VXLAN Overview

VXLAN is a Layer 2 overlay scheme over a Layer 3 network. Overlays are called VXLAN segments and only VMs and physical machines (tenants) within the same segment have Layer 2 connectivity. VXLAN segments are uniquely identified using an identifier called the VXLAN Network Identifier (VNI). The VNI is a 24-bit identifier; therefore, an administrative domain can support up to 16 million overlay networks.

As the scope of the MACs originated by tenants is restricted by the VNI, overlapping MAC addresses across segments can be supported without traffic leaking between tenant segments. When a tenant frame traverses a VXLAN overlay network, it is encapsulated by a VXLAN header that contains the VNI. This frame is further encapsulated in a UDP header and L2/L3 headers.

VXLAN can add up to a 54-byte header to the tenant VM's frame. For VXLAN to work correctly, the IP MTU must therefore be set to at least 1554 bytes on the network-side interfaces. An IP MTU of 1554 should also be set on all transit nodes that carry VXLAN traffic. The point at which a tenant frame is encapsulated (or decapsulated) is referred to as a VXLAN Tunnel Endpoint (or VTEP). VTEPs are typically located on hypervisors but may also be located on physical network switches. Network switches that act as a VTEP are referred to as VXLAN gateways.

Encapsulating and decapsulating frames is performed by a VXLAN Tunnel Endpoint (VTEP), also referred to as a VXLAN gateway. A VXLAN gateway can be a Layer 2 gateway or Layer 3 gateway depending on its capacity. A Layer 2 gateway acts as a bridge connecting VXLAN segments to VLAN (Virtual LAN) segments. A Layer 3 gateway does everything a Layer 2 gateway does and is also capable of routing traffic between tenant VLANs/VMANs.

At tunnel initiation, a gateway looks up the destination MAC address of the frame received from the tenant VM. If the MAC address to remote VTEP IP binding is known, the gateway adds the VXLAN header and the IP/UDP header to the frame and forwards it toward the DC network. A gateway node that terminates a tunnel removes the encapsulation headers from the packet and determines the bridge domain of the inner frame by examining the VNID received in the VXLAN header. The gateway then looks up the inner MAC destination address (DA) in the tenant VLAN's/VMAN's filtering database and decides either to flood or forward the frame to tenant ports.

The VXLAN segments with the same virtual network ID form a virtual network with one Ethernet broadcast domain.
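
The VNI handling described above, as an added example that is not ExtremeXOS code: it builds and parses the 8-byte VXLAN header (layout per RFC 7348), then selects the bridge domain by VNI before the inner MAC lookup, so an identical MAC in two segments never crosses tenants. The segment table, port names, sample MACs and the drop-on-unknown-VNI behaviour are assumptions made for the illustration.

```python
import struct

VXLAN_FLAG_I = 0x08               # RFC 7348 "I" bit: the VNI field is valid
VXLAN_HDR = struct.Struct("!II")  # flags(8)+reserved(24) | VNI(24)+reserved(8)

def encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header (outer UDP/IP/L2 headers omitted)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return VXLAN_HDR.pack(VXLAN_FLAG_I << 24, vni << 8) + inner_frame

def decap(payload):
    """Return (vni, inner_frame); reject truncated or VNI-less headers."""
    if len(payload) < VXLAN_HDR.size + 14:   # VXLAN header + inner Ethernet header
        raise ValueError("truncated VXLAN payload")
    word0, word1 = VXLAN_HDR.unpack_from(payload)
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    return word1 >> 8, payload[VXLAN_HDR.size:]

def terminate(segments, payload):
    """Terminating gateway: pick the bridge domain by VNI, then forward or flood."""
    vni, frame = decap(payload)
    segment = segments.get(vni)
    if segment is None:
        return ("drop", [])                   # assumption: unknown VNI is discarded
    port = segment["fdb"].get(frame[:6])      # inner destination MAC lookup
    if port is not None:
        return ("forward", [port])
    return ("flood", list(segment["ports"]))  # flooding never leaves the VNI

# Constructed sample data: the same MAC lives in two tenant segments.
MAC = bytes.fromhex("020000000001")
SEGMENTS = {
    5000: {"ports": ["1", "2"], "fdb": {MAC: "1"}},
    6000: {"ports": ["3", "4"], "fdb": {MAC: "4"}},
}

def inner_frame(dst_mac):
    """Minimal constructed Ethernet frame: dst, src, EtherType, payload."""
    return dst_mac + bytes.fromhex("020000000099") + b"\x08\x00" + b"payload"

if __name__ == "__main__":
    for vni in (5000, 6000, 7000):
        print(vni, terminate(SEGMENTS, encap(vni, inner_frame(MAC))))
```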

Note

ExtremeXOS implements only Layer 2 gateways.

Note

ExtremeXOS VXLAN supports VMware's NSX® for Multi-Hypervisor™ controllers using OVSDB hardware_vtep schema (see Open vSwitch Database Management Protocol (OVSDB) Overview).

Supported Platforms

VXLAN is supported on the Summit X770, X670-G2, and ExtremeSwitching X870, X690 series switches, and stacks with X770, X670-G2, X870, and X690 slots only.

Limitations

The following capabilities are not supported in ExtremeXOS:

  • Layer 3 gateways
  • Multicast VXLAN
  • Ability to assign more than one VNI to a virtual network
  • IPv6 addresses for local and remote VTEPs
  • Assigning source IP for VXLAN gateway encapsulation
  • Support for adding more than one tenant VLAN/VMAN per VNI
  • A physical port being part of both a tenant VLAN/VMAN and an underlay (Network) VLAN
  • Routing in and out of tunnels
  • Support for heterogeneous stack environments where at least one of the stack nodes is not VXLAN capable
  • More than one next-hop on a (network) port
  • Multicast underlay IP network, including PIM-Bidir
  • Multiple VRs

Interactions with Existing ExtremeXOS Features

| Feature/Capability | Tenant Network | Underlay Network | Rest of the Switch |
|---|---|---|---|
| VLAN with: Multiple C-Tags on the same port or different C-Tags on different ports | Future | Future | No new restrictions |
| MAC-based and Protocol-based VLANs | Not supported | Not supported | No new restrictions |
| VMANs | Supported | Not supported | No new restrictions |
| CEP | Not supported | Not supported | No new restrictions |
| Configuring LAG (Link Aggregation Group) on ports (static and LACP) | ExtremeXOS 21.1 or later | ExtremeXOS 21.1 or later | No new restrictions |
| Configuring MLAG (Multi-switch Link Aggregation Group) on ports | ExtremeXOS 21.1 or later | ExtremeXOS 21.1 or later | ExtremeXOS 21.1 or later |
| Limit learning and MAC locking | Not supported | Not supported | ExtremeXOS 21.1 or later |
| Configuring IP (v4/v6) address on a VLAN | ExtremeXOS 21.1 or later | ExtremeXOS 21.1 or later | No new restrictions |
| Enabling IP and IPMC forwarding | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| Interface virtual router configuration | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| Spanning tree (802.1d, RSTP, MSTP (Multiple Spanning Tree Protocol), EMISTP, and PVST+) | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| Ring protocols (EAPS (Extreme Automatic Protection Switching) and ERPS) | ExtremeXOS 21.1 or later | ExtremeXOS 21.1 or later | No new restrictions |
| VRRP (Virtual Router Redundancy Protocol) | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| ESRP | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| IGMP (Internet Group Management Protocol) Snooping | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| Unicast routing protocols | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| PIM (SM, DM, SSM) | Not supported | ExtremeXOS 21.1 or later | No new restrictions |
| PIM Bidir | Not supported | Future | No new restrictions |
| MVR | Not supported | Future | No new restrictions |
| MPLS (Multiprotocol Label Switching) | Not supported | Not supported | No new restrictions |
| VPLS Service VLAN configuration | Not supported | Not supported | No new restrictions |
| DCBX | Not supported | Not supported | No new restrictions |
| ETS | ExtremeXOS 21.1 or later | ExtremeXOS 21.1 or later | No new restrictions |
| Extreme Network Virtualization (XNV) | Not supported | Not supported | Restricted |
| Private VLANs, VLAN aggregation, VLAN translation | Not supported | Not supported | No new restrictions |
| Identity Management | Not supported | Not supported | Restricted |
| IP security (DHCP (Dynamic Host Configuration Protocol) Snooping, ARP lockdown) | Not supported | Not supported | No new restrictions |
| 802.1ag CFM and Y.1731 performance monitoring | Not supported | Not supported | No new restrictions |
| BFD | Not supported | Not supported | No new restrictions |
| AVB protocols (MVRP, gPTP, MSRP, FQTSS) | Not supported | Not supported | Restricted |
| FIP Snooping | Not supported | Not supported | No new restrictions |
| Layer 2 Protocol Tunneling | Not supported | Not supported | No new restrictions |
| NetLogin | Not supported | No new restrictions | No new restrictions |
| Priority Flow Control | Not supported | No new restrictions | No new restrictions |

Note

  1. MLAG requires the entire switch to move to software learning mode.
  2. MAC locking and limit learning features require software learning mode.
  3. ExtremeXOS will require that all underlay VLANs be part of the same VR. This VR can be user-created or system-created.
  4. This does not imply that VXLAN encapsulated packets will be snooped. IGMP snooping for multicast contained entirely within the operator network will work.
  5. Current hardware has no support for adding an MPLS label to a VXLAN encapsulated frame, so remote VTEPs cannot be reached through an MPLS network.
  6. XNV dynamic VLANs, IDM role-based VLANs and MVRP require a global VLAN ID space and hence are not supported.
  7. Single-hop BFD can be configured on operator VLANs.
  8. All multicast traffic is treated as unknown.
  9. Multi-chassis Link Aggregation (MLAG) does not function if the Inter-Switch Connection (ISC) port is added to an untagged tenant VMAN.
  10. Non-Tenant VLANs/VMANs do not function if the port also has an untagged tenant VMAN.