name2> ipsec-attributes
• virtual-template 1

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 23
Dynamic Route Installation
• After DVTI tunnel gets established, routes are required on the hub to send the traffic via Virtual Access
Interface. Routes get installed automatically after DVTI tunnel establishment.

• Dynamic route gets installed for the specific traffic proposed by spokes over IKE exchanges. No additional
configuration is required to install these routes.
• In absence of specific traffic proposal (possible with Cisco SVTI spokes), SVTI spokes inside
connected networks can be learned by running BGP/OSPF/EIGRP over the tunnel. One time configuration is
required on hub and spoke for running unicast BGP protocol.
- tunnel-group <Tunnel-Group-Name> ipsec-attributes
- ikev2 route set interface: Tunnel interface IP address can be sent during IKE exchanges if this
configuration is present. Dynamic route to peer's tunnel interface can be installed and BGP over the tunnel
can be run between hub and spokes.
- ikev2 route accept any: Tunnel interface IP address received during IKE exchanges can be
accepted only if this configuration is present.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 24
Virtual Access Interface – How it works (egress)

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 25
Virtual Access Interface – How it works (ingress)

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 26
Virtual Access Interface - Flow Identification

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 27
Virtual Access Interface – Show ASP table
Any plain traffic routed to output ifc(vaccess1) will be encrypted
out id=0x7f5221fc3c60, priority=70, domain=encrypt, deny=false
hits=0, user_data=0xa664, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=dvti1_va1

Encrypted traffic received from 31.1.1.2 to 31.1.1.1 with SPI(0xE691D833) will be


decrypted
in id=0x7f5221f47ae0, priority=70, domain=decrypt, deny=false
hits=0, user_data=0xd7c4, cs_id=0x0, reverse, flags=0x0, protocol=50
src ip/id= 31.1.1.2, mask=255.255.255.255, tag=any
dst ip/id=31.1.1.1, mask=255.255.255.255, SPI=0xE691D833, tag=any,
dscp=0x0, nsg_id=none
input_ifc=any, output_ifc=identity

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 28
OSPFv2, OSPFv3, and EIGRP Support
•OSPF (IPv4 and IPv6) and EIGRP (IPv4) are supported on tunnel interfaces.
•Currently VRF is supported only for IPv4 OSPF on SVTI.
•OSPF and EIGRP uses multicast packets to establish the neighborship between peers and exchange routes.
•For OSPF and EIGRP multicast packets will be encrypted on the egress side and sent to the peer. On the ingress
side, the packets will be decrypted and punted to the OSPF and EIGRP modules.
•OSPF and EIGRP interface configuration on virtual-template will be replicated to all the vaccess interface.
•Once the neighborship forms the routes will be redistributed based on the configuration.
BGP, connected, EIGRP, OSPF, RIP and static routes can be distributed between the neighbors
• If ip unnumbered is used for the VTI interface, then neighborship will be formed even if the tunnel ip address
are in the different subnet

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 29
OSPF and EIGRP Configuration
• OSPF and EIGRP Configuration CLIs are same as currently supported. Below are mandatory CLIs to
enable OSPF and EIGRP:
• IPv4 OSPF network to be configured under the router context
router ospf <process-id>
network <network-address> <mask> area <area>

• IPv6 OSPF to be configured under the interface context


interface <interface-name>
ipv6 ospf <process-id> area <area>
• IPv4 EIGRP network to be configured under the router context
router eigrp <process-id>
network <network address> <mask> area <area>
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 30
ASDM Configuration
Overview of Configuration
ASDM supports the configuration of DVTI on ASA version 9.19.1 and above. The following changes
are made in ASDM GUI.
• Virtual-Template:
- A new option "DVTI Interface" is added in Interface menu.

• SVTI specific-selector proposed configuration:

- A new dropdown list "Tunnel Protection with IPSec Policy" added in Tunnel Interface screen.
• Virtual-Template binding to Tunnel Group:
- A dropdown list “Virtual-Template” added in Tunnel Group screen.
• Dynamic route addition with ikev2 set route option:
- Checkboxes added in ikev2 tabs in Tunnel Group screen.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 32
Dynamic VTI – New Interface
• Launch ASDM and navigate to Configuration > Interface Settings > Interfaces

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 33
Dynamic VTI – General Tab
1. Click Add button in the right hand side
of the Interface pane and select DVTI
interface.
2. Enter DVTI ID within the specified
range.
3. Enter Interface Name.
4. Select Interface name from the IP
Unnumbered dropdown.
5. Enter Description in the Description
field.
6. Click OK

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 34
Dynamic VTI – Advanced Tab
1. Click the Advanced tab.
2. Select Source Interface under Tunnel
Interface section.
3. Select "Tunnel Protection with IPSec
Profile" dropdown to add IPSec
profile name.
4. Check "Enable Tunnel mode IP
overlay for IPSec" and select
IPv4/IPv6 radio button. To set up the
tunnel, the user must choose an IP
Address type that is the same as the
interface's IP Address.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 35
Dynamic VTI – IPv6 Tab
1. Click IPv6 tab to add IPv6 address.
2. Click button with 3 dots at the end of
the "IPv6 Address
Unnumbered" Combo box.
3. A dialog box appears with Interface
names.
Select Interface name from available
Interfaces.
4. Click OK button.
5. Selected Interface name should
appear in the “IPv6 Address
Unnumbered” Combo box.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 36
SVTI – Advanced Tab
New CLI is being introduced in existing
SVTI to propose the selectors from the
ACL.
1. Go to the Advanced tab in VTI
Interface.
2. New dropdown "Tunnel Protection
with IPSec Policy" added below Source
Interface.
3. Select ACL name from “Tunnel
Protection with IPSec
Policy” dropdown.
4. Click OK button.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 37
Dynamic VTI – Tunnel Groups
• Launch ASDM and navigate to Configuration > Site-to-Site VPN > Advanced > Tunnel
Groups

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 38
Dynamic VTI – Tunnel Group

1. Click Add button in the right-hand side of the


pane.
2. Enter Tunnel Group name.
3. Select Virtual-Template name from the
dropdown. If the Selected DVTI Interface
Configuration is not complete, a warning popup
will appear (but not prevent progress). The
mandatory parameters to define the virtual
template as complete are:
• Nameif defined.
• Tunnel IPSec mode IPv4/6 defined.
• Tunnel IPSec Profile set.
• Not in shutdown mode.
4. Click OK button.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 39
Dynamic VTI – Tunnel Group
1. Click "Enable IKE v2" checkbox under
IPsec Enabling section.
2. Under Dynamic VTI section,
checkboxes for route added.
3. "IKE v2 Route Accept Any" checkbox
enabled by default.
4. Check "IKE v2 Route Set
Interface" checkbox.
5. Click OK button.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 40
Dynamic VTI – Connection Profile
• Launch ASDM and navigate to Configuration > Site-to-Site VPN > Connection Profiles

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 41
Dynamic VTI – IPSec Profile
• Launch the ASDM and navigate to Configuration > Site-to-Site VPN > Advanced >
IPsec Proposals (Transform Sets)

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 42
Dynamic VTI – IPSec Profile

1. Click Add button under IPSec Profile


section
2. Enter name for IPSec Profile.
3. Check "Enable Reverse Route
Injection" checkbox.
4. Check "Dynamic" checkbox to set
Reverse-route as dynamic.
5. Click OK button.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 43
Dynamic VTI – Delete an Interface
• ASDM will throw error when User tries to delete a DVTI and the Interface is attached
to a Tunnel Group.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 44
OSPF support for IPv4 on VTI Interface

• On the ASDM, navigate to Configuration > Device Setup > Routing > OSPF

• VTI Interface is enabled in OSPF screens shown below.

Interfaces > Authentication & Properties


Static Neighbor

Page 45
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
OSPF support for IPv4 on VTI Interface
• Launch ASDM and navigate to Configuration > Device Setup > Routing > OSPF >
Interface and Edit Interface in Authentication

Page 46
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
OSPF support for IPv4 on VTI Interface
• Launch ASDM and navigate to Configuration > Device Setup > Routing > OSPF >
Interface and Edit Interface in Properties

Page 47
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
OSPF support for IPv4 on VTI Interface
• Launch ASDM and navigate to Configuration > Device Setup > Routing > OSPF >
Static Neighbor

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 48
OSPF support for IPv6 on VTI Interface
• In ASDM, navigate to Configuration > Device Setup > Routing > OSPFv3

• VTI Interface is enabled in OSPFv3 screens shown below.

Interfaces > Authentication & Properties


Static Neighbor

Page 49
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
OSPF support for IPv6 on VTI Interface
• Launch ASDM and navigate to Configuration > Device Setup > Routing > OSPFv3 >
Interface

Page 50
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
OSPF support for IPv6 on VTI Interface
• Launch ASDM and navigate to Configuration > Device Setup > Routing > OSPFv3 > Static
Neighbor

Page 51
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
OSPF Flood Reduction
• Launch ASDM and navigate to Configuration > Device Setup > Routing > OSPFv3 > Interface

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 52
Support for EIGRP IPv4 on VTI Interface

• In ASDM, navigate to Configuration > Device Setup > Routing > EIGRP

• VTI Interface is enabled in EIGRP screens shown below.

Setup
Interfaces
Summary Address

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 53
Support for EIGRP IPv4 on VTI Interface
• In ASDM, navigate to Configuration > Device Setup > Routing > EIGRP > Setup

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 54
Support for EIGRP IPv4 on VTI Interface
• In ASDM, navigate to Configuration > Device Setup > Routing > EIGRP > Interfaces

Page 55
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
Support for EIGRP IPv4 on VTI Interface
• In ASDM, navigate to Configuration > Device Setup > Routing > EIGRP > Summary Address

Page 56
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL
FMC Functional
Feature Description
FMC Configuration
Adding DVTI Interface
• A new option “Tunnel Type” is
introduced in this release to the
existing VTI dialog to create Dynamic
VTI. (Devices -> Device Management -
> Interfaces)
• Interface IP cannot be configured
directly on a DVTI interface, but it can
use the IP address from another
interface.
• Tunnel Source is not mandatory for
DVTI.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 59
S2S VPN Dialog Changes
• DVTI is supported in Route-Based
VPN’s Hub and Spoke Topology.
• Hub(s) can only use DVTI interface.
• Spoke(s) will use sVTI interface.
• Hub can be an extranet device.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 60
S2S VPN Hub Dialog Changes

• Only DVTI interfaces can be configured on the


hubs.
• If tunnel source is not configured on the DVTI
interface, then the tunnel source interface input
is required per topology.
• The tunnel source interface is required to
configure the tunnel destination IP on the
spokes.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 61
S2S VPN Add Hub Dialog Changes
• The Advanced Setting in the “Add Endpoint” dialog has
three new options:
- Option to send VTI IP to peers.
- Protected networks behind the hub. This input along with
the protected networks behind the spoke would be used to
generate the access-list to match the traffic to be sent by
the spoke. This access-list is generated only at the spoke.
- Option to allow incoming IKEv2 routes from the spokes.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 62
S2S VPN Add Spoke Dialog Changes
• Device and SVTI selection are the mandatory
inputs at the spoke.
• Local Identity to be sent to peers can also be
configured.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 63
S2S VPN Spoke Dialog Changes
• Protected Network option is added for Route-
based VPN.
• This will generate the ACL on the spokes only.
(e.g., Spoke network -> Hub network)
• Protected networks are required when static
routes are used.
• “Send Virtual Tunnel Interface IP to the peers” is
used in case of dynamic routing.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 64
OSPF and OSPFv3 Configuration
• User can select Static or Dynamic
VTI interfaces while configuring
OSPFv2 and OPSFv3 routing
protocols under interface tab.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 65
EIGRP Configuration
• In existing EIGRP dialog,
supported Static and Dynamic VTI
interfaces for the following tabs,
- Neighbors
- Filter rules
- Summary address and
- Interface.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 66
FMC Validations
• DVTI support restricted to only 7.3 FTDs
• IP versions (or IPsec tunnel mode) should be the same across all the VTIs of the topology.
• Same interface cannot be used as “Borrow IP from interface” (IP unnumbered, i.e., the virtual
access interface takes the IP from this borrow interface) and as tunnel source.
• If a VTI is using a interface as borrow IP from interface (or IP numbered interface), then it cannot
be used as tunnel source for any other interface.
• Tunnel source of DVTI to be configured either in the interface or the S2S VPN topology.
• QoS policy won't support VTI's.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 67
FMC REST APIs
S2S VPN REST APIs
• These are the existing S2S VPN URLs for endpoints whose model is modified for
supporting DVTI.
• GET : /api/fmc_config/v1/domain/{containerUUID}/policy/ftds2svpns/{containerUUID}/endpoints
Gets all endpoints of S2S VPNs.

• GET : /api/fmc_config/v1/domain/{containerUUID}/policy/ftds2svpns/{containerUUID}/endpoints {ObjectID} Get the


specified endpoint.

• POST : /api/fmc_config/v1/domain/{containerUUID}/policy/ftds2svpns/{containerUUID}/endpoints
Creates an endpoint.

• PUT : /api/fmc_config/v1/domain/{containerUUID}/policy/ftds2svpns/{containerUUID}/endpoints {ObjectID} Edits an


endpoint.

• DELETE : /api/fmc_config/v1/domain/{containerUUID}/policy/ftds2svpns/{containerUUID}/endpoints /{ObjectID} Deletes


an endpoint.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 69
Endpoint Model changes for DVTI
• The newly added attributes to the endpoint model for supporting DVTI.

{
...
"tunnelSourceInterface" :
{
"id" : "<uuid>",
"name": "", //NA
"type": "PhysicalInterface | SubInterface | VirtualTunnelInterface",
},
"tunnelSourceIpv6Address" : "f120::0020", //String
"sendTunnelInterfaceIpToPeer" : true,
"allowIncomingIKEv2Routes" : true,
...

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 70
Interface APIs – New Parameter
• New parameter added to existing URL –
/api/fmc_config/v1/domain/{domainUUID}/devices/devicerecords/{container
UUID}/virtualtunnelinterfaces/{objectId}

Param Description Default

tunnelType Enum with value DYNAMIC or STATIC based on DVTI or SVTI STATIC

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 71
Demo
Demo Agenda
• Configuration flow of DVTI Hub & Spoke Topology.
• DVTI - FMC walkthrough
• Verification and troubleshooting in LINA.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 73
DVTI – Demo Topology

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 74
Troubleshooting /
Diagnostics
Troubleshooting
• Troubleshooting information and walkthrough is provided on a separate page:
https://confluence-eng-rtp2.cisco.com/conf/pages/viewpage.action?pageId=424337351

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 76
References
Limitations Details,
Common Problems, &
Workarounds
Limitations of the Implementation for this Release
• ECMP / VRF are not supported for DVTI.
• There can only be 1000 DVTIs on a device (same as SVTI).
• DVTI is not supported in Cluster and Multicontext (same as SVTI).
But it is supported with devices in HA.
• IKEv1 is not supported on DVTI.
• Both sides of OSPF/EIGRP neighbors should be with same Tunnel Interface IP assignment
(either numbered or unnumbered for both peers).
• OSPF inter-op with IOS router for Tunnel Interface requires 'mtu-ignore' to be
configured on ASA/FTD or on IOS router.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 79
IFT / Beta Notes
Objectives for IFT’ers
• Test DVTI in a scaled set-up. (i.e., a large number of spokes connecting to the
DVTI Hub) (also, let us know how many spokes you anticipate customers having)
• Test Spoke-to-Spoke communication via the DVTI Hub.
• Test with Active / Backup tunnels connecting to Primary / Redundant Hub.
• Perform HA operations like switch/break/suspend on the DVTI Hub.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 85
Internal Tracking
Information
During the IFT Program, please log
tickets in Jira. Please don't contact
engineering directly.
CDETS Project / Product / Component(s)
(for logging and searching for bugs)

FMC - CSC.content-security > sfims > ngfw_s2s_vpn-ui


FTD – CSC.netbu > pix-asa > ipsecvpn-ikev2_s2s
ASDM – CSC.netbu > asdm > asdm
© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 88
Cisco Highly Confidential

• You will not distribute or show Internal Field Testing or Beta Testing
assets to anyone
• The assets provided as part of this program are for your use only.
• You understand that this program and its assets is for Cisco internal
employees only. That means no partners or vendors

Note: These trainings and materials were prepared prior to release


information is subject to change on release, and feature may even be
removed.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 91
Everyone is To learn more about Cisco Highly
Confidential, please visit the Data
responsible for Protection page on CEC.
security.

© 2022 Cisco and/or its affiliates. All rights reserved. Cisco HIGHLY CONFIDENTIAL CSF 7.3 IFT TOI: DVTI Page 93

You might also like