What Does VXLAN Mean?
Also known as: Virtual Extensible LAN, VXLAN overlay, VNI
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
VXLAN (Virtual Extensible LAN) is a network virtualization technology designed to address the scalability limitations of traditional VLANs. It creates overlay networks that can span across Layer 3 boundaries, allowing virtual machines and workloads to communicate as if they were on the same physical switch, regardless of their actual location. VXLAN encapsulates Layer 2 Ethernet frames inside UDP packets, using a 24-bit segment identifier called the VXLAN Network Identifier (VNI) to support up to 16 million isolated networks, compared to the 4094 VLAN limit. The primary purpose of VXLAN is to enable network virtualization in data centers and cloud environments, particularly for multi-tenant architectures where each tenant requires isolated Layer 2 domains. It operates as an overlay on top of an existing IP network, meaning the underlying physical infrastructure only needs to route IP packets. This decouples the virtual network from the physical topology, simplifying moves, adds, and changes. VXLAN is standardized in RFC 7348 and is widely used with hypervisors like VMware vSphere and KVM, as well as in SDN solutions.
Must Know for Exams
On the CompTIA Network+ exam (N10-008), VXLAN is tested under Domain 1.0 (Networking Fundamentals) and Domain 2.0 (Network Implementations). Specific focus areas include:
1. **Purpose and benefits**: Candidates must know that VXLAN extends Layer 2 segments over Layer 3 networks and supports up to 16 million VNIs, overcoming the 4094 VLAN limit. 2. **Encapsulation**: Questions often ask which protocol VXLAN uses for encapsulation (UDP, port 4789) and what headers are added (outer IP, UDP, VXLAN header). 3. **VTEP role**: Understanding that VTEPs perform encapsulation/decapsulation and are typically implemented in hypervisors or physical switches. 4. **Comparison to VLANs**: Exam items may ask how VXLAN differs from traditional VLANs, especially regarding scalability and Layer 3 independence. 5. **Use cases**: Scenarios involving multi-tenant data centers, VM mobility, and cloud networking are common. Candidates should recognize when VXLAN is appropriate.
For CCNA (200-301), VXLAN appears under Network Access and IP Connectivity domains. Cisco emphasizes VXLAN with EVPN as a control plane, and questions may involve configuration verification (e.g., 'show vxlan tunnel'). Understanding the difference between VXLAN bridging and routing is also tested.
Simple Meaning
Imagine you live in a large apartment building with hundreds of units. Each unit has its own apartment number (like a VLAN ID), but the building only has 4094 possible numbers—so eventually you run out. Now imagine you could give each apartment a unique 24-digit code instead, allowing for millions of distinct apartments. That's VXLAN: it replaces the old apartment numbering system with a much larger one, so every tenant can have their own completely isolated space.
But VXLAN does more than just add more numbers. It also creates a magical tunnel between apartments in different buildings. Suppose you and your friend live in separate apartment complexes across town. Normally, you'd need a direct physical connection to share a package. With VXLAN, you can put your package into a special box (the UDP packet) that gets shipped through the city's postal system (the IP network) and arrives at your friend's door as if you were next door. This allows virtual machines in different data centers to talk as if they were on the same switch, without changing the physical wiring.
Full Technical Definition
VXLAN is a network overlay technology defined in RFC 7348 that encapsulates Layer 2 Ethernet frames within UDP packets for transport over an IP network. It operates at Layer 2 (data link) for the encapsulated frame and Layer 3 (network) for the outer transport. The VXLAN packet structure consists of an outer Ethernet header, outer IP header, outer UDP header (destination port 4789), an 8-byte VXLAN header containing a 24-bit VNI (VXLAN Network Identifier), and the original inner Ethernet frame. The VNI provides up to 16 million unique segment identifiers, vastly exceeding the 4096 VLAN limit.
Mechanically, a VXLAN Tunnel Endpoint (VTEP) performs encapsulation and decapsulation. When a virtual machine sends an Ethernet frame, the VTEP (often a hypervisor switch or physical switch) adds the VXLAN header and UDP/IP headers, then forwards the packet to the destination VTEP based on IP routing. The destination VTEP strips the outer headers and delivers the original frame to the target VM. VXLAN relies on IP multicast or a control plane (e.g., EVPN) for learning MAC addresses and handling broadcast, unknown unicast, and multicast (BUM) traffic. Compared to VLANs, VXLAN offers greater scalability, tenant isolation, and the ability to stretch Layer 2 across Layer 3 boundaries without requiring physical re-cabling. Alternatives include NVGRE (Network Virtualization using Generic Routing Encapsulation) and GENEVE, but VXLAN is the most widely adopted due to its simplicity and hardware support.
Real-Life Example
A large enterprise runs a multi-tenant cloud platform with hundreds of virtual machines across two data centers in different cities. Each tenant requires its own isolated Layer 2 network. The network team decides to use VXLAN to meet this need.
Step 1: The team configures VTEPs on the hypervisor hosts in both data centers. Each VTEP has an IP address reachable over the WAN. Step 2: For Tenant A, they assign VNI 10001. For Tenant B, VNI 10002. Each VM is connected to its respective VXLAN segment. Step 3: When Tenant A's VM in Data Center 1 sends a frame to another VM in Data Center 2, the source VTEP encapsulates the frame with VNI 10001 and sends it as a UDP packet to the destination VTEP's IP. Step 4: The destination VTEP decapsulates the packet and delivers the original frame to the target VM. Step 5: The VMs communicate seamlessly as if they were on the same physical switch, even though they are in different cities. The underlying routers only see IP traffic, and each tenant's traffic remains isolated.
Outcome: The enterprise can scale to thousands of tenants without VLAN exhaustion, and VMs can migrate between data centers without changing IP addresses.
Why This Term Matters
IT professionals must understand VXLAN because it is the backbone of modern data center networking and cloud computing. It solves the critical problem of VLAN scalability (4094 limit) and enables network virtualization, which is essential for multi-tenant environments like public clouds and private clouds. Troubleshooting VXLAN requires knowledge of encapsulation, VTEP configuration, and control plane protocols (e.
g., EVPN). Misconfigurations can lead to connectivity issues, broadcast storms, or security breaches. For career value, VXLAN expertise is highly sought after for roles in network engineering, cloud architecture, and data center operations.
It appears on major certifications like CompTIA Network+ and Cisco CCNA, and understanding it demonstrates advanced networking skills.
How It Appears in Exam Questions
1. **Definition-based multiple choice**: 'Which technology encapsulates Layer 2 frames in UDP packets to create overlay networks?' Wrong answers include VLAN trunking, GRE tunnels, or MPLS. Correct: VXLAN.
2. **Scalability comparison**: 'A data center needs to support 10,000 isolated networks. Which technology is most suitable?' Wrong answers: VLANs (limited to 4094), STP, or OSPF. Correct: VXLAN because of its 16 million VNI limit.
3. **Encapsulation details**: 'What destination port does VXLAN use?' Wrong answers: 443 (HTTPS), 22 (SSH), or 67 (DHCP). Correct: UDP 4789.
4. **Troubleshooting scenario**: 'Two VMs on different hypervisors cannot communicate. The hypervisors are on different subnets. Which technology should be configured?' Wrong answers: VLAN trunking, NAT, or static routing. Correct: VXLAN to stretch the Layer 2 segment across the Layer 3 boundary.
To identify the correct answer, focus on keywords like 'overlay,' 'UDP encapsulation,' '16 million segments,' and 'Layer 2 extension over Layer 3.'
Practise VXLAN Questions
Test your understanding with exam-style practice questions.
Example Scenario
Step 1: A company has two hypervisors, Host A (192.168.1.10) and Host B (10.0.0.20), in different buildings connected by a router. Step 2: The network admin creates a VXLAN segment with VNI 5000 on both hosts.
Step 3: On Host A, VM1 (IP 10.0.0.1/24) is connected to VNI 5000. On Host B, VM2 (IP 10.0.0.2/24) is also connected to VNI 5000. Step 4: VM1 sends a ping to VM2. The frame is sent to the VTEP on Host A.
Step 5: Host A's VTEP encapsulates the frame with a VXLAN header (VNI 5000), then adds a UDP header (port 4789) and an outer IP header (source 192.168.1.10, destination 10.0.0.20).
Step 6: The packet is routed across the network to Host B. Step 7: Host B's VTEP receives the packet, strips the outer headers, and delivers the original frame to VM2. Step 8: VM2 replies, and the process repeats in reverse.
The VMs communicate as if on the same switch.
Common Mistakes
VXLAN is just a faster version of VLAN.
VXLAN is not faster; it adds overhead due to encapsulation. Its advantage is scalability (16 million segments vs 4094) and the ability to work over Layer 3 networks, not speed.
VXLAN = more segments + Layer 3 reachability, not speed.
VXLAN uses TCP for reliable delivery.
VXLAN uses UDP (port 4789) because it relies on the underlying IP network for delivery. TCP would add unnecessary overhead and latency. The inner frame's reliability is handled by higher-layer protocols.
VXLAN always uses UDP, never TCP.
VXLAN replaces routing; it works only within the same subnet.
VXLAN actually enables Layer 2 connectivity across Layer 3 boundaries. It does not replace routing; it creates an overlay that can span multiple subnets. The underlying network still routes the encapsulated packets.
VXLAN extends Layer 2 over Layer 3; it does not eliminate routing.
Exam Trap — Don't Get Fooled
{"trap":"Candidates often choose 'VLAN trunking' as the answer when asked how to connect two VMs on different subnets in different data centers, because they think VLANs can be extended across any distance.","why_learners_choose_it":"VLANs are familiar and simple. Learners assume that if a VLAN can be trunked across a campus, it can be trunked across a WAN.
They forget that VLANs require Layer 2 adjacency and are limited to 4094 networks.","how_to_avoid_it":"When you see 'different subnets' or 'different data centers,' immediately think of an overlay technology like VXLAN. Remember: VLANs stop at the router; VXLAN goes through it."
Commonly Confused With
VLAN uses a 12-bit ID (4094 max) and requires Layer 2 adjacency. VXLAN uses a 24-bit VNI (16 million max) and works over Layer 3 via UDP encapsulation. VLAN is a native Layer 2 technology; VXLAN is an overlay.
Use VLAN for segmenting a single switch; use VXLAN when you need to connect VMs across two data centers in different cities.
GRE is a simple tunneling protocol that encapsulates any Layer 3 protocol. VXLAN encapsulates Layer 2 frames and uses UDP for transport. VXLAN also includes a VNI for multi-tenancy, while GRE does not have a built-in segmentation identifier.
Use GRE to connect two remote routers for routing; use VXLAN to stretch a Layer 2 network for VM mobility.
Step-by-Step Breakdown
Step 1: VM sends Ethernet frame
A virtual machine on a hypervisor sends a standard Ethernet frame destined for another VM. The frame includes source and destination MAC addresses.
Step 2: VTEP receives the frame
The VXLAN Tunnel Endpoint (VTEP) on the source hypervisor intercepts the frame. The VTEP identifies which VXLAN segment (VNI) the VM belongs to.
Step 3: Encapsulation
The VTEP adds a VXLAN header containing the VNI, then wraps it in a UDP header (port 4789) and an outer IP header. The outer IP destination is the remote VTEP's IP address.
Step 4: Routing over IP network
The encapsulated packet is forwarded through the physical IP network. Routers treat it as a normal UDP packet and route it based on the outer IP header.
Step 5: Decapsulation and delivery
The destination VTEP receives the packet, strips the outer headers, and delivers the original Ethernet frame to the target VM. The VM sees a standard Layer 2 frame.
Practical Mini-Lesson
VXLAN (Virtual Extensible LAN) is a network overlay technology that solves the VLAN scalability problem. Traditional VLANs use a 12-bit VLAN ID, limiting you to 4094 networks. VXLAN uses a 24-bit VNI, allowing up to 16 million isolated networks. This is crucial for multi-tenant data centers where each tenant needs their own Layer 2 domain.
How it works: VXLAN encapsulates the original Ethernet frame inside a UDP packet. The encapsulation adds: - Outer Ethernet header (for the physical network) - Outer IP header (for routing) - Outer UDP header (destination port 4789) - VXLAN header (8 bytes, including the 24-bit VNI) - Original inner Ethernet frame
The device that performs this encapsulation/decapsulation is called a VTEP (VXLAN Tunnel Endpoint). VTEPs can be software-based (in hypervisors) or hardware-based (in switches).
Comparison to similar technologies: - VLAN: Limited to 4094 networks, requires Layer 2 adjacency. - VXLAN: 16 million networks, works over Layer 3. - NVGRE: Uses GRE encapsulation, less hardware support. - GENEVE: More flexible but newer.
Configuration notes: In a Cisco environment, you might configure a VXLAN tunnel with EVPN as the control plane. For example: ``` interface nve1 source-interface loopback0 member vni 5000 mcast-group 239.1.1.1 ``` This creates a VXLAN overlay using multicast for BUM traffic.
Key takeaway: VXLAN is the foundation of modern network virtualization. It allows you to create isolated Layer 2 networks that span across any IP network, enabling VM mobility and multi-tenancy at scale.
Memory Tip
VXLAN = Virtual eXtensible LAN. Think 'V' for 'Very big' (16 million VNIs) and 'X' for 'X-tends across routers.' The 'LAN' part reminds you it carries Layer 2 frames. Remember UDP port 4789: '47' is the number of the year VXLAN was standardized (2014, but 47 sticks), and '89' is the atomic number of actinium—just a weird mnemonic.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
N10-009CompTIA Network+ →200-301Cisco CCNA →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
N10-008N10-009(current version)Related Glossary Terms
AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection for IP packets.
AH (Authentication Header) is an IPsec protocol that provides connectionless integrity, data origin authentication, and anti-replay protection for IP packets.
An AP (Access Point) bridges wireless clients to a wired network, acting as a central transceiver and controller for Wi-Fi communications.
An API is a set of rules that allows software applications to communicate and exchange data with each other.
BCP is a proactive process that creates a framework to ensure critical business functions continue during and after a disruptive event.
BNC (Bayonet Neill-Concelman Connector) is a miniature coaxial connector used for terminating coaxial cables in networking, video, and RF applications.
Frequently Asked Questions
Does VXLAN require multicast?
Not necessarily. VXLAN can use multicast for BUM traffic (broadcast, unknown unicast, multicast), but modern implementations often use a control plane like EVPN to avoid multicast. In many data centers, EVPN is preferred for better scalability.
What is the difference between VXLAN and VLAN?
VLAN uses a 12-bit ID (4094 max) and requires Layer 2 adjacency. VXLAN uses a 24-bit VNI (16 million max) and works over Layer 3 via UDP encapsulation. VXLAN is an overlay; VLAN is a native Layer 2 technology.
Can VXLAN be used without a hypervisor?
Yes. VXLAN can be implemented on physical switches (hardware VTEPs) or routers. This is common in data center fabrics where switches perform the encapsulation, allowing physical servers to participate in VXLAN segments.
Is VXLAN secure?
VXLAN itself does not provide encryption. The encapsulated traffic is visible to the underlying network. For security, VXLAN is often combined with IPsec or MACsec. Some implementations also use VXLAN with encryption extensions.
Why is VXLAN important for cloud computing?
Cloud providers need to isolate thousands of tenants while allowing VMs to move across hosts. VXLAN provides the necessary scalability (16 million segments) and the ability to stretch Layer 2 across the data center, enabling live migration and multi-tenancy.
Summary
1. VXLAN is an overlay network technology that encapsulates Layer 2 Ethernet frames in UDP packets, allowing you to create isolated Layer 2 segments that span across Layer 3 networks. 2.
Its key property is the 24-bit VXLAN Network Identifier (VNI), which supports up to 16 million unique segments—vastly more than the 4094 VLAN limit. 3. The most important exam fact: VXLAN uses UDP destination port 4789, and the device that performs encapsulation/decapsulation is called a VTEP (VXLAN Tunnel Endpoint).
Remember these two points, and you'll ace any VXLAN question.