What Is Underlay vs Overlay Network in Networking?

Also known as: underlay vs overlay network, CCNP ENCOR overlay, VXLAN explained, overlay network definition, underlay network definition

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

An underlay network is the actual physical hardware like routers, switches, and cables that move data from one place to another. An overlay network is a software-defined network that sits on top of the underlay, creating virtual connections that are independent of the physical layout. Think of the underlay as the roads and highways, and the overlay as the GPS directions that tell you which route to take, regardless of road conditions.

Must Know for Exams

In Cisco certification exams, particularly the CCNP Enterprise (350-401 ENCOR) exam, underlay and overlay networks are a core topic. The exam blueprint explicitly lists 'Architecture for Overlay and Underlay Networks' under the Architecture domain. This means questions can appear on the design principles, protocols, and implementation steps for both types. You are expected to know when to use an overlay versus designing a flat underlay, and how each approach impacts scalability, performance, and manageability.

The ENCOR exam tests your understanding of VXLAN as a dominant overlay technology. You may be asked to identify the role of the underlay in a VXLAN fabric: the underlay must provide IP connectivity between VTEPs (VXLAN Tunnel Endpoints). Questions often describe a scenario where a network engineer is troubleshooting connectivity between two hosts that share a VXLAN segment but sit behind different VTEPs, and you need to check whether the underlay routing is functional. Similarly, the exam expects you to know that the underlay typically runs a dynamic routing protocol such as OSPF or IS-IS, while the overlay uses BGP EVPN (or LISP in SD-Access) as its control plane.

In addition, the exam may test your knowledge of Cisco SD-Access, which is a specific implementation of an overlay network. In SD-Access, the underlay is a routed fabric, and the overlay is built using LISP and VXLAN. The exam may ask about the functions of the control plane (LISP) versus the data plane (VXLAN), or how to map a virtual network to a physical infrastructure. Questions about network automation and programmability also tie into overlays, as tools like Cisco DNA Center automate overlay provisioning.

The concept also appears in more advanced exams like the CCIE Enterprise Infrastructure, where you must configure and troubleshoot VXLAN EVPN fabrics. At that level, you need to understand the interaction between underlay BGP sessions and overlay EVPN address families. Even in cloud networking exams, such as AWS or Azure certifications, the concept of overlay networks is reused under names like Virtual Private Cloud (VPC) or Virtual Networks. So mastering this topic early in your studies builds a strong foundation for multiple certification paths.

Simple Meaning

Imagine you are in a large office building with many floors. The building itself has physical hallways, staircases, and elevators. These are the underlay network. They exist in the real world and you can touch them. Now imagine the building also has a system of colored lines painted on the walls and floors that guide different types of people to their destinations. For example, blue lines for visitors, red lines for employees, and green lines for deliveries. These lines are like the overlay network. They use the same physical hallways and elevators, but they create separate paths that are easier to manage and change. If you need to change a visitor route, you do not need to knock down a wall or install a new elevator. You just repaint the line.

In computer networking, the underlay consists of the actual routers, switches, fiber optic cables, and wireless access points that send packets of data as electrical or light signals. The overlay network is a virtual network created in software. It encapsulates packets inside other packets so they can travel across the underlay in a way that is invisible to the physical devices. For instance, a company can create an overlay network that connects all its branch offices securely over the public internet, without needing to lease private physical circuits. The underlay internet may carry each packet along a different path, but the overlay keeps the traffic private and intact (through encryption and integrity protection) and delivers it to the right branch. This separation makes networks more flexible, scalable, and easier to manage.

A simple way to grasp this is to think of the postal system. The underlay is the entire postal infrastructure: mail trucks, sorting centers, airplanes, and delivery vans. The overlay is a special courier service that uses the same postal trucks but puts your package in a sealed, tamper-proof bag with a unique tracking number. The courier service can reroute your package, provide extra security, and guarantee delivery times without changing how the postal trucks operate. In the same way, an overlay network can add features like encryption, traffic prioritization, or network segmentation without modifying the underlying hardware.

Full Technical Definition

In networking, the underlay network refers to the physical infrastructure responsible for the actual forwarding of data packets. This includes routers, switches, optical transport equipment, and the cabling or wireless links that connect them. The underlay operates at Layers 1 through 3 of the OSI model, handling physical signaling, data link framing, and IP routing. Protocols such as OSPF, IS-IS, and BGP are commonly used in the underlay to establish reachability and exchange routing information. The underlay must provide connectivity and bandwidth, and it is often optimized for performance and reliability.

An overlay network is a logical or virtual network built on top of the underlay. It creates a separate, software-defined topology that can be independent of the physical topology. Overlay networks use encapsulation to wrap packets from the overlay inside packets that the underlay can forward. Common encapsulations include VXLAN (Virtual Extensible LAN), GRE (Generic Routing Encapsulation), IPsec, and MPLS (Multiprotocol Label Switching) label stacks. For example, VXLAN encapsulates Layer 2 Ethernet frames inside UDP/IP packets (destination UDP port 4789), allowing a virtual LAN to extend across Layer 3 boundaries. This enables network virtualization, where multiple virtual networks share the same physical infrastructure without interfering with one another.

Overlay networks are a cornerstone of modern data center and enterprise architectures, particularly in Cisco's SD-Access and ACI (Application Centric Infrastructure) solutions. In SD-Access, the underlay is typically a routed fabric using IS-IS, while the overlay uses VXLAN with a control plane based on LISP. This separation allows network administrators to design and change virtual networks without reconfiguring physical devices. Overlay networks also enable multitenancy, where different customers or departments have isolated network segments over a shared underlay. In cloud environments, overlay networks like those in VMware NSX or Amazon Virtual Private Cloud (VPC) allow virtual machines to move between physical hosts while retaining their IP addresses and network policies.

One key technical aspect is the control plane versus data plane separation. In many overlay designs, the underlay handles the data plane, forwarding encapsulated packets based on the outer header. The overlay control plane manages the mapping between virtual endpoints and their underlay locations. For instance, in VXLAN EVPN (Ethernet VPN), BGP is used to distribute MAC address and IP address information across the overlay, so each endpoint knows where to send encapsulated traffic. This approach significantly improves scalability compared to traditional flooding-based learning.

Real-Life Example

Think of a large university campus with multiple buildings, each with its own internal hallways and doorways. The physical campus roads, sidewalks, and building entrances make up the underlay. Now imagine the university also has a special shuttle service that runs only for faculty members. The shuttle follows a specific route created by software: it picks up faculty at designated stops, takes them between buildings, and even has a priority lane at intersections. This shuttle service is the overlay. It uses the same physical roads as everyone else, but it adds a layer of convenience, security, and custom routing.

If the university decides to change the faculty shuttle route because a new building opened, it does not need to repave the roads or install new traffic lights. The facilities team simply updates the software that controls the shuttle schedule and stops. This is exactly how an overlay network works. If an IT team wants to create a new virtual network for an engineering lab, they configure the overlay on the existing routers and switches. They do not need to install new cables or buy new hardware. The overlay encapsulation keeps the lab's traffic separated from other campus traffic, even though it travels over the same physical cables.

Another layer to this analogy: suppose the faculty shuttle has a camera system that records every trip. This footage is encrypted and only accessible to authorized security personnel. Similarly, an overlay network can encrypt all traffic between two branches, so that even someone who taps the physical fiber cannot read the data. Note that the encryption has to come from the overlay protocol you choose: an IPsec overlay provides it, while VXLAN by itself carries the inner frame in cleartext. The physical road (underlay) does not care what the shuttle is doing; it just provides the pavement. The shuttle service (overlay) adds security, routing, and management on top. This separation of concerns is what makes overlay networks so powerful for enterprises that need to adapt quickly without major infrastructure overhauls.

Why This Term Matters

Understanding the difference between underlay and overlay networks is critical for anyone working in modern IT, especially as networks become more software-driven. In real-world IT environments, overlay networks allow companies to create multiple isolated networks over a single physical fabric. This is essential in data centers where different applications, customers, or security zones need to coexist without conflict. For example, a hospital might use an overlay network to separate patient data traffic from guest Wi-Fi traffic, all while using the same physical switches and cables. This reduces hardware costs and simplifies management.

In enterprise networking, overlays enable seamless mobility. When a user moves from one office to another, the overlay network can keep their IP address and access policies consistent, even if the underlay topology changes. This is vital for voice and video applications that break if the network path changes abruptly. Overlay networks also facilitate secure remote connectivity. A company can build an overlay using IPsec VPNs to connect branch offices over the internet, creating a virtual private network that is isolated from the public underlay.

In cybersecurity, overlay networks support microsegmentation. Instead of placing a firewall at the network edge, overlay networks can enforce security policies between individual virtual machines within the same data center. For instance, a web server and a database server can be placed in separate overlay segments, and traffic between them is only allowed if the policy permits. This greatly reduces the attack surface. Without overlays, achieving this level of isolation would require physical firewalls and complex VLAN configurations that are difficult to scale.

From a career perspective, most Cisco CCNP exams, especially ENCOR, cover underlay and overlay concepts extensively. Professionals who master these concepts can design and troubleshoot complex networks using technologies like VXLAN, SD-Access, and EVPN. Employers look for engineers who understand how to build scalable, flexible networks that can adapt to changing business needs. Overlay networks are not just a theoretical idea; they are deployed in thousands of organizations worldwide, from small businesses to global enterprises.

How It Appears in Exam Questions

Exam questions on underlay and overlay networks appear in several forms. The most common is the scenario-based multiple-choice question. For instance, the exam might describe a company that wants to extend a Layer 2 VLAN across three data centers that are connected by a routed Layer 3 underlay. The question asks which technology should be used. The correct answer is VXLAN, because it encapsulates Ethernet frames over IP, creating an overlay that operates over the routed underlay. A distractor might be to use a traditional VLAN trunk, which would require a Layer 2 underlay and is not scalable.

Another question pattern involves troubleshooting. A scenario describes a user unable to reach a server on a different subnet, even though both are part of the same overlay network. The question asks what to check first. The correct answer would be to verify the underlay routing between the VTEPs, because if the physical path is broken, the overlay cannot function. This type of question tests whether you understand that the overlay depends on the underlay for basic reachability.

There are also design questions. A company is planning a new data center with multiple tenants. The question asks whether to use a flat underlay with VLANs or an overlay with VXLAN. The correct answer is the overlay, because it supports 16 million virtual networks versus 4096 VLANs, and it allows tenant isolation without physical segmentation. These questions require you to know the limitations of traditional architectures and the benefits of overlays.

Configuration-related questions might ask you to match commands to their function. For example, you might be given a list of commands and asked to identify which one maps a VLAN to a VXLAN Network Identifier (VNI) on a switch, or which protocol provides the overlay control plane in SD-Access (LISP). Some questions test your ability to interpret output from show commands, such as show nve peers on NX-OS or show lisp session on an SD-Access edge node. You must be able to tell the underlay source and destination IP addresses apart from the overlay endpoint identifiers (host MACs and IPs, or LISP EIDs).

Finally, there are compare-and-contrast questions: 'Which of the following is true about underlay networks compared to overlay networks?' Options might include statements about where routing decisions are made, which layer of the OSI model they operate at, or which one requires more manual configuration. Knowing these distinctions helps you eliminate wrong answers quickly.

Example Scenario

A regional bank has 15 branch offices and a central data center. Each branch has its own local network with printers, file servers, and point-of-sale systems. The bank wants all branches to be able to securely share data with the data center, but they do not want to lease expensive MPLS circuits from a provider. The bank already has internet connections at each site.

The bank's network engineer decides to create an overlay network using IPsec VPN tunnels between each branch and the data center. The underlay is the public internet. The overlay is the collection of encrypted tunnels. Each branch's traffic is encapsulated and sent to the data center, where it is decrypted and forwarded to the appropriate server. The underlay (internet) has no idea which traffic belongs to which branch; it just forwards packets based on their outer IP headers.

Now, consider a situation where the bank acquires a new branch. To connect it, the engineer does not need to order a new private circuit. They configure a new IPsec tunnel on the new branch's internet router and a matching one on the data center firewall. The underlay remains unchanged. This scenario shows the flexibility of overlay networks: new sites can be added quickly, and the underlay is unaffected. If the bank had used a traditional wide area network design, adding a new site would require provisioning a new leased line or buying additional hardware, which takes weeks. The overlay approach reduces time and cost.

Common Mistakes

Thinking that the underlay and overlay are two completely separate physical networks.

The overlay network runs on top of the underlay using the same physical infrastructure. They are not separate; the overlay creates virtual paths within the same hardware.

Remember that the underlay provides the physical pipes, and the overlay creates logical tunnels through those pipes. They share the same cables, switches, and routers.

Believing that overlay networks do not need an underlay to function.

Overlay networks depend entirely on the underlay for packet delivery. If the underlay fails, the overlay breaks because there is no physical path for the encapsulated packets to travel.

Think of the overlay as a house built on a foundation. The foundation (underlay) must be solid; otherwise, the house (overlay) collapses. Always troubleshoot the underlay first when an overlay issue arises.

Assuming that VXLAN only works in data centers and not in enterprise campus networks.

VXLAN is widely used in campus networks, especially in Cisco SD-Access. It is not limited to data centers. Any environment that needs scalable network virtualization can use VXLAN.

Recognize that VXLAN is a general-purpose overlay technology suitable for any network requiring Layer 2 extension over Layer 3 underlays, including campuses, branch offices, and cloud.

Confusing the overlay data plane with the overlay control plane.

The data plane forwards encapsulated traffic (e.g., VXLAN packets), while the control plane distributes information about endpoints (e.g., MAC and IP addresses). They are separate functions that use different protocols.

When studying overlay networks, keep the data plane and control plane distinct. For VXLAN, the data plane is MAC-in-UDP encapsulation (UDP port 4789), and the control plane is usually BGP EVPN (or LISP in SD-Access) to share reachability information.

Thinking that overlay networks automatically improve performance.

Overlay networks add encapsulation overhead, which can increase packet size and processing delay. They do not inherently make the network faster; they add flexibility and manageability at the cost of slight performance overhead.

Understand that overlays trade off small performance overhead for operational benefits like segmentation, mobility, and automation. Always consider underlay capacity when designing overlays.

Exam Trap — Don't Get Fooled

In an exam, a question might state that an overlay network replaces the need for a routing protocol in the underlay. The correct answer is false, but many learners assume that because the overlay handles routing virtually, the underlay does not need OSPF or IS-IS. Always remember that the underlay requires a functional routing protocol to provide IP connectivity between overlay endpoints.

The overlay does not eliminate the need for underlay routing; it operates on top of it. When in doubt, draw the path: the overlay packet has an outer IP header that must be routed by the underlay.

Commonly Confused With

Underlay vs Overlay Network vs VLAN (Virtual LAN)

VLANs are a Layer 2 segmentation technique within a single switch or between switches connected by a trunk. Overlay networks like VXLAN can extend Layer 2 segments across a Layer 3 underlay, which VLANs cannot do without special configurations.

VLANs segment traffic within one Layer 2 domain, whether that is a single switch or several switches joined by trunks. VXLAN overlays carry those segments across routed networks, so a VLAN can span data centers in different cities over an IP underlay.

Underlay vs Overlay Network vs VPN (Virtual Private Network)

VPNs are a type of overlay network specifically designed to provide secure, encrypted connections over a public underlay like the internet. Overlay networks are a broader category that includes VPNs, but also includes technologies like VXLAN and MPLS L3VPN.

IPsec VPN is an overlay for secure site-to-site connections. VXLAN is another overlay for data center virtualization. Both are overlays, but VPN is a subset focused on security.

Underlay vs Overlay Network vs SD-WAN (Software-Defined WAN)

SD-WAN is an overlay technology that uses software to manage WAN connections, often bonding multiple underlays (MPLS, broadband, LTE). It is a specific implementation of an overlay for wide area networks, while overlay networks in general can be used in any network context.

An SD-WAN overlay might ride on both a fiber underlay and a cellular underlay for redundancy, while a data center VXLAN overlay normally rides on a single routed IP underlay such as a spine-leaf fabric.

Step-by-Step Breakdown

1

Physical Infrastructure Setup

The underlay begins with deploying routers, switches, and cabling. These devices must be physically connected and powered on. This step creates the foundation for all network traffic. Without a functional underlay, no overlay can operate.

2

Underlay Routing Configuration

Configure a dynamic routing protocol like OSPF or IS-IS on all underlay devices. This ensures that every device knows how to reach every other device in the underlay. The routing protocol learns paths and recovers from link failures. This IP reachability is essential for overlay endpoints to communicate.

3

VTEP Configuration

Identify the devices that will act as VXLAN Tunnel Endpoints (VTEPs). These are typically top-of-rack leaf switches or data center gateways. Give each VTEP an underlay IP address, usually a loopback advertised by the underlay routing protocol, that will be the source and destination of its VXLAN tunnels. The VTEPs form the edge of the overlay: everything behind them is overlay, everything between them is underlay.

4

Overlay Control Plane Setup

Establish a method for VTEPs to learn about remote hosts. In VXLAN EVPN, this means configuring BGP sessions between VTEPs or with route reflectors. The BGP EVPN address family carries MAC and IP address information. In simpler implementations, multicast or flood-and-learn can be used, but EVPN is preferred for scalability.

5

VXLAN Network Identifier (VNI) Mapping

Map each virtual network to a unique VNI. The VNI is a 24-bit identifier embedded in the VXLAN header. Each VNI corresponds to a separate overlay segment. Configure the VTEP to associate a VNI with a specific VLAN or interface. This step defines the segmentation boundaries.

6

Traffic Encapsulation and Forwarding

When a host sends a frame destined for another host in the same VNI, the local VTEP encapsulates the original Ethernet frame with a VXLAN header, then a UDP header (destination port 4789) and an outer IP header. The outer IP header carries the underlay addresses of the source and destination VTEPs, so the underlay forwards the packet like any other IP packet, without looking at the inner frame.

7

Verification and Troubleshooting

Verify that the tunnels are up and that the control plane has learned the endpoints, using the platform's commands (for example show nve peers and show nve vni on NX-OS, or show lisp session on an SD-Access edge node). Check that the underlay routing table has a route to each remote VTEP address. Troubleshoot bottom-up: ping from VTEP loopback to VTEP loopback to confirm underlay reachability first, then check the overlay VNI and endpoint mappings.

Practical Mini-Lesson

In practice, underlay and overlay networks are designed together, but they are managed separately. As a network engineer, you first build the underlay to be simple, resilient, and high-performance. Common underlay designs use a spine-leaf topology in data centers, where every leaf switch connects to every spine switch, providing predictable latency and easy scalability. The underlay runs a dynamic routing protocol like BGP (with IPv4 unicast) or IS-IS, and it should have enough bandwidth to accommodate all overlay traffic plus overhead from encapsulation.

Once the underlay is stable, you deploy the overlay. The overlay requires careful configuration of VTEPs. In a Cisco environment, you might use Nexus 9000 switches with VXLAN EVPN. The overlay control plane uses BGP EVPN to exchange type-2 routes (MAC/IP advertisements) and type-3 routes (inclusive multicast Ethernet tag routes, which tell each VTEP where to replicate broadcast, unknown-unicast and multicast traffic). You must configure the VNI-to-VLAN mapping and ensure that the underlay MTU is large enough to carry the extra 50 bytes of VXLAN encapsulation. If the underlay MTU is 1500, you must raise it to at least 1550; in practice underlay links are set to jumbo frames such as 9216. Relying on IP fragmentation is best avoided, and many VTEP implementations simply drop an oversized packet rather than fragment it.

Common issues in production include MTU mismatches: when a VTEP sends a 1550-byte packet over an underlay with a 1500-byte MTU, the packet is fragmented or, more commonly, dropped, and the classic symptom is that small packets such as pings work while large transfers stall. Engineers must configure the underlay interfaces with a larger MTU, at least 1550 to 1600 and usually jumbo frames, and ensure that every intermediate device supports it. Another issue is the VXLAN destination UDP port (default 4789): if firewall rules or ACLs in the underlay block this port between VTEPs, the overlay fails. Always verify that UDP 4789 is permitted between VTEP addresses. The same rule cuts the other way: VXLAN carries no authentication or encryption, so any host that can deliver UDP 4789 packets to a VTEP's address can inject frames into a VNI. Permit that port only between the VTEP loopbacks and drop it from everywhere else.
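The encapsulation in steps 5 and 6 of the breakdown above, and the MTU and UDP 4789 checks just described, are easiest to see in code. The following is an added example, not code or configuration from this page or from Cisco: a toy VTEP in Python that maps a VLAN to a VNI, consults a control-plane MAC table of the kind BGP EVPN type-2 routes would populate, builds the real outer Ethernet/IPv4/UDP/VXLAN headers byte for byte, refuses to send when the underlay has no route to the remote VTEP or when the result would exceed the underlay MTU, and drops received packets whose VNI is not configured locally. Every IP address, MAC address, route and frame in it is constructed for the example.

```python
# Added example, not from the page: a toy VTEP showing VLAN-to-VNI mapping, the
# control-plane MAC lookup, VXLAN encapsulation and the checks a real VTEP applies.
# All IPs, MACs, routes and frames below are constructed for the example.
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789              # IANA-assigned VXLAN destination port
VXLAN_OVERHEAD = 14 + 20 + 8 + 8   # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_checksum(header):  # one's-complement sum; checksum field is zero on input
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

class VTEP:
    def __init__(self, ip, mac, underlay_routes, mtu, vlan_to_vni):
        self.ip, self.mac, self.mtu = ip, mac, mtu
        self.underlay_routes = [ipaddress.ip_network(r) for r in underlay_routes]
        self.vlan_to_vni = vlan_to_vni
        self.vni_to_vlan = {vni: vlan for vlan, vni in vlan_to_vni.items()}
        # Control-plane table as EVPN type-2 routes would fill it: (VNI, host MAC) -> remote VTEP IP
        self.mac_table = {}

    def learn(self, vni, host_mac, remote_vtep):
        self.mac_table[(vni, mac_bytes(host_mac))] = remote_vtep

    def encapsulate(self, vlan, inner, next_hop_mac):
        """Wrap a frame received on `vlan` in outer Ethernet/IPv4/UDP/VXLAN."""
        vni = self.vlan_to_vni[vlan]
        remote = self.mac_table.get((vni, inner[0:6]))
        if remote is None:  # a real VTEP would flood this via ingress replication
            raise LookupError("destination MAC unknown in VNI %d" % vni)
        if not any(ipaddress.ip_address(remote) in n for n in self.underlay_routes):
            raise ConnectionError("no underlay route to VTEP %s" % remote)  # overlay fine, underlay broken
        if len(inner) + VXLAN_OVERHEAD > self.mtu:
            raise ValueError("%d-byte frame exceeds MTU %d once encapsulated" % (len(inner), self.mtu))
        # VXLAN header: flags with the I bit set, 24 reserved bits, 24-bit VNI, 8 reserved bits
        vxlan = struct.pack("!BBBBI", 0x08, 0, 0, 0, vni << 8)
        udp_len = 8 + len(vxlan) + len(inner)
        src_port = 49152 + (zlib.crc32(inner[:12]) & 0x3FFF)  # hashed from inner MACs for underlay ECMP
        udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum is legal on IPv4
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                             ipaddress.ip_address(self.ip).packed, ipaddress.ip_address(remote).packed)
        ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
        eth = mac_bytes(next_hop_mac) + mac_bytes(self.mac) + b"\x08\x00"
        return eth + ip_hdr + udp + vxlan + inner

    def decapsulate(self, packet):
        """Strip the outer headers and return (local VLAN, inner frame), or drop."""
        if packet[12:14] != b"\x08\x00" or packet[23] != 17:
            raise ValueError("not IPv4/UDP")
        udp_off = 14 + (packet[14] & 0x0F) * 4
        if struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0] != VXLAN_UDP_PORT:
            raise ValueError("UDP destination port is not 4789")
        vx_off = udp_off + 8
        if not packet[vx_off] & 0x08:
            raise ValueError("VXLAN I flag not set")
        vni = struct.unpack("!I", packet[vx_off + 4:vx_off + 8])[0] >> 8
        if vni not in self.vni_to_vlan:  # segment isolation: no local mapping for this VNI
            raise PermissionError("VNI %d not configured here; frame dropped" % vni)
        return self.vni_to_vlan[vni], packet[vx_off + 8:]

def build_fabric():  # two leaves on one routed underlay (10.0.0.0/24); VLAN 100 maps to VNI 10100
    mapping = {100: 10100, 200: 10200}
    leaf1 = VTEP("10.0.0.1", "00:00:00:00:00:01", ["10.0.0.0/24"], 1600, mapping)
    leaf2 = VTEP("10.0.0.2", "00:00:00:00:00:02", ["10.0.0.0/24"], 1600, mapping)
    leaf1.learn(10100, "00:bb:bb:bb:bb:02", "10.0.0.2")  # host B sits behind leaf2
    return leaf1, leaf2

def sample_frame(payload_len=46, dst="00:bb:bb:bb:bb:02"):  # constructed frame from host A behind leaf1
    return mac_bytes(dst) + mac_bytes("00:aa:aa:aa:aa:01") + b"\x08\x00" + bytes(payload_len)

def demo():  # returns (bytes of overhead added, VLAN at the far end, inner frame intact)
    leaf1, leaf2 = build_fabric()
    inner = sample_frame()
    packet = leaf1.encapsulate(100, inner, "00:00:00:00:00:ff")  # next hop: spine MAC
    vlan, frame = leaf2.decapsulate(packet)
    return len(packet) - len(inner), vlan, frame == inner

def _drop_reason(fn):  # name of the exception a send or receive attempt raised, if any
    try:
        fn()
    except Exception as e:
        return type(e).__name__
    return "delivered"

def failure_modes():  # the three drops operators meet most often, keyed by cause
    leaf1, _ = build_fabric()
    spine = "00:00:00:00:00:ff"
    leaf1.mtu = 1500  # underlay left at the default MTU: 1500-byte frame + 50 > 1500
    mtu = _drop_reason(lambda: leaf1.encapsulate(100, sample_frame(1486), spine))
    leaf1.mtu = 1600
    leaf1.learn(10100, "00:cc:cc:cc:cc:03", "10.9.9.9")  # VTEP outside the underlay's routes
    underlay = _drop_reason(lambda: leaf1.encapsulate(100, sample_frame(dst="00:cc:cc:cc:cc:03"), spine))
    leaf3 = VTEP("10.0.0.3", "00:00:00:00:00:03", ["10.0.0.0/24"], 1600, {300: 10300})
    vni = _drop_reason(lambda: leaf3.decapsulate(leaf1.encapsulate(100, sample_frame(), spine)))
    return {"mtu": mtu, "underlay": underlay, "vni": vni}
```

demo() returns (50, 100, True): exactly 50 bytes of overhead were added, the far-end VTEP mapped VNI 10100 back to VLAN 100, and the inner frame came through untouched. failure_modes() shows the three outcomes the text warns about: the frame that no longer fits the underlay MTU, the destination that the control plane knows but the underlay cannot route to, and the VNI that the receiving VTEP has no local mapping for. Note that the toy accepts any packet that arrives on UDP 4789; a real deployment must filter that port to VTEP addresses, because the VXLAN header itself carries nothing that proves who sent it.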

From a broader perspective, overlay networks are central to network automation. Tools like Ansible can push overlay configurations to hundreds of switches simultaneously. Cisco DNA Center automates the provisioning of SD-Access overlay fabrics. As a professional, you should learn to read overlay troubleshooting logs and correlate them with underlay metrics. For example, if overlay traffic is slow, check underlay link utilization and routing convergence. The overlay is only as good as the underlay that supports it.

Memory Tip

Overlay is like a 'layer on top' — it adds features without changing the physical roads. Underlay is 'under it all' — the foundation that must be running and reachable. If the underlay breaks, the overlay is just a ghost town.

Frequently Asked Questions

Do I need to configure the underlay before the overlay?

Yes. The underlay must provide IP connectivity between all devices that will participate in the overlay. Without a working underlay, the overlay tunnels will not come up.

Can the same underlay support multiple overlays?

Yes. The underlay is shared by all overlays running on it. Each overlay is isolated by its own VNI or virtual network identifier, so traffic from different overlays does not mix.

What is the overhead of VXLAN encapsulation?

VXLAN adds 50 bytes to each packet: 8 bytes for the VXLAN header, 8 bytes for the outer UDP header, 20 bytes for the outer IPv4 header, and 14 bytes for the outer Ethernet header. This means the underlay MTU must be at least 1550 for typical 1500-byte payloads (1554 if the outer frame carries an 802.1Q tag, and 20 bytes more again with an outer IPv6 header, which is 40 bytes instead of 20).

Is the underlay always Layer 3?

In modern designs, the underlay is a routed Layer 3 network. Some overlays can run directly over Layer 2 links, for example MPLS label switching, whose labels sit directly on the Ethernet frame, but VXLAN and SD-Access require a routed IP underlay because their outer header is an IP header.

Can I use the overlay to bypass underlay routing problems?

No. The overlay depends on the underlay to forward its encapsulated packets. If the underlay has routing issues, the overlay cannot deliver traffic. You must fix the underlay first.

Is an overlay more secure than an underlay?

Not inherently. Overlay networks can add security features such as encryption (IPsec) and microsegmentation, but VXLAN on its own encrypts nothing and authenticates nothing, and the underlay still needs its own security (access lists, firewall policies, and protection of the VTEP addresses and UDP port 4789). Security is a layered approach.

What is the difference between VXLAN and VLAN?

VLANs operate at Layer 2 and require a flat Layer 2 underlay. VXLAN is an overlay that works over a Layer 3 underlay, allowing Layer 2 segments to extend across routers and wide area networks. VXLAN also supports 16 million segments versus VLAN's 4096.

Will overlay networks replace underlay networks?

No. Overlay networks are built on top of underlay networks. They complement each other. The underlay handles physical transport, and the overlay adds virtualization and management. Both are necessary.

Summary

Underlay and overlay networks are two sides of the same coin in modern networking. The underlay is the physical infrastructure that provides raw connectivity, using hardware like routers, switches, and cables. The overlay is a virtual network that runs on top, using encapsulation to create isolated, flexible, and programmable network segments.

Understanding this distinction is essential for Cisco certification exams, especially ENCOR, where you must know how technologies like VXLAN, LISP, and EVPN interact with the underlay. In real-world IT, overlays enable rapid deployment, seamless mobility, and strong security through microsegmentation, all while using existing hardware. For exams, remember that the underlay must be functional, reachable, and properly configured with routing protocols before the overlay can work.

Common exam traps include forgetting that the underlay still needs routing and confusing control plane with data plane. By mastering this topic, you build a foundation for advanced studies in data center, campus, and cloud networking.