VXLAN Template
Use the VXLAN template to efficiently deploy Virtual Network Identifier (VNI) instances for Virtual Extensible Local Area Network (VXLAN) segments. A VNI maps a routing segment to a firewall zone and a fallback role. Each segment is identified by a 24-bit VNI, which allows up to 16 million virtual networks to be configured. For additional information, see the VXLAN tab.
Prerequisites
Before you can assign a VNI to a VXLAN segment, you must configure the following settings:
- Segmentation must be enabled to support VXLAN. See the Routing Segmentation (VRF) tab.
- The IP routing on the BGP Layer 3 network that connects the EdgeConnect appliance VTEPs must already be configured. This is necessary to enable VXLAN traffic to traverse the network. Therefore, only in-line router mode is supported.
- Currently, the EdgeConnect EVPN address family is only supported for BGP EVPN peers in the Default segment (VRF ID = 0).
- One or more loopback interfaces must already be available.
- VXLAN is only supported on LAN interfaces. Route-Targets must be defined, and BGP enabled for all segments, even if no BGP peers are configured in non-default segments.
Common Settings for all VNIs
Use this section of the VXLAN Tab to configure these common settings for all VNIs:
- Destination UDP Port: You can configure a custom destination UDP port for VXLAN. If not selected, the appliance uses the default port of 4789.
- VTEP Source Interface: Select a loopback interface from the list.
  NOTE: Only loopback interfaces are valid. The loopback interface you choose will automatically be configured in the local interface field of the BGP Peer configuration if EVPN Peer is enabled.
VNI Mappings
In this dialog box, use the steps below to map a VNI to a routing segment, a firewall zone, and a fallback role.
Add
- Click Add to create a new VNI for a segment.
- Enter a value for the VNI segment. Valid values are 1-16777215.
- Select the Segment, Firewall Zone, and Fallback Role (Don’t Apply, Guest IOT, Untrusted).
- Click OK.
Edit
- Select an existing VNI from the list.
- Click the Edit icon to modify an existing VNI.
Note: In the Flows tab, enable the VNI Tx and VNI Rx columns to display the number of the VNI that received or sent the VXLAN traffic. Both values should match for every flow. If not, there might be a misconfiguration downstream from the EdgeConnect.
Role to GPID Mapping
Use the Roles dialog box to map a policy enforcement role to a VXLAN Group Policy Identifier (GPID). Mapping policy enforcement roles to a VXLAN GPID is optional. Policy enforcement role mapping to a GPID propagates globally across the SD-WAN Fabric. Enabling the identity-based policy enforcement capability of the HPE Aruba Networking SD-WAN solution in VXLAN segments provides a highly automated, extensible way of enabling a zero-trust security architecture.
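To investigate the VNI Tx/VNI Rx mismatch described in the Flows tab note, and to see where a GPID travels, the following added example (not HPE Aruba Networking code) decodes the 8-byte VXLAN header from captured packets and checks each flow against a table of VNI mappings. It goes beyond this page by assuming the RFC 7348 header layout with the Group Policy extension bits; the function names, segment names, and header bytes are hypothetical and constructed for illustration.

```python
import struct

VNI_MIN, VNI_MAX = 1, 16777215  # valid VNI range given on this page


def parse_vxlan_header(hdr: bytes) -> dict:
    """Decode the 8-byte VXLAN header that follows the outer UDP header."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    # Byte 0: flags, byte 1: policy bits, bytes 2-3: GPID, bytes 4-6: VNI, byte 7: reserved
    flags, _policy_bits, gpid, vni_rsvd = struct.unpack("!BBHI", hdr[:8])
    if not flags & 0x08:  # I flag: the VNI field is valid
        raise ValueError("I flag not set, VNI is not valid")
    # G flag (0x80) marks the Group Policy ID as present (assumed GBP layout)
    return {"vni": vni_rsvd >> 8, "gpid": gpid if flags & 0x80 else None}


def audit_flows(flows, vni_map):
    """Return (flow, finding) pairs for Tx/Rx VNI mismatches and unmapped VNIs."""
    findings = []
    for name, tx_hdr, rx_hdr in flows:
        tx, rx = parse_vxlan_header(tx_hdr), parse_vxlan_header(rx_hdr)
        if tx["vni"] != rx["vni"]:
            findings.append((name, f"VNI Tx {tx['vni']} != VNI Rx {rx['vni']}"))
        for vni in sorted({tx["vni"], rx["vni"]}):
            if not VNI_MIN <= vni <= VNI_MAX:
                findings.append((name, f"VNI {vni} outside 1-16777215"))
            elif vni not in vni_map:
                findings.append((name, f"VNI {vni} has no segment mapping"))
    return findings


# Constructed sample data: hypothetical mappings and header bytes, not real captures.
SAMPLE_MAP = {5000: "Default", 5001: "Guest"}
SAMPLE_FLOWS = [
    # VNI 5000 with GPID 100 in both directions: consistent
    ("flow-a", bytes.fromhex("8800006400138800"), bytes.fromhex("8800006400138800")),
    # Sent on VNI 5000, received on VNI 5001: mismatch
    ("flow-b", bytes.fromhex("0800000000138800"), bytes.fromhex("0800000000138900")),
    # VNI 65535 is not in the mapping table
    ("flow-c", bytes.fromhex("0800000000ffff00"), bytes.fromhex("0800000000ffff00")),
]

if __name__ == "__main__":
    for flow, finding in audit_flows(SAMPLE_FLOWS, SAMPLE_MAP):
        print(f"{flow}: {finding}")
```
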