VXLAN VTEP (TRUST-only) — primer¶
Help Center primer for the VXLAN underlay VTEP stress engine. Pairs with ADR 0019 and the vyos-vteppods (data-plane TRUST-only).
What it tests¶
Many NGFW deployments sit inside a VXLAN overlay fabric (DC spine-leaf, EVPN, public cloud transit gateways). Their VTEP processing path is distinct from the regular L3 inspection path:
- VNI lookup (per-VNI MAC tables)
- Encap/decap throughput (UDP/4789 add/strip on every packet)
- MTU handling (the 50B VXLAN overhead means an inner MTU of 1500 needs an underlay MTU of 1550+; otherwise the inner packet is fragmented)
- Multi-VNI fanout (per-VNI broadcast/multicast handling)
This engine drives the TRUST-side underlay only — the OOBI fabric overlay (VNI 254254) is isolated and never used as a test surface (see ADR 0019: OOBI is canonically immutable).
Three-axis configuration¶
| Axis | Options |
|---|---|
| enabled | yes / no |
| vni_count | 1 / 10 / 50 (default) / 250 / 1000 |
| inner_mtu | 1280 / 1500 (default) / 9000 (jumbo; validates underlay 9050+) |
The dashboard pre-validates the (underlay MTU, inner_mtu) pair and refuses the run if underlay MTU < inner_mtu + 50B.
Underlay isolation — safety guarantee¶
The stress operates on VLAN 10 (underlay) with VTEPs in
172.18.0.0/29. VNI namespace 1{vlan} is reserved for stress
(VNIs 1101..1120 etc.). The OOBI fabric's VNI 254254 is
canonically immutable (ADR 0019) — the stress engine cannot
touch it.
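The two points above, the 50B encap overhead that drives the MTU rule and the VNI namespace isolation that keeps VNI 254254 off the test surface, as a worked example. This is an added illustration, not the engine's or the dashboard's own code: the function names (EncodeVXLANHeader, Encap, Decap, RequiredUnderlayMTU, ValidateRun) and the validator's signature are assumptions; the header layout, the 50B overhead and the VNI/MTU values come from RFC 7348 and the primer. The sample VNIs 1101..1120 in main are constructed input.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Per-packet cost the VXLAN underlay adds to every inner Ethernet frame
// (RFC 7348): outer Ethernet 14 + outer IPv4 20 + outer UDP 8 + VXLAN 8 = 50 B.
// The inner frame's own 14 B Ethernet header rides inside the UDP payload, while
// the outer 14 B Ethernet header is not counted against the underlay IP MTU, so
// the two cancel and "underlay MTU >= inner_mtu + 50" is exactly the primer's rule.
const (
	outerEthLen   = 14
	outerIPv4Len  = 20
	outerUDPLen   = 8
	vxlanHdrLen   = 8
	VXLANOverhead = outerEthLen + outerIPv4Len + outerUDPLen + vxlanHdrLen

	VXLANPort = 4789
	OOBIVNI   = 254254    // OOBI fabric overlay, canonically immutable (ADR 0019)
	maxVNI    = 1<<24 - 1 // VNI is a 24-bit field
	vxlanIBit = 0x08      // "I" flag: the VNI field is valid
)

// EncodeVXLANHeader builds the 8-byte VXLAN header: flags, 3 reserved bytes,
// 24-bit VNI, 1 reserved byte.
func EncodeVXLANHeader(vni uint32) ([]byte, error) {
	if vni == 0 || vni > maxVNI {
		return nil, fmt.Errorf("vni %d outside 1..%d", vni, maxVNI)
	}
	h := make([]byte, vxlanHdrLen)
	h[0] = vxlanIBit
	binary.BigEndian.PutUint32(h[4:8], vni<<8) // VNI occupies the top 24 bits of the last word
	return h, nil
}

// DecodeVXLANHeader extracts the VNI, rejecting headers a VTEP must drop
// (truncated, or I flag clear).
func DecodeVXLANHeader(h []byte) (uint32, error) {
	if len(h) < vxlanHdrLen {
		return 0, errors.New("short VXLAN header")
	}
	if h[0]&vxlanIBit == 0 {
		return 0, errors.New("VXLAN I flag not set")
	}
	return binary.BigEndian.Uint32(h[4:8]) >> 8, nil
}

// Encap returns the UDP/4789 payload for one inner frame; Decap strips the
// VXLAN header and returns the VNI plus the inner frame. Outer Ethernet/IP/UDP
// are left to the stack, which is why only the 8-byte VXLAN header is built here.
func Encap(vni uint32, inner []byte) ([]byte, error) {
	h, err := EncodeVXLANHeader(vni)
	if err != nil {
		return nil, err
	}
	return append(h, inner...), nil
}

func Decap(payload []byte) (uint32, []byte, error) {
	vni, err := DecodeVXLANHeader(payload)
	if err != nil {
		return 0, nil, err
	}
	return vni, payload[vxlanHdrLen:], nil
}

// RequiredUnderlayMTU is the smallest underlay IP MTU that carries innerMTU
// without fragmentation (1500 -> 1550, 9000 -> 9050).
func RequiredUnderlayMTU(innerMTU int) int { return innerMTU + VXLANOverhead }

// ValidateRun applies the two pre-run checks the primer describes: MTU headroom
// and VNI isolation from the OOBI overlay. Hypothetical signature; the page does
// not show the dashboard's real validator.
func ValidateRun(underlayMTU, innerMTU int, vnis []uint32) error {
	if need := RequiredUnderlayMTU(innerMTU); underlayMTU < need {
		return fmt.Errorf("underlay MTU %d < inner %d + %d B overhead (need %d)",
			underlayMTU, innerMTU, VXLANOverhead, need)
	}
	for _, v := range vnis {
		if v == 0 || v > maxVNI {
			return fmt.Errorf("vni %d outside 1..%d", v, maxVNI)
		}
		if v == OOBIVNI {
			return fmt.Errorf("vni %d is the OOBI overlay; refusing to use it as a test surface", v)
		}
	}
	return nil
}

func main() {
	// Constructed inputs: the primer's stress VNIs 1101..1120 on a 1550-byte underlay.
	vnis := make([]uint32, 0, 20)
	for v := uint32(1101); v <= 1120; v++ {
		vnis = append(vnis, v)
	}
	fmt.Println("1550/1500:", ValidateRun(1550, 1500, vnis))
	fmt.Println("1500/1500:", ValidateRun(1500, 1500, vnis))
	fmt.Println("OOBI:", ValidateRun(9050, 9000, []uint32{OOBIVNI}))
	p, _ := Encap(1101, []byte("inner frame"))
	vni, inner, _ := Decap(p)
	fmt.Println(vni, string(inner), len(p)-len(inner))
}
```

ValidateRun refuses a run for the same two reasons the dashboard does, so a run on a 1500-byte underlay with inner_mtu 1500 is rejected before any packet is sent, and VNI 254254 can never appear in a stress VNI set even if a caller passes it explicitly.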
Layered vs standalone¶
- Standalone: test_kind = bgp-saturation with the protocol=vxlan modifier (control-plane stress under VXLAN encap).
- Layered: enable the vxlan_layered modifier on any TLS test to observe the inspection cost when the DUT must additionally decap every packet.
Reading the report¶
Each VXLAN run adds an "Annex L (VXLAN)" block:
- DUT → VTEP capacity claim if published
- Run config → 3 axes
- Encap envelope → DUT throughput delta vs no-VXLAN baseline
- MTU handling → fragmentation count + path-MTU discovery observability
- Per-VNI → per-VNI table fill + lookup latency
Common patterns¶
| Symptom | Likely cause |
|---|---|
| Throughput delta > 30% vs no-VXLAN | DUT VTEP path is software, not ASIC — capture for sales |
| Fragmentation count climbs | Underlay MTU too small for inner_mtu + 50B overhead |
| Per-VNI lookup latency grows linearly | DUT uses linear-scan VNI table — capacity-bounded |
| OOBI overlay disruption | (Should not happen) Verify VNI namespace isolation |
Related¶
- ADR 0019 — OOBI canonical addressing
- pkg/oobi/ — OOBI library (read-only constants)
- STRESS_ENGINES_CATALOG — engine matrix
Last verified against shipping code: v3.7.0 (2026-05-12).