man/man4/vxlan.4

.\"	$OpenBSD: vxlan.4,v 1.10 2021/01/02 09:56:16 dlg Exp $
.\"
.\" Copyright (c) 2013 Reyk Floeter <reyk@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: January 2 2021 $
.Dt VXLAN 4
.Os
.Sh NAME
.Nm vxlan
.Nd Virtual eXtensible Local Area Network tunnel interface
.Sh SYNOPSIS
.Cd "pseudo-device vxlan"
.Sh DESCRIPTION
The
.Nm
interface is a tunnelling pseudo-device for overlaying virtualized
layer 2 networks over layer 3 networks.
.Pp
A
.Nm
interface can be created using the
.Ic ifconfig vxlan Ns Ar N Ic create
command.
Once configured, the interface encapsulates and decapsulates Ethernet
frames in UDP datagrams that are exchanged with tunnel endpoints.
The default UDP port for VXLAN traffic is 4789.
.Pp
Each
.Nm
interface uses a 24-bit
.Ic vnetid
(virtual networks identifier)
that distinguishes multiple virtualized layer 2 networks and
their tunnels between identical tunnel endpoints.
.Pp
The interface can operate in the following tunnel modes:
.Bl -tag -width multicast
.It Ic unicast mode
When a unicast IP address is configured as the tunnel destination,
all traffic is sent to a single tunnel endpoint.
.It Ic multicast mode
When a multicast IP address is configured as the tunnel destination,
all traffic is sent to all the tunnel endpoints that subscribed for the
specified multicast group.
.It Ic dynamic mode
When
.Nm
is configured for multicast mode and added to a
.Xr bridge 4 ,
all broadcast and multicast traffic is sent to the multicast group,
but directed traffic is sent to unicast IP addresses of individual tunnel
endpoints as they are learned by the bridge.
.It Ic multipoint mode
When
.Nm
is configured with
.Ic vnetid any
and added to a
.Xr bridge 4 ,
all return traffic is sent to the known tunnel endpoints
as they are learned by the bridge.
In this mode,
.Nm
does not use a specific virtual network identifier but learns the ones
of the individual tunnel endpoints.
It is used to dynamically bridge many virtual networks together.
.El
.Pp
The configuration can be done at runtime or by setting up a
.Xr hostname.if 5
configuration file for
.Xr netstart 8 .
.Pp
For correct operation, encapsulated traffic must not be routed
over the interface itself.
This can be implemented by adding a distinct or a more specific
route to the tunnel destination than the hosts or networks routed
via the tunnel interface.
Alternatively, the tunnel traffic may be configured in a separate
routing table to the encapsulated traffic.
.Sh EXAMPLES
Create a tunnel to a unicast tunnel endpoint, using the virtual tunnel
identifier 5:
.Bd -literal -offset indent
# ifconfig vxlan0 tunnel 192.168.1.100 192.168.1.200 vnetid 5
# ifconfig vxlan0 10.1.1.100/24
.Ed
.Pp
The following examples creates a dynamic tunnel that is attached to a
.Xr bridge 4 :
.Bd -literal -offset indent
# ifconfig vxlan0 tunnel 192.168.1.100 239.1.1.100 vnetid 7395
# ifconfig vxlan0 10.1.2.100/24
# ifconfig bridge0 add vxlan0 up
.Ed
.Pp
Prior to the assignment of UDP port 4789 by IANA, some early VXLAN
implementations used port 8472.
A non-standard port can be specified with the tunnel destination
address:
.Bd -literal -offset indent
# ifconfig vxlan0 tunnel 192.168.1.100 239.1.1.100:8472
.Ed
.Sh SECURITY
.Nm
does not provide any integrated security features.
It is designed to be a simple protocol that can be used in trusted
data center environments, to carry VM traffic between virtual machine
hypervisors, and provide virtualized layer 2 networks in Cloud
infrastructures.
.Pp
To protect
.Nm
tunnels, the traffic can be protected with IPsec to add authentication
and encryption for confidentiality.
.Pp
The Packet Filter (PF) can be used to filter tunnel traffic with
endpoint policies in
.Xr pf.conf 5 :
.Bd -literal -offset indent
table <vxlantep> { 192.168.1.200, 192.168.1.201 }
block in on em0
pass out on em0
pass in on em0 proto udp from <vxlantep> to port vxlan
.Ed
.Pp
The Time-to-Live (TTL) value of the tunnel can be set to 1 or a low
value to restrict the traffic to the local network:
.Bd -literal -offset indent
# ifconfig vxlan0 tunnelttl 1
.Ed
.Sh SEE ALSO
.Xr bridge 4 ,
.Xr inet 4 ,
.Xr hostname.if 5 ,
.Xr ifconfig 8 ,
.Xr netstart 8
.Sh STANDARDS
.Rs
.%A M. Mahalingam
.%A D. Dutt
.%A K. Duda
.%A P. Agarwal
.%A L. Kreeger
.%A T. Sridhar
.%A M. Bursell
.%A C. Wright
.%D May 2013
.%R draft-mahalingam-dutt-dcops-vxlan-04
.%T VXLAN: A Framework for Overlaying Virtualized Layer 2 Networks over Layer 3 Networks
.Re
.Sh HISTORY
The
.Nm
device first appeared in
.Ox 5.5 .
.Sh AUTHORS
The
.Nm
driver was written by
.An Reyk Floeter Aq Mt reyk@openbsd.org .
.Sh CAVEATS
The
.Nm
interface requires at least 50 bytes for the IP, UDP and VXLAN
protocol overhead and optionally 4 bytes for the encapsulated VLAN tag.
The default MTU is set to 1500 bytes but can be adjusted if the
transport interfaces carrying the tunnel traffic do not support larger
MTUs, the tunnel traffic is leaving the local network, or if
interoperability with another implementation requires running a
decreased MTU of 1450 bytes.
In any other case, it is commonly recommended to set the MTU of the
transport interfaces to at least 1600 bytes.
.Pp
The implementation does not support IPv6 multicast tunnel endpoints at
present.