Guidelines for VXLAN Interfaces

Firewall Mode

  • Geneve interfaces are only supported in routed firewall mode.

  • Paired proxy VXLAN interfaces are only supported in routed firewall mode.

IPv6

  • The VNI interface supports both IPv4 and IPv6 traffic.

  • For VXLAN encapsulation, the VTEP source interface supports both IPv4 and IPv6. The threat defense virtual cluster control link VTEP source interface only supports IPv4.

    For Geneve, the VTEP source interface only supports IPv4.

Clustering

  • Clustering does not support VXLAN in Individual Interface mode except for the cluster control link (threat defense virtual only) Only Spanned EtherChannel mode supports VXLAN.

    An exception is made for AWS, which can use an additional Geneve interface for use with the GWLB and for Azure, which can use an additional paired proxy VXLAN interface for use with the GWLB.

Routing

  • Only static routing or Policy Based Routing is supported on the VNI interface; dynamic routing protocols are not supported.

MTU

  • VXLAN encapsulation—If the source interface MTU is less than 1554 bytes for IPv4 or 1574 bytes for IPv6, then the threat defense automatically raises the MTU to 1554 bytes or 1574 bytes. In this case, the entire Ethernet datagram is being encapsulated, so the new packet is larger and requires a larger MTU. If the MTU used by other devices is larger, then you should set the source interface MTU to be the network MTU + 54 bytes for IPv4 or +64 bytes for IPv6. For the threat defense virtual, this MTU requires a restart to enable jumbo frame reservation.

  • Geneve encapsulation—If the source interface MTU is less than 1806 bytes, then the threat defense automatically raises the MTU to 1806 bytes. In this case, the entire Ethernet datagram is being encapsulated, so the new packet is larger and requires a larger MTU. If the MTU used by other devices is larger, then you should set the source interface MTU to be the network MTU + 306 bytes. This MTU requires a restart to enable jumbo frame reservation.