Traditional network segmentation technologies, such as VLAN (Virtual Local Area Network), have been in use for decades, but their limitations have become apparent as data center scales and multi-tenancy requirements have grown. To address these challenges, VXLAN (Virtual Extensible LAN) technology was developed.
What is VXLAN? #
VXLAN (Virtual Extensible LAN) is a network virtualization technology that creates a Layer 2 overlay network on top of a Layer 3 network, providing greater flexibility and scalability than traditional VLANs. VXLAN’s primary design goal is to overcome the limitations of traditional VLANs in terms of scale and cross-data center connectivity.
Limitations of VLANs #
Traditional VLANs use a 12-bit identifier, supporting a maximum of 4,096 VLAN IDs. This limit may be sufficient for small networks but is inadequate for large-scale data centers. Furthermore, a VLAN’s broadcast domain is typically confined to the same physical switch or device, making Layer 2 network connectivity across data centers or wide-area networks very complex and impractical.
The Introduction of VXLAN #
VXLAN uses a 24-bit VXLAN Network Identifier (VNI), which can support up to 16 million virtual networks. This dramatically expands network scalability, making it especially suitable for large data centers and cloud computing environments that require extensive virtual network isolation. In addition, VXLAN encapsulates Layer 2 Ethernet frames within a Layer 3 network, allowing Layer 2 networks to span different Layer 3 networks, which enhances network flexibility.
How VXLAN Works #
The core of VXLAN is the VXLAN Tunnel Endpoint (VTEP). A VTEP is responsible for encapsulating and decapsulating VXLAN data packets. VTEP devices map the VXLAN VNI to a physical network interface, enabling communication between different networks.
The VXLAN Encapsulation Process #
In VXLAN, an Ethernet frame sent by a source device first arrives at a VTEP. The VTEP then encapsulates this frame into a VXLAN packet. A VXLAN packet consists of the following parts:
- Original Ethernet Frame: The data to be transmitted.
- VXLAN Header: Contains the 24-bit VNI to identify different VXLAN segments.
- UDP Header: VXLAN uses UDP as the transport protocol.
- IP Header: Contains the IP addresses of the source and destination VTEPs.
- Outer Ethernet Header: Used to transmit the encapsulated packet over the physical network.
Packet Transmission and Decapsulation #
The encapsulated VXLAN packet is transmitted over the Layer 3 network (i.e., the IP network). Because VXLAN packets are encapsulated in UDP, they can be transmitted over any IP-enabled network infrastructure. When the packet arrives at the destination VTEP, the VTEP decapsulates it, extracts the original Ethernet frame, and forwards it to the destination device, thereby extending the Layer 2 network within the Layer 3 network.
The VXLAN Control Plane #
Although the initial VXLAN standard did not specify a control plane, modern VXLAN implementations often use protocols like BGP EVPN (Border Gateway Protocol Ethernet VPN) to distribute MAC addresses and IP information. This method improves network efficiency and scalability and reduces network flooding.
VLAN vs. VXLAN: A Comparison #
VLAN and VXLAN are both network virtualization technologies designed to improve the utilization and management of network resources, but they differ significantly in technical implementation, application scenarios, and scalability.
Identifier Space #
VLAN uses a 12-bit VLAN ID, supporting up to 4,096 VLANs. This scale is generally sufficient for small to medium-sized networks.
In contrast, VXLAN uses a 24-bit VNI, which can support up to 16 million virtual networks. This makes VXLAN ideal for large-scale cloud computing and data center environments.
Working Principle and Encapsulation #
VLAN achieves logical network isolation at the data link layer (Layer 2) by inserting an 802.1Q tag into the Ethernet frame. VXLAN, on the other hand, encapsulates the original Ethernet frame into a UDP packet and transmits it over a Layer 3 network, which allows VXLAN to span different network segments and provides broader network virtualization capabilities.
Network Scale and Isolation #
VLAN isolation is typically based on the port configuration of a physical switch, limited to a single broadcast domain. In contrast, VXLAN creates Layer 2 networks between multiple physical switches through tunneling, allowing for more flexible logical isolation and cross-subnet communication.
Bandwidth Efficiency and Network Latency #
In traditional networks, VLANs may be limited by the Spanning Tree Protocol (STP), which blocks certain network paths and affects bandwidth utilization. VXLAN can bypass STP limitations and utilize all available network paths. While the encapsulation process introduces some latency, this impact is generally acceptable in modern high-speed networks.
Application Scenarios #
VLAN is suitable for smaller-scale network segmentation, such as isolating departments within a corporate network. VXLAN is better suited for cloud service providers and large data centers, especially when a large number of tenants need isolation and virtual network extension across data centers.
How VXLAN Solves Traditional VLAN Problems #
VXLAN provides a more flexible and scalable network virtualization solution, addressing many of the issues with traditional VLANs in large-scale networks. Here are some of VXLAN’s improvements:
Scalability #
VXLAN’s 24-bit VNI supports up to 16 million unique identifiers, far exceeding the 4,096 ID limit of traditional VLANs. This allows VXLAN to meet the network segmentation needs of large data centers and cloud environments.
Configuration and Management Complexity #
VXLAN can be used with control plane protocols like BGP EVPN to automate the distribution of MAC and IP addresses, simplifying network configuration and management. This reduces the possibility of manual configuration errors and lowers management complexity.
Multi-Tenant Environments #
With up to 16 million VNIs, VXLAN can create separate virtual networks for each tenant, ensuring traffic isolation and enhanced security. In multi-tenant environments, VXLAN makes it easier to implement network management and security policies.
Network Topology Limitations #
By encapsulating Layer 2 Ethernet frames in Layer 3 IP packets, VXLAN allows Layer 2 networks to span a Layer 3 network infrastructure. This means networks can be extended to different data centers and geographical locations without being constrained by the physical network topology.
Virtual Machine Migration Issues #
Because VXLAN can operate across Layer 2 networks in a data center, virtual machines can be seamlessly migrated between different physical hosts without changing their IP addresses or network configuration. This greatly simplifies the VM migration process and reduces the risk of network interruptions.
Redundancy and Load Balancing Complexity #
VXLAN leverages the load balancing and redundancy features of IP networks, reducing reliance on the Spanning Tree Protocol (STP). This simplifies network configuration and improves network resilience and performance.
Broadcast Domain Expansion Issues #
VXLAN can use control plane protocols (such as BGP EVPN) to optimize the handling of broadcast, unknown unicast, and multicast traffic, which reduces flooding and improves network performance and stability.
Management and Monitoring Difficulty #
VXLAN supports more advanced network management and monitoring tools, providing better network visibility and troubleshooting capabilities. By using control plane protocols, MAC and IP address information can be centrally managed, simplifying the troubleshooting process.
A Quick Recap #
VXLAN (Virtual eXtensible Local Area Network) is a network virtualization technology designed to solve the scalability issues of traditional VLANs in large-scale data centers.
VXLAN establishes an L2 tunnel over an L3 network, encapsulating Ethernet frames in UDP packets for transmission. This encapsulation method is known as MAC-in-UDP.
The devices at the start and end of a VXLAN tunnel are responsible for encapsulating and decapsulating VXLAN packets.
Similar to VLAN IDs, the VNI is a 24-bit network identifier that can theoretically support up to 16 million VXLAN segments.