DVTIs can provide highly secure and scalable connectivity for remote-access VPNs. The dVTI technology replaces dynamic crypto
maps and the dynamic hub-and-spoke method for establishing tunnels.
DVTIs can be used for both the server and remote configuration. The tunnels provide an on-demand separate virtual access interface
for each VPN session. The configuration of the virtual access interfaces is cloned from a virtual template configuration,
which includes the IPsec configuration and any Cisco IOS XE software feature configured on the virtual template interface,
such as QoS, NetFlow, or ACLs.
DVTIs function like any other real interface so that you can apply QoS, firewall, and other security services as soon as the tunnel
is active. QoS features can be used to improve the performance of various applications across the network. Any combination
of QoS features offered in Cisco IOS XE software can be used to support voice, video, or data applications.
DVTIs provide efficiency in the use of IP addresses and provide secure connectivity. DVTIs allow dynamically downloadable
per-group and per-user policies to be configured on a RADIUS server. The per-group or per-user definition can be created using
extended authentication (Xauth) User or Unity group, or it can be derived from a certificate. DVTIs are standards based, so
interoperability in a multiple-vendor environment is supported. IPsec dVTIs allow you to create highly secure connectivity
for remote access VPNs and can be combined with Cisco Architecture for Voice, Video, and Integrated Data (AVVID) to deliver
converged voice, video, and data over IP networks. The dVTI simplifies VPN routing and forwarding (VRF)-aware IPsec deployment.
The VRF is configured on the interface.
A dVTI requires minimal configuration on the router. A single virtual template can be configured and cloned.
The dVTI creates an interface for IPsec sessions and uses the virtual template infrastructure for dynamic instantiation and
management of dynamic IPsec VTIs. The virtual template infrastructure is extended to create dynamic virtual-access tunnel
interfaces. DVTIs are used in hub-and-spoke configurations.
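A hub-side sketch of the single virtual template described above, added here as an illustration and not taken from the original page. All names, the VRF, addresses (documentation ranges), and rates are constructed, and the pre-shared key is a placeholder. Each matching peer gets its own virtual-access interface that inherits the IPsec profile, VRF, ACL, and QoS policy from the template.

```cisco
! Constructed example: every name, address and rate below is an assumption.
ip vrf CUST-A
 rd 65000:1
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto keyring SPOKES
 pre-shared-key address 192.0.2.0 255.255.255.0 key <PRE-SHARED-KEY>
!
! Peers matching this profile get a virtual-access interface cloned from template 1.
crypto isakmp profile DVTI-PROF
 keyring SPOKES
 match identity address 192.0.2.0 255.255.255.0
 virtual-template 1
!
crypto ipsec transform-set DVTI-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile DVTI-IPSEC
 set transform-set DVTI-TS
 set isakmp-profile DVTI-PROF
!
! LLQ for voice inside a parent shaper, applied per tunnel on egress.
class-map match-any VOICE
 match dscp ef
policy-map DVTI-LLQ
 class VOICE
  priority percent 20
policy-map DVTI-SHAPE
 class class-default
  shape average 10000000
  service-policy DVTI-LLQ
!
ip access-list extended DVTI-IN
 permit ip 10.10.0.0 0.0.255.255 any
!
interface Loopback0
 ip vrf forwarding CUST-A
 ip address 10.0.0.1 255.255.255.255
!
! The template: VRF, ACL, IPsec protection and QoS are all inherited by each clone.
interface Virtual-Template1 type tunnel
 ip vrf forwarding CUST-A
 ip unnumbered Loopback0
 ip access-group DVTI-IN in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DVTI-IPSEC
 service-policy output DVTI-SHAPE
```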
In Cisco IOS XE Release 3.4S, support for the following was added:
- Maximum of 2000 dynamic tunnels with QoS applied
- Maximum of 4000 dynamic tunnels (2000 with QoS, 2000 without QoS)
- dVTI QoS LLQ for high-speed access egress shaping with overhead accounting and queuing