A Network Engineer’s Perspective of Virtual Extensible LAN (VXLAN)

David Smith

What Is VXLAN?

Virtual Extensible LAN (VXLAN) has been around for a few years now, but it may still be unfamiliar to many. If you work in IT, getting familiar with how VXLAN works and what it can do may benefit you and your organization.

The Traditional Approach

Most of us have implemented VLANs on our networks and understand what they provide. A VLAN is the traditional way to bound a Layer 2 broadcast domain, and the usual practice of mapping one IP subnet to each VLAN gives you a segmentation boundary that you can police at a Layer 3 hop. With the IEEE 802.1Q standard, the 12-bit VLAN ID gives you a maximum of 4094 usable VLANs. Sounds like more than enough, right? A few years ago it was, but with the move to the cloud and the need for many tenants on the same network, each wanting its own segments, you can quickly exhaust that number. Remember also that a VLAN is a Layer 2 construct whose edge is normally an L3 boundary, and you may run into situations where a Layer 2 segment must cross L3 boundaries. For example, clustering applications to a recovery site, hypervisor virtual machine mobility, and many disaster recovery scenarios may require extending a VLAN to other sites. The classical approach of VLANs will just not do the trick, but VXLAN may come to the rescue.

VXLAN–The Essentials

VXLAN is an overlay technology that encapsulates standard Layer 2 Ethernet frames inside IP, specifically in UDP with destination port 4789, the port assigned by the Internet Assigned Numbers Authority (IANA). This MAC-in-UDP encapsulation creates a tunnel that lets you extend a Layer 2 segment across any Layer 3 network: an 8-byte VXLAN header is added in front of the original Layer 2 frame, the result is placed inside a UDP datagram, and that datagram is sent out across your routed domain. The VXLAN header carries a VNID, or VXLAN Network Identifier, which defines your VXLAN broadcast domain. It is a 24-bit ID. Compared to the 12-bit ID of a normal VLAN, that gives you up to roughly 16 million unique segments, far more than the traditional 4094 VLAN limit. Devices that support VXLAN are called VTEPs, or VXLAN tunnel endpoints. These can be physical or virtual end hosts, or network devices like routers and switches; this is where encapsulation and de-encapsulation actually take place. A VTEP has an interface on the local LAN segment, to support communication with local end points, and another interface on the transport L3 network (the underlay), and it bridges between the two: frames from the local segment are encapsulated toward the remote VTEP, and VXLAN packets arriving from the underlay are de-encapsulated onto the local segment.
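To make the encapsulation concrete, here is an added example (not code from the article) that builds and parses the outer Ethernet/IPv4/UDP/VXLAN headers by hand, using only the Python standard library. The VTEP addresses, MACs and the inner frame are constructed sample values from the documentation ranges, not captured traffic; the decapsulation side also shows the checks a VTEP has to make before trusting the VNI in a received packet.

```python
"""Build and parse VXLAN (RFC 7348) encapsulation by hand.

Added illustration, not code from the article. Uses only the standard
library. Addresses, MACs and the inner frame are constructed samples.
"""
import socket
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned destination port
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1        # 24-bit VNID: 16,777,215 is the largest value


def mac(s):
    """'00:00:5e:00:53:01' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # Second 32-bit word is VNI << 8 with the low byte reserved (zero).
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8)


def ip_checksum(hdr):
    """Standard one's-complement checksum over the IPv4 header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def overhead_bytes(outer_vlan_tag=False, ipv6=False):
    """Bytes the underlay wire carries in front of the original frame."""
    return 14 + (4 if outer_vlan_tag else 0) + (40 if ipv6 else 20) + 8 + 8


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, outer_src_mac,
                outer_dst_mac, src_port=49152):
    """Wrap an Ethernet frame in Ethernet/IPv4/UDP/VXLAN as a VTEP would.

    src_port is normally a per-flow hash of the inner headers so the
    underlay's ECMP can spread tunnel traffic; a fixed value is used here.
    """
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    # UDP checksum 0 ("not computed") is permitted over IPv4.
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip_nochk = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                           64, 17, 0, socket.inet_aton(src_vtep),
                           socket.inet_aton(dst_vtep))
    ip = ip_nochk[:10] + struct.pack("!H", ip_checksum(ip_nochk)) + ip_nochk[12:]
    eth = mac(outer_dst_mac) + mac(outer_src_mac) + struct.pack("!H", 0x0800)
    return eth + ip + udp + vx + inner_frame


def decapsulate(packet):
    """Strip the outer headers; return (vni, src_vtep_ip, inner_frame).

    Rejects anything that is not IPv4/UDP to port 4789 with the I flag set,
    which is the minimum a receiving VTEP must check before acting on a VNI.
    """
    if len(packet) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("truncated packet")
    if struct.unpack("!H", packet[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != 17:
        raise ValueError("outer packet is not UDP")
    src_ip = socket.inet_ntoa(packet[14 + 12:14 + 16])
    udp_off = 14 + ihl
    _sport, dport, ulen, _chk = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN (UDP dport != 4789)")
    vx_off = udp_off + 8
    flags, _rsvd, word2 = struct.unpack("!B3sI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set; VNI is not valid")
    return word2 >> 8, src_ip, packet[vx_off + 8:udp_off + ulen]


# Constructed sample: a minimal IPv4 frame from host A to host B in VNI 5000.
INNER_FRAME = (mac("00:00:5e:00:53:02") + mac("00:00:5e:00:53:01")
               + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 39)

if __name__ == "__main__":
    pkt = encapsulate(INNER_FRAME, 5000, "192.0.2.1", "192.0.2.2",
                      "00:00:5e:00:53:aa", "00:00:5e:00:53:bb")
    print("overhead:", len(pkt) - len(INNER_FRAME), "bytes")
    print("decoded:", decapsulate(pkt)[:2])
```

The 50 bytes that `overhead_bytes()` returns for the IPv4 case are the figure the MTU discussion later in the article is based on; an outer 802.1Q tag or an IPv6 underlay pushes it higher.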


The Good (and Maybe Some Bad)

VXLAN can provide millions of Layer 2 segments while still maintaining isolation between them. This is a great thing if you are an enterprise that requires a large multi-tenant environment, or a cloud provider. On the other hand, you may not be a service provider and may only need to extend a couple of Layer 2 domains across your IP WAN. VXLAN might still be the way to go, particularly if your data center switches and hypervisors already support it. Another nice feature is that, because VXLAN traffic is ordinary IP/UDP to the underlay, it can make use of your existing equal-cost multipath routing and link aggregation: VTEPs vary the UDP source port per flow, so tunneled traffic is spread across all available paths to remote networks.

Any Layer 3 network will support VXLAN, but there are some caveats that may require changes to that network. First, with VXLAN as the overlay riding on your routed Layer 3 underlay, the tunnel adds 50 bytes of headers in front of each original Layer 2 frame (14 bytes outer Ethernet, 20 bytes IPv4, 8 bytes UDP, 8 bytes VXLAN), and more if the underlay uses IPv6 or tags the outer frame. This means the transport network needs an MTU of at least 1550 bytes rather than the standard 1500, and full jumbo frame support may be needed if the tenant traffic itself uses jumbo frames. Second, with the standard flood-and-learn behavior of VXLAN, you must enable IP multicast end-to-end in the underlay: each VXLAN segment, or VNID, is mapped to an IP multicast group, and every VTEP serving that segment joins the group. Broadcast, unknown unicast and multicast frames are sent to the group, while a VTEP that de-encapsulates a packet learns that the inner source MAC address sits behind the outer source VTEP, so subsequent unicast traffic to that MAC is sent directly to that VTEP. The multicast distribution tree is built across your routed domains, which lets communication flow between the VTEPs. Implementations that replace the multicast requirement with head-end replication or a BGP EVPN control plane exist, but plain flood and learn needs multicast. Third, from a security standpoint, VXLAN itself provides no authentication or encryption: any device that can send UDP port 4789 traffic to a VTEP can inject frames into any VNID it names, and a flood-and-learn VTEP will learn MAC locations from such packets. Keep the underlay restricted to trusted devices, filter UDP 4789 at the edge of the underlay, and use IPsec or MACsec where tunnels cross a network you do not control.
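The flood-and-learn behavior described above, as an added example that is not part of the original article: a small model of the forwarding table a VTEP keeps, showing how a broadcast ARP request from one host teaches the remote VTEP where that host lives, how the reply then goes as a unicast tunnel packet, and how the same MAC address in a different VNID is a separate entry. The VTEP IPs, multicast groups and MAC addresses are constructed sample values.

```python
"""Flood-and-learn forwarding at a VTEP with multicast-based flooding.

Added illustration, not code from the article. VTEP addresses, MACs and
the VNID-to-group mapping are constructed sample values.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_mac(mac):
    """Broadcast or multicast destination: low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


class Vtep:
    def __init__(self, ip, vni_groups):
        self.ip = ip
        self.vni_groups = dict(vni_groups)   # VNID -> underlay multicast group
        self.mac_table = {}                  # (VNID, inner MAC) -> remote VTEP IP

    def forward(self, vni, dst_mac):
        """Outer destination for a frame arriving from the local LAN segment."""
        if vni not in self.vni_groups:
            raise KeyError(f"VNID {vni} is not configured on VTEP {self.ip}")
        if is_group_mac(dst_mac):
            return ("multicast", self.vni_groups[vni])
        remote = self.mac_table.get((vni, dst_mac))
        if remote is None:                   # unknown unicast: flood to the group
            return ("multicast", self.vni_groups[vni])
        return ("unicast", remote)

    def receive(self, vni, inner_src_mac, outer_src_ip):
        """De-encapsulation side: drop unknown VNIDs, else learn MAC -> VTEP.

        Note that the learned entry comes from an unauthenticated underlay
        packet; this is why the underlay must be limited to trusted VTEPs.
        """
        if vni not in self.vni_groups:
            return False
        self.mac_table[(vni, inner_src_mac)] = outer_src_ip
        return True


def simulate():
    """Host A behind VTEP1 talks to host B behind VTEP2 in VNID 5000."""
    groups = {5000: "239.1.1.50", 6000: "239.1.1.60"}
    vtep1 = Vtep("192.0.2.1", groups)
    vtep2 = Vtep("192.0.2.2", groups)
    a, b = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
    trace = []
    # 1. A broadcasts an ARP request for B: VTEP1 floods it to the group.
    trace.append(vtep1.forward(5000, BROADCAST))
    vtep2.receive(5000, a, vtep1.ip)          # VTEP2 learns A is behind VTEP1
    # 2. B replies; VTEP2 already knows where A is, so the reply is unicast.
    trace.append(vtep2.forward(5000, a))
    vtep1.receive(5000, b, vtep2.ip)          # VTEP1 learns B is behind VTEP2
    # 3. A to B traffic now goes straight to VTEP2 without flooding.
    trace.append(vtep1.forward(5000, b))
    # 4. The same MAC in VNID 6000 is a separate entry: unknown, so flooded.
    trace.append(vtep1.forward(6000, b))
    # 5. A packet for a VNID this VTEP does not serve is dropped, not learned.
    trace.append(vtep2.receive(7000, a, "198.51.100.9"))
    return trace


if __name__ == "__main__":
    for step in simulate():
        print(step)
```

Step 4 is the isolation property the article relies on: the table is keyed by VNID as well as MAC, so a tenant in one segment cannot be reached from another just by reusing an address.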

VXLAN: The Future of VLANs

VXLAN offers major benefits, particularly compared to traditional VLANs. VXLAN lets a network support the massive number of segments and tenants found in cloud and multi-tenant environments, while providing the same isolation and segmentation as classic VLANs. Additionally, you get the ability to stretch a Layer 2 segment, whether its hosts are physical or virtual, beyond the local area network to a recovery site, a colocation facility, or the cloud. It is clear that VXLAN offers much of what modern networks are calling for today.

For more information about VXLAN, contact a Connection Networking Expert today.

David has over 15 years of networking experience. His certifications include Cisco CCIE and HP Master ASE. In his free time, David enjoys time with his family and playing golf.