Skip to main content

What is VXLAN ?

What is VXLAN?

VXLAN is an encapsulation protocol that provides data center connectivity using tunneling to stretch Layer 2 connections over an underlying Layer 3 network.

In data centers, VXLAN is the most commonly used protocol to create overlay networks that sit on top of the physical network, enabling the use of virtual networks. The VXLAN protocol supports the virtualization of the data center network while addressing the needs of multi-tenant data centers by providing the necessary segmentation on a large scale.



VXLAN Packet:

• VXLAN is point to multi-point tunneling mechanism to extend Layer 2 networks over an IP network.

• VXLAN uses MAC in UDP encapsulation (UDP destination port 4789)



Two Modes of VXLAN:


1. Flood-and-Learn VXLAN: 

 • No control plane 

 • Data driven flood and learning 

 • Ethernet in the overlay network 


2. VXLAN EVPN: 

• EVPN as control plane 

• VTEPs exchange L2/L3 host and subnet reachability through EVPN control plane 

•  Routing protocol for both L2 and L3 forwarding 


What is VXLAN/EVPN?


•  Standards based Overlay (VXLAN) with Standards based Control-Plane (BGP) 

• Layer-2 MAC and Layer-3 IP information distribution by Control-Plane (BGP) 

• Forwarding decision based on Control-Plane (minimizes flooding) 

• Integrated Routing/Bridging (IRB) for Optimized Forwarding in the Overlay




Comments

Popular posts from this blog

Basic Rules of Checkpoint Firewall

Managing the Firewall Rule Base: Explicit and Implied Rules These are the types of rules in the Rule Base: Explicit rules - Rules that you create to configure which connections the Firewall allows Implied rules - Rules that are based on settings in the Global Properties menu Implied rules allow connections for different services that the Security Gateway uses. For example, the Accept Control Connections option allows packets that control these services: ·          Installing the security policy on a Security Gateway ·          Sending logs from a Security Gateway to the Security Management server ·          Connecting to third party applications, such as RADIUS and TACACS authentication servers Order of Rule Enforcement: Make sure that you understand the importance of the order of rule enforcement to maximize the security of t...

ASA TCP Connection Flags

When troubleshooting TCP connections through the ASA, the connection flags shown for each TCP connection provide a wealth of information about the state of TCP connections to the ASA. This information can be used to troubleshoot problems with the ASA, as well as problems elsewhere in the network. Here is the output of the show conn protocol tcp command, which shows the state of all TCP connections through the ASA. These connections can also be seen with the show conn command. ASA# show conn protocol tcp 101 in use, 5589 most used TCP outside 10.23.232.59:5223 inside 192.168.1.3:52419, idle 0:00:11, bytes 0, flags saA TCP outside 192.168.3.5:80 dmz 172.16.103.221:57646, idle 0:00:29, bytes 2176, flags UIO TCP outside 10.23.232.217:443 inside 192.168.1.3:52427, idle 0:01:02, bytes 4504, flags TCP outside 10.23.232.217:5223 inside 192.168.1.3:52425, idle 0:00:10, bytes 0, flags saAUIO TCP outside 10.23.232.57:5223 inside 192.168.1.3:52412, idle 0:0...

How to Set Up an IPSec Tunnel On PAN-OS - Palo Alto Firewalls

Set Up an IPSec Tunnel  The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packet) as it traverses across the tunnel.  If you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define Proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access-lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as Proxy-IDs in the first or the second message of the process. So, if you are configuring the Palo Alto Networks firewall to work with a policy-based VPN peer, for a successful phase 2 negotiation you must define the Proxy-ID so that the setting on both peers is identical. If the Proxy-ID is not configured, because the Palo Alto Networks firewall supports route-based VPN, the default values used as Proxy-ID a...