VXLAN Port Termination


When overlay VLANs are configured on a port, Netvisor One does not allow VXLAN termination on that port even if the VXLAN termination criteria are matched. This is enforced mainly for ports facing bare metal servers or single root input/output virtualization (SRIOV) hosts. With underlay VLANs configured on a port, Netvisor One allows VXLAN termination on the port, which may have a HWvtep or SWVtep configured for it.


Prior to Version 2.5.3, when overlay VLANs were configured on a port, VXLAN encapsulated packets received on that port were not subjected to VXLAN tunnel termination. This restriction is now removed, while keeping the security constraint in place, by enhancing port-config-modify with the new parameter vxlan-termination.


One sample use case has both overlay and underlay VLANs on a port. In this case, Netvisor One disables VXLAN termination on the port because the port has an overlay VLAN; therefore, any VXLAN encapsulated traffic received on this port is no longer terminated, even if the destination is a local HWvtep.


To support this sample use case, Netvisor One provides a port-config-modify parameter to enable or disable VXLAN termination on the port.


CLI (network-admin@switch) > port-config-modify port 35 vxlan-termination


Enables tunnel termination of VXLAN encapsulated packets received on the port when the VXLAN tunnel termination criteria are met.


CLI (network-admin@switch) > port-config-modify port 35 no-vxlan-termination


Disables VXLAN termination on the port, so VXLAN encapsulated packets received on the port are not terminated. This enforces port security by preventing a malicious host from generating VXLAN encapsulated packets that would otherwise be subject to VXLAN tunnel termination.


Managed ports added to a VNET with vlan-type private rely on VXLAN functionality and therefore always carry overlay VLANs only. Therefore, when a port is configured as a managed port, VXLAN termination is disabled by default.


Default Settings


  1. VNETs with vlan-type private rely on VXLAN functionality; their VLANs are VXLAN overlay VLANs. Hence, when a port is configured as a managed port with vlan-type private, vxlan-termination is disabled by default.


  2. Shared/underlay ports have vxlan-termination on by default and can use the port-config-modify command to enable or disable vxlan-termination as needed to enforce port-level security.


VXLAN termination is disabled on VXLAN loopback trunk ports.
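The following Python is an added example, not Netvisor One code or the product's implementation. It models the termination rules stated on this page (managed ports with vlan-type private off by default, shared/underlay ports on by default, loopback trunk ports always off, and the explicit vxlan-termination / no-vxlan-termination setting overriding the default) and applies them to VXLAN encapsulated frames parsed from raw bytes, so the effect of the no-vxlan-termination security constraint can be seen on sample traffic. The port names, VNIs, MAC and IP addresses, and the assumption that the loopback trunk rule cannot be overridden are constructed for the example.

```python
"""VXLAN termination policy check over constructed sample frames.

Added example (not Netvisor One code): models the termination defaults
described on this page and applies them to VXLAN-encapsulated frames
parsed from raw bytes. Port names, VNIs and addresses are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid


@dataclass
class PortConfig:
    name: str
    managed: bool = False                     # managed port in a VNET with vlan-type private
    loopback_trunk: bool = False              # VXLAN loopback trunk port
    vxlan_termination: Optional[bool] = None  # explicit vxlan-termination / no-vxlan-termination; None = default


def termination_enabled(cfg: PortConfig) -> bool:
    """Apply the defaults stated on the page, then the explicit port-config-modify setting."""
    if cfg.loopback_trunk:
        # Termination is disabled on loopback trunk ports; modelled here as
        # not overridable (assumption: the page describes no override for them).
        return False
    if cfg.vxlan_termination is not None:
        return cfg.vxlan_termination
    # Managed ports (vlan-type private, overlay VLANs only): off by default.
    # Shared/underlay ports: on by default.
    return not cfg.managed


def parse_vxlan(frame: bytes) -> Optional[Tuple[int, bytes]]:
    """Return (vni, inner_frame) for an Ethernet/IPv4/UDP/VXLAN frame, else None."""
    if len(frame) < 14 + 20 + 8 + 8:
        return None
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:   # IPv4 only in this example
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[14 + 9] != 17:                     # IHL sanity, protocol must be UDP
        return None
    udp_off = 14 + ihl
    if len(frame) < udp_off + 8 + 8:
        return None
    _src_port, dst_port, _udp_len = struct.unpack_from("!HHH", frame, udp_off)
    if dst_port != VXLAN_UDP_PORT:
        return None
    vx_off = udp_off + 8
    if not frame[vx_off] & VXLAN_FLAG_VNI_VALID:
        return None  # RFC 7348 requires the I flag; a clear flag is treated as not VXLAN
    vni = int.from_bytes(frame[vx_off + 4:vx_off + 7], "big")  # 24-bit VNI
    return vni, frame[vx_off + 8:]


def handle_frame(cfg: PortConfig, frame: bytes) -> Tuple[str, Optional[int]]:
    """Decide what the switch does with a frame received on port `cfg`."""
    parsed = parse_vxlan(frame)
    if parsed is None:
        return "forward", None            # ordinary traffic: normal bridging/routing
    vni, _inner = parsed
    if termination_enabled(cfg):
        return "terminate", vni           # decapsulate into the VNI's overlay VLAN
    # VXLAN-encapsulated frame on a port with termination disabled: it is never
    # decapsulated, which is what stops a host injecting its own VXLAN packets.
    return "not-terminated", vni


def build_vxlan_frame(vni: int, inner: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP/VXLAN frame around `inner` (sample data; IP checksum left zero)."""
    vxlan_hdr = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    payload = vxlan_hdr + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + udp
    eth = bytes.fromhex("020000000001" "020000000002" "0800")
    return eth + ip


# Constructed inner frame: Ethernet header plus a few zero payload bytes.
INNER = bytes.fromhex("020000000003" "020000000004" "0800") + b"\x00" * 20
# Constructed plain (non-encapsulated) ARP broadcast frame.
PLAIN_ARP = bytes.fromhex("ffffffffffff" "020000000005" "0806") + b"\x00" * 28

if __name__ == "__main__":
    ports = [
        PortConfig("port 35 (bare metal, managed)", managed=True),
        PortConfig("port 35 (managed, vxlan-termination)", managed=True, vxlan_termination=True),
        PortConfig("port 40 (underlay)"),
        PortConfig("port 40 (underlay, no-vxlan-termination)", vxlan_termination=False),
        PortConfig("port 49 (loopback trunk)", loopback_trunk=True, vxlan_termination=True),
    ]
    frame = build_vxlan_frame(5000, INNER)
    for p in ports:
        print(f"{p.name}: {handle_frame(p, frame)}")
    print(f"plain ARP on underlay port: {handle_frame(ports[2], PLAIN_ARP)}")
```

Running the module prints one decision per constructed port. The managed port reports `not-terminated` until vxlan-termination is set on it, the underlay port terminates unless no-vxlan-termination is applied, and the loopback trunk port never terminates. A frame that a switch would report as `not-terminated` on a host-facing port is the condition the no-vxlan-termination setting exists to enforce, and is worth alerting on from a monitoring standpoint.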