NAME
vxlan - Virtual eXtensible Local Area Network tunnel interface
SYNOPSIS
pseudo-device vxlan
DESCRIPTION
The vxlan pseudo-device provides interfaces for tunnelling or overlaying Ethernet networks on top of IPv4 and IPv6 networks using the Virtual eXtensible Local Area Network (VXLAN) protocol.
VXLAN datagrams consist of an Ethernet payload encapsulated by an 8-byte VXLAN header, which in turn is encapsulated by UDP and IP headers. Different VXLAN tunnels or overlays between the same VXLAN Tunnel Endpoints (VTEPs) can be distinguished by an optional 24-bit Virtual Network Identifier (VNI).
A vxlan interface can be created using the ifconfig vxlanN create command or by setting up a hostname.if(5) configuration file for netstart(8).
For correct operation, encapsulated traffic must not be routed over the interface itself. This can be implemented by adding a distinct or more specific route to the tunnel destination than the hosts or networks routed via the tunnel interface. Alternatively, the tunnel traffic may be configured in a separate routing table from the encapsulated traffic.
The interface can operate in the following tunnel modes:
point-to-point mode
- When a unicast IP address is configured as the tunnel destination, all traffic is sent to a single tunnel endpoint.
learning mode
- When a multicast IP address is configured as the tunnel destination, vxlan operates as a learning bridge. Broadcast, multicast, and unknown unicast packets are sent to the specified multicast group. Packets received at the tunnel source address are used to dynamically learn the endpoint addresses for the encapsulated Ethernet source addresses.
endpoint mode
- When configured without a tunnel destination address, vxlan operates as a bridge, but with learning disabled. Endpoints for Ethernet addresses must be added explicitly before packets will be encapsulated for those addresses. All valid VXLAN packets sent to the local address will be accepted.
vxlan supports the following ioctl(2) calls for configuration:
SIOCSLIFPHYADDR struct if_laddrreq *
- Set the IPv4 or IPv6 addresses used for the exchange of encapsulated traffic. The interface will operate in point-to-point mode if the destination address is unicast, learning mode if the destination address is multicast, or endpoint mode if the destination address is unspecified. A non-standard UDP port for VXLAN packets can be specified by the port in the source address; otherwise use 0 to request the default. The addresses may only be configured while the interface is down.
SIOCGLIFPHYADDR struct if_laddrreq *
- Get the addresses configured for the exchange of encapsulated packets.
SIOCDIFPHYADDR struct ifreq *
- Clear the addresses used for the exchange of encapsulated packets. The addresses may only be cleared while the interface is down.
SIOCSVNETID struct ifreq *
- Configure a virtual network identifier for use in the VXLAN header. The virtual network identifier may only be configured while the interface is down.
SIOCGVNETID struct ifreq *
- Get the virtual network identifier used in the VXLAN header.
SIOCDVNETID struct ifreq *
- Remove the virtual network identifier. The virtual network identifier may only be disabled while the interface is down.
SIOCSLIFPHYRTABLE struct ifreq *
- Set the routing table the encapsulated traffic operates in. The routing table may only be configured while the interface is down.
SIOCGLIFPHYRTABLE struct ifreq *
- Get the routing table the encapsulated traffic operates in.
SIOCSLIFPHYTTL struct ifreq *
- Set the Time-To-Live field in IPv4 encapsulation headers, or the Hop Limit field in IPv6 encapsulation headers.
SIOCGLIFPHYTTL struct ifreq *
- Get the value used in the Time-To-Live field in an IPv4 encapsulation header or the Hop Limit field in an IPv6 encapsulation header.
SIOCSLIFPHYDF struct ifreq *
- Configure whether the encapsulated traffic sent by the interface can be fragmented or not. This sets the Don't Fragment (DF) bit on IPv4 packets, and disables fragmentation of IPv6 packets.
SIOCGLIFPHYDF struct ifreq *
- Get whether the encapsulated traffic sent by the interface can be fragmented or not.
SIOCSRXHPRIO struct ifreq *
- Set the priority value for received packets. Values may be from 0 to 7, IF_HDRPRIO_PACKET to specify that the current priority of a packet should be kept, or IF_HDRPRIO_OUTER to use the value in the Type of Service field in IPv4 or the Traffic Class field in IPv6 encapsulation headers.
SIOCGRXHPRIO struct ifreq *
- Get the priority value for received packets.
SIOCSTXHPRIO struct ifreq *
- Set the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers. Values may be from 0 to 7, or IF_HDRPRIO_PACKET to specify that the current priority of a packet should be used.
SIOCGTXHPRIO struct ifreq *
- Get the priority value used in the Type of Service field in IPv4 headers, or the Traffic Class field in IPv6 headers.
SIOCSIFPARENT struct if_parent *
- Configure which interface will be joined to the multicast group specified by the tunnel destination address. The parent interface may only be configured for interfaces in learning mode, and while the interface is down.
SIOCGIFPARENT struct if_parent *
- Get the name of the interface used for multicast communication.
SIOCDIFPARENT struct ifreq *
- Remove the configuration of the interface used for multicast communication.
EXAMPLES
Create a point-to-point tunnel using Virtual Network Identifier 5:
# ifconfig vxlan0 tunnel 192.168.1.100 192.168.1.200 vnetid 5
# ifconfig vxlan0 10.1.1.100/24
The following example creates a learning overlay network:
# ifconfig vxlan0 tunnel 192.168.1.100 239.1.1.100
# ifconfig vxlan0 parent ix0
# ifconfig vxlan0 vnetid 7395
# ifconfig vxlan0 10.1.2.100/24
Prior to the assignment of UDP port 4789 by IANA, some early VXLAN implementations used port 8472. A non-standard port can be specified with the tunnel source address:
# ifconfig vxlan0 tunnel 192.168.1.100:8472 239.1.1.100
SECURITY
vxlan does not provide any integrated security features. It is designed to be a simple protocol that can be used in trusted data center environments, to carry VM traffic between virtual machine hypervisors, and to provide virtualized layer 2 networks in Cloud infrastructures.
To protect vxlan tunnels, the tunnel traffic can be carried over IPsec, which adds authentication and encryption for confidentiality.
The Packet Filter (PF) can be used to filter tunnel traffic with endpoint policies in pf.conf(5):
table <vxlantep> { 192.168.1.200, 192.168.1.201 }
block in on em0
pass out on em0
pass in on em0 proto udp from <vxlantep> to port vxlan
The Time-to-Live (TTL) value of the tunnel can be set to 1 or a low value to restrict the traffic to the local network:
# ifconfig vxlan0 tunnelttl 1
SEE ALSO
STANDARDS
M. Mahalingam, D. Dutt, K. Duda, P. Agarwal, L. Kreeger, T. Sridhar, M. Bursell, and C. Wright, Virtual eXtensible Local Area Network (VXLAN): A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks, RFC 7348, August 2014.
HISTORY
The vxlan device first appeared in OpenBSD 5.5.
CAVEATS
The vxlan interface requires at least 50 bytes for the IP, UDP and VXLAN protocol overhead and optionally 4 bytes for the encapsulated VLAN tag. The default MTU is set to 1500 bytes but can be adjusted if the transport interfaces carrying the tunnel traffic do not support larger MTUs, the tunnel traffic is leaving the local network, or if interoperability with another implementation requires running a decreased MTU of 1450 bytes. In any other case, it is commonly recommended to set the MTU of the transport interfaces to at least 1600 bytes.
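As an added example (not part of this manual page or the OpenBSD kernel), the following C code encodes and validates the 8-byte VXLAN header with its 24-bit VNI described in DESCRIPTION, and computes the per-packet encapsulation overhead behind the MTU figures in CAVEATS. All function and constant names are this example's own.

```c
/* Added example, not from vxlan(4) or the OpenBSD kernel: encode and decode the
 * 8-byte VXLAN header (RFC 7348) and compute the encapsulation overhead quoted
 * in CAVEATS. Every name below is this example's own, not a kernel identifier. */
#include <stdint.h>
#include <string.h>
#define VXLAN_HDR_LEN  8
#define VXLAN_I_FLAG   0x08       /* "I" bit: a valid VNI is present */
#define VXLAN_VNI_MAX  0xffffffu  /* 24-bit Virtual Network Identifier */

/* Build a header carrying vni; reserved bits are zero on transmit.
 * Returns bytes written, or 0 if vni does not fit in 24 bits. */
size_t vxlan_encode(uint8_t buf[VXLAN_HDR_LEN], uint32_t vni)
{
    if (vni > VXLAN_VNI_MAX)
        return 0;
    memset(buf, 0, VXLAN_HDR_LEN);
    buf[0] = VXLAN_I_FLAG;
    buf[4] = vni >> 16;           /* VNI is big-endian in bytes 4..6 */
    buf[5] = vni >> 8;
    buf[6] = vni;
    return VXLAN_HDR_LEN;
}

/* Parse a received header into *vni. Returns -1 when the datagram is too short
 * or the I flag is clear (a receiver drops such packets); reserved fields are ignored. */
int vxlan_decode(const uint8_t *pkt, size_t len, uint32_t *vni)
{
    if (len < VXLAN_HDR_LEN || !(pkt[0] & VXLAN_I_FLAG))
        return -1;
    *vni = ((uint32_t)pkt[4] << 16) | ((uint32_t)pkt[5] << 8) | pkt[6];
    return 0;
}

/* Encode then decode; returns the VNI read back, or -1 on any failure. */
long vxlan_roundtrip(uint32_t vni)
{
    uint8_t hdr[VXLAN_HDR_LEN];
    uint32_t out;
    if (vxlan_encode(hdr, vni) == 0 || vxlan_decode(hdr, sizeof hdr, &out) != 0)
        return -1;
    return out;
}

/* Bytes prepended to the inner frame: outer Ethernet 14 + IPv4 20 / IPv6 40 +
 * UDP 8 + VXLAN 8, plus 4 if the inner frame is VLAN-tagged. IPv4 with no tag
 * gives the 50 bytes CAVEATS cites: a 1500-byte tunnel MTU needs >= 1550. */
size_t vxlan_overhead(int ipv6, int inner_vlan)
{
    return 14 + (ipv6 ? 40 : 20) + 8 + VXLAN_HDR_LEN + (inner_vlan ? 4 : 0);
}
```

The VNI 7395 from the learning-overlay example above round-trips as bytes 00 1c e3 in header positions 4 to 6, and a header with the I flag clear is rejected the way a conforming VTEP would drop it.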