A network device stores a Virtual Extensible Local Area Network (VxLAN) Tunnel Endpoint (VTEP) membership information that associates VxLANs each with a corresponding set of VTEPs authorized to originate VxLAN packets on that VxLAN. The network device receives from a communication network a VxLAN packet that identifies a VxLAN and an originating VTEP. The VTEP compares the originating VTEP to the set of VTEPs associated with the VxLAN in the VTEP membership information that matches the identified VxLAN. If the comparison indicates that the originating VTEP is not included in the set of VTEPs authorized to originate VxLAN packets, the VTEP discards the received VxLAN packet. Otherwise the VTEP further processes the VxLAN packet.