VXLAN

Posted on Aug 16, 2024 by

What is VXLAN?

Virtual Extensible Local-Area Network (VXLAN) is a network virtualization technology standard developed by the Internet Engineering Task Force (IETF). It enables multiple organizations, or "tenants", to share a single physical network while keeping their network traffic isolated from each other.

VXLANs can be compared to individual apartments in a building, where each apartment is a private unit within a shared structure. Similarly, each VXLAN is a separate, private network segment within a shared physical network.

Technically, VXLAN allows a physical network to be divided into up to 16 million virtual or logical networks. It achieves this by encapsulating Layer 2 Ethernet frames into Layer 4 User Datagram Protocol (UDP) packets with a VXLAN header. When used in conjunction with an Ethernet Virtual Private Network (EVPN), which transports Ethernet traffic over virtualized networks using WAN protocols, VXLAN allows Layer 2 networks to be extended across a Layer 3 IP or MPLS network.

How Does VXLAN Work?

The VXLAN tunneling protocol wraps Layer 2 Ethernet frames within Layer 4 UDP packets, allowing the creation of virtualized Layer 2 subnets across physical Layer 3 networks. Each subnet is assigned a unique VXLAN Network Identifier (VNI).

The process of encapsulating and decapsulating packets is managed by the VXLAN Tunnel Endpoint (VTEP). A VTEP can be a standalone network device, such as a physical router or switch, or a virtual switch operating on a server. VTEPs wrap Ethernet frames into VXLAN packets and transmit them to the destination VTEP via an IP or Layer 3 network, where the packets are unwrapped and sent to the target server.

For devices that cannot function as VTEPs on their own, such as bare-metal servers, hardware VTEPs, such as specific Juniper switches and routers, handle the encapsulation and decapsulation of packets. Additionally, VTEPs can be implemented within hypervisor hosts, such as Kernel-based Virtual Machine (KVM) hosts, to directly support virtualized environments. This type of VTEP is referred to as a software VTEP.

Hardware and software VTEPs are shown below:

[Figure: hardware VTEPs (switches and routers) and software VTEPs (hypervisor hosts)]

In the following figure, when VTEP1 receives an Ethernet frame from Virtual Machine 1 (VM1) addressed to Virtual Machine 3 (VM3), it looks up the VNI and the destination MAC address in its forwarding table to find the VTEP to send the packet to. VTEP1 prepends a VXLAN header carrying the VNI to the Ethernet frame, encapsulates the result in a UDP/IP packet, and routes the packet to VTEP2 over the Layer 3 network. VTEP2 decapsulates the original Ethernet frame and forwards it to VM3. VM1 and VM3 are completely unaware of the VXLAN tunnel and the Layer 3 network between them.

[Figure: VM1 sends a frame to VM3; VTEP1 encapsulates it with the VNI and routes it across the Layer 3 network to VTEP2, which decapsulates it and delivers it to VM3]
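As an added example (not part of this article), the encapsulation and decapsulation just described, in Python: the 8-byte VXLAN header with its 24-bit VNI, the (VNI, destination MAC) forwarding lookup at VTEP1, and VTEP2 dropping a frame tagged with a VNI it does not serve, which is what keeps one tenant's traffic out of another's segment. The VTEP IPs, MAC addresses, VNIs and frame payload are constructed; outer IP/UDP headers are left to the host stack.

```python
import struct
VXLAN_UDP_PORT = 4789        # IANA-assigned UDP port for VXLAN
FLAG_VNI_VALID = 0x08        # "I" bit: the VNI field carries a valid value

def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", FLAG_VNI_VALID, b"\x00" * 3, vni << 8)

def parse_vxlan_header(payload: bytes):
    """Return (vni, inner_frame); reject short headers and headers without the I bit."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_word = struct.unpack("!B3sI", payload[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_word >> 8, payload[8:]

class Vtep:
    """Minimal software VTEP: forwarding table keyed by (VNI, inner destination MAC)."""
    def __init__(self, ip: str, vnis):
        self.ip = ip
        self.vnis = set(vnis)    # VNIs (tenant segments) this VTEP serves
        self.fdb = {}            # (vni, dst_mac) -> remote VTEP IP
    def learn(self, vni: int, mac: bytes, remote_ip: str):
        self.fdb[(vni, mac)] = remote_ip
    def encapsulate(self, vni: int, frame: bytes):
        """Look up (VNI, dst MAC) and prepend the VXLAN header; outer IP/UDP is left to the host stack."""
        remote_ip = self.fdb[(vni, frame[:6])]     # first 6 bytes of an Ethernet frame = dst MAC
        return remote_ip, VXLAN_UDP_PORT, build_vxlan_header(vni) + frame
    def decapsulate(self, payload: bytes):
        """Strip the header; a frame tagged with a VNI this VTEP does not serve is dropped."""
        vni, frame = parse_vxlan_header(payload)
        if vni not in self.vnis:
            return None          # tenant isolation: never deliver into a local segment
        return vni, frame

# Constructed sample: VM1 -> VM3 frame (dst MAC, src MAC, EtherType, payload).
VM1_MAC = bytes.fromhex("020000000001")
VM3_MAC = bytes.fromhex("020000000003")
FRAME = VM3_MAC + VM1_MAC + b"\x08\x00" + b"constructed IP payload"

def demo():
    vtep1 = Vtep("10.0.0.1", vnis=[5001])
    vtep2 = Vtep("10.0.0.2", vnis=[5001])
    vtep1.learn(5001, VM3_MAC, vtep2.ip)           # VM3 lives behind VTEP2
    remote, port, udp_payload = vtep1.encapsulate(5001, FRAME)
    delivered = vtep2.decapsulate(udp_payload)     # (5001, FRAME) handed to VM3
    stray = vtep2.decapsulate(build_vxlan_header(6002) + FRAME)  # wrong tenant: None
    return remote, port, delivered, stray
```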

Key Advantages of VXLAN

Because VXLANs are encapsulated within UDP packets, they can operate over any network that supports UDP transmission. The physical configuration and geographical distance between nodes in the underlying network are irrelevant, provided that UDP datagrams are correctly forwarded from the VXLAN Tunnel Endpoint (VTEP) that encapsulates the traffic to the VTEP that decapsulates it.

When VXLAN is used with EVPN, operators can create virtual networks using physical ports on any network switches that support the VXLAN standard and are within the same Layer 3 network. For instance, you could use a port from switch A, two ports from switch B, and another port from switch C to form a virtual network that appears as a single physical network for all connected devices. Devices within this virtual network would not be able to see traffic from other VXLANs or the underlying network infrastructure.

Problems Addressed by VXLAN

Just as server virtualization has significantly enhanced agility and flexibility, virtual networks that are independent of physical infrastructure are simpler, faster, and more cost-effective to manage. For instance, VXLANs allow multiple tenants to securely share a single physical network, enabling network operators to scale their infrastructure quickly and affordably to meet increasing demands. The primary goals of network segmentation are to ensure privacy and security, preventing one tenant from accessing or viewing the traffic of another tenant.

While network operators have traditionally used VLANs for logical segmentation, VXLANs address the scaling limitations of VLANs in several ways:

  • VXLANs can theoretically support up to 16 million segments within an administrative domain, compared to the 4094 VLANs allowed by traditional methods. This capability meets the large-scale segmentation needs of cloud and service providers, accommodating numerous tenants.

  • VXLANs facilitate network segments that extend across data centers. Traditional VLAN segmentation creates broadcast domains, but VLAN information is stripped away by routers, limiting VLANs to the reach of the underlying Layer 2 network. This limitation affects scenarios like virtual machine (VM) migration, which typically avoids crossing Layer 3 boundaries. VXLAN encapsulates the original packet within a UDP packet, allowing network segments to span the entire Layer 3 routed network, provided that all switches and routers support VXLAN. This means applications on the virtual overlay network can remain within the same Layer 2 network, even if UDP packets pass through multiple routers.

  • VXLAN's capability to deliver Layer 2 segmentation over a Layer 3 network, along with its support for numerous network segments, enables servers to be part of the same VXLAN regardless of their physical location. This also helps network administrators maintain smaller Layer 2 networks, reducing the risk of MAC table overflow on switches.

Primary Applications of VXLAN

For service providers and cloud providers, the use of VXLAN is quite clear: these operators manage numerous tenants or customers and must segregate each customer's network traffic due to legal, privacy, and ethical considerations.

In enterprise settings, a tenant might represent a user group, department, or any collection of network-segmented users or devices established for internal security. For instance, isolating Internet of Things (IoT) devices, like data center environmental sensors, from production network traffic is a prudent security measure because these devices are vulnerable to security breaches.
