Router Between VXLAN Domains

With a VXLAN-stretched Layer 2 domain, a VM can point to a threat defense as its gateway even when the threat defense is not on the same rack, or is far away across the Layer 3 network.

See the following notes about this scenario:

  1. For packets from VM3 to VM1, the destination MAC address is the threat defense MAC address, because the threat defense is the default gateway.

  2. The VTEP source interface on Virtual Server 2 receives packets from VM3, then encapsulates the packets with VNI 3’s VXLAN tag and sends them to the threat defense.

  3. When the threat defense receives the packets, it decapsulates the packets to get the inner frames.

  4. The threat defense uses the inner frames for route lookup, then finds that the destination is on VNI 2. If it does not already have a mapping for VM1, the threat defense sends an encapsulated ARP broadcast on the multicast group IP on VNI 2.

    Note

    The threat defense must use dynamic VTEP peer discovery because it has multiple VTEP peers in this scenario.

  5. The threat defense encapsulates the packets again with the VXLAN tag for VNI 2 and sends the packets to Virtual Server 1. Before encapsulation, the threat defense changes the inner frame destination MAC address to be the MAC of VM1 (multicast-encapsulated ARP might be needed for the threat defense to learn the VM1 MAC address).

  6. When Virtual Server 1 receives the VXLAN packets, it decapsulates the packets and delivers the inner frames to VM1.
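As an added illustration that is not part of the Cisco documentation, the following Python simulation walks a packet from VM3 to VM1 through the steps above: the VNI 3 VXLAN packet is decapsulated, the inner frame is checked for the gateway MAC, the destination IP is looked up to find VNI 2, the ARP step is triggered while the VM1 MAC is still unknown, and after the MAC is learned the inner destination MAC is rewritten and the frame is re-encapsulated with VNI 2. All MAC and IP addresses, the VNI-to-subnet mappings, and the `Gateway`, `ArpNeeded`, `vxlan_encap`, `vxlan_decap` and `demo` names are constructed for this example; the UDP/4789 transport, multicast delivery, IP checksums and TTL handling of a real VTEP are left out.

```python
"""Simulated Layer 3 gateway routing between two VXLAN segments (VNI 3 -> VNI 2).
Added example; addresses and VNI mappings are constructed, not from any real deployment."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass, field

VXLAN_HDR_LEN = 8
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid (RFC 7348 header layout)
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!BBHI", VXLAN_FLAG_I, 0, 0, vni << 8) + inner_frame


def vxlan_decap(payload: bytes) -> tuple[int, bytes]:
    """Strip the VXLAN header and return (vni, inner Ethernet frame)."""
    if len(payload) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    flags, _, _, vni_field = struct.unpack("!BBHI", payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8, payload[VXLAN_HDR_LEN:]


def build_ipv4_frame(dst_mac: str, src_mac: str, src_ip: str, dst_ip: str, payload: bytes = b"") -> bytes:
    """Minimal Ethernet + IPv4 frame (checksum left zero) for the constructed sample traffic."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip + payload


@dataclass
class ArpNeeded:
    """No MAC known for dst_ip on out_vni: the gateway would now send an encapsulated
    ARP broadcast to the multicast group of out_vni (step 4) before it can forward."""
    out_vni: int
    dst_ip: str


@dataclass
class Gateway:
    mac: str
    routes: dict                                  # {IPv4Network: vni} (constructed)
    arp_table: dict = field(default_factory=dict)  # {(vni, ip): mac}, learned via ARP

    def learn(self, vni: int, ip: str, mac: str) -> None:
        self.arp_table[(vni, ip)] = mac

    def route(self, vxlan_payload: bytes):
        in_vni, frame = vxlan_decap(vxlan_payload)              # step 3: decapsulate
        if frame[0:6] != mac_bytes(self.mac):                     # step 1: frame must be addressed to the gateway
            return None
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            return None
        dst_ip = ipaddress.IPv4Address(frame[ETH_HDR_LEN + 16:ETH_HDR_LEN + 20])
        matches = [(n.prefixlen, v) for n, v in self.routes.items() if dst_ip in n]
        if not matches:                                           # step 4: route lookup by inner destination IP
            return None
        out_vni = max(matches)[1]                                 # longest prefix wins
        vm_mac = self.arp_table.get((out_vni, str(dst_ip)))
        if vm_mac is None:
            return ArpNeeded(out_vni, str(dst_ip))
        # step 5: rewrite the inner destination MAC to the target VM (and the source MAC to
        # the gateway, as any router does), then encapsulate again with the target VNI
        new_frame = mac_bytes(vm_mac) + mac_bytes(self.mac) + frame[12:]
        return out_vni, vxlan_encap(out_vni, new_frame)


def demo():
    """Run the VM3 -> VM1 scenario; returns the result before and after the VM1 MAC is learned."""
    gw = Gateway(mac="00:aa:bb:00:00:01",
                 routes={ipaddress.ip_network("10.2.0.0/24"): 2,
                         ipaddress.ip_network("10.3.0.0/24"): 3})
    vm3_frame = build_ipv4_frame(gw.mac, "00:cc:00:00:00:03", "10.3.0.30", "10.2.0.10", b"hello")
    from_vs2 = vxlan_encap(3, vm3_frame)            # step 2: Virtual Server 2's VTEP tags with VNI 3
    first = gw.route(from_vs2)                      # VM1 MAC unknown -> ArpNeeded
    gw.learn(2, "10.2.0.10", "00:cc:00:00:00:01")   # learned from the multicast-encapsulated ARP reply
    second = gw.route(from_vs2)                     # now forwarded on VNI 2 towards Virtual Server 1
    return first, second


if __name__ == "__main__":
    first, (vni, pkt) = demo()
    print(first)
    print(f"forwarded on VNI {vni}, inner dst MAC {mac_str(vxlan_decap(pkt)[1][0:6])}")
```

The `ArpNeeded` return models the note under step 4: because the gateway has VTEP peers on more than one segment, it cannot know in advance which VTEP hosts VM1 and must resolve the MAC dynamically before it can rewrite and forward the frame.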