
Why VXLAN Is the Key to Scaling Modern Data Centers

This article explains how VXLAN technology overcomes traditional data‑center network constraints—such as limited MAC tables, VLAN isolation, and VM migration scope—by using MAC‑in‑UDP encapsulation, VNI identifiers, and BGP EVPN control, and demonstrates its practical deployment in a CloudCampus solution.

Architects' Tech Alliance

1. Overview

Traditional data center networks face three main limitations when supporting server virtualization:

VM scale limited by MAC table size – In a Layer‑2 network, switches forward frames based on MAC tables; the number of VMs quickly exceeds the table capacity after virtualization.

Network isolation limited – VLAN IDs provide only 12 bits (4096 segments), insufficient for large cloud tenants.

VM migration range limited – Migration must stay within the same Layer‑2 broadcast domain.

2. VXLAN Introduction

VXLAN (Virtual Extensible LAN) is a VPN‑style technology that overlays a Layer‑2 network on any IP‑routable underlay. It uses MAC‑in‑UDP encapsulation, allowing VMs to be moved across the underlay without regard to the physical MAC topology.

Encapsulation extends Layer‑2 frames into UDP packets, removing dependence on MAC address tables.

Routing in the underlay eliminates the size limits of traditional Layer‑2 networks.

3. VXLAN Components

3.1 NVE (Network Virtualization Edge)

An NVE can be a hardware or software switch that builds a virtual Layer‑2 network on top of a Layer‑3 fabric.

3.2 VTEP (VXLAN Tunnel Endpoint)

VTEP resides in the NVE and performs encapsulation and decapsulation of VXLAN packets. Each VTEP pair forms a VXLAN tunnel.

Source IP in the outer IP header is the VTEP’s IP; destination IP is the remote VTEP’s IP.

Loopback addresses are commonly used as VTEP IPs.

3.3 VNI (VXLAN Network Identifier)

VNI is a 24‑bit identifier (up to 16 M segments) that separates VXLAN segments, analogous to a VLAN ID.

3.4 BD (Bridge Domain)

BD defines a virtual Layer‑2 broadcast domain; each VNI maps 1:1 to a BD.
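
The MAC-in-UDP encapsulation and the VTEP, VNI and BD roles described above can be sketched in a few lines. This is an added example, not code from the original article or from any vendor: the header layout and UDP port 4789 follow RFC 7348, while the VTEP addresses, VNI values, bridge-domain names and function names are constructed for illustration. The receiving side accepts a packet only when the outer source is a configured VTEP and the VNI maps to a bridge domain.

```python
import ipaddress
import struct

VXLAN_PORT = 4789        # IANA-assigned VXLAN UDP destination port (RFC 7348)
FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field carries a valid value

# Constructed sample tables: VNI -> bridge domain (1:1) and known remote VTEPs.
VNI_TO_BD = {5010: "BD10-Office", 5020: "BD20-RnD"}
KNOWN_VTEPS = {ipaddress.ip_address("10.0.0.2")}


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_port=49152):
    """Wrap an Ethernet frame as outer IPv4 / UDP / VXLAN (checksums left at 0)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    vxlan = struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_vtep).packed,
                     ipaddress.ip_address(dst_vtep).packed)
    return ip + udp + vxlan + inner_frame


def decapsulate(packet):
    """Return (source VTEP, VNI, bridge domain, inner frame) or raise ValueError."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("outer header is not IPv4/UDP")
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 8 + 14:
        raise ValueError("truncated: no room for UDP, VXLAN and inner Ethernet")
    src_vtep = ipaddress.ip_address(packet[12:16])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if dport != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    word1, word2 = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    if not (word1 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI not valid")
    vni = word2 >> 8
    if src_vtep not in KNOWN_VTEPS:
        raise ValueError(f"outer source {src_vtep} is not a configured VTEP")
    if vni not in VNI_TO_BD:
        raise ValueError(f"VNI {vni} maps to no bridge domain")
    return str(src_vtep), vni, VNI_TO_BD[vni], packet[ihl + 16:]


# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
INNER = bytes.fromhex("02aabbccdd02" "02aabbccdd01" "0800") + b"payload"
```

Calling `decapsulate(encapsulate(INNER, 5010, "10.0.0.2", "10.0.0.1"))` returns the original inner frame together with the source VTEP, the VNI and its bridge domain; packets from an unlisted VTEP or with an unmapped VNI raise `ValueError`.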

3.5 VAP (Virtual Access Point)

VAP provides access to the VXLAN fabric. It can be configured as a Layer‑2 sub‑interface or a VLAN‑binding.

4. VXLAN Gateways

4.1 Layer‑2 Gateway

Provides entry into the VXLAN fabric and enables intra‑segment communication.

4.2 Layer‑3 Gateway

Enables inter‑subnet communication within VXLAN and connectivity to external non‑VXLAN networks.

5. VBDIF

VBDIF is the VXLAN equivalent of a VLANIF, a logical Layer‑3 interface created on a VXLAN L3 gateway based on a BD. Assigning an IP address to VBDIF allows routing between different VXLAN segments and between VXLAN and non‑VXLAN networks.

6. Centralized vs Distributed Gateways

6.1 Centralized Gateway

Advantages: Simplified deployment and management; all inter‑subnet traffic passes through a single device.

Disadvantages: Sub‑optimal forwarding path.

6.2 Distributed Gateway

Advantages: More optimal forwarding paths for inter‑subnet traffic.

Disadvantages: More complex deployment, fault isolation, and routing maintenance.

7. VXLAN Tunnel Establishment

7.1 Static VXLAN

Manually configure VNI and VTEP IPs on both ends; the tunnel comes up when the two VTEP IPs are routable.

7.2 BGP EVPN Control Plane

EVPN (an extension of BGP) automates VTEP discovery and host MAC learning, eliminating the need for manual configuration and reducing broadcast traffic.

8. VXLAN in a CloudCampus Solution

8.1 Requirements

Build a fabric over the physical network.

Use a distributed gateway architecture.

Create two virtual networks (Office and R&D) that are isolated by default but support intra‑ and inter‑subnet communication.

Provide DHCP services and external network access.

8.2 Fabric Management

Administrators add physical devices to the fabric, assign roles (Border, Edge), and let iMaster NCE automatically generate OSPF/BGP‑EVPN configurations, deploy the underlay, and establish control‑plane relationships.

8.3 Virtual Network Management

VN creation involves specifying IP subnets, VLAN IDs, associated external networks, and access points. iMaster NCE translates these intents into device configurations.

8.4 VXLAN Tunnel Automation

BGP EVPN distributes tunnel information between VTEPs, enabling automatic tunnel creation.

8.5 End‑Host Connectivity

After authentication, a user’s traffic is placed into the appropriate VLAN, encapsulated into VXLAN, and forwarded to the Border for DHCP and external access.

Same‑VN intra‑subnet and inter‑subnet communication occurs via VXLAN encapsulation/decapsulation across Edge devices.

External network access is achieved by advertising external routes via BGP to the Border, which forwards traffic to the firewall.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
