VXLAN has been around for a while, so how do router vendors support it? Well, let’s use a dead simple topology to test them out.<\/p>\n
Our setup today:<\/p>\n
<\/p>\n
Tested version: Debian 10, Linux kernel 4.19.0<\/p>\n
Linux runs just fine with the most simple setup across all operating systems we tested. VXLAN VTEP is implemented as a layer 2 tunnel device which means you can either put it into a bridge or just assign IPs to it.<\/p>\n
ip link set ens3 up\r\nip addr add 169.254.0.1\/24 dev ens3\r\nip -6 link add vxlan1 type vxlan id 5000 dstport 4789 local 169.254.0.1 group 239.0.0.1 dev ens3 ttl 1\r\nip link set vxlan1 up\r\nip addr add 10.0.0.1\/24 dev vxlan1<\/pre>\nNotes:<\/p>\n
References:<\/p>\n
Tested version: 1.2.5, Linux kernel 4.19.106<\/p>\n
VyOS is basically Linux with a better config interface, so there isn’t much difference.<\/p>\n
set interfaces ethernet eth0 address 169.254.0.5\/24\r\nset interfaces vxlan vxlan1 address 10.0.0.5\/24\r\nset interfaces vxlan vxlan1 group 239.0.0.1\r\nset interfaces vxlan vxlan1 link eth0\r\nset interfaces vxlan vxlan1 remote-port 4789\r\nset interfaces vxlan vxlan1 vni 5000\r\n<\/pre>\nNotes:<\/p>\n
References:<\/p>\n
Tested version: 16.12.3<\/p>\n
IOS XE’s command line user experience and internal design is a mess, and the documentation is bad in many aspects. IOS XE does not support running layer 3 over a VXLAN VTEP (yes, it self identifies as a router) so here’s a config for bridging the VTEP with an ethernet port.<\/p>\n
ip multicast-routing distributed\r\ninterface GigabitEthernet1\r\n no shutdown\r\n ip address 169.254.0.2 255.255.255.0\r\ninterface GigabitEthernet2\r\n no shutdown\r\n service instance 1 ethernet\r\ninterface nve1\r\n no shutdown\r\n source-interface GigabitEthernet1\r\n vxlan udp port 4789\r\n member vni 5000 mcast-group 239.0.0.1\r\nbridge-domain 1\r\n member vni 5000\r\n member GigabitEthernet2 service-instance 1<\/pre>\nTo bridge the VTEP with a tagged VLAN on an ethernet port, you can’t just create a VLAN subinterface and bridge it. Instead, you need a service instance like this:<\/p>\n
interface GigabitEthernet2\r\n service-instance interface 100 ethernet\r\n bridge-domain 100\r\n encapsulation dot1q 100\r\n rewrite ingress tag pop 1 symmetric<\/pre>\nNotes:<\/p>\n
Also I noticed that there will be a Tunnel interface automatically configured for every NVE interface, the tunnel interface will copy the IP address from NVE’s source interface.<\/p>\n
References:<\/p>\n
Tested version: 9.10.1<\/p>\n
In my past experience, ASAs are little devices with some odd personalities that I had a hard time getting used to. However configuring VXLAN on the ASA turned out to be very simple.<\/p>\n
vxlan port 4789\r\ninterface GigabitEthernet0\/0\r\n no shutdown\r\n nameif outside\r\n security-level 0\r\n ip address 169.254.0.3 255.255.255.0\r\ninterface vni5000\r\n no shutdown\r\n segment-id 5000\r\n nameif inside\r\n security-level 100\r\n ip address 10.0.0.3 255.255.255.0\r\n vtep-nve 1\r\nnve 1\r\n encapsulation vxlan\r\n source-interface outside\r\n default-mcast-group 239.0.0.1<\/pre>\nNotes:<\/p>\n
References:<\/p>\n
Juniper like to overdesign everything. Their design is sometimes very useful, but make network designing complicated.<\/p>\n
Configuration for vQFX:<\/p>\n
set interfaces xe-0\/0\/0 unit 0 family inet address 169.254.0.7\/24\r\nset interfaces irb unit 5000 family inet address 10.0.0.7\/24\r\nset interfaces lo0 unit 0 family inet address 169.254.0.7\/24\r\nset switch-options vtep-source-interface lo0.0\r\nset vlans VXLAN1 vlan-id 100\r\nset vlans VXLAN1 l3-interface irb.5000\r\nset vlans VXLAN1 vxlan vni 5000\r\nset vlans VXLAN1 vxlan multicast-group 239.0.0.1\r\n<\/pre>\nNotes:<\/p>\n
References:<\/p>\n
Tested version: 7.1 beta 1<\/p>\n
RouterOS is the latest one to support VXLAN and the support is limited to their cutting-edge development version. But let’s try it out, shall we?<\/p>\n
The config is as simple as Linux. (Well, I guess they are using the stock Linux implementation of VXLAN tunnel.) I’m using the new slash\/seperated\/config\/grammar here.<\/p>\n
\/ip\/address\/add address=169.254.0.6\/24 interface=ether1\r\n\/interface\/vxlan\/add name=vxlan1 interface=ether1 group=239.0.0.1 mtu=1450 port=4789 vni=5000\r\n\/ip\/address\/add interface=vxlan1 address=10.0.0.6\/24<\/pre>\nNotes:<\/p>\n
Although BGP EVPN is the future, unicast\/multicast EVPN is still handy for small-scale, autonomous deployments without a dedicated controller or something. Enterprise solutions tend to overlook the simple needs and require a lot just to make everything work. Also enterprise solutions tend to have very bad software quality. On the contrary, Linux implements VXLAN in a simple and elegant way, but its inability to atomically save and restore network config added some management overhead to the operation guys.<\/p>\n","protected":false},"excerpt":{"rendered":"
VXLAN has been around for a while, so how do router vendors support it? Well, let’s use a dead simple topology to test them out. Our setup today: All routers connected to the same dumb switch using IP range 169.254.0.0\/24 Multicast signaling on address 239.0.0.1, No PIM VXLAN UDP port 4789 Network 10.0.0.0\/24 on VNI […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5],"tags":[],"class_list":["post-99","post","type-post","status-publish","format-standard","hentry","category-networking"],"acf":[],"_links":{"self":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts\/99"}],"collection":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/comments?post=99"}],"version-history":[{"count":13,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts\/99\/revisions"}],"predecessor-version":[{"id":172,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/posts\/99\/revisions\/172"}],"wp:attachment":[{"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/media?parent=99"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/categories?post=99"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.swineson.me\/en\/wp-json\/wp\/v2\/tags?post=99"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}