Peer VTEPs

When the threat defense sends a packet to a device behind a peer VTEP, the threat defense needs two important pieces of information:

  • The destination MAC address of the remote device

  • The destination IP address of the peer VTEP

The threat defense maintains a mapping of destination MAC addresses to remote VTEP IP addresses for the VNI interfaces.

VXLAN Peer

The threat defense can find this information in the following ways:

  • A single peer VTEP IP address can be statically configured on the threat defense.

    For IPv4: The threat defense then sends a VXLAN-encapsulated ARP broadcast to the VTEP to learn the end node MAC address.

    For IPv6: The threat defense then sends an IPv6 Neighbor Solicitation message to the IPv6 solicited-node multicast address. The peer VTEP responds with an IPv6 Neighbor Advertisement message with its link-local address.

  • A group of peer VTEP IP addresses can be statically configured on the threat defense.

    For IPv4: The threat defense then sends a VXLAN-encapsulated ARP broadcast to the VTEP to learn the end node MAC addresses.

    For IPv6: The threat defense then sends an IPv6 Neighbor Solicitation message to the IPv6 solicited-node multicast address. The peer VTEP responds with an IPv6 Neighbor Advertisement message with its link-local address.

  • A multicast group can be configured on each VNI interface (or on the VTEP as a whole).

    For IPv4: The threat defense sends a VXLAN-encapsulated ARP broadcast packet within an IP multicast packet through the VTEP source interface. The response to this ARP request enables the threat defense to learn both the remote VTEP IP address and the destination MAC address of the remote end node.

    For IPv6: The threat defense sends a Multicast Listener Discovery (MLD) Report message through the VTEP source interface to indicate that the threat defense is listening on the VTEP interface for the multicast address traffic.

    This option is not supported with Geneve.
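
The learning step described above, as an added example that is not Cisco's code: it parses a constructed IPv4/UDP/VXLAN frame, records the (VNI, inner source MAC) to outer source IP mapping the way the MAC-to-VTEP table for a VNI interface is populated, and answers the lookup a forwarding decision needs. The frame layout follows RFC 7348; the addresses, VNI and MAC values are constructed sample data.

```python
import struct

VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port


def build_vxlan_frame(vtep_src_ip, vtep_dst_ip, vni, inner_src_mac, inner_dst_mac, payload=b""):
    """Build a constructed IPv4/UDP/VXLAN frame around an inner Ethernet (ARP) frame."""
    inner = (bytes.fromhex(inner_dst_mac.replace(":", ""))
             + bytes.fromhex(inner_src_mac.replace(":", ""))
             + b"\x08\x06" + payload)                       # EtherType 0x0806 = ARP
    vxlan = bytes([0x08, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"  # I flag + 24-bit VNI
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vxlan) + len(inner), 0)
    total = 20 + len(udp) + len(vxlan) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 17, 0,
                     bytes(map(int, vtep_src_ip.split("."))),
                     bytes(map(int, vtep_dst_ip.split("."))))  # checksum left 0 (sample only)
    return ip + udp + vxlan + inner


def learn_peer(frame, table):
    """Record (VNI, inner source MAC) -> outer source IP, i.e. the peer VTEP that sent the frame.

    Returns (vni, mac, vtep_ip); raises ValueError for anything that is not IPv4/UDP/VXLAN.
    """
    if frame[0] >> 4 != 4 or frame[9] != 17:
        raise ValueError("outer header is not IPv4/UDP")
    ihl = (frame[0] & 0x0F) * 4
    vtep_ip = ".".join(str(b) for b in frame[12:16])
    if struct.unpack("!H", frame[ihl + 2:ihl + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vxlan = frame[ihl + 8:ihl + 16]
    if not vxlan[0] & 0x08:  # the I flag must be set for the VNI field to be valid
        raise ValueError("VXLAN I flag not set")
    vni = int.from_bytes(vxlan[4:7], "big")
    # inner Ethernet starts after UDP (8) + VXLAN (8); source MAC is bytes 6..12 of it
    inner_src_mac = ":".join(f"{b:02x}" for b in frame[ihl + 22:ihl + 28])
    table.setdefault(vni, {})[inner_src_mac] = vtep_ip
    return vni, inner_src_mac, vtep_ip


def lookup_peer(table, vni, dst_mac):
    """Peer VTEP IP for a destination MAC on a VNI, or None if it still has to be resolved."""
    return table.get(vni, {}).get(dst_mac.lower())
```

A None from lookup_peer is the case where the threat defense has to fall back to the configured peer, peer group or multicast group to resolve the remote MAC.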

Geneve Peer

The threat defense virtual only supports statically defined peers. You can define the threat defense virtual peer IP address on the AWS Gateway Load Balancer. Because the threat defense virtual never initiates traffic to the Gateway Load Balancer, you do not also have to specify the Gateway Load Balancer IP address on the threat defense virtual; it learns the peer IP address when it receives Geneve traffic. Multicast groups are not supported with Geneve.