• Author : Terence Hui


VXLAN Decapsulation on default VRF Only

Description

Current VXLAN decapsulation logic requires the following hits on affected switches listed in the following paragraph:

• Outer VXLAN header DMAC = bridgemac.
• Outer VXLAN header UDP port = VXLAN udp port.
• Outer VXLAN header DIP = VTEP IP.
• VNI on Outer VXLAN header is configured on the VTEP.

The current decapsulation logic does not consider the VRF of the interface the packet came in on. This has led to security issues such as Security Advisory 0055. The fix for SA55 was to simply disable VXLAN decapsulation on an interface if it could receive any non-default VRF traffic. This however...

