Manual: (OpenBSD-5.7)
VXLAN(4)                 BSD Kernel Interfaces Manual                 VXLAN(4)

     vxlan -- virtual extensible local area network tunnel interface

     pseudo-device vxlan

     The vxlan interface is a tunnelling pseudo-device for overlaying virtual-
     ized layer 2 networks over layer 3 networks.

     A vxlan interface can be created using the ifconfig vxlanN create com-
     mand.  Once configured, the interface encapsulates and decapsulates Eth-
     ernet frames in UDP datagrams that are exchanged with tunnel endpoints.
     The default UDP port for VXLAN traffic is 4789.

     Each vxlan interface uses a 24-bit vnetid (virtual network identifier)
     that distinguishes multiple virtualized layer 2 networks and their tun-
     nels between identical tunnel endpoints.

     The interface can operate in three different tunnel modes:

     unicast mode
                When a unicast IP address is configured as the tunnel destina-
                tion, all traffic is sent to a single tunnel endpoint.

     multicast mode
                When a multicast IP address is configured as the tunnel desti-
                nation, all traffic is sent to all the tunnel endpoints that
                subscribed for the specified multicast group.

     dynamic mode
                When vxlan is configured for multicast mode and added to a
                bridge(4), all broadcast and multicast traffic is sent to the
                multicast group, but directed traffic is sent to unicast IP
                addresses of individual tunnel endpoints, as they are learned
                by the bridge.

     The configuration can be done at runtime or by setting up a
     hostname.if(5) configuration file for netstart(8).

     Create a tunnel to a unicast tunnel endpoint, using the virtual tunnel
     identifier 5:

           # ifconfig vxlan0 tunnel vnetid 5
           # ifconfig vxlan0

     The following example creates a dynamic tunnel that is attached to a

           # ifconfig vxlan0 tunnel vnetid 7395
           # ifconfig vxlan0
           # ifconfig bridge0 add vxlan0 up

     Prior to the assignment of UDP port 4789 by IANA, some early VXLAN imple-
     mentations used port 8472.  A non-standard port can be specified with the
     tunnel destination address:

           # ifconfig vxlan0 tunnel

     vxlan does not provide any integrated security features.  It is designed
     to be a simple protocol that can be used in trusted data center environ-
     ments, to carry VM traffic between virtual machine hypervisors, and pro-
     vide virtualized layer 2 networks in Cloud infrastructures.

     To protect vxlan tunnels, the traffic can be secured with IPsec, which
     adds authentication and encryption for confidentiality.

     The Packet Filter (PF) can be used to filter tunnel traffic with endpoint
     policies in pf.conf(5):

           table <vxlantep> { }
           block in on vmx0
           pass out on vmx0
           pass in on vmx0 proto udp from <vxlantep> to port 4789

     The Time-to-Live (TTL) value of the tunnel can be set to 1 or a low value
     to restrict the traffic to the local network:

           # ifconfig vxlan0 tunnelttl 1
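
     The 24-bit vnetid and the lack of integrated security described above,
     as an added example that is not part of the original manual page or of
     the OpenBSD driver: a check of the 8-byte VXLAN header (layout per RFC
     7348) showing that the flag and the vnetid are all a receiver can
     validate. The function and sample names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define VXLAN_HDRLEN 8     /* flags(1) reserved(3) VNI(3) reserved(1) */
#define VXLAN_FLAG_I 0x08  /* "VNI present" flag, must be set */
#define ETHER_HDRLEN 14    /* smallest possible inner Ethernet header */

enum vxlan_verdict { VXLAN_OK = 0, VXLAN_SHORT, VXLAN_NO_VNI, VXLAN_WRONG_VNI };

/*
 * Validate a UDP payload received on the VXLAN port and extract its VNI.
 * The header carries no authentication or integrity field, so these are
 * the only checks it permits; sender filtering (PF) and IPsec do the rest.
 */
enum vxlan_verdict
vxlan_check(const uint8_t *p, size_t len, uint32_t want_vni, uint32_t *vni)
{
	if (p == NULL || vni == NULL || len < VXLAN_HDRLEN + ETHER_HDRLEN)
		return VXLAN_SHORT;       /* no room for an inner frame */
	if ((p[0] & VXLAN_FLAG_I) == 0)
		return VXLAN_NO_VNI;      /* VNI field not marked valid */
	*vni = ((uint32_t)p[4] << 16) | ((uint32_t)p[5] << 8) | (uint32_t)p[6];
	if (*vni != want_vni)
		return VXLAN_WRONG_VNI;   /* belongs to another virtual network */
	return VXLAN_OK;
}

/* Constructed samples: VXLAN header followed by a zeroed inner header. */
static const uint8_t sample_ok[VXLAN_HDRLEN + ETHER_HDRLEN] =
    { 0x08, 0, 0, 0, 0x00, 0x1c, 0xe3, 0x00 };   /* vnetid 7395 */
static const uint8_t sample_noflag[VXLAN_HDRLEN + ETHER_HDRLEN] =
    { 0x00, 0, 0, 0, 0x00, 0x1c, 0xe3, 0x00 };   /* I flag clear */

int
main(void)
{
	uint32_t vni = 0;

	printf("ok sample:     verdict %d\n",
	    vxlan_check(sample_ok, sizeof(sample_ok), 7395, &vni));
	printf("extracted vni: %u\n", (unsigned)vni);
	printf("no-flag:       verdict %d\n",
	    vxlan_check(sample_noflag, sizeof(sample_noflag), 7395, &vni));
	return 0;
}
```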

     bridge(4), inet(4), hostname.if(5), ifconfig(8), netstart(8)

     M. Mahalingam, D. Dutt, K. Duda, P. Agarwal, L. Kreeger, T. Sridhar, M.
     Bursell, and C. Wright, VXLAN: A Framework for Overlaying Virtualized
     Layer 2 Networks over Layer 3 Networks, draft-mahalingam-dutt-dcops-
     vxlan-04, May 2013.

     The vxlan device first appeared in OpenBSD 5.5.

     The vxlan driver was written by Reyk Floeter <reyk@openbsd.org>.

     The vxlan interface requires at least 50 bytes for the IP, UDP and VXLAN
     protocol overhead and optionally 4 bytes for the encapsulated VLAN tag.
     The default MTU is set to 1500 bytes but can be adjusted if the transport
     interfaces carrying the tunnel traffic do not support larger MTUs, the
     tunnel traffic is leaving the local network, or if interoperability with
     another implementation requires running a decreased MTU of 1450 bytes.
     In any other case, it is commonly recommended to set the MTU of the
     transport interfaces to at least 1600 bytes.

     The implementation does not support IPv6 tunnel endpoints at present.

BSD                            October 13, 2013                            BSD