VXLAN and iVXLAN Header Stripping

Overview

Nexus Data Broker (NDB) VXLAN and iVXLAN header stripping is a feature that enables switches to remove VXLAN and iVXLAN headers from packets upon receipt.

It allows switches to terminate VXLAN and iVXLAN packets.
It strips VXLAN and iVXLAN headers from incoming packets.
It facilitates packet processing in scenarios involving TAP and SPAN configurations.

Scenarios for Header Stripping

NDB switches receive packets in the following scenarios:

Test Access Point (TAP) ports between spines and leaf are placed on the Fabric Links in the ACI fabric.
Switched Port Analyzer (SPAN) sessions are configured, or TAPs placed in the VXLAN overlay network.

Supported PIDs

Guidelines and Limitations

Post VXLAN and iVXLAN Header Strip Guidelines

The interface will allow slapping Q-in-Q VLAN on inside packet.
Packet CRC will be properly performed.
Inside packets will be allowed to filter using ingress port ACLs.

Not Supported Features

VXLAN and iVXLAN strip is not supported if the following features are enabled:

NV overlay
VN-segment-vlan
Legacy MPLS strip and tap-aggregation

Release Specific Guidelines

Platform Specific Guidelines

You must be able to strip VXLAN, and iVXLAN headers without being PTEP/VTEP.
VXLAN header strip is enabled per port.
Ports must be able to manage both tunneled and non-tunneled packets.
Layer 2 switch port mode trunk or Layer 2 PO interfaces must be able to strip the VXLAN header.
Ensure that the Tap-ACL contains proper ACE with redirect keyword, where the redirect interfaces are pointing toward the egress/analyzer ports, else the packet will be flooded back on the same ingress port.
OFM enables VXLAN strip capability for standard ISSU and LXC-ISSU.

Supported Features

VXLAN header strip is supported when VXLAN underlay is V4.
VXLAN stripping is supported when the default UDP value is used.

Configure Nexus Data Broker Termination

The following steps outline the termination of NDB for VXLAN. The same procedure is followed for iVXLAN header strip.

Note

To change encapsulate tunnel type from VXLAN to iVXLAN or vice versa, the configured tunnel must be removed using no encapsulate CLI.

Note

Ensure that the below CLIs are configured to enable stripping of VXLAN or iVXLAN on interfaces:

destination any
encapsulation vxlan
flow terminate interface add Ethernet 1/1

If any of the above CLIs are missing, stripping of VXLAN or iVXLAN will not happen on the ports specified in flow term CLI.

Procedure

Step 1

Enter global configuration mode using the command configure terminal and enable feature ofm using the command feature ofm

Example:

switch# configure terminal

Example:

switch (config)# feature ofm

Step 2

Enable static VXLAN tunnels using the command tunnel-profile profile-name and set appropriate encapsulation type for the tunnel profile using the command encapsulation vxlan

Example:

switch(config)# tunnel-profile vtep_vxlan_term
                        switch(config-tnl-profile)#

Example:

switch(config-tnl-profile)# encapsulation vxlan
                        switch(config-tnl-profile)#

Step 3

Set required destination for the tunnel profile using the command destination any

Example:

switch(config-tnl-profile)# destination any

Step 4

Add ethernet1/1 to the flow term list (if the no flow terminate interface command was configured) using the command flow terminate interface ethernet 1/1 and remove Ethernet 1/1 port only using the command flow terminate interface remove ethernet 1/1

Example:

switch(config-tnl-profile)# flow terminate interface ethernet 1/1

Example:

switch(config-tnl-profile)# flow terminate interface remove ethernet 1/1

Step 5

Add e1/2, e1/3, e1/4, e1/5 to an existing list of flow terminate interfaces using the command flow terminate interface add ethernet 1/2-5

Example:

switch(config-tnl-profile)# flow terminate interface add ethernet 1/2-5

Note

While adding flow terminate interface, CLI doesn’t check whether L2 port interface exists or enabled. For example, e1/10 is a non-breakout mode. CLI allows interface e1/10/1-4 to add for flow terminate list. When e1/10 is a breakout, VXLAN header strip feature functions.

Step 6

Add port channel 100-110 to old list uisng the command flow terminate interface add port-channel 100-110

Example:

switch(config-tnl-profile)# flow terminate interface add po100-110

New list will be e1/10-11 and po100-110.

Step 7

Remove all flow and terminate interfaces from profile uisng the command no flow terminate interface and enable feature tap-aggregation using the command feature tap-aggregation

Example:

switch(config-tnl-profile)# no flow terminate interface

Example:

switch(config)# feature tap-aggregation

The following example shows VXLAN and iVXLAN header stripping, the procedure is same for iVXLAN:

switch(config-tnl-profile)# show run ofm
show running-config ofm
feature ofm
tunnel-profile vxlan1
encapsulation vxlan
destination any
flow terminate interface add port-channel101
flow terminate interface add Ethernet1/1

tunnel-profile vxlan2
encapsulation ivxlan
destination any
flow terminate interface add port-channel101
flow terminate interface add Ethernet1/1
switch(config-tnl-profile)#
switch(config-tnl-profile)# show tunnel-profile
Profile : vxlan1
Encapsulation : Vxlan
State : UP
Destination : Any
Terminate Interfaces : 2
Terminate List : port-channel101 Ethernet1/1
Profile : vxlan2
Encapsulation : iVxlan
State : UP
Destination : Any
Terminate Interfaces : 2
Terminate List : port-channel101 Ethernet1/1
switch(config-tnl-profile)#

Cisco Nexus 9000 Series NX-OS System Management Configuration Guide, Release 10.1(x)

Bias-Free Language

Book Title