Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
497
Views
0
Helpful
1
Replies

Wy use vti for VPN rather than crypto map on physical interface

carl_townshend
Spotlight
Spotlight

‎09-15-2011 11:41 AM - edited ‎03-04-2019 01:37 PM

Hi all

I see all VPN now use vti interfaces, what are the benefits of these over normal setups ?

Labels:
0 Helpful
1 Reply 1

Peter Paluch
Cisco Employee
Cisco Employee

‎09-15-2011 11:52 AM

Hi Carl,

A VTI significantly simplifies the IPsec configuration - instead of creating a crypto map, a simpler crypto profile is created. You do not have to care about the peer or the ACL that selects the interesting traffic to be encrypted, as the peer is identified by the tunnel destination and the IPsec should apply to everything that passes through the tunnel.

In addition, the VTIs are the only flexible way to create a DMVPN if the real routers' IP addresses change over time. With static crypto maps, you would have troubles creating an appropriate ACL to describe the traffic to be encrypted. You could perhaps solve this with dynamic crypto maps but this is all an added hassle. With a VTI, the crypto profile applies to all traffic passing through the tunnel, and its endpoint can be resolved dynamically using NHRP, giving rise to the fundamental DMVPN principle - a multipoint GRE tunnel with dynamically established endpoints.

Using VTIs even allows you to create a pure IPsec tunnel (without GRE) represented by an interface - something that a crypto map can never provide you with.

Best regards,

Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card