VXLAN — Feature interaction table

Feature

VXLAN impact

ARP protect

VXLAN tunnel interfaces are implicitly treated as TRUSTED interfaces: no MAC/IP verification is performed on ARP packets ingressing tunnels.

ARP protection is still enforced on the other untrusted ports of the overlay VLAN if ARP protection is enabled for that VLAN.

A VLAN that has a virtual IP subnet and a VNI configured for it is referred to as an overlay VLAN in this table.

CDP

CDP only runs on physical links; VXLAN tunnels cannot participate in CDP.

DHCP (v4/v6) relay

A gateway device can function as a DHCP relay agent and relay DHCP packets between the following, depending on where the DHCP server is located:
  • An overlay subnet and an underlay subnet.

  • An overlay subnet and another overlay subnet.

DHCP snooping

VXLAN tunnel interfaces are implicitly treated as TRUSTED: no MAC/IP/port verification is performed on DHCP packets ingressing tunnels.

distributed trunks

Distributed trunks are mutually exclusive with VXLAN tunnels due to the impact on hardware filters.

filter

  • Connection Rate (Virus Throttling) – Cannot be enabled on a VXLAN tunnel interface.

  • Multicast – A tunnel interface cannot be part of the drop filter. Packets coming in on a tunnel interface will honor the drop filter if one is configured for the multicast address.

  • Protocol – Same behaviour as Multicast filters.

  • Source Port – A tunnel interface cannot be part of the drop filter, and a tunnel interface cannot have a source port filter configured for it.

IGMP snooping

IGMP snooping and multicast pruning are not supported on VXLAN tunnel interfaces.

If a device is an IGMP querier on an overlay VLAN, the IGMP queries sourced by the device will be sent over the VTEP fabric to the other nodes as well.

IGMP blocked and forward configuration cannot be applied to VXLAN interfaces.

IGNORE untagged-MAC

Not applicable to VXLAN tunnel interfaces.

Link-Keepalive (UDLD)

Not supported on VXLAN tunnel interfaces.

LLDP

LLDP is not supported on tunnel interfaces.

Lockout-MAC

Traffic ingressing a network port with a source MAC that is configured as a lockout-MAC will not be tunneled.

Traffic ingressing a tunnel interface (that is, payload) with a source MAC that is configured as a lockout-MAC on the device will be dropped upon decapsulation.

Loop Protect

Not supported on VXLAN tunnel interfaces.

MAC-Trap / MAC-Count Trap

A MAC-Trap, when configured on an interface, sends out a trap when:
  • MAC addresses are learned or aged-out on an interface.

  • The number of MAC addresses on a port exceeds a certain threshold.

MAC-Count TRAPs are not supported on VXLAN tunnels.

MESH

Mutually exclusive.

<Interface> Monitor

Cannot monitor a VXLAN tunnel interface.

OpenFlow

  • OpenFlow sees VXLAN tunnels as logical interfaces and can program outport rules for tunnels.

  • OpenFlow cannot program in_port match rules on VXLAN tunnel interfaces (similar to SI).

  • OpenFlow lookups will be bypassed for packets ingressing VXLAN tunnels.

Port Security

Not supported on VXLAN tunnel interface.

QinQ

Mutually exclusive.

QoS (Source VLAN, Source Port, UDP, TCP, device, protocol)

Encap

When QoS rules are configured, traffic matching the QoS rules will be prioritized and tunneled into the underlay.

The VLAN priority and DSCP are mapped to the outer header.

Decap

Traffic entering a tunnel (that is, payload) and matching QoS rules will be prioritized upon decapsulation and forwarded out appropriately.

QOS remark policy (PCP/DSCP)

Encap

Traffic matching QoS remark rules will have their DSCP remarked and re-prioritized before being tunneled into the underlay.

Decap

Traffic coming in on a tunnel (that is, payload) and matching QoS remark rules (VLAN based) will be remarked and re-prioritized upon decapsulation and forwarded out appropriately.

QoS rate-limit policy

Encap

If a rate-limit policy (port/VLAN based) is applied to traffic destined to a tunnel interface, it is enforced before the traffic is encapsulated.

Decap

If a rate-limit policy (VLAN based) is applied to (payload) traffic coming in on a tunnel interface, it is enforced upon ingress on the loopback port (after decapsulation).

Interface rate-limit

Not supported on VXLAN interfaces.

SFLOW

SFLOW (sampling/polling) cannot be configured on tunnel interfaces or loopback ports. If a packet destined to a tunnel is sampled, the outport field in the SFLOW header will be the uplink port to which the tunnel resolves.

Smart-Link

Cannot be configured on tunnel interfaces.

However, Smart-Link can be used to achieve VTEP redundancy. To ensure that downlink traffic is not disrupted when a VTEP goes down and the downlink switch's Slave port becomes Active, Smart-Link flush messages are allowed to traverse the L3 fabric and will wipe out the MAC table entries on tunnel interfaces for the protected VLANs. They will also clear the ARP entries pointing to tunnel entries on the VTEPs. The per-port recv-control-vlan restriction is not applicable to flush packets received on tunnel interfaces because they are trusted; any filtering can always be done on external-facing ports.

STP

STP does not run on tunnel interfaces or loopback ports. This implies that STP cannot detect loops between switches that are connected via VXLAN tunnels and are also directly connected to each other.

It is important that only one device acts as the VTEP for a VLAN in a network where multiple devices can function as VTEPs for the same VLAN.

An STP Topology Change message does not need to flush MAC addresses learned on tunnel interfaces, because a TC on one segment does not affect the MAC addresses learned on another segment.

When a device with STP disabled receives BPDUs, it floods them to all ports of the VLAN. This can result in BPDUs being tunneled to the remote side as well. The loopback port at the remote end quenches the packet and does not process it.

Static MAC

Not supported on VXLAN tunnel interfaces.

UFD

Not supported on VXLAN tunnel interfaces.

<Interface> IPv4/v6 ACLs

Not supported on VXLAN tunnels and loopback ports (stolen and internal).

<Interface> IP Source-Lockdown

Not configurable on VXLAN tunnel and loopback interfaces (stolen and internal).

<Interface> admin-status

Not configurable on VXLAN tunnel interface.

IP Source Binding

IP source binding entries cannot be configured on VXLAN tunnel interfaces and loopback ports (stolen/internal).

<VLAN> RIP, OSPF, BGP

Cannot be enabled on overlay VLANs.

<VLAN> VRRP

Cannot be enabled on overlay VLANs.

<VLAN> IRDP

Cannot be enabled on overlay VLANs.

<VLAN> PIM

Cannot be enabled on overlay VLANs.

<VLAN> IGMP (Router)

Cannot be enabled on overlay VLANs.

<VLAN> IGMP Proxy

Cannot be enabled on overlay VLANs.

<VLAN> UDP Broadcast Forwarder

Supported on overlay VLANs.

<Interface> QoS

Not supported on tunnel and loopback interfaces (stolen/internal).

IPv4 unicast Routing

Supported. Can route traffic into a tunnel and route traffic coming out of a tunnel.

IPv4 multicast Routing

Mutually exclusive.

IPv6 unicast Routing

Not supported.

IPv6 multicast Routing

Mutually exclusive.

<VLAN> MLD

Not supported as overlays are IPv4 only.

<VLAN> ND

Not supported as overlays are IPv4 only.

<VLAN> RA

Not supported as overlays are IPv4 only.

<VLAN> IPv6

Not supported as overlays are IPv4 only.

<VLAN> OSPF3

Cannot be enabled on overlay VLANs.
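The ARP protect and DHCP snooping rows above state that packets arriving over a VXLAN tunnel receive no MAC/IP verification on the VTEP, so that check has to happen elsewhere. As an added example (not part of this documentation or of the switch software), the following Python decapsulates a VXLAN frame captured from the underlay and applies the sender MAC/IP check against a binding table; the VNI, addresses, binding table and sample frames are all constructed, and the binding table is assumed to come from the untrusted edge ports where snooping is still enforced.

```python
import struct
import ipaddress

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN UDP port

def build_vxlan_arp(vni, sender_mac, sender_ip, oper=2):
    """Constructed sample: ARP reply inside Ethernet/IPv4/UDP/VXLAN (outer addresses are dummies)."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sender_mac + sender_ip
    arp += b"\xff" * 6 + bytes([10, 0, 0, 1])               # target hw/proto address
    inner = b"\xff" * 6 + sender_mac + b"\x08\x06" + arp     # inner Ethernet, ethertype ARP
    vxlan = struct.pack("!B3xI", 0x08, vni << 8)             # I flag set, 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp) + len(vxlan) + len(inner),
                     0, 0, 64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp + vxlan + inner

def parse_vxlan_arp(frame):
    """Decapsulate one VXLAN frame; return (vni, sender_mac, sender_ip) if the payload is ARP, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:   # outer IPv4 + UDP
        return None
    udp = 14 + (frame[14] & 0x0F) * 4
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != VXLAN_UDP_PORT:
        return None
    vx = udp + 8
    flags, vni_field = struct.unpack("!B3xI", frame[vx:vx + 8])
    if not flags & 0x08:                                     # VNI-valid flag must be set
        return None
    inner = frame[vx + 8:]
    if len(inner) < 42 or inner[12:14] != b"\x08\x06":       # inner Ethernet must carry ARP
        return None
    sender_mac, sender_ip = inner[22:28], inner[28:32]       # ARP sha / spa fields
    return vni_field >> 8, sender_mac.hex(":"), str(ipaddress.IPv4Address(sender_ip))

def check_tunnel_arp(frame, bindings):
    """The check the tunnel ingress skips: sender MAC/IP must match a known (vni, ip) -> mac binding."""
    parsed = parse_vxlan_arp(frame)
    if parsed is None:
        return "not-vxlan-arp"
    vni, mac, ip = parsed
    bound = bindings.get((vni, ip))
    if bound is None:
        return "unknown-binding"
    return "ok" if bound == mac else "mac-mismatch"

# Constructed binding table (as exported from snooping on the edge ports) and two sample frames.
BINDINGS = {(5000, "10.0.0.20"): "02:00:00:00:00:20"}
GOOD = build_vxlan_arp(5000, bytes.fromhex("020000000020"), bytes([10, 0, 0, 20]))
MISMATCH = build_vxlan_arp(5000, bytes.fromhex("020000000099"), bytes([10, 0, 0, 20]))

RESULTS = {name: check_tunnel_arp(f, BINDINGS) for name, f in (("good", GOOD), ("mismatch", MISMATCH))}
```

A real deployment would feed frames from a SPAN of the VTEP uplinks into `check_tunnel_arp` and alert on anything other than "ok".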