How To Change VXLAN VTEP MTU Size and Teaming Policy

One of my customers has configured VXLAN in vCloud Director environment and then created multiple Provider and Org VDCs and deployed virtual networks. Then we found out that MTU and teaming policy configuration was set up incorrectly. Redeployment of the whole environment would take too much time, fortunately there is a way to do this without rip and replace approach.

First little bit of background. VXLAN VTEPs are configured in vShield Manager or in NSX Manager (via vSphere Web Client plugin) on cluster/distributed switch level. vShield/NSX Manager creates one distributed switch port group with given parameters (VLAN, teaming policy) and then for each host added to the cluster creates VTEP vmknic (with configured MTU size and DHCP/IP Pool addressing scheme). This means that teaming policy can be easily changed directly at vSphere level by direct edit of the distributed switch port group and MTU size can be changed on each host VTEP vmknic. However every new host deployed into the VXLAN prepared cluster would still use the wrong MTU size set in vShield/NSX Manager. Note that as there can be only one VTEP port group per distributed switch, clusters sharing the same vSwitch need to have identical VTEP teaming policy and VLAN ID.

The actual vCNS/NSX Manager VTEP configuration can be changed via following REST API call:

PUT https://<vCNS/NSX Manager FQDN>/api/api/2.0/vdn/switches/<switch ID>

with the Body containing the new configuration.

Example using Firefox RESTClient plugin:

  1. Install Firefox RESTClient plugin.
  2. Make sure vCNS/NSX Manager certificate is trusted by Firefox.
  3. In Firefox toolbar click on RESTClient icon.
  4. Create authentication header: Authentication > Basic Authentication > enter vCNS/NSX Manager credentials
  5. Select GET method and in the URL enter https://<vCNS/NSX Manager FQDN>/api/2.0/vdn/switches
    VDS Contexts
  6. This will retrieve all vswitch contexts in vCNS/NSX domain. Find ID of the one you want to change and use it in the following GET call
  7. Select GET method and in the URL enter https://<vCNS/NSX Manager FQDN>/api/api/2.0/vdn/switches/<switch-ID>
    VDS Context
  8. Now copy the Response Body and paste it into the Request Body box. In the XML edit the parameters you want to change. In my case I have changed:
    <mtu>9000</mtu> to <mtu>1600</mtu> and
    <teaming>ETHER_CHANNEL</teaming> to <teaming>FAILOVER_ORDER</teaming>
  9. Change the metod to PUT and add a new header: Content-Type: application/xml.
    PUT Request
  10. Send the request. If everything went successfully we should get Status Code: 200 OK response.
    OK Response

Now we need in vSphere Client change MTU size of all existing hosts to the new value and also change the teaming policy on VTEP portgroup (in my case from Route based on IP hash to Use explicit failover order).

vCloud Network and Security (vShield Manager) supports following teaming policies:

  • LACP_V2

NSX adds following two teaming policies for multiple VTEP vmknics:


Update 9/22/2014

Existing VXLAN VNI portgroups (virtual wires) will use original teaming policy, therefore they need to be changed to match the new one as well.

When using FAILOVER_ORDER teaming policy there must be also specification of the uplinks in the XML. The uplinks should use the names as defined at the distributed switch level.

<uplinkPortName>Uplink 2</uplinkPortName>
<uplinkPortName>Uplink 1</uplinkPortName>

Update 4/1/2015

As mentioned in the comments below vCNS and NSX differ slightly in the API call. For NSX the correct call is:


(without the switch-id at the end).


15 thoughts on “How To Change VXLAN VTEP MTU Size and Teaming Policy

  1. Hey, excelent post. Really appreciate it but there’s a copy and paste error with the API URI. It’s /api/2.0/vdn/switches and not /api/api/2.0/vdn/switches.
    Again great post!

      1. The 2.0 API (within NSX 6.1) only allows GET & DELETE operations and not PUT so this manipulation isn’t possible in NSX 6.1 world 😦
        I have some NSX engineers on site and they’re contacting others around VMware but the API documents for NSX tally with what we’ve found. Not good taking functionality away.

  2. NOTE – using FAILOVER_ORDER, the port groups will use “Use explicit failover order” and uplinks will be added to the Active Uplinks set in the order you specify the XML elements.

    Thanks for the helpful article.

  3. I am able to make the change from FAILOVER to SRCID on the vDS without issue. I also confirmed new port groups are created with the desired policy. However, when I change an existing port group to match I lose connectivity.

      1. Thank you for the reply Tomas. So in my setup (with a single VTEP) I cannot use anything other than FAILOVER than correct? Not without unpreparing/reconfiguring VXLAN at the cluster level.

  4. In NSX, I could only use GET to see what is configured. With PUT, I can’t run it.

    To: Another

    It shows “HTTP Status 400 The request sent by the client was syntactically incorrect”

  5. Hi,

    We have four uplinks in vDS configuration. Every time the virtual wire deployed by NSX is having all active uplinks.

    What I want to do is, I want to make one uplink as active, one as standby and two are unused uplinks in FAILOVER_ORDER. How can I achieve via this API ?


    Ammad Ali

  6. Hello Tom,
    I have configured LACP uplink on my productive environment and prepare cluster in NSX.
    But when i try to create dlr – it doesen`t works.
    After few days of researcs we found that controllers doesn`t push configuration to esxi hosts.
    Ii seems the issue appears because the presence of the character “,” in the name of the LAGs configured on hosts.

    So the question is:
    if I will create new LAG uplink with correct name and reconfigure dvs to use this uplink as active, and after it push via API new to nsx will it be works?


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.