Link Search Menu Expand Document


Use the VXLAN tab to specify Virtual Extensible Local Area Network (VXLAN) and Virtual Network Identifier (VNI) settings for routing segments already configured on Aruba CX switches or EdgeConnect appliances. VXLAN allows you to create multiple Layer 2 segments over a Layer 3 network. Each segment is identified by a 24-bit VNI that can support up to 16 million virtual networks.

VXLAN encapsulates Layer 2 Ethernet frames in Layer 3 UDP packets, enabling you to create virtualized Layer 2 subnets, or segments, that span physical Layer 3 networks. The entity that performs the encapsulation and decapsulation of packets is called a Virtual Tunnel Endpoint (VTEP). An EdgeConnect is a VTEP for WAN-to-LAN traffic. An Aruba CX switch is a VTEP for LAN-to-LAN traffic.

A VNI specifies a routing segment, a firewall zone, and a fallback role for a VXLAN instance. A VNI identifies different virtual networks in the data plane. A VNI is a 24-bit value in the VXLAN header and can support up to 16 million individual network segments. A VNI is like a VLAN ID but has a larger address space. A VNI maps the virtual network to a specific VXLAN segment. The VNI identifies the destination of the traffic in the VXLAN network. VNI is the basis for isolating different virtual networks from each other.

Once a VNI is configured for a segment or in a template, Aruba CX switches or EdgeConnect appliances automatically create a network virtual interface (NVE) as a VXLAN tunnel endpoint (VTEP). A VTEP encapsulates and decapsulates VXLAN packets. The only accepted peer is the NVE that is configured in BGP. Packets received with a VNI not mapped to a segment will be dropped.

EdgeConnect automatically binds the NVE to the VXLAN segment and specifies the source interface for the VXLAN tunnel - only loopback interfaces from the default segment are valid. If BGP EVPN Peer is enabled, the loopback interface you choose is automatically configured in the local interface field of the BGP EVPN Peer configuration. For more information on BGP EVPN Peer configuration, see the BGP tab.

The VXLAN packet tells BGP the target VTEP. BGP discovers the remote VXLAN tunnel endpoint address, advertises routes that are reachable over this tunnel as the forwarding next hop, and dynamically brings down this tunnel when reachability over the tunnel is no longer needed.


Before you can assign a VNI to a VXLAN segment, you must configure the following settings:

  • Segmentation must be enabled to support VXLAN. See the Routing Segmentation (VRF) tab.

  • The IP routing on the BGP Layer 3 network that connects the EdgeConnect VTEPs must already be configured. This is necessary to enable VXLAN traffic to traverse the network. Therefore, only in-line router mode is supported.

  • Currently, the EdgeConnect EVPN address family is only supported for BGP EVPN peers in the Default segment (VRF ID = 0).

  • One or more loopback interfaces must already be available.

  • VXLAN is only supported on LAN interfaces. Route-Targets must be defined, and BGP enabled for all segments, even if no BGP peers are configured in non-default segments.

Common Settings for all VNIs

Use this section of the VXLAN Tab to configure these common settings for all VNIs:

  • Destination UDP Port: You can configure a custom destination UDP port for VXLAN. If not selected, the appliance uses the default port of 4789.

  • VTEP Source Interface: Select a loopback interface from the list.
    NOTE: Only loopback interfaces are valid. The loopback interface you choose will automatically be configured in the local interface field of the BGP Peer configuration if EVPN Peer is enabled.

VNI Mappings

For this dialog box, use the steps belwo to map a VNI to a routing segment, a firewall zone, and a fallback role.


  1. Click Add to create a new VNI for a segment.

  2. Enter a value for the VNI segment. Valid values are 1-16777215.

  3. Select the Segment, Firewall Zone, and Fallback Role (Don’t Apply, Guest IOT, Untrusted).

  4. Click OK.


  1. Select an existing VNI from the list.

  2. Click the Edit icon to modify an existing VNI.

Note: In the Flows tab, enable the VNI Tx and VNI Rx columns to display the number of the VNI that received or sent the VXLAN traffic. Both values should match for every flow. If not, there might be a misconfiguration downstream from the EdgeConnect.

Role to GPID Mapping

Use the Roles dialog box to map a policy enforcement role to a VXLAN Group Policy Identifier (GPID). Mapping policy enforcement roles to a VXLAN GPID is optional. Policy enforcement role mapping to a GPID propagates globally across the SD-WAN Fabric. Enabling the identity-based policy enforcement capability of the HPE Aruba Networking SD-WAN solution in VXLAN segments provides a highly automated extensible way of enabling a zero-trust security architecture.

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP.

To view the end-user software agreement, go to HPE Aruba Networking EULA.

Open Source Code:

This product includes code licensed under certain open source licenses which require source compliance. The corresponding source for these components is available upon request. This offer is valid to anyone in receipt of this information and shall expire three years following the date of the final distribution of this product version by Hewlett Packard Enterprise Company. To obtain such source code, please check if the code is available in the HPE Software Center at but, if not, send a written request for specific software version and product for which you want the open source code. Along with the request, please send a check or money order in the amount of US $10.00 to:

Hewlett Packard Enterprise Company
Attn: General Counsel
WW Corporate Headquarters
1701 E Mossy Oaks Rd Spring, TX 77389
United States of America