Cloud-based data centers may use Virtual Local Area Networks (VLANs) such as Virtual Extensible Local Area Networks (VxLANs) to extend Layer 2 (L2) networks across Layer 3 (L3) networks. VLAN (including VxLAN) Tunnel Endpoints (VTEPs) encapsulate Ethernet frames from local endpoint systems served by the VTEPs to form VLAN-encapsulated packets (herein “VLAN packets”). The VTEPs tunnel the VLAN-encapsulated packets to peer VTEPs across an Internet Protocol (IP)-based network, such as the Internet.
Some VTEPs may be configured with a static list of VTEP peers. Other VTEPs may discover VTEP peers at runtime, either when data packets are received from remote VTEPs in the data plane (e.g., unicast or multicast traffic) or when updates are received in the control plane (e.g., BGP-EVPN). Such data packets or updates, however, may be sent by network attackers in order to install rogue VTEPs as peers. VTEPs are not equipped to detect the rogue VTEPs and, therefore, may install them as legitimate VTEP peers. This may cause deleterious effects for the VLAN network, for the VTEPs themselves, and for the endpoint systems they serve.
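The following is an added illustration, not part of the text above and not any vendor's VTEP implementation. It models the two peer-handling behaviours just described: a VTEP that learns any sender of a well-formed VXLAN packet as a peer (the weak behaviour through which a rogue VTEP is installed), beside a VTEP that only accepts traffic from a statically configured peer list and records everything else for alerting. The VXLAN header layout follows RFC 7348 (8 bytes: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte; UDP destination port 4789). The addresses, VNI and inner frames are constructed sample values.

```python
import struct
from dataclasses import dataclass, field

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid


def parse_vxlan_header(payload: bytes):
    """Parse the 8-byte VXLAN header; return (vni, inner_ethernet_frame).

    Raises ValueError for a truncated header or a clear "I" flag, which is
    the minimum sanity check a receiving VTEP should perform before it
    considers the sender at all.
    """
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_and_reserved = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear, VNI not valid")
    return vni_and_reserved >> 8, payload[8:]


def build_vxlan_packet(vni: int, inner_frame: bytes) -> bytes:
    """Build a VXLAN-encapsulated payload (UDP payload only) for the demo."""
    return struct.pack("!B3xI", VXLAN_FLAG_I, (vni & 0xFFFFFF) << 8) + inner_frame


@dataclass
class Vtep:
    """Toy VTEP (hypothetical model) that tracks its peer table."""
    static_peers: frozenset
    learn_from_data_plane: bool = False   # weak setting when True
    peers: set = field(default_factory=set)
    rejected: list = field(default_factory=list)

    def __post_init__(self):
        self.peers.update(self.static_peers)

    def receive(self, src_ip: str, dst_port: int, payload: bytes) -> str:
        """Process one received UDP datagram and return the decision taken."""
        if dst_port != VXLAN_UDP_PORT:
            return "ignored"
        try:
            vni, _inner = parse_vxlan_header(payload)
        except ValueError as err:
            self.rejected.append((src_ip, str(err)))
            return "malformed"
        if src_ip in self.peers:
            return "accepted"
        if self.learn_from_data_plane:
            # Unrestricted data-plane learning: any sender becomes a peer.
            self.peers.add(src_ip)
            return "learned"
        # Static-peer policy: unknown senders are dropped and logged.
        self.rejected.append((src_ip, "unknown VTEP"))
        return "rejected"


def simulate():
    """Feed the same constructed traffic to both VTEP configurations."""
    known_peer = "192.0.2.10"          # constructed, documentation range
    rogue_sender = "198.51.100.7"      # constructed, documentation range
    frame = b"\x00" * 14               # placeholder inner Ethernet frame
    good = build_vxlan_packet(5000, frame)
    bad_flags = struct.pack("!B3xI", 0x00, 5000 << 8) + frame  # I flag clear

    open_vtep = Vtep(frozenset({known_peer}), learn_from_data_plane=True)
    strict_vtep = Vtep(frozenset({known_peer}), learn_from_data_plane=False)
    results = {}
    for name, vtep in (("open", open_vtep), ("strict", strict_vtep)):
        results[name] = [
            vtep.receive(known_peer, VXLAN_UDP_PORT, good),
            vtep.receive(rogue_sender, VXLAN_UDP_PORT, good),
            vtep.receive(rogue_sender, VXLAN_UDP_PORT, bad_flags),
            vtep.receive(rogue_sender, VXLAN_UDP_PORT, good),
        ]
    return open_vtep, strict_vtep, results


if __name__ == "__main__":
    open_vtep, strict_vtep, results = simulate()
    print("open  :", results["open"], sorted(open_vtep.peers))
    print("strict:", results["strict"], sorted(strict_vtep.peers))
    print("strict rejections:", strict_vtep.rejected)
```

The `rejected` list is the point of the strict configuration from a defender's view: a rogue sender that repeatedly hits a VTEP with well-formed VXLAN traffic from an address outside the peer list produces a stream of "unknown VTEP" entries that can be exported to a log pipeline, whereas the open configuration silently absorbs the same sender into its peer table.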