Virtual Extensible LAN (VXLAN) Gateway

Virtual Extensible LAN (VXLAN) is a layer 2 overlay scheme over a layer 3 network. Overlays are called VXLAN segments, and only virtual machines (VMs) within the same segment have Layer 2 connectivity. VXLAN segments are uniquely identified using an identifier called the VXLAN Network Identifier (VNI). The VNI is a 24-bit identifier; therefore, an administrative domain can support up to 16 million overlay networks.

As the scope of the MAC addresses originated by tenant VMs is restricted by the VNI, overlapping MAC addresses across segments can be supported without traffic leaking between tenant segments. When a tenant frame traverses a VXLAN overlay network, it is encapsulated by a VXLAN header that contains the VNI. This frame is further encapsulated in a UDP header and L2/L3 headers.

VXLAN can add up to a 54-byte header to the tenant VM‘s frame. For VXLAN to work correctly, this requires that the IP MTU be set to at least 1554 bytes on the network-side interfaces, and on all transit nodes which carry VXLAN traffic.

The role to encapsulate/decapsulate a frame is performed by a VXLAN Tunnel Endpoint (VTEP), also referred to as VXLAN gateway. A VXLAN gateway can be a Layer 2 gateway or Layer 3 gateway depending on its capacity. A Layer 2 gateway acts as a bridge connecting VXLAN segments to VLAN segments. A Layer 3 gateway performs all that of Layer 2 gateway, and capable of routing traffic between tenant VLANs.
Note

Note

This feature implements only Layer 2 gateway.

At tunnel initiation, a gateway looks up the destination MAC address of the frame received from the tenant VM. If the MAC address to remote VTEP IP binding is known, the gateway adds the VXLAN header and the IP/UDP header to the frame and forwards toward the DC network. A gateway node that terminates a tunnel removes the encapsulation headers from the packet and determines the bridge domain of the inner frame by examining the VNID received in the VXLAN header. The gateway then looks up the inner MAC destination address (DA) in the tenant VLAN's filtering database and decides either to flood or forward the frame to tenant ports.

The VXLAN segments with the same virtual network ID form a virtual network with one Ethernet broadcast domain.

In multicast VXLAN, the VNI is mapped to a multicast group and multicast tunnels are used to distribute broadcast, unknown unicast and multicast (BUM) tenant traffic to remote endpoints (VTEPs). This requires that the Layer 3 network should support multicast. Unicast VXLAN uses unicast tunnels, and the BUM traffic is head-end replicated at each of the remote endpoints.
Note

Note

This feature implements only unicast VXLAN.

Supported Platforms

Summit X770 and X670-G2 series switches (standalone), and stacks that have X770 and X670-G2 slots only.

Limitations

The following capabilities are not supported in ExtremeXOS 21.1:
  • Layer 3 gateways
  • Multicast VXLAN
  • Ability to assign more than one VNI to a virtual network
  • IPv6 addresses for local and remote VTEPs
  • Assigning source IP addresses for VXLAN gateway encapsulation:
    • Per virtual router
    • Per virtual network or VNI
  • Support for adding more than one tenant VLAN per VNI
  • A physical port being part of both a tenant VLAN and an underlay (network) VLAN
  • Routing in and out of tunnels
  • Integration with any controllers
  • Support for heterogeneous stack environments where at least one of the stack nodes is not VXLAN capable
  • More than one next hop per (network) hop
  • Tagged and untagged tenant VLANs on the same port
  • Multicast underlay IP network, including PIM-Bidir
  • Multiple VRs

New CLI Commands

create virtual-network vn_name {flooding [standard | explicit-remotes]}

configure virtual-network vn_name vxlan vni [ vni | none]

configure virtual-network vn_name [add | delete] [{vlan} vlan_name | vman vman_name]

configure virtual-network local-endpoint [ ipaddress ipaddress { vr vr_name } | none ]

create virtual-network remote-endpoint vxlan ipaddress ipaddress {vr vr_name}

delete virtual-network remote-endpoint vxlan ipaddress ipaddress {vr vr_name}

configure virtual-network vn_name [add | delete] remote-endpoint vxlan ipaddress ipaddress {vr vr_name}

enable learning {forward-packets | drop-packets}] vxlan {vr vr_name} ipaddress remote_ipaddress

disable learning {forward-packets | drop-packets}] vxlan {vr vr_name} ipaddress remote_ipaddress

show virtual-network { vn_name | vxlan vni vni | [vlan vlan_name | vman vman_name]}

show virtual-network {vn_name} remote-endpoint vxlan {vni vni} {ipaddress ipaddress { vr vr_name } }

configure fdb { mac_addr | broadcast | unknown-unicast | unknown-multicast } vlan vlan_name [ add | delete ] vxlan {vr vr_name } {ipaddress} remote_ipaddress

configure virtual-network remote-endpoint vxlan ipaddress ipaddress { vr vr_name } monitor [ on | off ]

show virtual-network { vn_name | remote-endpoint vxlan {ipaddress ipaddress} {vr vr_name}} statistics {no-refresh}

clear counters virtual-network remote-endpoint vxlan [ all | ipaddress ipaddress]

configure virtual-network vn_name monitor [ on | off ]

show virtual-network { vn_name | remote-endpoint remote-endpoint vxlan {ipaddress ipaddress} {vr vr_name}} statistics {no-refresh}

clear counters virtual-network [ all | vn_name ]

Changed CLI Commands

Changes are underlined.

[ create | delete ] fdb [ mac_addr vlan vlan_name [ ports port_list | blackhole | vxlan { vr vr_name } {ipaddress} remote_ipaddress ] | broadcast vlan vlan_name vxlan { vr vr_name } {ipaddress} remote_ipaddress | unknown-multicast vlan vlan_name vxlan { vr vr_name } {ipaddress} remote_ipaddress | unknown-unicast vlan vlan_name vxlan { vr vr_name } {ipaddress} remote_ipaddress ]

show fdb { {mac_addr | blackhole | permanent | {vlan} vlan_name | ports port_list} {netlogin [all | mac-based-vlans]} | {vpls} {vpls_name} | openflow | rbridge {nickname} | vxlan { vni } | virtual-network vn_name }

create vlan vlan-name {vr vr-name} {description vlan-desc} {tag [ tag | none ] }

configure {vlan} vlan-name {tag [tag {remote-mirroring} | none] }

configure {vlan} vlan_name add ports [port_list | all] {tagged {tag {- end_tag}} | untagged | private-vlan translated }

configure {vlan} vlan_name delete ports [port_list | all] {tagged {tag} {- end_tag}}