Limitations and Precautions for VXLAN

All models except USG6635E/6655E, USG6680E and USG6712E/6716E support VXLAN.

The VXLAN function is not license-controlled.

NVE interfaces belong to the Local zone. Therefore, you must configure a security policy for the interzone between the Local zone and the security zone where the inbound interface of VXLAN packets resides to permit VXLAN packets. Otherwise, VXLAN tunnels cannot be established.
When configuring an IP address for the source VTEP on the NVE interface, do not use the IP address of a virtual system. Otherwise, the tunnel cannot be established.
If the destination MAC address in the inner tag of a packet is not the MAC address of the BDIF, the FW will discard the packet.
That is, the FW acts only as a Layer-3 VXLAN gateway, not an aggregation device. Ensure the connectivity of the Layer-2 VXLAN network.
The BDIF can be created only in the root system. Then, the BDIF is allocated to a virtual system along with an associated VNI. After the allocation, the original IP address configuration is lost.
The IP address of the remote VTEP cannot be in the same network segment as the IP address of the BDIF. Otherwise, the VXLAN tunnel cannot be established.
VXLAN supports IPv6.