
ThinkMo EDU Share – network 12.Overview of VXLAN

蒂娜 | 10/20/2022


What is VXLAN?

VXLAN stands for Virtual eXtensible Local Area Network; it is an extension of VLAN.

VXLAN is essentially a tunnel encapsulation technology. It applies the encapsulation/decapsulation technique that the TCP/IP protocol stack uses everywhere: Layer 2 Ethernet frames are encapsulated in Layer 4 UDP datagrams and then carried across a Layer 3 network. The effect is as if the Layer 2 Ethernet frames were being forwarded within a single broadcast domain. In fact they cross a Layer 3 network, but that network is invisible to the endpoints.

Why is VXLAN needed?

A single server can host many virtual machines, and each virtual machine is effectively a host. The number of hosts therefore grows by an order of magnitude, which brings the following problems to the virtual network:

  1. Virtual machine scale is limited by network specifications (table capacity).

In a traditional Layer 2 network, frames are forwarded by looking up the MAC address table, so the capacity of that table caps the number of virtual machines.

  2. Network isolation capability is limited.

VLAN is currently the mainstream isolation technology, and deploying it in a large-scale virtualized network has the following limitations:

① The VLAN Tag field defined in IEEE 802.1Q has only 12 bits and can therefore represent at most 4096 VLANs, which is not enough to identify a large number of tenants or tenant groups in a Layer 2 network.

② VLANs in a traditional Layer 2 network cannot meet the demand for dynamic adjustment of the network.

  3. The scope of virtual machine migration is limited by the network architecture.

After a virtual machine has started, it may need to be migrated to a new server because of server resource problems (for example, high CPU usage or insufficient memory). To keep the service uninterrupted during migration, the virtual machine's IP address must stay unchanged. This requires the service network to be a Layer 2 network, and that network must itself offer multi-path redundancy and reliability.

VXLAN was designed for the Layer 2 network and addresses each of the problems above:

  1. Virtual machine scale limited by network specifications.

VXLAN encapsulates the packets sent by a virtual machine in UDP and uses the IP and MAC addresses of the physical network as the outer header, so the network only ever sees the outer encapsulation parameters. The demand on MAC address table capacity in the Layer 2 network is therefore greatly reduced.

  2. Limited network isolation capability.

VXLAN introduces a user identifier similar to the VLAN ID, called the VXLAN Network Identifier (VNI). The VNI is 24 bits long and supports up to 16M VXLAN segments, which is enough to identify a very large number of users.

  3. Virtual machine migration scope limited by the network architecture.

VXLAN extends the Layer 2 network with MAC-in-UDP encapsulation: the Ethernet frame is encapsulated in an IP packet and carried across the network by routing, so the network does not need to care about the virtual machine's MAC address. A routed network is not constrained by the network structure and offers large-scale expansion, fault self-healing and load balancing. Because the network is routed, virtual machine migration is no longer limited by the network architecture.

How is a VXLAN tunnel built?

VXLAN establishes a tunnel between two TOR switches. The tunnel “wraps” the original data frame sent by the server so that the original frame can be carried over the bearer network (for example, an IP network). When the frame reaches the TOR switch connected to the destination server, it leaves the VXLAN tunnel, the original data frame is recovered, and it is forwarded to the destination server.

In addition, some new elements that do not exist in a traditional data center network, such as the VTEP and the VNI, appear in a VXLAN network.


The VTEP (VXLAN Tunnel Endpoint) is the edge device of the VXLAN network and the starting and ending point of a VXLAN tunnel; VXLAN encapsulation and decapsulation of the user's original data frame are performed on the VTEP.

The VTEP is the central actor in a VXLAN network. It can be either an independent network device or a virtual switch inside a server. The original data frame sent by a server is encapsulated into a VXLAN packet on the VTEP, transferred across the IP network to another VTEP, decapsulated there to restore the original data frame, and finally forwarded to the destination server.


In an Ethernet data frame the VLAN field occupies only 12 bits, which makes VLAN's isolation capability inadequate for a data center network. The VNI was introduced specifically to solve this problem.

The VNI (VXLAN Network Identifier) is a user identifier similar to the VLAN ID. One VNI represents one tenant, and virtual machines belonging to different VNIs cannot communicate with each other directly at Layer 2. When the VXLAN packet is encapsulated, 24 bits are allocated to the VNI, which is enough to isolate a very large number of tenants.

In addition, in the distributed gateway deployment scenario, VNIs are divided into Layer 2 VNIs and Layer 3 VNIs, which have different functions:

① A Layer 2 VNI is an ordinary VNI. It is mapped 1:1 to a broadcast domain (BD) and is used to forward VXLAN packets within a subnet.

② A Layer 3 VNI is associated with a VPN instance and is used to forward VXLAN packets across subnets.
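To make the MAC-in-UDP encapsulation and the 24-bit VNI described above concrete, here is an added Python example (not code from the original post or from any vendor) that builds and parses the outer IPv4/UDP/VXLAN headers around a constructed Ethernet frame, and that drops packets carrying a VNI the receiving VTEP is not configured for. The outer Ethernet header is omitted, and the inner frame, IP addresses and VNI values are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789            # IANA-assigned VXLAN UDP destination port (RFC 7348)
VXLAN_FLAG_I = 0x08              # "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1          # 24-bit VNI -> 16M segments

# Constructed sample inner frame: dst MAC, src MAC, EtherType 0x0806 (ARP), dummy payload
INNER_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0806") + b"\x00" * 28


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement checksum over the IPv4 header; returns 0 for a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(inner_frame, vni, src_ip, dst_ip, src_port=49152):
    """VTEP send side (MAC-in-UDP): inner frame -> VXLAN -> UDP -> outer IPv4.
    The outer Ethernet header is omitted here for brevity."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    vxlan = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)  # flags|reserved(24), VNI|reserved(8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # UDP checksum may be 0 over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill in header checksum
    return ip + udp + vxlan + inner_frame


def decapsulate(packet, local_vnis):
    """VTEP receive side: check outer headers, strip them, return (vni, original frame).
    A VNI this VTEP is not configured for is dropped so tenants stay isolated."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != 17 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("outer header is not a valid IPv4/UDP packet")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN datagram")
    flags_word, vni_word = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:  # RFC 7348: reserved bits are ignored on receipt
        raise ValueError("VXLAN I flag not set, VNI invalid")
    vni = vni_word >> 8
    if vni not in local_vnis:
        raise ValueError(f"VNI {vni} is not configured on this VTEP")
    return vni, packet[ihl + 16:ihl + udp_len]


if __name__ == "__main__":
    pkt = encapsulate(INNER_FRAME, 5000, "10.1.1.1", "10.1.1.2")
    print(decapsulate(pkt, {5000}))
```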

VXLAN gateway

VXLAN Layer 2 Gateway and Layer 3 Gateway

As with VLANs, hosts in different VNIs, as well as hosts inside and outside the VXLAN network, cannot communicate with each other directly. To meet these communication requirements, VXLAN introduces the concept of the VXLAN gateway, which comes in a Layer 2 form and a Layer 3 form:

① VXLAN Layer 2 gateway: used for terminal access to the VXLAN network, and for communication within the same subnet of a VXLAN network.

② VXLAN Layer 3 gateway: used for cross-subnet communication within the VXLAN network and for access to external networks.

VXLAN centralized gateway and distributed gateway

Depending on how the Layer 3 gateway is deployed, VXLAN Layer 3 gateways are divided into centralized gateways and distributed gateways.

VXLAN centralized gateway

A centralized gateway means the Layer 3 gateway is deployed centrally on one device. As shown in the following figure, all cross-subnet traffic is forwarded through this Layer 3 gateway, which allows the traffic to be managed centrally.

Advantages and disadvantages of deploying a centralized gateway are as follows:

Advantage:

Traffic across subnets is managed centrally, which makes gateway deployment and management simple.

Disadvantages:

① The forwarding path is not optimal: all Layer 3 traffic between subnets under the same Layer 2 gateway in the data center must be forwarded through the centralized Layer 3 gateway (shown by the blue dotted line in the figure).

② Bottleneck in ARP entry capacity: with a centralized Layer 3 gateway, the ARP entries of every terminal whose traffic is forwarded through the Layer 3 gateway must be generated on that gateway, and the gateway's ARP table capacity is limited, which hinders expansion of the data center network.

VXLAN distributed gateway

The disadvantages of a centralized gateway can be solved by deploying a distributed gateway. A VXLAN distributed gateway refers to the typical “Spine-Leaf” fabric, in which the Leaf nodes act as the VTEP endpoints of the VXLAN tunnels and each Leaf node can serve as the VXLAN Layer 3 gateway (while also being the VXLAN Layer 2 gateway). The Spine nodes are unaware of the VXLAN tunnels and only forward the VXLAN packets.

As shown in the figure below, Server1 and Server2 are not on the same network segment, but both are connected to the same Leaf node. When Server1 communicates with Server2, the traffic only needs to be forwarded on that Leaf node and does not have to pass through the Spine node.

When deploying a distributed gateway:

1. Spine node:

Focuses on high-speed IP forwarding; the emphasis is on the forwarding capacity of the device.

2. Leaf node:

① As the Layer 2 gateway of the VXLAN network, it connects to the physical servers or VMs and gives terminal tenants access to the VXLAN virtual network.

② As the Layer 3 gateway of the VXLAN network, it encapsulates and decapsulates VXLAN packets, providing cross-subnet communication between terminal tenants and access to external networks.

The VXLAN distributed gateway has the following characteristics:

① The same Leaf node can act as the VXLAN Layer 2 gateway or the VXLAN Layer 3 gateway, so deployment is flexible.

② A Leaf node only needs to learn the ARP entries of the servers connected to it, not those of all servers as a centralized Layer 3 gateway must. This removes the ARP entry bottleneck caused by the centralized Layer 3 gateway and gives strong scalability.
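The following Python model is an added example (not from the original post) of the centralized versus distributed gateway comparison above: it traces the hops and the Layer 2/Layer 3 VNIs used between servers on a constructed two-Leaf fabric, and shows where ARP entries must live in each mode. Device names, addresses and VNI numbers are assumed sample values.

```python
from ipaddress import ip_interface

# Constructed sample fabric (not from the original post): two Leaf VTEPs behind one Spine.
TOPOLOGY = {
    "Leaf1": {"Server1": "10.1.1.10/24", "Server2": "10.1.2.10/24"},
    "Leaf2": {"Server3": "10.1.1.20/24", "Server4": "10.1.3.10/24"},
}
L2_VNI = {"10.1.1.0/24": 10001, "10.1.2.0/24": 10002, "10.1.3.0/24": 10003}  # one L2 VNI per BD/subnet
L3_VNI = 50000      # the tenant's L3 VNI (VPN instance) for cross-subnet traffic
CENTRAL_GW = "GW"   # device hosting the centralized Layer 3 gateway


def locate(server):
    """Return (leaf, subnet) for a server name."""
    for leaf, servers in TOPOLOGY.items():
        if server in servers:
            return leaf, str(ip_interface(servers[server]).network)
    raise KeyError(server)


def arp_entries(mode):
    """Which device must hold each server's ARP entry for routed (cross-subnet) traffic."""
    tables = {}
    for leaf, servers in TOPOLOGY.items():
        owner = CENTRAL_GW if mode == "centralized" else leaf
        tables.setdefault(owner, set()).update(servers)
    return tables


def forwarding_path(src, dst, mode):
    """Hops a frame crosses and the VNIs used on each tunnel segment ([] = no tunnel).
    The Spine only routes the outer IP packet; it never looks inside the tunnel."""
    src_leaf, src_net = locate(src)
    dst_leaf, dst_net = locate(dst)
    if src_net == dst_net:                       # same subnet: Layer 2 gateway, L2 VNI
        if src_leaf == dst_leaf:
            return [src_leaf], []
        return [src_leaf, "Spine", dst_leaf], [L2_VNI[src_net]]
    if mode == "centralized":                    # every cross-subnet flow hairpins via GW
        return ([src_leaf, "Spine", CENTRAL_GW, "Spine", dst_leaf],
                [L2_VNI[src_net], L2_VNI[dst_net]])
    if src_leaf == dst_leaf:                     # distributed: the Leaf routes locally
        return [src_leaf], []
    return [src_leaf, "Spine", dst_leaf], [L3_VNI]   # distributed, remote Leaf: L3 VNI


if __name__ == "__main__":
    for mode in ("centralized", "distributed"):
        print(mode, forwarding_path("Server1", "Server2", mode), arp_entries(mode))
```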
