Virtual Extensible LAN (VXLAN) Configuration

Virtual Extensible LAN, or VXLAN (RFC 7348), is a tunneling protocol designed to carry L2 information similarly to VLANs, but using UDP as its transport. A VXLAN tunnel is terminated on each end at a VXLAN tunnel endpoint (VTEP), such as this device or a switch which supports VXLANs.

See also

GIF (Generic tunnel InterFace) is another tunneling protocol designed to carry L2 information, but it is not as widely supported as VXLANs.

Warning

VXLANs do not support encryption. Do not allow VXLAN traffic to pass over untrusted networks.

Compatibility

Individual VXLAN instances with unique VXLAN IDs can be bridged with individual VLANs to transport VLANs between two endpoints, provided that the VLAN parent interface itself is not a bridge.

It is not currently possible to bridge an interface containing multiple VLANs onto a single VXLAN instance.

VXLAN Interface Settings

When creating or editing a VXLAN interface, the following options are available:

Parent Interface:

The interface on the firewall upon which the VXLAN tunnel will terminate.

VXLAN Remote Address:

The address of the remote VTEP where this firewall will send VXLAN packets.

VXLAN ID:

The 24-bit VXLAN Network Identifier (VNI) that identifies the virtual network segment membership of the interface.

Note

The VXLAN ID must be unique for VXLAN instances between the same endpoints.

VXLAN Local Port:

The port number the VXLAN interface will listen on. The default port number is 4789.

VXLAN Remote Port:

The destination port number used in the encapsulating IPv4/IPv6 header. The remote host must accept VXLAN traffic on this port. The default port number is 4789.

Note

Some implementations, such as Linux, listen on port 8472 instead.

VXLAN TTL:

The Time To Live (TTL) used in the encapsulating IPv4/IPv6 header. Default value is 64.

VXLAN Learn:

When enabled, the source IP address and inner source Ethernet MAC address of received packets are used to dynamically populate the forwarding table. In multicast mode, a forwarding table entry allows the interface to send a frame directly to the remote host instead of flooding it to the multicast group. This is the default.
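As an added example (not part of the pfSense documentation), the Python below builds and parses the RFC 7348 VXLAN header the settings above describe, enforces the 24-bit VNI and the default port 4789, and models how VXLAN Learn maps an inner source MAC to the remote VTEP's outer source IP. The VTEP address, VNI and inner frame are constructed sample values.

```python
# Added example (not from the pfSense documentation): build and parse the
# RFC 7348 VXLAN encapsulation and model the "VXLAN Learn" forwarding table.
import struct

VXLAN_PORT = 4789          # default local/remote port from the settings above
VXLAN_FLAG_I = 0x08        # "I" bit: a valid VNI is present in the header
MAX_VNI = (1 << 24) - 1    # the VNI is a 24-bit field

def build_vxlan(vni, inner_frame):
    """Return the UDP payload: 8-byte VXLAN header followed by the inner Ethernet frame."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    # flags(1) reserved(3) VNI(3) reserved(1): the VNI is the top 24 bits of the last word
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame

def parse_vxlan(payload):
    """Return (vni, inner_frame); reject truncated packets or headers without the I flag."""
    if len(payload) < 8 + 14:   # VXLAN header plus a minimal Ethernet header
        raise ValueError("truncated VXLAN packet")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VNI flag not set")
    return word >> 8, payload[8:]

def inner_src_mac(inner_frame):
    """Inner Ethernet header layout: dst MAC (6), src MAC (6), EtherType (2)."""
    return inner_frame[6:12].hex(":")

def learn(table, outer_src_ip, udp_dst_port, payload):
    """Mimic VXLAN Learn: map (VNI, inner src MAC) -> remote VTEP IP for later unicast."""
    if udp_dst_port != VXLAN_PORT:   # not addressed to this VTEP's listening port
        return None
    vni, frame = parse_vxlan(payload)
    mac = inner_src_mac(frame)
    table[(vni, mac)] = outer_src_ip
    return vni, mac

# Constructed sample: a broadcast ARP-style frame from MAC 02:00:00:00:00:01 on VNI 100
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28
SAMPLE_PACKET = build_vxlan(100, SAMPLE_FRAME)

if __name__ == "__main__":
    fdb = {}
    print(learn(fdb, "203.0.113.2", VXLAN_PORT, SAMPLE_PACKET), fdb)
```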

Description:

A brief text description of this VXLAN tunnel.

VXLAN Interface Configuration

To configure a VXLAN interface:

  • Navigate to Interfaces > Assignments

  • Click the VXLAN tab

  • Click Add to add a new VXLAN entry

  • Configure the VXLAN entry as described in VXLAN Interface Settings

  • Click Save to complete the interface