Cisco VXLAN Flood and Learn Spine‑and‑Leaf Network Overview
This article explains Cisco's VXLAN flood‑and‑learn spine‑and‑leaf architecture, covering its standards compliance, encapsulation format, underlay and overlay network design, multicast and ingress replication, host discovery, routing, and multi‑tenant support for both Layer 2 and Layer 3 environments.
Encapsulation Format and Standard Compliance
Cisco VXLAN flood and learn technology conforms to the IETF VXLAN standard (RFC 7348), which defines multicast‑based flooding and learning without a control plane; Ethernet frames are first encapsulated with a VXLAN header, then placed inside a UDP‑IP packet for transport.
Underlying Network
VXLAN flood and learn spine‑and‑leaf networks use a Layer 3 IP underlay. IP multicast in the underlay reduces the flood domain for each VXLAN segment: each VNID is mapped to an IP multicast group, and VTEPs join that group and participate in PIM routing. Enabling multicast in the underlay can be challenging for organizations that avoid multicast in their data centers or WANs.
The Cisco Nexus 9000 series introduces ingress replication, which allows a multicast‑free underlay. Each VTEP obtains the IP addresses of the other VTEPs through static ingress replication configuration (see Figure 10).
Overlay Network
The overlay network lacks a control plane; it is built on top of the Layer 3 underlay using VTEP tunnels to transport Layer 2 packets, employing flood and learn semantics (see Figure 11).
Broadcast and Unknown Unicast Traffic
Broadcast and unknown unicast traffic is sent using underlay IP PIM or ingress replication; note that ingress replication is supported only on Cisco Nexus 9000 series switches.
Host Discovery and Reachability
VXLAN flood and learn relies on initial data‑plane flooding so VTEPs can discover each other and learn remote host MAC addresses and MAC‑to‑VTEP mappings; once learned, VTEPs forward VXLAN traffic via unicast.
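The learning sequence described above, as an added example that is not part of the original article: a toy model of three VTEPs that flood through a static ingress replication peer list, learn MAC‑to‑VTEP mappings from received traffic, and then switch to unicast. The class, addresses and VNI are constructed; packets are modelled as dictionaries rather than real encapsulated frames.

```python
BCAST = "ff:ff:ff:ff:ff:ff"

class Vtep:
    """Toy flood-and-learn VTEP using a static ingress-replication peer list."""

    def __init__(self, ip, peers):
        self.ip = ip
        self.peers = list(peers)  # statically configured remote VTEP IPs
        self.mac_table = {}       # (vni, inner MAC) -> remote VTEP IP

    def send(self, vni, src_mac, dst_mac):
        """A local host frame enters; return [(outer_dst_ip, packet), ...]."""
        pkt = {"outer_src": self.ip, "vni": vni, "src": src_mac, "dst": dst_mac}
        remote = self.mac_table.get((vni, dst_mac))
        if dst_mac != BCAST and remote is not None:
            return [(remote, pkt)]                    # known unicast: one copy
        return [(peer, pkt) for peer in self.peers]   # flood: one copy per peer

    def receive(self, pkt):
        """Data-plane learning: inner source MAC maps to the outer source IP."""
        self.mac_table[(pkt["vni"], pkt["src"])] = pkt["outer_src"]

def run_exchange():
    """Constructed three-leaf fabric; host A behind leaf 1, host B behind leaf 2."""
    ips = ["10.0.0.1", "10.0.0.2", "10.0.0.3"]
    fabric = {ip: Vtep(ip, [p for p in ips if p != ip]) for ip in ips}
    host_a, host_b, vni = "02:00:00:00:00:0a", "02:00:00:00:00:0b", 10010
    copies = []

    def deliver(out):
        copies.append(len(out))
        for dst_ip, pkt in out:
            fabric[dst_ip].receive(pkt)

    deliver(fabric["10.0.0.1"].send(vni, host_a, host_b))  # unknown: flooded
    deliver(fabric["10.0.0.2"].send(vni, host_b, host_a))  # A already learned
    deliver(fabric["10.0.0.1"].send(vni, host_a, host_b))  # B learned: unicast
    return copies, fabric

if __name__ == "__main__":
    copies, fabric = run_exchange()
    print("tunnel copies per frame:", copies)
    print("leaf 3 table:", fabric["10.0.0.3"].mac_table)
```

Leaf 3 ends up with an entry for host A even though it takes no part in the conversation, because the first frame was flooded to every peer.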
Multicast Traffic
Overlay tenant Layer 2 multicast traffic can be carried over the underlay using IP PIM or ingress replication (the latter only on Nexus 9000). Proper design is needed to avoid overloading multicast groups; ideally each VXLAN segment maps to a unique IP multicast group.
Layer‑3 Routing Functionality
Similar to traditional VLANs, routing between VXLAN segments or between VXLAN and VLAN segments is required. In typical designs, leaf ToR switches act as VTEP devices, providing Layer 2 VXLAN gateways; some VTEPs also enable Layer 3 VXLAN gateway functions for centralized routing in the spine or border leaf.
Spine Layer Internal and External Wiring
Leaf‑ToR‑VTEP switches serve as Layer 2 VXLAN gateways, transporting Layer 2 segments over the Layer 3 IP network. Spine switches participate in both underlay IP transport and internal/external VXLAN routing, requiring a single underlay hop from leaf VTEP to the spine for routed traffic.
When HSRP and vPC are used, a maximum of two active VXLAN gateways is supported; spine Layer 3 VXLAN gateways learn host MAC addresses, so MAC scalability must be considered.
Border Leaf Internal and External Routing
Border leaf ToR VTEP switches act as Layer 2 VXLAN gateways for transporting Layer 2 segments over the underlay; spine switches only forward VXLAN‑encapsulated packets and do not learn overlay MAC addresses. Border leaf routers enable Layer 3 VXLAN gateways for internal and external routing, requiring two underlay hops (leaf → spine → border leaf) for external traffic.
Again, with HSRP and vPC, only two active VXLAN gateways are allowed, and MAC address scalability must be accounted for.
Multi‑Tenant Techniques
VXLAN flood and learn supports Layer 2 multi‑tenant isolation using a 24‑bit VNID (up to 16 million segments). VLANs can be reused across VTEPs, with incoming 802.1Q frames mapped to a specific VNI that provides tenant isolation network‑wide.
VXLAN also supports Layer 3 multi‑tenant via VRF‑lite; the overlay remains a Layer 2 network with a top‑of‑overlay Layer 3 SVI, supporting up to 4096 VLANs (see Figure 15).
Cisco VXLAN Flood and Learn Spine‑and‑Leaf Network Summary
The design complies with IETF VXLAN (RFC 7348), transporting Layer 2 frames over a Layer 3 IP underlay while remaining a flood‑and‑learn based solution. As host counts grow, it faces flooding challenges similar to those of FabricPath. Layer 3 routing is positioned atop the overlay, often centralized in spine or border leaf switches, with support for up to two active gateways and vPC for internal VXLAN routing.
For detailed configuration guides, release notes, and references, see the documentation listed at the end of the original article.
Architects Research Society