VXLAN Port Termination
When overlay VLANs are configured on a port, Netvisor ONE does not terminate VXLAN traffic on that port, even when a received packet otherwise meets the VXLAN termination criteria. Netvisor ONE enforces this for ports facing bare metal servers or single root I/O virtualization (SR-IOV) hosts. When only underlay VLANs are configured on a port, Netvisor ONE allows VXLAN termination on that port, which may have a hardware VTEP (HWvtep) or software VTEP (SWvtep) configured.
Prior to version 2.5.3, this behavior was unconditional: when overlay VLANs were configured on a port, VXLAN encapsulated packets received on that port never terminated on a VXLAN tunnel. In versions later than 2.5.3, Netvisor ONE no longer enforces this unconditionally, and VXLAN termination on such a port can be controlled per port as described below.
One sample use case has both overlay and underlay VLANs on the same port. Because the port carries an overlay VLAN, Netvisor ONE disables VXLAN termination on it by default, so VXLAN encapsulated traffic received on this port is not terminated even when its destination IP belongs to a local HWvtep.
To support this use case, Netvisor ONE provides a port-config-modify parameter that enables or disables VXLAN termination on the port.
CLI (network-admin@Spine1) > port-config-modify port 35 vxlan-termination
Enables tunnel termination of VXLAN encapsulated packets received on the port whenever the VXLAN tunnel termination criteria are met.
CLI (network-admin@Spine1) > port-config-modify port 35 no-vxlan-termination
Disables termination of VXLAN encapsulated packets received on the port, even when the termination criteria are met. This enforces port-level security: a malicious host attached to the port cannot generate VXLAN encapsulated packets that would otherwise be decapsulated by the local VTEP and injected into the overlay. Because the VXLAN encapsulation itself carries no authentication of the outer sender, restricting which ports may terminate tunnels is the primary control against such injection.
Managed ports added to a vNET with vlan-type private rely on VXLAN functionality and therefore always carry overlay VLANs only. Consequently, when you configure a port as a managed port, VXLAN termination is disabled on it by default.
Default Settings
1. vNETs with vlan-type private rely on VXLAN functionality; their private VLANs are VXLAN overlay VLANs. Hence, when a port is configured as a managed port in a vNET with vlan-type private, vxlan-termination is disabled by default.
2. Shared/underlay ports have vxlan-termination enabled by default; use the port-config-modify command to enable or disable vxlan-termination on them as needed to enforce port-level security.
3. VXLAN termination is disabled on VXLAN loopback trunk ports.
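The following is an added example, not Netvisor ONE code, that models the per-port termination decision described above so the security effect of vxlan-termination / no-vxlan-termination can be seen on a concrete packet. It builds and parses a real VXLAN header (RFC 7348: UDP 4789, I flag, 24-bit VNI) and applies the default rules from this page (overlay or managed-private ports off by default, shared/underlay ports on, loopback trunk ports always off). The PortPolicy class, vtep_receive function, the local VTEP address 10.20.0.1, the spoofed inner frame and VNI 10100 are all constructed for the illustration; what the switch does with a non-terminated packet beyond not decapsulating it is a model assumption.

```python
"""Illustrative model of per-port VXLAN termination (added example, not vendor code)."""
import struct
from dataclasses import dataclass, field
from typing import Optional

VXLAN_UDP_PORT = 4789         # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08   # "I" flag: the VNI field is valid


@dataclass
class PortPolicy:
    """Hypothetical model of one port's VXLAN-related state (assumed names)."""
    port: int
    overlay_vlans: set = field(default_factory=set)
    underlay_vlans: set = field(default_factory=set)
    managed_private: bool = False             # managed port in a vNET with vlan-type private
    loopback_trunk: bool = False              # VXLAN loopback trunk port
    vxlan_termination: Optional[bool] = None  # None: no explicit port-config-modify setting

    def termination_enabled(self) -> bool:
        """Defaults as described on the page, then any explicit per-port override."""
        if self.loopback_trunk:
            return False                      # always disabled on loopback trunk ports
        if self.vxlan_termination is not None:
            return self.vxlan_termination     # vxlan-termination / no-vxlan-termination
        if self.managed_private or self.overlay_vlans:
            return False                      # ports carrying overlay VLANs: off by default
        return True                           # shared/underlay ports: on by default


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Encapsulate an Ethernet frame exactly as any host (malicious or not) can."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # 8-byte header: flags | 24 reserved bits | 24-bit VNI | 8 reserved bits
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8) + inner_frame


def parse_vxlan(udp_payload: bytes):
    """Validate the VXLAN header and return (vni, inner Ethernet frame)."""
    if len(udp_payload) < 8 + 14:             # header plus a minimal Ethernet header
        raise ValueError("truncated VXLAN packet")
    flags, vni_word = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID or vni_word & 0xFF:
        raise ValueError("invalid VXLAN header (I flag clear or reserved bits set)")
    return vni_word >> 8, udp_payload[8:]


def vtep_receive(policy: PortPolicy, local_vtep_ips, dst_ip: str,
                 udp_dport: int, udp_payload: bytes) -> dict:
    """Decide what the modelled VTEP does with a UDP packet that arrived on policy.port."""
    # Termination criteria: VXLAN UDP port and a destination IP owned by a local VTEP
    if udp_dport != VXLAN_UDP_PORT or dst_ip not in local_vtep_ips:
        return {"action": "no-termination", "reason": "termination criteria not met"}
    if not policy.termination_enabled():
        # Criteria match, but this port may not terminate tunnels: the packet is treated
        # as ordinary traffic for the port and is never decapsulated (model assumption).
        return {"action": "no-termination",
                "reason": f"vxlan-termination disabled on port {policy.port}"}
    try:
        vni, inner = parse_vxlan(udp_payload)
    except ValueError as exc:
        return {"action": "drop", "reason": str(exc)}
    # Decapsulated: the inner frame enters the overlay segment selected by the VNI,
    # carrying whatever source MAC the outer sender chose to put there.
    return {"action": "terminate", "vni": vni, "inner_src_mac": inner[6:12].hex(":")}


def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst_mac + src_mac + ethertype.to_bytes(2, "big") + payload


def demo():
    """Constructed scenario: a host on port 35 injects a VXLAN packet toward the local VTEP."""
    local_vteps = {"10.20.0.1"}                                      # assumed VTEP address
    inner = ethernet_frame(b"\xff" * 6, bytes.fromhex("02aabbccddee"), 0x0800, b"\x00" * 46)
    pkt = build_vxlan(10100, inner)                                   # constructed packet
    # Port 35 carries both overlay and underlay VLANs (the page's sample use case)
    port35 = PortPolicy(port=35, overlay_vlans={100}, underlay_vlans={200})
    before = vtep_receive(port35, local_vteps, "10.20.0.1", VXLAN_UDP_PORT, pkt)
    port35.vxlan_termination = True   # equivalent of: port-config-modify port 35 vxlan-termination
    after = vtep_receive(port35, local_vteps, "10.20.0.1", VXLAN_UDP_PORT, pkt)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("default", "vxlan-termination"), demo()):
        print(label, result)
```

With the default policy the crafted packet is never decapsulated; once vxlan-termination is set on port 35 the same packet lands in VNI 10100 with the attacker-chosen inner source MAC, which is exactly the injection that no-vxlan-termination on host-facing ports is meant to prevent.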