VXLAN L2 and L3 Gateway

Virtual eXtensible Local Area Network (VXLAN, RFC 7348) specifies how to implement a logical layer 2 switching overlay on an existing layer 3 IP network. The original Ethernet frame is encapsulated in an outer Ethernet/IP/UDP header followed by an 8‐byte VXLAN header. It is this VXLAN header, not the UDP header, that carries the 24‐bit VXLAN Network Identifier (VNI). The VNI extends the 12‐bit VLAN ID (4,094 usable VLANs) to a 24‐bit value, allowing up to 16,777,215 distinct VXLAN logical switch domains, so that many tenants can run separate layer 2 data center virtual networks over the same physical infrastructure.

Normally, Virtual Machines (VMs) run under a common scheduling and management component called a hypervisor; there may be many VMs on a single physical machine. Each VM transmits packets into a VXLAN segment, identified by its VNI, to communicate with the other VMs in that VXLAN. Those VMs may be in a different geographic location across an IP network, or in the same network closet. Before a packet leaves the hypervisor on the physical server, it has already been encapsulated with a VXLAN header and associated with a VNI; VLANs are not involved in this context. The switches and routers between the two VMs forward the packet normally using the outer IP header, so no special handling is needed.

The need for a VXLAN gateway arises when a VM wants to send a packet to a “bare metal” physical server that does not support VXLAN. The VXLAN gateway to which that bare metal server is connected terminates the VXLAN tunnel on its behalf. The VXLAN gateway:
  • Decapsulates the packet
  • Maps the VNI to a VLAN
  • Sends the packet to the server

The reverse is done when the server responds. This allows legacy hardware to participate in the VXLAN overlay network.

Discovery of other VXLAN gateways and VMs relies either on CLI configuration or on an SDN‐based centralized controller (or a distributed set of controllers) to supply all of the forwarding and VXLAN gateway information needed to forward VXLAN traffic correctly.

For untagged traffic arriving from the "bare metal" devices, the VXLAN gateway applies the port's PVID (port VLAN ID), maps that VLAN to the VNI, and then encapsulates and forwards the packet. In the other direction, VXLAN‐decapsulated packets are forwarded to the ports on the mapped VLAN's untagged egress list. All of this depends on how the VLAN egress lists are configured.
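The encapsulation described in the first section and the gateway operation above (decapsulate, map the VNI to a VLAN, honour the PVID and the tagged/untagged egress lists) are modelled end to end in the following Python example. It is an added example, not code from this page or from the switch vendor. The VNI 5000 / VLAN 100 mapping, the port names ge.1.1 and ge.1.2, the VTEP addresses 10.0.0.1 and 10.0.0.2, the MAC addresses, the sample inner frame, and the rule that only packets from configured remote VTEPs are accepted are constructed assumptions of the model, not documented switch behaviour.

```python
"""Software model of a VXLAN L2 gateway (added example, not the switch's code).
Builds and parses the RFC 7348 outer Ethernet/IPv4/UDP/VXLAN headers and performs
both gateway directions: VNI -> VLAN (decapsulate, then tag or leave untagged per
the egress lists) and VLAN -> VNI (802.1Q tag or port PVID, strip tag, encapsulate).
All MACs, IPs, VNIs, VLAN IDs and port names below are constructed sample values."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789       # IANA-assigned VXLAN UDP destination port
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
VXLAN_FLAG_I = 0x08         # "I" bit: the VNI field is valid


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, bytes(3), vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    flags, _, vni_word = struct.unpack("!B3sI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; drop")
    return vni_word >> 8


def _ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner: bytes, vni: int, src_vtep: str, dst_vtep: str,
                outer_src_mac: bytes, outer_dst_mac: bytes) -> bytes:
    """Wrap an inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers."""
    payload = build_vxlan_header(vni) + inner
    # UDP checksum 0 is allowed for VXLAN over IPv4; the source port is normally a
    # hash of the inner headers (for ECMP) and is fixed here for determinism.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return outer_dst_mac + outer_src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def decapsulate(packet: bytes, allowed_vteps: set) -> tuple:
    """Return (vni, src_vtep, inner_frame). VXLAN carries no authentication, so
    accepting only configured remote VTEPs is this model's policy (an assumption)."""
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4; drop")
    ihl = (packet[14] & 0x0F) * 4
    ip = packet[14:14 + ihl]
    if ip[9] != 17 or _ipv4_checksum(ip) != 0:
        raise ValueError("outer IP is not UDP or has a bad checksum; drop")
    src_vtep = str(ipaddress.IPv4Address(ip[12:16]))
    if src_vtep not in allowed_vteps:
        raise ValueError("VXLAN from unconfigured VTEP %s; drop" % src_vtep)
    udp = packet[14 + ihl:]
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not addressed to the VXLAN port; drop")
    return parse_vxlan_header(udp[8:16]), src_vtep, udp[16:]


def vlan_of(frame: bytes, pvid: int) -> tuple:
    """(vlan_id, untagged_frame): honour an 802.1Q tag if present, else the PVID."""
    if struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[:12] + frame[16:]
    return pvid, frame


def tag(frame: bytes, vlan_id: int) -> bytes:
    """Insert an 802.1Q tag (priority 0) after the source MAC."""
    return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF) + frame[12:]


# Constructed gateway configuration: one VNI <-> VLAN pair and its egress lists.
VNI_TO_VLAN = {5000: 100}
VLAN_TO_VNI = {v: k for k, v in VNI_TO_VLAN.items()}
TAGGED_EGRESS = {100: {"ge.1.2"}}      # VLAN 100 leaves ge.1.2 tagged
UNTAGGED_EGRESS = {100: {"ge.1.1"}}    # VLAN 100 leaves ge.1.1 untagged
PORT_PVID = {"ge.1.1": 100, "ge.1.2": 1}
LOCAL_VTEP, REMOTE_VTEP = "10.0.0.1", "10.0.0.2"
LOCAL_MAC = bytes.fromhex("02000a000001")
NEXTHOP_MAC = bytes.fromhex("02000a000002")
# Constructed inner frame: a VM's broadcast ARP request with a zeroed body.
SAMPLE_INNER = bytes.fromhex("ffffffffffff0200c0a80a0a0806") + bytes(46)


def from_vxlan(packet: bytes, egress_port: str) -> bytes:
    """VXLAN side -> bare-metal side: decapsulate, map VNI to VLAN, tag per egress list."""
    vni, _, inner = decapsulate(packet, {REMOTE_VTEP})
    vlan = VNI_TO_VLAN[vni]                      # KeyError: unmapped VNI, dropped
    if egress_port in TAGGED_EGRESS.get(vlan, ()):
        return tag(inner, vlan)
    if egress_port in UNTAGGED_EGRESS.get(vlan, ()):
        return inner
    raise ValueError("port %s is not in VLAN %d's egress lists; drop" % (egress_port, vlan))


def to_vxlan(frame: bytes, ingress_port: str) -> bytes:
    """Bare-metal side -> VXLAN side: tag or PVID -> VLAN -> VNI, strip tag, encapsulate."""
    vlan, untagged = vlan_of(frame, PORT_PVID[ingress_port])
    return encapsulate(untagged, VLAN_TO_VNI[vlan], LOCAL_VTEP, REMOTE_VTEP,
                       LOCAL_MAC, NEXTHOP_MAC)
```

Running from_vxlan on a packet that arrived from the configured remote VTEP yields the bare frame on ge.1.1 (untagged egress list) and the same frame with an 802.1Q tag for VLAN 100 on ge.1.2 (tagged egress list); to_vxlan on an untagged frame from ge.1.1 uses the PVID of 100 and so lands in VNI 5000. The source-VTEP check in decapsulate is the point a practitioner should note: the encapsulation itself offers no way to tell a legitimate VTEP from any host that can reach UDP port 4789 on the gateway.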

Use the set vlan egress command in any command mode to make all traffic on the VLAN leave the specified ports tagged.

The VXLAN gateway is the tunnel endpoint on the switch, also referred to as a VTEP. A VXLAN VTEP is created as a tunnel interface and is bound to one or more VNIs. Up to 62 VXLAN VTEP interfaces can be created, though generally only one is needed. Because this is an L2 tunnel, packets routed directly to the tunnel interface are dropped, and packets arriving through the tunnel are not considered to have arrived on a router interface. To route between VXLANs, map the VXLAN VNIs to VLANs and then create router interfaces on those VLANs.

Use the set tunnel map logical-switch command to map the VLAN to the VNI for this VXLAN. A tunnel bridge port (TBP) is bound to the VTEP so that it can be used in the appropriate L2 commands to apply rate limiters, L2 policy, and any other L2 port based feature supported on the switch.

The filter database output (the switch's MAC address table) shows the tunnel bridge ports, and the show mac command with the vxlan keyword shows the logical switch, remote VTEP, and VNI for each entry.

Use the tunnel mode vxlan l2 command in tunnel interface command mode to bind the TBP to the VTEP.

Each VNI has a flood list. The IP address of a remote VTEP can be added to the VNI flood list of a VTEP. The switch uses the configured remote VTEP IP addresses to replicate layer 2 Broadcast, Unknown unicast, and Multicast (BUM) packets to each remote VTEP on the list. Because VXLAN encapsulation carries no authentication, the flood lists and the VNI‐to‐VLAN mappings are part of the security boundary of the overlay: they decide which remote endpoints can place traffic into a VLAN, so keep them tightly scoped and restrict UDP port 4789 traffic in the underlay to the configured VTEP addresses.

Use the set tunnel remote‐vtep command in any command mode to add the IP address of a remote VTEP to the VNI flood list of this VTEP.
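The flood‐list behaviour described in the last two paragraphs, as an added Python model that is not the switch's code: each VNI has its own list of remote VTEP addresses, BUM frames are replicated to every address on it, and a MAC learned from a decapsulated frame is afterwards reached by unicasting only to the VTEP it was learned behind. The VNIs, MAC addresses and VTEP addresses are constructed, and the rule that MACs are learned only from VTEPs already on the flood list is this model's policy, not documented switch behaviour.

```python
"""Per-VNI forwarding decision at a VTEP: learned MACs versus the VNI flood list.
Added example, not the switch's code. Head-end replication: Broadcast, Unknown
unicast and Multicast (BUM) frames go to every remote VTEP on the VNI's flood
list; known unicast goes only to the VTEP the destination MAC was learned behind.
All VNIs, MACs and IPs used below are constructed sample values."""
import ipaddress

BROADCAST = bytes.fromhex("ffffffffffff")


class VtepForwarder:
    def __init__(self):
        self.flood_lists = {}   # vni -> set of remote VTEP IPs (the VNI flood list)
        self.mac_table = {}     # (vni, mac) -> remote VTEP IP, learned on decapsulation

    def add_remote_vtep(self, vni: int, ip: str) -> None:
        """Add a remote VTEP to this VNI's flood list (address is normalised)."""
        self.flood_lists.setdefault(vni, set()).add(str(ipaddress.IPv4Address(ip)))

    def learn(self, vni: int, src_mac: bytes, from_vtep: str) -> bool:
        """Learn the inner source MAC behind the VTEP a decapsulated frame came from.
        Policy (assumption): ignore group addresses used as a source, and frames from
        VTEPs not on this VNI's flood list, so neither can poison the table."""
        if src_mac[0] & 1 or from_vtep not in self.flood_lists.get(vni, ()):
            return False
        self.mac_table[(vni, src_mac)] = from_vtep
        return True

    def classify(self, vni: int, dst_mac: bytes) -> str:
        if dst_mac == BROADCAST:
            return "broadcast"
        if dst_mac[0] & 1:                      # I/G bit set: group address
            return "multicast"
        if (vni, dst_mac) in self.mac_table:
            return "known-unicast"
        return "unknown-unicast"

    def next_hops(self, vni: int, dst_mac: bytes) -> list:
        """Remote VTEPs that receive a copy of a frame in this VNI. Known unicast is
        sent once; BUM is replicated to the flood list. An empty result means no
        remote VTEP is configured for the VNI, so the frame stays local."""
        if self.classify(vni, dst_mac) == "known-unicast":
            return [self.mac_table[(vni, dst_mac)]]
        return sorted(self.flood_lists.get(vni, ()))
```

Two remote VTEPs on VNI 5000's flood list receive every broadcast, multicast and unknown-unicast frame; once a VM's MAC has been learned behind one of them, unicast to that MAC goes to that VTEP alone, and the learned entry is scoped to VNI 5000, so the same MAC in another VNI is still unknown there.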