About VXLAN Header Stripping
The VXLAN header stripping functionality can identify and remove headers from the VXLAN tagged packets that are tapped from the VXLAN-based enterprise networks and are routed to the respective tools for analysis. This functionality is useful when working with tools that either cannot recognize the VXLAN headers or must engage in additional processing to analyze the VXLAN traffic. The GigaVUE‑OS device is configured with the required traffic intelligence capability to strip the VXLAN header from the incoming packets. It then sends the inner payload to the tools based on the map rules configured.
The incoming VXLAN packets are discarded until the GigaVUE-OS device acquires the capability to remove the VXLAN header.
Once the required intelligence is acquired, header stripping can happen at line rate.
The following figure illustrates the VXLAN header stripping functionality:
In this diagram, the VXLAN encapsulated traffic from the network is tapped on the network port, 1/1/c5, in the GigaVUE-TA200 device. The VXLAN header stripping functionality is enabled on this network port. Based on the traffic intelligence capability, the GigaVUE-TA200 device strips the VXLAN header from the incoming packets that have the L4 destination port 0x4789. You can choose to configure the L4 destination port at the chassis level. The GigaVUE-TA200 device routes the inner payload to the respective tools based on the map rules configured.
Any other traffic that enters the VXLAN header stripping-enabled network port will also be processed similar to a normal by-rule map.
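As an added illustration (not Gigamon's code and not a description of GigaVUE-OS internals), the following Python shows the header-stripping decision described above: a frame is stripped only if it is Ethernet/IP/UDP with the configured L4 destination port and a valid VXLAN header; everything else is returned untouched for normal map processing. It assumes the IANA-assigned VXLAN port 4789 (decimal) as the default, the standard 8-byte VXLAN header, and a constructed sample packet built by `build_vxlan_frame`.

```python
import struct

VXLAN_UDP_PORT = 4789                 # IANA VXLAN port (decimal); configurable on the chassis
ETHERTYPE_IPV4, ETHERTYPE_IPV6, IPPROTO_UDP = 0x0800, 0x86DD, 17

def strip_vxlan(frame: bytes, vxlan_port: int = VXLAN_UDP_PORT):
    """Return (vni, inner_frame) when `frame` is Ethernet/IP/UDP/VXLAN on
    `vxlan_port`; return None so the caller treats it as ordinary traffic."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    off = 14
    if ethertype == ETHERTYPE_IPV4 and len(frame) >= off + 20:
        proto, ihl = frame[off + 9], (frame[off] & 0x0F) * 4
        off += ihl
    elif ethertype == ETHERTYPE_IPV6 and len(frame) >= off + 40:
        proto = frame[off + 6]        # next header; extension headers not parsed
        off += 40
    else:
        return None
    if proto != IPPROTO_UDP or len(frame) < off + 8 + 8:
        return None
    if struct.unpack_from("!H", frame, off + 2)[0] != vxlan_port:
        return None
    off += 8                          # skip the UDP header
    if not frame[off] & 0x08:         # VXLAN 'I' flag: VNI field is valid
        return None
    vni = int.from_bytes(frame[off + 4:off + 7], "big")
    inner = frame[off + 8:]           # everything after the 8-byte VXLAN header
    return (vni, inner) if len(inner) >= 14 else None

def build_vxlan_frame(vni: int, inner: bytes) -> bytes:
    """Constructed sample encapsulation (not a capture): Ethernet/IPv4/UDP/VXLAN."""
    vxlan = b"\x08\x00\x00\x00" + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 40000, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                     IPPROTO_UDP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
        + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vxlan + inner

# Constructed inner frame: Ethernet header with an experimental ethertype plus payload
INNER_FRAME = bytes.fromhex("aabbccddeeff" "112233445566" "88b5") + b"inner payload"

if __name__ == "__main__":
    vni, inner = strip_vxlan(build_vxlan_frame(0x123456, INNER_FRAME))
    print(hex(vni), inner == INNER_FRAME)   # 0x123456 True
```

Passing a different `vxlan_port` mirrors the chassis-level port setting: a frame encapsulated on 4789 is then left alone rather than stripped.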
The following table compares the capabilities available for VXLAN tunnel decapsulation with those available for VXLAN header stripping:

| Capabilities | With GigaSMART | Without GigaSMART |
|---|---|---|
| IPv4 support | Yes | Yes |
| IPv6 support | Yes | No |
| Header stripping on GigaVUE-TA Series | No | Yes |
| Header stripping at line rate | No | Yes |
GigaVUE-OS has a scan interval between 300 and 1000000 seconds to optimize the VXLAN ID processing capability. Configure a value of 0 to disable the scan interval.
Note: GigaVUE-OS restarts the VXLAN traffic intelligence capability on every reload.
VXLAN Tunnel Decapsulation Vs VXLAN Header Stripping
The difference between the VXLAN tunnel decapsulation and VXLAN header stripping is that in the case of VXLAN tunnel decapsulation, the traffic originates from and terminates at the GigaVUE‑OS devices. So, the GigaVUE‑OS devices are aware of the VXLAN IDs based on which the traffic is decapsulated. In the case of VXLAN header stripping, the GigaVUE‑OS devices are configured with traffic intelligence capability to strip the VXLAN header from the incoming packets with any VXLAN IDs.
VXLAN Header Stripping – Rules and Notes
Keep in mind the following rules and notes when working with VXLAN header stripping:
- VXLAN header stripping is supported on GigaVUE‑HC1-Plus, GigaVUE‑HC1, GigaVUE‑HC2 CCv2, GigaVUE‑HC3, GigaVUE-TA40, GigaVUE-TA100, GigaVUE-TA200, GigaVUE‑TA25, and GigaVUE‑TA400 devices.
- Destination IP-based statistics are not supported on GigaVUE-TA25 and .
- Gigamon’s traffic intelligence processing may lead to initial packet drops. This is not applicable to GigaVUE-TA400.
- On a network or hybrid port that taps the network traffic, you can enable either VXLAN header stripping or MPLS header stripping, but not both.
- Network ports configured with VXLAN header stripping and MPLS header stripping cannot be part of the same map. You must create separate maps for these ports.
- After a header is removed from the packet, the FCS is recomputed by the hardware, not by GigaVUE-OS.
- VXLAN header stripping is not supported on network ports that are part of pass-all maps, except on GigaVUE-TA400.
- VXLAN header stripping is not supported with IPv6 addresses, except on GigaVUE-TA400.
- You cannot associate an IP interface with a network or hybrid port that is enabled with VXLAN header stripping.
- Filter rules are not supported on a hybrid port that is enabled with VXLAN header stripping.
- Ingress VLAN tagging is not supported.
- VXLAN header stripping is not supported for Q-in-Q traffic, except on GigaVUE-TA400.
- You cannot enable VXLAN header stripping on a port that is part of a port-pair.
- Reassembly of fragmented packets after VXLAN header stripping is not supported.
- A maximum of 4096 dynamic VXLAN IDs are supported for VXLAN header stripping. On GigaVUE-TA400, all VXLAN IDs are supported.
- If a map has both header stripping-enabled ports and other network ports, the VXLAN traffic that enters the other network ports will not be sent to the shared collector, except on GigaVUE-TA400.
- VXLAN header stripping does not work if you configure a map with any rule that includes the qualifying attributes of the VXLAN header, because such rules override the traffic intelligence capability. For example, if you configure a map with a pass rule on IPv4 Destination, IPv4 Source, MAC Destination, or MAC Source, and the source port of the map overlaps or matches VXLAN headers, the header stripping functionality does not work. This is an exception for GigaVUE-TA400.
- VXLAN header stripping does not work if you configure a map with only drop rules and choose the Pass Traffic option so that the traffic is passed through the port when there are no matching rules. For more information, refer to Map Types. This is an exception for GigaVUE-TA400.
The following table provides the maximum number of static IP addresses that can be configured on each platform for the VXLAN header stripping functionality:

| Platform | Maximum number of static IP addresses supported |
|---|---|
| GigaVUE‑HC1 and GigaVUE‑HC2 CCv2 | 3966 |
| GigaVUE‑HC3, GigaVUE-TA100, and GigaVUE-TA200 | 1918 |
| GigaVUE-TA40 | 512 |