VXLAN and iVXLAN Header Stripping for Nexus Data Broker

This chapter describes the VXLAN and iVXLAN header stripping procedure for Nexus Data Broker (NDB).

About Nexus Data Broker – VXLAN and iVXLAN Header Stripping

Nexus Data Broker (NDB) VXLAN and iVXLAN termination allows switches to strip the headers when VXLAN and iVXLAN packets are received.

An NDB switch receives packets in the following scenarios:

  • Test Access Point (TAP) ports between spines and leaf are placed on the Fabric Links in the ACI fabric.

  • Switched Port Analyzer (SPAN) sessions are configured, or TAPs placed in the VXLAN overlay network.

Guidelines and Limitations for VXLAN and iVXLAN Header Strip

  • VXLAN header strip is supported when the VXLAN underlay is IPv4.

  • You must be able to strip VXLAN and iVXLAN headers without being a PTEP/VTEP.

  • VXLAN header strip is enabled per port.

  • VXLAN and iVXLAN strip is not supported if the following features are enabled:

    • NV overlay

    • VN-segment-vlan

    • Legacy MPLS strip and tap-aggregation

  • VXLAN stripping is supported when the default UDP port value is used.

  • Ports must be able to manage both tunneled and non-tunneled packets.

  • Layer 2 switch port mode trunk or Layer 2 PO interfaces must be able to strip the VXLAN header.

  • Ensure that the Tap-ACL contains a proper ACE with the redirect keyword, where the redirect interfaces point toward the egress/analyzer ports; otherwise, the packet will be flooded back on the same ingress port.

  • OFM enables VXLAN strip capability for standard ISSU and LXC-ISSU.

  • A maximum of 2 tunnel-profiles can be created on a switch, one per type of encapsulation.

The following statements are true after the VXLAN or iVXLAN header is stripped:

  • The interface allows a Q-in-Q VLAN tag to be added to the inner packet.

  • Packet CRC will be properly performed.

  • Inner packets can be filtered using ingress port ACLs.
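
What header stripping means at the byte level, as an added Python model (not Cisco code, and not a description of the switch implementation): the outer Ethernet/IPv4/UDP/VXLAN headers are removed when the underlay is IPv4 and the UDP destination port is the default, and non-tunneled frames pass through unchanged. UDP port 4789 (the IANA-assigned VXLAN port), the sample addresses and VNI 10100 are assumptions; iVXLAN is not modelled.

```python
import struct

VXLAN_UDP_PORT = 4789  # assumption: IANA VXLAN port (RFC 7348) as the "default UDP value"

def build_vxlan_frame(inner, vni, dport=VXLAN_UDP_PORT):
    """Wrap an inner Ethernet frame in constructed outer Ethernet/IPv4/UDP/VXLAN headers."""
    vxlan = struct.pack("!II", 0x08 << 24, vni << 8)       # I flag set, 24-bit VNI
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, dport, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))  # checksum left 0 (sample)
    return bytes(12) + b"\x08\x00" + ip + udp + vxlan + inner

def strip_vxlan(frame):
    """Return (vni, inner) for VXLAN over IPv4 on the default port, else (None, frame)."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":                  # outer 802.1Q tag (trunk port)
        off += 4
    if frame[off:off + 2] != b"\x08\x00":                  # underlay must be IPv4
        return None, frame
    ip = off + 2
    if len(frame) < ip + 20 or frame[ip] >> 4 != 4 or frame[ip + 9] != 17:
        return None, frame                                 # not IPv4 carrying UDP
    udp = ip + (frame[ip] & 0x0F) * 4
    if len(frame) < udp + 16:
        return None, frame                                 # too short for UDP + VXLAN
    if struct.unpack_from("!H", frame, udp + 2)[0] != VXLAN_UDP_PORT:
        return None, frame                                 # non-default port: left as is in this model
    if not frame[udp + 8] & 0x08:                          # VNI-valid (I) flag must be set
        return None, frame
    vni = int.from_bytes(frame[udp + 12:udp + 15], "big")
    return vni, frame[udp + 16:]

# Constructed inner frame: broadcast dst MAC, sample src MAC, EtherType ARP, dummy payload.
INNER = bytes.fromhex("ffffffffffff020000000001") + b"\x08\x06" + b"\x00" * 28
TUNNELED = build_vxlan_frame(INNER, vni=10100)
```

In this model the strip removes 50 bytes of outer headers from an untagged frame (14 Ethernet, 20 IPv4, 8 UDP, 8 VXLAN), and an untunneled frame is returned untouched.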

Configuring Nexus Data Broker Termination

The following steps outline the termination of NDB for VXLAN. The same procedure is followed for iVXLAN header strip.


Note


To change the encapsulation tunnel type from VXLAN to iVXLAN or vice versa, the configured tunnel must be removed using the no encapsulate CLI.



Note


Ensure that the following CLIs are configured to enable stripping of VXLAN or iVXLAN on interfaces:

  • destination any

  • encapsulation vxlan

  • flow terminate interface add Ethernet 1/1

If any of the above CLIs are missing, stripping of VXLAN or iVXLAN will not happen on the ports specified in the flow terminate CLI.


Procedure

  Command or Action Purpose

Step 1

configure terminal

Example:

switch# configure terminal

Enters global configuration mode.

Step 2

feature ofm

Example:

switch(config)# feature ofm

Enables the OFM feature.

Step 3

tunnel-profile profile-name

Example:

switch(config)# tunnel-profile vtep_vxlan_term
switch(config-tnl-profile)#

Enables static VXLAN tunnels.

Step 4

encapsulation vxlan

Example:

switch(config-tnl-profile)# encapsulation vxlan
switch(config-tnl-profile)#

Sets the appropriate encapsulation type for the tunnel profile.

Step 5

destination any

Example:

switch(config-tnl-profile)# destination any

Sets the required destination for the tunnel profile.

Step 6

flow terminate interface ethernet 1/1

Example:

switch(config-tnl-profile)# flow terminate interface ethernet 1/1

Adds ethernet1/1 to the flow terminate list (if the no flow terminate interface command was configured).

Step 7

flow terminate interface remove ethernet 1/1

Example:

switch(config-tnl-profile)# flow terminate interface remove ethernet 1/1

Removes only the Ethernet 1/1 port.

Step 8

flow terminate interface add ethernet 1/2-5

Example:

switch(config-tnl-profile)# flow terminate interface add ethernet 1/2-5

Adds e1/2, e1/3, e1/4, and e1/5 to an existing list of flow terminate interfaces.

Note

When you add a flow terminate interface, the CLI does not check whether the L2 port interface exists or is enabled. For example, when e1/10 is in non-breakout mode, the CLI still allows interfaces e1/10/1-4 to be added to the flow terminate list. When e1/10 is a breakout port, the VXLAN header strip feature functions.

Step 9

flow terminate interface add port-channel 100-110

Example:

switch(config-tnl-profile)# flow terminate interface add po100-110

Adds port channels 100-110 to the existing list. The new list will be e1/10-11 and po100-110.

Step 10

no flow terminate interface

Example:

switch(config-tnl-profile)# no flow terminate interface

Removes all flow terminate interfaces from the profile.

Configuration Example for VXLAN and iVXLAN Header Strip

The following example shows VXLAN and iVXLAN header stripping; the procedure is the same for iVXLAN:

switch(config-tnl-profile)# show run ofm
show running-config ofm
feature ofm
tunnel-profile vxlan1
encapsulation vxlan
destination any
flow terminate interface add port-channel101
flow terminate interface add Ethernet1/1

tunnel-profile vxlan2
encapsulation ivxlan
destination any
flow terminate interface add port-channel101
flow terminate interface add Ethernet1/1
switch(config-tnl-profile)#
switch(config-tnl-profile)# show tunnel-profile
Profile : vxlan1
Encapsulation : Vxlan
State : UP
Destination : Any
Terminate Interfaces : 2
Terminate List : port-channel101 Ethernet1/1
Profile : vxlan2
Encapsulation : iVxlan
State : UP
Destination : Any
Terminate Interfaces : 2
Terminate List : port-channel101 Ethernet1/1
switch(config-tnl-profile)#
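
A check for the conditions this chapter lists (feature ofm, the three CLIs required for stripping, at most 2 tunnel-profiles with one per encapsulation type, no conflicting features), as an added Python example that is not Cisco code. It parses text in the form of the show running-config ofm output above; the sample strings are constructed, and the spellings feature nv overlay and feature vn-segment-vlan-based for the conflicting features are assumptions.

```python
import re
# Assumed NX-OS spellings of the conflicting features named in the guidelines.
CONFLICTING = ("feature nv overlay", "feature vn-segment-vlan-based")

def parse_profiles(config):
    """Collect each tunnel-profile's encapsulation, destination and terminate ports."""
    profiles, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.fullmatch(r"tunnel-profile\s+(\S+)", line):
            cur = profiles.setdefault(m.group(1), {"encap": None, "dest_any": False, "ports": []})
        elif cur is None:
            continue                      # lines before the first profile
        elif m := re.fullmatch(r"encapsulation\s+(\S+)", line):
            cur["encap"] = m.group(1).lower()
        elif line == "destination any":
            cur["dest_any"] = True
        elif m := re.fullmatch(r"flow terminate interface add\s+(.+)", line):
            cur["ports"].append(m.group(1).replace(" ", ""))
    return profiles

def audit(config):
    """Return a list of findings; an empty list means the listed conditions hold."""
    lines = [raw.strip() for raw in config.splitlines()]
    findings = [f"conflicting feature enabled: {f}" for f in CONFLICTING if f in lines]
    if "feature ofm" not in lines:
        findings.append("feature ofm is not enabled")
    profiles = parse_profiles(config)
    if len(profiles) > 2:
        findings.append(f"{len(profiles)} tunnel-profiles configured; maximum is 2")
    by_encap = {}
    for name, p in profiles.items():
        if p["encap"] not in ("vxlan", "ivxlan"):
            findings.append(f"{name}: no encapsulation vxlan/ivxlan")
        elif p["encap"] in by_encap:
            findings.append(f"{name}: same encapsulation as {by_encap[p['encap']]}")
        else:
            by_encap[p["encap"]] = name
        if not p["dest_any"]:
            findings.append(f"{name}: missing 'destination any'")
        if not p["ports"]:
            findings.append(f"{name}: no 'flow terminate interface add' ports")
    return findings

# Constructed samples modelled on the running-config shown above.
GOOD = ("feature ofm\ntunnel-profile vxlan1\nencapsulation vxlan\ndestination any\n"
        "flow terminate interface add Ethernet1/1\ntunnel-profile vxlan2\n"
        "encapsulation ivxlan\ndestination any\nflow terminate interface add port-channel101\n")
BAD = GOOD.replace("encapsulation ivxlan", "encapsulation vxlan").replace(
    "destination any\nflow terminate interface add port-channel101\n", "")
```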