Disabling VXLAN Termination

It is possible, for security purposes, to disable VXLAN termination on certain ports that are not supposed to source VXLAN-encapsulated traffic.

This prevents any malicious host from generating VXLAN encapsulated packets that would normally be subject to (unwanted) VXLAN tunnel termination and subsequent forwarding. For example, the following command disables the termination on port 35:

CLI (network-admin@switch) > port-config-modify port 35 no-vxlan-termination

It can be re-enabled, if necessary, like so:

CLI (network-admin@switch) > port-config-modify port 35 vxlan-termination

The default settings are:

  • vNETs with vlan-type private rely on the VXLAN functionality to implement their private characteristics. Therefore, when a port is configured to be a managed port with vlan-type private, VXLAN termination is disabled by default.

  • Underlay ports have VXLAN termination on by default and can use the port-config-modify command to disable VXLAN termination as deemed to enforce port level security.