https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255198#M1119257 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/257635">@andre.baumgarten</a>&nbsp;</P> <P>Tunnels are dynamically created when traffic flows, making them unsuitable for static routing in the GUI...</P> <P>So, from my point of vieuw, this is not a bug but rather a limitation of how dynamic VTIs work. If your final design is already using BGP and working well, I’d recommend<EM> sticking with BGP</EM> instead of trying to force static routing in a scenario that isn't designed for it.</P> Fri, 31 Jan 2025 08:26:21 GMT M02@rt37 2025-01-31T08:26:21Z https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255174#M1119254 <P>Hello Community,</P> <P>i want to build a Hub-Spoke Topology with dynamic VTIs. The final design is using BGP which is working perfectly. For testing i wanted to set a static route from HUB (with dyn vti) to Spoke. But i cannot select the dyn VTIinterface in the routing GUI. The interface is there and it is shown on cli. BGP is also working, i only cannot select it for static routing. Is it a bug or a feature ;-)?</P> <P>thx for feedback.</P> <P>Andre</P> Fri, 31 Jan 2025 07:33:37 GMT https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255174#M1119254 andre.baumgarten 2025-01-31T07:33:37Z https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255198#M1119257 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/257635">@andre.baumgarten</a>&nbsp;</P> <P>Tunnels are dynamically created when traffic flows, making them unsuitable for static routing in the GUI...</P> <P>So, from my point of vieuw, this is not a bug but rather a limitation of how dynamic VTIs work. If your final design is already using BGP and working well, I’d recommend<EM> sticking with BGP</EM> instead of trying to force static routing in a scenario that isn't designed for it.</P> Fri, 31 Jan 2025 08:26:21 GMT https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255198#M1119257 M02@rt37 2025-01-31T08:26:21Z https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255204#M1119258 <P>Let me check this&nbsp;</P> <P>Thanks for waiting&nbsp;</P> <P>MHM</P> Fri, 31 Jan 2025 10:03:36 GMT https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255204#M1119258 MHM Cisco World 2025-01-31T10:03:36Z https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255214#M1119259 <P><SPAN>Dynamic Virtual Tunnel Interfaces (VTIs) are designed to work with dynamic routing protocols like BGP, rather than static routes. In a Hub-Spoke topology with dynamic VTIs, the inability to select the dynamic VTI interface for static routing in the GUI is likely by design, not a bug.</SPAN></P><P><SPAN><SPAN class="">Dynamic VTIs are created on-demand and are not persistent interfaces</SPAN><SPAN class=""><SPAN class="">.</SPAN></SPAN><SPAN class="">&nbsp;This makes them unsuitable for static routing, which requires a stable, always-present interface</SPAN>, The hub uses a virtual template for dynamic instantiation of IPsec interfaces. Each VPN session generates a unique virtual access interface, making it impractical to configure static routes for these temporary interfaces. <A href="https://docs.defenseorchestrator.com/cdfmc/c_dynamic-vti.html" target="_self">Here is the link</A><BR /></SPAN></P><P><SPAN>If you need to test connectivity without using BGP, consider these options.<BR /></SPAN></P><P><SPAN><SPAN class="">Use IKEv2 to push routes: Configure the&nbsp;</SPAN><SPAN class="">route set interface</SPAN><SPAN class="">&nbsp;command in your IKEv2 authorization policy to advertise routes over the VTI</SPAN> <A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa919/configuration/vpn/asa-919-vpn-config/vpn-vti.html" target="_self">Here</A> and <A href="https://community.cisco.com/t5/vpn/dynamic-vti-can-i-use-static-routes-over-the-tunnel/td-p/4517911" target="_self">Here</A>&nbsp;<BR /><SPAN class="">Use a loopback interface: Create a loopback interface with the IP address you want to use for the tunnel, then use&nbsp;</SPAN><SPAN class="">ip unnumbered</SPAN><SPAN class="">&nbsp;on the virtual template to borrow this IP</SPAN><SPAN class=""><SPAN class="">.</SPAN></SPAN><SPAN class="">&nbsp;You might be able to create a static route to this loopback</SPAN> <A href="https://networklessons.com/vpn/flexvpn-hub-and-spoke" target="_self">Here</A>&nbsp;<BR /></SPAN></P><P><SPAN>For testing purposes only, you could configure a static VTI on the hub instead of a dynamic VTI, which would allow you to set static routes <A href="https://docs.defenseorchestrator.com/cdfmc/t_configure_endpoints_hub_spoke_topology.html" target="_self">Here</A></SPAN></P> Fri, 31 Jan 2025 09:28:57 GMT https://community.cisco.com/t5/network-security/static-route-throug-dynamic-vti/m-p/5255214#M1119259 Sheraz.Salim 2025-01-31T09:28:57Z