NAME
vxlan
—
virtual extensible local area network
tunnel interface
SYNOPSIS
pseudo-device vxlan
DESCRIPTION
The vxlan
interface is a tunnelling
pseudo-device for overlaying virtualized layer 2 networks over layer 3
networks.
A vxlan
interface can be created using the
ifconfig vxlan
N
create
command. Once configured, the interface
encapsulates and decapsulates Ethernet frames in UDP datagrams that are
exchanged with tunnel endpoints. The default UDP port for VXLAN traffic is
4789.
Each vxlan
interface uses a 24-bit
vnetid
(virtual networks identifier) that
distinguishes multiple virtualized layer 2 networks and their tunnels
between identical tunnel endpoints.
The interface can operate in three different tunnel modes:
unicast mode
- When a unicast IP address is configured as the tunnel destination, all traffic is sent to a single tunnel endpoint.
multicast mode
- When a multicast IP address is configured as the tunnel destination, all traffic is sent to all the tunnel endpoints that subscribed for the specified multicast group.
dynamic mode
- When
vxlan
is configured for multicast mode and added to a bridge(4), all broadcast and multicast traffic is sent to the multicast group, but directed traffic is sent to unicast IP addresses of individual tunnel endpoints, as they are learned by the bridge.
The configuration can be done at runtime or by setting up a hostname.if(5) configuration file for netstart(8).
EXAMPLES
Create a tunnel to a unicast tunnel endpoint, using the virtual tunnel identifier 5:
# ifconfig vxlan0 tunnel 192.168.1.100 192.168.1.200 vnetid 5 # ifconfig vxlan0 10.1.1.100/24
The following examples creates a dynamic tunnel that is attached to a bridge(4):
# ifconfig vxlan0 tunnel 192.168.1.100 239.1.1.100 vnetid 7395 # ifconfig vxlan0 10.1.2.100/24 # ifconfig bridge0 add vxlan0 up
Prior to the assignment of UDP port 4789 by IANA, some early VXLAN implementations used port 8472. A non-standard port can be specified with the tunnel destination address:
# ifconfig vxlan0 tunnel 192.168.1.100 239.1.1.100:8472
SECURITY
vxlan
does not provide any integrated
security features. It is designed to be a simple protocol that can be used
in trusted data center environments, to carry VM traffic between virtual
machine hypervisors, and provide virtualized layer 2 networks in Cloud
infrastructures.
To protect vxlan
tunnels, the traffic can
be protected with IPsec to add authentication and encryption for
confidentiality.
The Packet Filter (PF) can be used to filter tunnel traffic with endpoint policies in pf.conf(5):
table <vxlantep> { 192.168.1.200 192.168.1.201 } block in on vmx0 pass out on vmx0 pass in on vmx0 proto udp from <vxlantep> to port 4789
The Time-to-Live (TTL) value of the tunnel can be set to 1 or a low value to restrict the traffic to the local network:
# ifconfig vxlan0 tunnelttl 1
SEE ALSO
bridge(4), inet(4), hostname.if(5), ifconfig(8), netstart(8)
STANDARDS
M. Mahalingam, D. Dutt, K. Duda, P. Agarwal, L. Kreeger, T. Sridhar, M. Bursell, and C. Wright, VXLAN: A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks, draft-mahalingam-dutt-dcops-vxlan-04, May 2013.
HISTORY
The vxlan
device first appeared in
OpenBSD 5.5.
AUTHORS
The vxlan
driver was written by
Reyk Floeter
<reyk@openbsd.org>.
CAVEATS
The vxlan
interface requires at least 50
bytes for the IP, UDP and VXLAN protocol overhead and optionally 4 bytes for
the encapsulated VLAN tag. The default MTU is set to 1500 bytes but can be
adjusted if the transport interfaces carrying the tunnel traffic do not
support larger MTUs, the tunnel traffic is leaving the local network, or if
interoperability with another implementation requires running a decreased
MTU of 1450 bytes. In any other case, it is commonly recommended to set the
MTU of the transport interfaces to at least 1600 bytes.
The implementation does not support IPv6 tunnel endpoints at present.