VXLAN Overview and Its Applications in Data Center and Campus Networks
This article explains the limitations of traditional data‑center networking for server virtualization, introduces VXLAN as an overlay VPN solution, describes its core components and tunnel mechanisms, and demonstrates how VXLAN is applied in cloud‑campus architectures with centralized and distributed gateway designs.
Abstract: To overcome the constraints of traditional data‑center networks on server virtualization, the VXLAN (Virtual eXtensible LAN) technology was created.
1. Overview
1.1 Problems of Traditional Data‑Center Networks
VM scale limited by MAC table size – In Layer‑2 networks, the MAC address table cannot accommodate the massive number of VMs generated after virtualization.
Insufficient network isolation – VLAN tags provide only 12 bits (4096 IDs), which is inadequate for large‑scale cloud environments.
VM migration confined to a single Layer‑2 domain – Traditional Layer‑2 networks restrict live migration to a limited broadcast domain.
1.2 VXLAN Introduction
VXLAN is a VPN‑style overlay that encapsulates Ethernet frames in UDP packets, allowing a virtual Layer‑2 network to be built over any routable IP network.
By using MAC‑in‑UDP encapsulation, VXLAN removes the dependence on MAC‑address tables and enables VM migration across the entire IP fabric.
1.3 VXLAN in Data Centers
Solves the MAC‑table limitation by encapsulating VM traffic, so access switches only need to learn the MAC addresses of the VTEPs rather than of every VM.
Provides 24‑bit VNI (VXLAN Network Identifier), supporting up to 16 million segments, far exceeding VLAN’s 12‑bit limit.
Allows VM migration across different physical locations because the encapsulated traffic sees only the underlay IP network.
1.4 VXLAN in Campus Networks (One‑Network‑Multiple‑Uses)
Creates multiple virtual networks (VNs) on a single physical fabric for different business domains such as office, R&D, and IoT.
Uses Huawei iMaster NCE SDN controller for centralized configuration and NETCONF‑based device provisioning.
2. Basic VXLAN Concepts
2.1 VXLAN Packet Format
2.2 NVE (Network Virtualization Edge)
The NVE is the device (hardware or software) that runs VXLAN and builds a Layer‑2 overlay on top of a Layer‑3 network.
2.3 VTEP (VXLAN Tunnel Endpoint)
VTEP resides inside an NVE and performs encapsulation/de‑encapsulation of VXLAN packets.
The outer IP header’s source and destination addresses are the IPs of the two VTEPs.
One pair of VTEP IPs defines one VXLAN tunnel.
Loopback interfaces are commonly used as VTEP addresses.
2.4 VNI (VXLAN Network Identifier)
24‑bit identifier similar to a VLAN ID; distinguishes different VXLAN segments.
A tenant may have one or multiple VNIs.
2.5 BD (Bridge Domain)
Represents a broadcast domain in VXLAN, analogous to a VLAN in traditional networks.
Each BD is mapped 1:1 to a VNI, enabling Layer‑2 communication within the BD.
2.6 VAP (Virtual Access Point)
VAP provides VXLAN access via either a Layer‑2 sub‑interface or a VLAN binding.
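The packet‑format, VTEP, VNI and BD concepts above can be exercised in a few lines. The following is an added example, not code from the original article or from any vendor: a toy VTEP that builds and parses the 8‑byte VXLAN header (RFC 7348 layout, UDP port 4789), encapsulates an Ethernet frame between two VTEP addresses, and on receipt forwards only into a bridge domain that is bound 1:1 to the VNI. All IP addresses, VNIs and BD names are constructed.

```python
import struct
from dataclasses import dataclass, field

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN destination port
FLAG_I = 0x08              # "I" bit: a valid VNI is present
VNI_MAX = (1 << 24) - 1    # 24-bit VNI -> 16,777,215 usable segments

def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!B3xI", FLAG_I, vni << 8)

def parse_vxlan_header(header: bytes) -> int:
    """Return the VNI; a header without the I flag carries no valid VNI and is rejected."""
    if len(header) != 8:
        raise ValueError("VXLAN header must be exactly 8 bytes")
    flags, vni_field = struct.unpack("!B3xI", header)
    if not flags & FLAG_I:
        raise ValueError("I flag clear: no valid VNI, frame dropped")
    return vni_field >> 8  # low 8 bits are reserved

def encapsulate(src_vtep: str, dst_vtep: str, vni: int, inner_frame: bytes) -> dict:
    """MAC-in-UDP: outer IP addresses are the two VTEPs, payload is the whole L2 frame."""
    return {"outer_src": src_vtep, "outer_dst": dst_vtep, "udp_dport": VXLAN_UDP_PORT,
            "payload": build_vxlan_header(vni) + inner_frame}

@dataclass
class Vtep:
    ip: str                                        # loopback address used as VTEP IP
    bd_by_vni: dict = field(default_factory=dict)  # 1:1 VNI -> bridge domain
    dropped: list = field(default_factory=list)    # drop reasons, useful for monitoring

    def receive(self, pkt: dict):
        """Decapsulate and return the target BD, or None if the frame is dropped."""
        if pkt["outer_dst"] != self.ip or pkt["udp_dport"] != VXLAN_UDP_PORT:
            self.dropped.append("not addressed to this VTEP")
            return None
        vni = parse_vxlan_header(pkt["payload"][:8])  # malformed headers raise
        bd = self.bd_by_vni.get(vni)
        if bd is None:  # unknown VNI: never leaks into another tenant's BD
            self.dropped.append(f"VNI {vni} not mapped to a BD")
        return bd

def demo():
    vtep = Vtep("10.255.0.2", bd_by_vni={10010: "BD10"})  # constructed: VNI 10010 -> BD10
    frame = bytes.fromhex("00112233445566778899aabb0800") + b"inner payload"
    ok = vtep.receive(encapsulate("10.255.0.1", "10.255.0.2", 10010, frame))
    bad = vtep.receive(encapsulate("10.255.0.1", "10.255.0.2", 20020, frame))
    return ok, bad, vtep.dropped
```

The second frame carries a VNI that the receiving VTEP has not bound to any BD, so it is dropped and the reason recorded rather than being delivered to the wrong tenant.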
3. VXLAN Gateways
3.1 Layer‑2 Gateway
Provides entry into the VXLAN overlay and enables intra‑subnet communication.
3.2 Layer‑3 Gateway
Handles cross‑subnet traffic within VXLAN and access to external (non‑VXLAN) networks.
4. VBDIF
Logical Layer‑3 interface created on a VXLAN L3 gateway, based on a Bridge Domain.
Assigning an IP address to a VBDIF enables inter‑segment and VXLAN‑to‑non‑VXLAN communication.
5. Centralized vs Distributed Gateways
5.1 Centralized Gateway
All inter‑subnet traffic passes through a single L3 device.
Advantages: simplified management.
Disadvantages: sub‑optimal forwarding path.
5.2 Distributed Gateway
L3 functionality is spread across multiple devices; each VTEP acts as both L2 and L3 gateway.
Advantages: optimal forwarding paths.
Disadvantages: more complex deployment and troubleshooting.
6. VXLAN Tunnel Establishment
A VXLAN tunnel is defined by a pair of VTEP IP addresses; once the underlay routing is reachable, the tunnel can be created.
6.1 Static VXLAN
The VNI and the VTEP IP addresses are configured manually on both ends of the tunnel.
6.2 BGP EVPN Control Plane
EVPN (Ethernet VPN) extends BGP to provide automatic VTEP discovery, MAC learning, and route distribution, eliminating the need for static configuration and flood‑and‑learn traffic.
7. VXLAN in CloudCampus Solution
7.1 Requirements
Build a fabric on the physical network.
Adopt a distributed gateway architecture.
Create two virtual networks (OA and RD) that are isolated by default but support intra‑ and inter‑subnet communication.
Both VNs must reach external networks and obtain IP addresses via DHCP.
7.2 Fabric Management
Users add physical switches to the fabric and assign roles (Border, Edge).
iMaster NCE automatically configures OSPF, BGP EVPN, and underlay routing.
7.3 VN Management
Users define VN parameters (IP subnet, VLAN, gateway, external network, DHCP service).
The controller translates intent into device configurations.
7.4 Automatic VXLAN Tunnel Creation
BGP EVPN advertises tunnel information between VTEPs.
Devices establish VXLAN tunnels for data forwarding.
7.5 End‑Host Address Allocation
After authentication, the Edge device forwards DHCP requests through the VXLAN tunnel to the Border, which relays them to the DHCP server.
7.6 Intra‑VN Communication
Same‑subnet traffic is carried over VXLAN tunnels between Edge devices.
Cross‑subnet traffic uses VBDIF interfaces and VXLAN routing.
7.7 Access to External Networks
External routes are injected into the Border via BGP and propagated to Edge devices.
Traffic is encapsulated in VXLAN, sent to the Border, decapsulated, and forwarded to the upstream firewall.
Original author: 迷图小书童. Source: https://blog.csdn.net/devcloud/article/details/113585563