Multiple tunnels using the same VTI

robinhall1, Level 1

On an FTD, can I set up one VTI and use it on 2 tunnels? I will be running a dual hub and spoke configuration and I am looking to use a /24 for the subnet and have the hubs borrow the IP from the loopback, which will be set up in the same subnet. If I need a second VTI, will it let me create it on the same subnet? I know that most systems have issues with overlapping subnets. Or should I just create a separate subnet for each hub with two VTIs?


@robinhall1 what version are you running, 7.3? Only in 7.3 did Cisco introduce a loopback interface for VPNs. If you are using 7.3, then on the hub you could use a dVTI instead of an sVTI; then all tunnels will use the same dVTI and you can use the loopback to borrow the IP address instead of wasting IP addresses.

I am running 7.3.1.1 on the two hubs as those are 2110s. I am running 7.0.5 on all of the spokes as those are 55xx series running FTD, as 7.0 is the last supported firmware for the 55xx series. I was going to use dVTI on the hubs. As it is a dual hub setup, I am not sure if I can use the same VTI on the spokes for each tunnel or if I need to have separate VTIs, and if separate, they will likely need different subnets, but I am not sure if that is a requirement.

Accepted solution:

@robinhall1 that should work using a dVTI on the hub FWs. On the spokes run a separate VTI to each hub, with a unique subnet per hub. Establish a routing protocol adjacency, and either load balance over both hubs, use a routing protocol attribute to prefer one tunnel over the other, or use a backup VTI - https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/vpn-s2s.html#Cisco_Reference.dita_73dac582-5114-4643-9536-fc4e2de1f1c4
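As an added illustration, not part of the thread and not Cisco tooling, the Python script below checks the addressing plan the accepted solution describes: one /24 per hub, borrowed by that hub's dVTI from a loopback, and a separate sVTI on each spoke toward each hub. It flags the two things the question worried about, overlapping hub subnets and a single VTI address reused for two tunnels, plus address collisions with the hub or another spoke. All hub names, spoke names and addresses are constructed for the example.

```python
"""Addressing-plan check for a dual-hub VTI design (constructed example).

Hub dVTIs borrow a loopback address from one /24 per hub; each spoke runs a
separate sVTI to each hub. validate() returns every inconsistency it finds.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Dict, List


@dataclass(frozen=True)
class Hub:
    name: str
    # Loopback whose address the hub's dVTI borrows (unnumbered). One /24 per hub.
    loopback: IPv4Interface


@dataclass(frozen=True)
class Spoke:
    name: str
    # One sVTI per hub: hub name -> address configured on that tunnel interface.
    vtis: Dict[str, IPv4Interface]


def build_spokes(hubs: List[Hub], spoke_names: List[str]) -> List[Spoke]:
    """Give spoke k the k-th free host in each hub's subnet (the hub's own address is skipped)."""
    spokes = []
    for k, name in enumerate(spoke_names):
        vtis = {}
        for hub in hubs:
            free = [h for h in hub.loopback.network.hosts() if h != hub.loopback.ip]
            vtis[hub.name] = IPv4Interface(f"{free[k]}/{hub.loopback.network.prefixlen}")
        spokes.append(Spoke(name, vtis))
    return spokes


def validate(hubs: List[Hub], spokes: List[Spoke]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    by_name = {h.name: h for h in hubs}

    # 1. Hub subnets must be disjoint, otherwise a spoke ends up with two VTIs in one subnet.
    for i, a in enumerate(hubs):
        for b in hubs[i + 1:]:
            if a.loopback.network.overlaps(b.loopback.network):
                problems.append(f"hub subnets overlap: {a.name} {a.loopback.network} "
                                f"and {b.name} {b.loopback.network}")

    seen: Dict[str, Dict[IPv4Address, str]] = {h.name: {} for h in hubs}
    for spoke in spokes:
        # 2. One address per tunnel: the same VTI address cannot serve both hubs.
        addrs = [v.ip for v in spoke.vtis.values()]
        if len(set(addrs)) != len(addrs):
            problems.append(f"{spoke.name}: one address reused for more than one tunnel")
        for hub_name, iface in spoke.vtis.items():
            hub = by_name.get(hub_name)
            if hub is None:
                problems.append(f"{spoke.name}: tunnel to unknown hub {hub_name}")
                continue
            # 3. The spoke's tunnel address must sit in that hub's subnet for the adjacency to form.
            if iface.network != hub.loopback.network:
                problems.append(f"{spoke.name}: VTI to {hub_name} is in {iface.network}, "
                                f"hub uses {hub.loopback.network}")
            # 4. No collision with the hub's borrowed loopback address or with another spoke.
            if iface.ip == hub.loopback.ip:
                problems.append(f"{spoke.name}: VTI to {hub_name} reuses the hub address {iface.ip}")
            other = seen[hub_name].get(iface.ip)
            if other is not None:
                problems.append(f"{spoke.name}: {iface.ip} toward {hub_name} already used by {other}")
            seen[hub_name][iface.ip] = spoke.name
    return problems


# Constructed addressing: one /24 per hub, each hub borrows .1 of its loopback subnet.
GOOD_HUBS = [
    Hub("hub-a", IPv4Interface("10.255.1.1/24")),
    Hub("hub-b", IPv4Interface("10.255.2.1/24")),
]
SPOKE_NAMES = ["spoke-1", "spoke-2", "spoke-3"]


def good_plan() -> List[str]:
    """Unique subnet per hub, separate sVTI per hub on every spoke."""
    return validate(GOOD_HUBS, build_spokes(GOOD_HUBS, SPOKE_NAMES))


def bad_plan() -> List[str]:
    """Both hubs in one /24, and spoke-1 pointing a single VTI address at both hubs."""
    hubs = [
        Hub("hub-a", IPv4Interface("10.255.1.1/24")),
        Hub("hub-b", IPv4Interface("10.255.1.2/24")),
    ]
    spokes = build_spokes(hubs, SPOKE_NAMES)
    shared = IPv4Interface("10.255.1.10/24")
    spokes[0] = Spoke("spoke-1", {"hub-a": shared, "hub-b": shared})
    return validate(hubs, spokes)


if __name__ == "__main__":
    for label, problems in (("good", good_plan()), ("bad", bad_plan())):
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it directly to see both plans: the good plan reports nothing, while the bad plan reports the overlapping hub subnets and the shared spoke address. Because the overlapping /24 also makes build_spokes hand the other spokes identical addresses toward both hubs, those spokes are flagged for address reuse too, which is exactly why the accepted solution insists on a unique subnet per hub.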