Hubbry Logo
Virtual Extensible LANVirtual Extensible LANMain
Open search
Virtual Extensible LAN
Community hub
Virtual Extensible LAN
logo
7 pages, 0 posts
0 subscribers
Be the first to start a discussion here.
Be the first to start a discussion here.
Contribute something
Virtual Extensible LAN
Virtual Extensible LAN
Virtual Extensible LAN
View on Wikipedia
from Wikipedia

Virtual eXtensible LAN (VXLAN) is a network virtualization technology that uses a VLAN-like encapsulation technique to encapsulate OSI layer 2 Ethernet frames within layer 4 UDP datagrams, using 4789 as the default IANA-assigned destination UDP port number,[1] although many implementations that predate the IANA assignment use port 8472. VXLAN attempts to address the scalability problems associated with large cloud computing deployments.[2] VXLAN endpoints, which terminate VXLAN tunnels and may be either virtual or physical switch ports, are known as VXLAN tunnel endpoints (VTEPs).[3][4]

History

[edit]

VXLAN is an evolution of efforts to standardize on an overlay encapsulation protocol. Compared to single-tagged IEEE 802.1Q VLANs which provide a limited number of layer-2 VLANs (4094, using a 12-bit VLAN ID), VXLAN increases scalability up to about 16 million logical networks (using a 24-bit VNID) and allows for layer-2 adjacency across IP networks. Multicast or unicast with head-end replication (HER) is used to flood Broadcast, unknown-unicast and multicast traffic.[5]

The VXLAN specification was originally created by VMware, Arista Networks and Cisco.[6][7]

Implementations

[edit]

VXLAN is widely, but not universally, implemented in commercial networking equipment. Several open-source implementations of VXLAN also exist.

Commercial

[edit]

Arista, Cisco, and VMware were the originators of VXLAN and support it in various products.

Other backers of the VXLAN technology include Huawei,[8] Broadcom, Citrix, Pica8, Big Switch Networks, Arrcus, Cumulus Networks, Dell EMC, Netgate, Ericsson, Mellanox,[9] Red Hat,[10] Joyent, and Juniper Networks.

Open source

[edit]

Standards specifications

[edit]

VXLAN is officially documented by the IETF in RFC 7348.[10] VXLAN encapsulates a MAC frame in a UDP datagram for transport across an IP network,[14] creating an overlay network or tunnel.

Alternative technologies

[edit]

Alternative technologies addressing the same or similar operational concerns include:

  • IEEE 802.1ad ("Q-in-Q"), which greatly increases the number of VLANs supported by standard IEEE 802 Ethernet beyond 4K.
  • IEEE 802.1ah ("MAC-in-MAC"), which supports tunneling Ethernet in a way that greatly increases the number of VLANs supported while avoiding a large increase in the size of the MAC Address table in a Carrier Ethernet deployment.
  • Network Virtualization using Generic Route Encapsulation (NVGRE), which uses different framing but has similar goals to VxLAN.

See also

[edit]

References

[edit]
[edit]
Revisions and contributorsEdit on WikipediaRead on Wikipedia

Virtual Extensible LAN

View on Grokipedia
from Grokipedia
Virtual Extensible LAN (VXLAN) is a technology that overlays Layer 2 Ethernet networks over an underlying Layer 3 IP infrastructure, enabling the creation of virtualized network segments in large-scale environments such as data centers. It achieves this by encapsulating original Ethernet frames within UDP packets, which are then routed across IP networks using VXLAN Tunnel End Points (VTEPs) located on hypervisors or network devices to handle encapsulation and decapsulation. This approach allows virtual machines (VMs) in different physical locations to communicate as if connected on the same , while preserving Layer 2 semantics like MAC addressing. VXLAN was developed to overcome the scalability limitations of traditional VLANs, which are restricted to 4094 identifiers under the standard due to their 12-bit field. In contrast, VXLAN employs a 24-bit VXLAN Network Identifier (VNI) to support up to 16 million unique network segments, facilitating multi-tenancy, isolation of tenant traffic, and efficient resource utilization in virtualized and setups. Key benefits include support for live VM migration (such as VMware vMotion) without IP address changes or subnet constraints, and the ability to leverage existing IP multicast or unicast mechanisms for broadcast, unknown unicast, and multicast (BUM) traffic handling, thereby reducing the flood domain size and improving performance in east-west data flows. Initiated around 2011 by a of industry leaders including Arista, , , Citrix, , , and to address growing demands for flexible networking, VXLAN gained formal standardization through RFC 7348, published by the (IETF) in August 2014. Since then, it has seen widespread adoption in (SDN) architectures, particularly when combined with BGP (EVPN) for functions, enabling dynamic MAC and learning across distributed environments. Major implementations appear in hypervisors like , open-source projects such as , and hardware from vendors including , Juniper, and Arista, making VXLAN a cornerstone for scalable, multi-tenant cloud infrastructures.

Overview

Definition and Purpose

Virtual Extensible LAN (VXLAN) is a technology that serves as an encapsulation protocol for extending Layer 2 Ethernet networks over an underlying Layer 3 IP infrastructure, utilizing UDP tunneling to encapsulate MAC frames within IP packets. This design enables the creation of virtualized Layer 2 overlays, allowing virtual machines (VMs) and other endpoints to communicate as if they were on the same local network segment, even when separated by routed IP networks. The primary purpose of VXLAN is to overcome the scalability limitations of traditional VLANs, which are restricted to a maximum of 4094 unique identifiers due to the 12-bit VLAN ID field in the 802.1Q header. By employing a 24-bit Virtual Network Identifier (VNI) within its encapsulation header, VXLAN supports up to 16 million distinct logical network segments, facilitating large-scale without the constraints of physical Layer 2 boundaries. This expansion is particularly essential in modern data centers, where the proliferation of virtualized workloads demands flexible segmentation to isolate traffic efficiently. In multi-tenant cloud and environments, VXLAN plays a crucial role in enabling for diverse tenants, ensuring isolation of broadcast domains and traffic while optimizing resource utilization across distributed infrastructure. It operates on the principle of overlay networks, where the VXLAN overlay provides virtualized Layer 2 connectivity atop a physical 3 underlay network, using endpoints to manage the encapsulation and decapsulation processes without altering the underlay's fabric. This separation allows administrators to scale and manage virtual networks independently of the underlying physical topology, supporting dynamic workload mobility and enhanced through tenant-specific isolation.

Key Features and Benefits

Virtual Extensible LAN (VXLAN) employs a 24-bit Virtual Network Identifier (VNI) that enables segmentation of up to 16 million unique virtual networks, vastly surpassing the 4094-limit of traditional VLANs and addressing scalability challenges in large-scale data centers. This feature allows for fine-grained isolation of tenant networks without the constraints of Layer 2 broadcast domains. Additionally, VXLAN uses UDP-based encapsulation to transport Layer 2 frames over IP networks, leveraging the standard UDP port 4789 for seamless integration with existing infrastructure. For handling broadcast, unknown unicast, and multicast (BUM) traffic, VXLAN supports multicast group discovery mechanisms, such as PIM-SM, or unicast head-end replication (HER) to efficiently replicate packets across the overlay without flooding the underlay network. The primary benefits of VXLAN include enhanced in virtualized environments by overlaying Layer 2 networks over a robust Layer 3 underlay. This design facilitates seamless mobility of virtual machines across physical hosts and subnets, preserving their IP addresses and network configurations without requiring reconfiguration or address changes. Furthermore, by operating over IP, VXLAN reduces dependency on the (STP), mitigating its limitations in large topologies such as slow convergence and restricted , while leveraging the inherent loop prevention of Layer 3 . Quantitatively, VXLAN's 16 million segment capacity provides orders-of-magnitude improvement over VLANs, enabling massive multi-tenancy in cloud data centers. VXLAN integrates effectively with (SDN) frameworks, allowing dynamic provisioning and orchestration of overlay networks through centralized controllers that automate tenant isolation and policy enforcement.

Technical Fundamentals

Encapsulation and VTEPs

In VXLAN, the encapsulation process involves wrapping an original Ethernet frame in multiple outer headers to form an overlay tunnel across an underlay IP network. At the ingress VTEP, the inner Ethernet frame—carrying the original Layer 2 payload—is prepended with a VXLAN header, a UDP header (using port 4789), an outer IP header, and an outer Ethernet header. This creates a tunneled packet that traverses the underlay network as standard IP traffic, preserving the Layer 2 semantics of the original frame while enabling scalability beyond traditional VLAN limitations. Upon reaching the egress VTEP, the outer headers are stripped away, and the inner frame is forwarded to the appropriate local endpoint. The VXLAN Tunnel End Point (VTEP) serves as the critical ingress and egress point for this encapsulation and decapsulation process. VTEPs can be implemented in hardware on network switches or in software within hypervisors on virtualized servers, where they manage the tunneling of between virtual machines or endpoints. Key functions include learning mappings to remote VTEP IP addresses, performing the header additions and removals, and ensuring isolation across different overlay segments using the 24-bit VXLAN Network Identifier (VNI). The VNI provides segmentation similar to IDs but supports up to 16 million unique networks. For broadcast, unknown unicast, and (BUM) traffic, VXLAN relies on mechanisms to flood packets efficiently across the overlay without flooding the entire underlay. In the standard multicast-based approach, each VNI is mapped to a specific IP group, and the ingress VTEP sends BUM packets to that group using protocols like PIM-Sparse Mode (PIM-SM); remote VTEPs joined to the group then decapsulate and forward the traffic locally. Alternatively, in environments using (EVPN), BUM traffic can be handled via replication, where the ingress VTEP (or provider edge device) replicates and sends individual packets to each remote VTEP's , avoiding the need for underlay but potentially increasing bandwidth usage. The underlay network supporting VXLAN must provide reliable IP connectivity between VTEPs, typically over IPv4 or IPv6, to ensure seamless tunnel operation. A key consideration is the Maximum Transmission Unit (MTU), as VXLAN encapsulation adds approximately 50 bytes of overhead to the original frame; to avoid fragmentation and performance degradation, the underlay MTU should be at least 1550 bytes when supporting standard 1500-byte Ethernet payloads. VTEPs are not permitted to fragment packets, so proper MTU configuration across the path is essential for end-to-end delivery.

Header Structure and Packet Format

The VXLAN encapsulation adds an outer header stack to the original to enable transport over an IP network. The outer headers consist of an Ethernet header (14 bytes, optionally 18 with tagging), followed by an IP header (20 bytes for IPv4 or 40 bytes for ), and a UDP header (8 bytes) with a destination of 4789, which is the IANA-assigned port for VXLAN traffic. The source UDP is typically dynamically assigned based on a hash of the inner packet to support entropy for load balancing. The core of the encapsulation is the 8-byte VXLAN header, inserted immediately after the UDP header. This header begins with an 8-bit flags field, where the I-bit (bit 6, value 1) indicates a valid VNI follows, and the remaining 7 bits are reserved and set to 0. Following the flags is the 24-bit VXLAN Network Identifier (VNI), which uniquely identifies the virtual network segment (supporting up to 16 million segments), followed by a 32-bit reserved field set to 0. The inner payload is the original , including source and destination MAC addresses, optional 802.1Q tag, , and the higher-layer payload, but excluding the (FCS) to avoid duplication. The full VXLAN packet structure thus sequences as: outer Ethernet header → outer → outer UDP header → VXLAN header → inner . This encapsulation introduces approximately 50 bytes of overhead for IPv4 traffic (14-byte Ethernet + 20-byte IP + 8-byte UDP + 8-byte VXLAN), increasing to about 70 bytes for IPv6. For extensibility beyond Ethernet payloads, VXLAN-GPE (Generic Protocol Extension) modifies the header to support protocols like IPv4 or directly. It reuses the 8-byte structure but repurposes reserved bits: adding a 2-bit version field (initially 0), a P-bit for indicating a next protocol field (8 bits identifying type, e.g., 0x03 for Ethernet), a B-bit for broadcast/unknown/ traffic, an O-bit for operations/administration/ (OAM) packets, and an instance bit, while retaining the 24-bit VNI and reserving the rest to 0; it uses UDP port 4790.

History and Development

Origins and Initial Development

The development of Virtual Extensible LAN (VXLAN) originated in the early 2010s as a collaborative effort among key industry players, including VMware, Arista Networks, and Cisco, to address the scalability challenges posed by rapid server virtualization in data centers. The surge in virtual machines (VMs) created demands for far more than the 4096 network segments supported by traditional IEEE 802.1Q VLANs, while also requiring the extension of Layer 2 connectivity over Layer 3 networks to enable VM mobility across geographically distributed sites for cloud providers and enterprises. This was particularly critical for multi-tenant environments, where elastic provisioning and isolation of resources were essential, but existing technologies like Spanning Tree Protocol struggled with loop prevention and MAC address table limitations in top-of-rack switches. The foundational specification emerged from pre-standardization work, culminating in the first experimental Internet-Draft published on August 26, 2011, authored by M. Mahalingam and T. Sridhar (), D. G. Dutt and L. Kreeger (), K. Duda (Arista), P. Agarwal (), M. Bursell (Citrix), and C. Wright (). This draft proposed VXLAN as a UDP-based encapsulation protocol to create overlay networks, allowing up to 16 million unique identifiers (VNIs) for virtual segments while tunneling Ethernet frames across IP underlays without altering the underlying physical infrastructure. The initiative was motivated by the need to decouple network identity from physical location, facilitating seamless workload migration in virtualized setups. Early prototypes focused on integrating VXLAN into existing platforms for proof-of-concept testing and interoperability. VMware began incorporating VXLAN into its vSphere and nascent NSX networking suite around 2011-2012, enabling features like live VM migration (vMotion) over Layer 3 boundaries to support dynamic cloud scaling. Arista Networks demonstrated hardware-based VXLAN termination in its EOS on the 7500 Series switches at VMworld 2012, leveraging VTEPs for efficient encapsulation and bridging in virtualized environments. Cisco introduced VXLAN support in its Nexus 1000V virtual switch in January 2012, followed by hardware integration in the Nexus 9000 series, allowing initial vendor collaborations to validate multi-tenant isolation and performance before broader IETF engagement. These efforts involved iterative draft proposals and joint interoperability testing among the vendors, ensuring VXLAN's prioritized openness and for emerging architectures without relying on extensions.

Standardization Process

The standardization of Virtual Extensible LAN (VXLAN) progressed through the efforts of the (IETF), particularly via the Network Virtualization Overlays (NVO3) Working Group, which was chartered in 2012 to develop protocols and extensions for in environments. This group emerged from a Birds of a Feather (BoF) session held at IETF 80 in March 2011, focusing on overlay technologies to support scalable multi-tenant over Layer 3 networks. Key milestones in the process included the submission of early individual Internet-Drafts in late 2011, with significant revisions and community feedback occurring throughout 2012 as the proposals aligned with NVO3 objectives. These drafts built on vendor prototypes to propose VXLAN as a UDP-based encapsulation method addressing limitations. The culmination of this phase was the publication of RFC 7348 in August 2014, an informational document authored by a team from , , and other contributors, which defined the core VXLAN protocol, including its 24-bit Virtual Network Identifier (VNI) for up to 16 million segments and encapsulation over UDP port 4789. Following RFC 7348, the and related IETF activities advanced VXLAN through targeted updates for enhanced functionality and deployment. RFC 8365, published in May 2018 by the BESS , integrated VXLAN with (EVPN) as a overlay solution, providing detailed guidance on considerations such as ingress replication for BUM traffic to avoid dependency on underlay infrastructure. Ongoing NVO3 efforts include the development of VXLAN-GPE, outlined in draft-ietf-nvo3-vxlan-gpe (version 13, last updated November 2023; expired without becoming an RFC as of 2025), which extends the VXLAN header to support additional next protocols like IPv4/ and Ethernet, along with metadata options for policy enforcement. Throughout the process, contributions from original VXLAN developers at and , combined with broader industry input from entities like and , emphasized interoperability testing and refinements to ensure VXLAN's compatibility across hardware and software platforms. This collaborative approach, including design team reviews within NVO3, addressed gaps in and extensibility identified during draft iterations.

Implementations

Commercial Solutions

Cisco Systems has been a pioneer in commercial VXLAN implementations, integrating the technology into its Nexus 9000 series switches since 2013 as part of the Application Centric Infrastructure (ACI) framework, with enhanced support for Ethernet VPN (EVPN) control plane introduced in 2015 to enable scalable multi-tenant overlays. These solutions leverage hardware-accelerated ASICs in Nexus switches for high-performance encapsulation and decapsulation, supporting up to 16 million segments via 24-bit VNIs, and integrate seamlessly with the ACI SDN controller for policy-based automation and orchestration. Security enhancements include CloudSec for 256-bit AES-GCM encryption of inter-site VXLAN traffic in multi-site fabrics, ensuring confidentiality without impacting throughput. VMware's NSX-T platform, evolving from NSX-V introduced in , employs VXLAN for hypervisor-based VTEPs on ESXi hosts, enabling software-defined overlays that abstract Layer 2 networks over Layer 3 underlays for virtualized data centers. NSX-T's integration with its central management and allows dynamic VTEP provisioning and load balancing, with hardware offload support on compatible NICs for reduced CPU overhead in high-density environments. Unique to VMware's offering is tight coupling with vSphere for micro-segmentation and distributed firewalling, extending VXLAN tunnels across hybrid clouds while supporting encryption via for secure overlays. Huawei's CloudFabric solution incorporates VXLAN within its fabric architecture, deploying VTEPs on CloudEngine switches since around 2016 to support lossless Ethernet for AI and workloads. The platform uses iMaster NCE-Fabric as an SDN controller for automated VXLAN provisioning, BGP-EVPN signaling, and intent-based networking, optimizing for ultra-low latency in large-scale deployments. Commercial distinctions include via custom ASICs for VXLAN routing at wire speeds and built-in security features like encryption for VXLAN traffic in multi-tenant scenarios. Arista Networks provides VXLAN support in its EOS-based switches, such as the 7050X and 7280R series, enabling overlay networks with EVPN control plane for data center fabrics since the early 2010s. Arista's implementation emphasizes high-scale routing and multicast optimization for BUM traffic, integrating with their CloudVision platform for management and analytics in multi-tenant environments. Juniper Networks integrates VXLAN into its QFX and MX series devices, supporting both static and EVPN-based configurations for Layer 2 extensions over Layer 3 networks. Introduced in Junos OS releases around 2014, Juniper's solutions feature hardware-accelerated VTEPs and interoperability with SDN controllers like Contrail (now Mist AI-driven), facilitating scalable virtualization in enterprise and service provider data centers. Adoption of commercial VXLAN solutions has surged in hyperscale environments, with technologies akin to VXLAN underpinning () Virtual Private Cloud () overlays for traffic mirroring and segmentation since 2019, facilitating scalable isolation across global regions. Post-2020 enhancements have focused on , including environments, where vendors like and support VXLAN for scalable overlays in distributed deployments. For instance, Cisco's 2024 configuration guides detail VXLAN EVPN setups for multi-site fabrics, emphasizing resilient any-to-any connectivity with integrated analytics via Nexus Dashboard.

Open-Source Projects

The has provided native support for VXLAN since version 3.7, released in 2012, enabling the creation of VXLAN tunnel endpoints (VTEPs) directly within the operating system. This integration allows for efficient encapsulation of Ethernet frames over UDP without requiring additional user-space software for basic functionality. Configuration of VTEPs and VXLAN interfaces is facilitated by tools in the suite, such as the ip link add type vxlan command, which supports parameters for VNI assignment, remote endpoints, and learning modes. Recent enhancements in kernel versions 6.x, including improved support for EVPN integration through extended attributes, have optimized VXLAN handling for dynamic control planes in large-scale deployments. Open vSwitch (OVS), an open-source multilayer virtual switch designed for (SDN), incorporates robust VXLAN tunneling capabilities to extend Layer 2 domains across distributed environments. OVS supports VXLAN as a primary overlay protocol, allowing automated tunnel creation between hypervisors or hosts via OpenFlow controllers, which is essential for SDN architectures in virtualized data centers. Similarly, Free Range Routing (FRR), a suite of routing daemons, provides BGP-EVPN support for VXLAN, enabling MAC and learning, route advertisement, and multi-tenancy through standards-compliant EVPN Type-2 and Type-3 routes. Community-driven development of VXLAN has been advanced through contributions to the IETF, where the core protocol was standardized in RFC 7348, and via the Foundation's networking projects, which foster and performance improvements. Testing frameworks like OFTest, originally developed for validation, have been adapted by the community to verify VXLAN behavior in OVS-based setups, ensuring compliance with encapsulation and forwarding requirements. Since 2020, VXLAN integration has expanded into container orchestration ecosystems, particularly through Container Network Interface (CNI) plugins such as Multus, which acts as a meta-plugin to attach multiple networks—including VXLAN overlays—to pods for hybrid cloud-native and virtualized workloads. This enables fine-grained control over pod networking, such as delegating VXLAN tunnels to secondary interfaces managed by plugins like OVS-CNI, supporting scalable deployments post-2020.

Standards and Specifications

Primary RFCs and Protocols

The primary specification for Virtual Extensible LAN (VXLAN) is defined in RFC 7348, published in August 2014, which outlines a framework for overlaying virtualized Layer 2 networks over Layer 3 . This RFC specifies VXLAN encapsulation, where Ethernet frames are tunneled within UDP/IP packets, using a standardized UDP destination port of 4789 and a 24-bit VXLAN Network Identifier (VNI) to segment up to 16 million isolated networks. It emphasizes UDP for its simplicity and compatibility with existing network hardware, while supporting both IPv4 and as outer headers to enable deployment over diverse underlay networks. Related RFCs extend VXLAN's functionality through mechanisms and advanced features. RFC 7432, published in February 2015, introduces BGP MPLS-Based (EVPN), providing a standardized for discovering and advertising MAC addresses and VNIs across provider edge devices, initially focused on MPLS but adaptable to VXLAN overlays. Building on this, RFC 8365 from May 2018 details EVPN as a Overlay (NVO3) solution, explicitly integrating VXLAN for data plane encapsulation and using BGP to distribute reachability information without relying solely on data plane learning. VXLAN interacts with several protocols to form complete overlay networks. It integrates with BGP via EVPN for overlay control plane operations, enabling dynamic endpoint discovery and route advertisement, while the underlay relies on standard protocols. For handling broadcast, unknown , and multicast (BUM) traffic in early deployments, VXLAN uses IP multicast groups mapped to VNIs, requiring underlay support from protocols like Protocol Independent Multicast (PIM) in sparse or source-specific modes. Subsequent RFCs address VXLAN's initial limitations, particularly its dependency on multicast for efficient BUM traffic distribution, which could strain non-multicast-enabled underlays. RFC 8365 mitigates this by supporting ingress replication—where the ingress VTEP replicates packets unicast to remote VTEPs listed in EVPN Inclusive Multicast Ethernet Tag (IMET) routes—alongside optional PIM-based multicast, thus enhancing scalability in unicast-only environments.

Interoperability and Extensions

One key interoperability challenge in VXLAN deployments involves VTEP discovery, which can be achieved dynamically through protocols like BGP-EVPN for scalable, protocol-based remote VTEP learning, or via static configuration for simpler environments without a control plane. In multi-vendor setups, such as between Cisco NX-OS and Juniper Junos OS, BGP-EVPN configurations may lead to route invalidation if next-hop addresses differ—Junos uses the VTEP source IP, while NX-OS expects the physical interface IP—requiring policy adjustments like setting the next-hop to the VTEP IP on Junos with vpn-apply-export. Another common issue is handling MTU mismatches in VXLAN tunnels, where the overhead from encapsulation (typically 50 bytes) can fragment packets if underlay MTUs are not adjusted to at least 1550 bytes, necessitating Path MTU Discovery (PMTUD) enablement via configurations like ip unreachables on uplinks. VXLAN extensions enhance its flexibility beyond the core encapsulation defined in RFC 7348. An IETF draft for VXLAN-GPE introduces a "Next Protocol" field to support diverse payloads like IPv4, , Ethernet, or Header (NSH), along with bits for OAM signaling and ingress-replicated BUM traffic, enabling multi-protocol overlays and service chaining in s. Integration with SRv6 for segment allows seamless handoff at data center interconnects, where EVPN routes are imported into VRFs and mapped to SRv6 SIDs via BGP address families, supporting traffic engineering across VXLAN fabrics and SRv6 cores without . Testing and certification efforts ensure VXLAN reliability across vendors, with IETF-backed events like those organized by EANTC demonstrating multi-vendor compatibility. Multi-vendor for EVPN-VXLAN has been validated in EANTC events, including demonstrations by vendors such as in 2023 and 2025. As of 2025, VXLAN's future directions emphasize alignment with and standards to support low-latency, sliced networks. Enhancements focus on programmable data planes for edge data centers, where VXLAN enables network slice isolation via NFV and edge tools, reducing latency for applications like AI-driven services.

Alternative Technologies

Limitations of Traditional VLANs

Traditional Virtual Local Area Networks (s), defined by the standard, utilize a 12-bit VLAN Identifier (VID) field in Ethernet to tag , enabling up to 4094 unique s (values 1 to 4094, with 0 for priority-tagged null and 4095 for implementation-specific use). Each functions as a separate , logically segmenting the network to contain within defined groups of devices. However, in large-scale networks, this structure leads to challenges, as expanding beyond recommended sizes—such as exceeding 1024 hosts per domain—amplifies broadcast storms and degrades performance due to excessive flooding of unknown , , and across all ports in the domain. A primary limitation arises in virtualized environments, where rapid proliferation of virtual machines (VMs)—often termed VM or VLAN sprawl—quickly exhausts the 4094 VLAN limit, resulting in increased broadcast traffic and management complexity across data centers hosting thousands of VMs. Additionally, traditional VLANs are inherently Layer 2 constructs confined to a single , making it difficult to extend them across Layer 3 boundaries without implementing inter-VLAN via protocols like those supported in , which introduces configuration overhead, potential single points of failure at routers or Layer 3 switches, and scalability issues in multi-site or routed topologies. In data centers characterized by high —server-to-server communications within the same facility—VLANs exacerbate inefficiencies through frequent flooding of frames to all ports in a VLAN when destination MAC addresses are unknown, consuming significant bandwidth and straining switch resources. The reliance on (STP) to prevent loops further compounds this, as STP's convergence times (up to 50 seconds in basic implementations) and per-VLAN instance overhead limit fault domains and introduce delays unsuitable for dynamic, high-volume environments, often leading to suboptimal topologies and increased latency during failures. Prior to 2010, network operators heavily depended on for segmentation, prompting the development of proprietary and standardized extensions to mitigate the 4094-tag constraint, such as (Provider Bridges), ratified in 2005, which introduced double tagging (Q-in-Q) to stack an additional VLAN tag atop the customer tag, effectively expanding the addressable space for service providers while preserving with 802.1Q.

Other Network Virtualization Methods

Network Virtualization using Generic Routing Encapsulation (NVGRE) is a tunneling protocol primarily associated with environments, such as , that leverages Generic Routing Encapsulation (GRE) over IP to enable multi-tenant in data centers. It incorporates a 24-bit Virtual Subnet ID (VSID) within the GRE key extension to segment virtual networks, allowing up to 16 million unique identifiers for scalability across Layer 3 underlays. While NVGRE provides lower encapsulation header overhead compared to UDP-based alternatives—typically around 28 bytes for the IP and GRE components—it incurs higher processing demands in some hardware due to limited support for GRE offloading and lacks the entropy from UDP ports, reducing flexibility for equal-cost multipath (ECMP) routing and load balancing. Generic Network Virtualization Encapsulation (Geneve), standardized by the IETF in RFC 8926, serves as a unified and extensible alternative for overlay networks, using UDP over IPv4 or with a compact 8-byte base header on port 6081. Its key innovation lies in the variable-length Type-Length-Value (TLV) options field following the base header, which supports the insertion of arbitrary metadata (up to 260 bytes total header size (8-byte base plus up to 252 bytes of options)) for advanced features like service chaining or security policies without protocol redesign. This extensibility positions Geneve as more future-proof than VXLAN's rigid 8-byte fixed header, enabling seamless adaptation to evolving control planes and hardware accelerations while maintaining compatibility with existing IP fabrics through UDP source port entropy for ECMP. Geneve's also facilitates among diverse technologies by accommodating capabilities from predecessors like VXLAN and NVGRE. Stateless Transport Tunneling (STT), originally proposed by Nicira (later acquired by ), represents an early UDP-based approach to outlined in an expired IETF Internet-Draft from 2013. STT encapsulates Ethernet frames using a TCP-like header structure to exploit NIC offloads such as TCP Segmentation Offload (TSO) and Large Receive Offload (LRO), aiming for high-throughput performance in environments with minimal state maintenance at endpoints. It features a 64-bit Context ID for network identification, supporting larger segment sizes up to 64 KB, but has achieved limited adoption due to the lack of standardization and the rise of more versatile protocols. In contemporary NSX deployments, STT has been overshadowed by Geneve, rendering it effectively deprecated for new implementations. The following table summarizes key differences among these methods and VXLAN in terms of design trade-offs:
ProtocolEncapsulation Overhead (bytes, approx. tunnel header)Scalability (Network ID bits)Native Control Plane Support
VXLAN36 (IP + UDP + header)24 (16M segments)EVPN (RFC 7432),
NVGRE28 (IP + GRE + key)24 (16M segments)None; relies on external mechanisms
Geneve36+ (IP + UDP + header + TLV options, min. 36)24 (VNI) + extensible optionsEVPN compatible
STT46 (IP + UDP + header)64None

Deployment and Use Cases

Common Applications

VXLAN is widely deployed in virtualization to extend Layer 2 connectivity across Layer 3 boundaries, facilitating seamless (VM) migration in private cloud environments such as . By encapsulating Ethernet frames within UDP packets, VXLAN enables vMotion operations between VXLAN-backed logical switches in NSX for vSphere and overlay segments in NSX-T, allowing VMs to move across hosts without network reconfiguration. This approach supports dynamic workload mobility in scalable fabrics, as demonstrated in Cisco FlexPod deployments with vSphere 7.0, where VXLAN BGP EVPN provides Layer 2 extension for vMotion traffic over 100 GbE interconnects. In multi-tenant environments, VXLAN provides robust for public clouds like , enabling isolated tenant networks while supporting (NFV). uses VXLAN as an overlay for tenant-specific Layer 2 domains, with configurable VNI ranges (e.g., 1001–2000) to connect instances across regions without physical limitations. In NFV contexts, VXLAN-backed logical switches in Integrated ensure secure between Virtual Network Functions (VNFs) within tenant virtual data centers, complemented by Edge Services Gateways for North-South connectivity and firewall isolation. ETSI specifications recognize VXLAN's role in NFV for intra-site multi-tenancy, leveraging 24-bit VNIs to support up to 16 million segments over L3 underlays. VXLAN facilitates hybrid cloud connectivity by establishing secure tunnels that bridge on-premises infrastructure with public clouds, maintaining consistent Layer 2 domains for workload portability. In Cisco's Hybrid Cloud Networking Solution, VXLAN overlays extend on-premises EVPN fabrics to cloud providers via Nexus Dashboard Orchestrator, enabling unified policy enforcement and inter-site L2 extension without proprietary gateways. This tunneling mechanism supports seamless integration in environments like Red Hat OpenStack with OpenShift, where VXLAN-based overlays connect private clusters to public resources over BGP-EVPN control planes. Post-2020, VXLAN has seen adoption in emerging applications such as core networks and IoT edge segmentation, particularly among hyperscalers and telcos. In transport networks, Huawei's IP designs incorporate VXLAN for in Multi-access Edge Computing (MEC), providing low-latency overlays between RAN and core elements to handle ultra-reliable traffic. For IoT edge, Juniper's EVPN-VXLAN architecture segments device traffic in distributed environments, isolating sensors and gateways to enhance security and scalability in industrial deployments. Hyperscalers like AWS and Azure leverage VXLAN extensions in hybrid setups, such as Cisco ACI integrations, to unify on-premises and cloud segmentation for large-scale IoT and workloads.

Challenges and Best Practices

One significant challenge in VXLAN deployment is the dependency on in the underlay network for handling broadcast, unknown , and (BUM) traffic, which can lead to issues in environments lacking robust support, such as public clouds or non-multicast-enabled fabrics. This reliance floods traffic to all VTEPs in a VNI, potentially overwhelming network resources unless optimized. To mitigate this, head-end replication (HER) replicates BUM packets as multiple streams at the ingress VTEP, eliminating needs, while EVPN provides a that distributes MAC/IP information via BGP, enabling ARP suppression and targeted forwarding. Another operational difficulty arises from MTU fragmentation, as VXLAN encapsulation adds approximately 50 bytes to each frame (including outer , UDP, and VXLAN headers), necessitating an underlay MTU of at least bytes to avoid packet drops or fragmentation on default 1500-byte links. In heterogeneous networks, mismatched MTUs between data centers and WAN links can cause connectivity issues, particularly for larger payloads like frames in high-throughput applications. tunnel visibility further complicates deployments, as encapsulated obscures endpoint-to-endpoint paths, making it hard to diagnose issues like asymmetric or VTEP failures without specialized tools. Security concerns in VXLAN stem from the exposure of overlay tunnels to underlay IP network attacks, such as unauthorized access or , since VXLAN packets traverse the IP fabric without inherent or . This vulnerability is heightened in multi-tenant or public underlay scenarios, where adversaries could inject malformed packets or exploit UDP port 4789. To address these risks, overlays are recommended to encrypt and authenticate VXLAN traffic, providing confidentiality and integrity over untrusted networks while supporting hardware-accelerated performance on modern switches. Best practices for VXLAN operations emphasize adopting EVPN as the control plane to decouple MAC learning from data-plane flooding, enabling scalable, multicast-free BUM handling and integrated Layer 2/3 services. For monitoring, tools like should be enabled on VTEPs to export flow statistics, revealing overlay traffic patterns and anomalies despite encapsulation. Ensuring underlay QoS is critical for low-latency performance, with policies applied to prioritize VXLAN UDP traffic (e.g., marking outer IP headers with DSCP values) to prevent congestion-induced delays in real-time applications. Additionally, configuring consistent MTU sizes across the fabric and using overlay-specific diagnostics, such as ping/traceroute over VXLAN tunnels, aids in proactive issue resolution. Post-2020 advancements have focused on to handle large-scale VXLAN configurations, with collections like .nac_dc_vxlan enabling (IaC) workflows that generate and deploy EVPN fabrics via data models, reducing manual errors in multi-site environments. Integration with observability platforms such as has emerged as a key practice, using its pull-based metrics collection to monitor VXLAN endpoints in real-time—scraping data from VTEPs and exporters for dashboards in —thus supporting dynamic and alerting in distributed setups.

References

  1. https://datatracker.ietf.org/doc/html/rfc7348
  2. https://www.juniper.net/documentation/us/en/software/junos/evpn/topics/topic-map/sdn-vxlan.html
  3. https://www.arista.com/assets/data/pdf/Whitepapers/Arista_Networks_VXLAN_White_Paper.pdf
  4. https://onug.net/blog/vxlan-comes-of-age-with-bgp-evpn/
  5. https://www.hpe.com/us/en/what-is/vxlan.html
  6. https://datatracker.ietf.org/doc/html/rfc8365
  7. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/layer2/7x/b_5600_Layer2_Config_7x/config_vxlans.html
  8. https://datatracker.ietf.org/doc/html/draft-ietf-nvo3-vxlan-gpe
  9. https://datatracker.ietf.org/doc/html/draft-mahalingam-dutt-dcops-vxlan-00
  10. https://www.arista.com/assets/data/pdf/Whitepapers/VXLAN_Scaling_Data_Center_Designs.pdf
  11. https://www.theregister.com/2011/08/30/vmware_cisco_vxlan_spec/
  12. https://blog.ipspace.net/2012/09/arista-launches-first-hardware-vxlan/
  13. https://blogs.cisco.com/datacenter/celebrating-5-year-anniversary-of-cisco-nexus-1000v-launch
  14. https://datatracker.ietf.org/wg/nvo3/about/
  15. https://datatracker.ietf.org/doc/draft-mahalingam-dutt-dcops-vxlan/history/
  16. https://datatracker.ietf.org/doc/html/draft-ietf-nvo3-vxlan-gpe-12
  17. https://datatracker.ietf.org/doc/draft-ietf-nvo3-vxlan-gpe/
  18. https://blogs.cisco.com/datacenter/close-peek-at-cisco-aci
  19. https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2015/m02/cisco-continues-open-standard-leadership-with-support-for-evpn-vxlan-overlay-protocol-on-nexus-9000-series-switches.html
  20. https://www.cisco.com/c/en/us/td/docs/dcn/whitepapers/cisco-vxlan-bgp-evpn-design-and-implementation-guide.html
  21. https://blogs.cisco.com/datacenter/multi-site-data-center-networking-with-secure-vxlan-evpn-and-cloudsec
  22. https://blogs.vmware.com/networkvirtualization/2013/08/vmware-nsx.html/
  23. https://www.networkbachelor.com/nsx-t-series-part-3-nsx-vxlan/
  24. https://techdocs.broadcom.com/us/en/vmware-cis/nsx/nsxt-dc/3-2/installation-guide/overview-of-nsx.html
  25. https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-740124.html
  26. https://actfornet.com/ueditor/php/upload/file/20181230/1546128772233537.pdf
  27. https://support.huawei.com/enterprise/en/doc/EDOC1100023542/a273cbc8/vxlan
  28. https://support.huawei.com/enterprise/en/doc/EDOC1100112360/40551ff/example-for-configuring-the-headquarters-and-branch-to-communicate-using-vxlan-over-ipsec-tunnels
  29. https://docs.aws.amazon.com/vpc/latest/mirroring/traffic-mirroring-packet-formats.html
  30. https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/103x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-103x.html
  31. https://docs.openvswitch.org/en/latest/howto/userspace-tunneling/
  32. https://docs.frrouting.org/en/latest/evpn.html
  33. https://datatracker.ietf.org/doc/rfc7348/
  34. https://github.com/k8snetworkplumbingwg/multus-cni
  35. https://www.redhat.com/en/blog/demystifying-multus
  36. https://datatracker.ietf.org/doc/html/rfc7432
  37. https://www.dell.com/support/manuals/en-cr/smartfabric-os10-emp-partner/vxlan-evpn-10-5-2_ug/bgp-evpn-for-vxlan?guid=guid-8a071396-e08a-491f-b94a-97a463559df1&lang=en-us
  38. https://notes.networklessons.com/vxlan-evpn-ingress-replication-with-bgp
  39. https://www.juniper.net/documentation/us/en/software/nce/evpn-vxlan-interop-between-nxos-and-junos-os/evpn-vxlan-interop-between-nxos-and-junos-os.pdf
  40. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/92x/vxlan-92x/configuration/guide/b-cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-92x/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x_chapter_0100.html
  41. https://www.rfc-editor.org/info/rfc7348
  42. https://www.cisco.com/c/en/us/td/docs/dcn/nx-os/nexus9000/105x/configuration/vxlan/cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-release-105x/m-configuring-seamless-integration-of-evpn-with-l3vpn-srv6-93x.html
  43. https://blogs.juniper.net/en-us/industry-solutions-and-trends/proving-data-center-evpn-vxlan-interoperability-at-eantc-2023
  44. https://blogs.juniper.net/en-us/industry-solutions-and-trends/juniper-networks-shines-at-eantc-interoperability-testing-2025
  45. https://www.sciencedirect.com/science/article/pii/S1389128623003535
  46. https://www.researchgate.net/publication/388755176_A_Study_on_5G_Network_Slice_Isolation_Based_on_Native_Cloud_and_Edge_Computing_Tools
  47. https://www.cisco.com/c/en/us/support/docs/lan-switching/8021q/17056-741-4.html
  48. https://community.cisco.com/t5/other-network-architecture-subjects/broadcast-domain-size/td-p/468093
  49. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-125b.pdf
  50. https://www.juniper.net/content/dam/www/assets/white-papers/us/en/switches/evpn-implementation-for-next-generation-data-centers.pdf
  51. https://ualberta.scholaris.ca/bitstreams/3ba1df26-08ad-446b-ab12-7a99f8d8c2a7/download
  52. https://www.cisco.com/c/en/us/support/docs/lan-switching/spanning-tree-protocol-stp-8021d/221799-understand-network-outages-due-to-vlan-i.html
  53. https://www.cisco.com/c/en/us/td/docs/ios/cether/configuration/guide/ce_cfm-ieee_802_1ad.html
  54. https://www.ieee802.org/802_tutorials/2013-03/8021-IETF-tutorial-final.pdf
  55. https://datatracker.ietf.org/doc/html/rfc7637
  56. https://learn.microsoft.com/en-us/windows-server/networking/sdn/technologies/hyper-v-network-virtualization/hyperv-network-virtualization-technical-details-windows-server
  57. https://datatracker.ietf.org/doc/html/rfc8926
  58. https://datatracker.ietf.org/doc/draft-davie-stt/03/
  59. https://www.networkcomputing.com/data-center-networking/vmware-s-sdn-dilemma-vxlan-or-nicira-
  60. https://www.ietf.org/archive/id/draft-ietf-bess-evpn-geneve-08.html
  61. https://kb.vmware.com/s/article/56991
  62. https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/UCS_CVDs/flexpod_esxi70_vxlan_evpn.html
  63. https://docs.openstack.org/tricircle/pike/networking/networking-guide.html
  64. https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/performance/vmware-vcloud-nfv-openstack-edition-reference-architecture.pdf
  65. https://www.etsi.org/deliver/etsi_gr/NFV-IFA/001_099/035/05.01.01_60/gr_NFV-IFA035v050101p.pdf
  66. https://www.cisco.com/c/en/us/td/docs/dcn/ndfc/use-case/hybrid-cloud-connectivity-deployment-guide/cisco-hybrid-cloud-connectivity-deployment-for-nx-os/m-overview.html
  67. https://www.redhat.com/en/blog/building-scalable-virtual-private-cloud-red-hat-openstack-services-openshift
  68. https://carrier.huawei.com/~/media/CNBGV2/download/program/5G-MEC-IP-Network-White-Paper-en-v2.pdf
  69. https://www.juniper.net/content/dam/www/assets/solution-briefs/us/en/iot-network-segmentation.pdf
  70. https://aws.amazon.com/blogs/apn/extending-on-premises-cisco-cloud-aci-network-security-segmentation-to-aws/
  71. https://www.ciscopress.com/articles/article.asp?p=2803865&seqNum=2
  72. https://www.arista.com/assets/data/pdf/Whitepapers/Arista_Design_Guide_DCI_with_VXLAN.pdf
  73. https://www.juniper.net/documentation/us/en/software/junos/evpn/ovsdb-vxlan-qfx/topics/example/overlay-ping-traceroute-vxlan.html
  74. https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/17-14/configuration_guide/vxlan/b_1714_bgp_evpn_vxlan_9300_cg/configure-bgp-evpn-vxlan-over-ipsec.html
  75. https://www.cisco.com/c/en/us/td/docs/dcn/ndfc/1213/articles/ndfc-data-center-vxlan-evpn/data-center-vxlan-evpn.html
  76. https://www.cisco.com/c/en/us/td/docs/switches/lan/cisco_ie9300/software/Configuration_Guide/BGP-EVPN-VXLAN/b-bgp-evpn-vxlan-cg/configuring_bgp_evpn_vxlan_qos.html
  77. https://galaxy.ansible.com/ui/repo/published/cisco/nac_dc_vxlan/docs/
  78. https://trepo.tuni.fi/bitstream/handle/10024/153120/NguyenAnh.pdf?sequence=2&isAllowed=y
Add your contribution
Related Hubs
Contribute something
User Avatar
No comments yet.