What is VXLAN used for?
VXLANs are used to accomplish network segmentation beyond what classic VLANs can deliver. Classic VLANs offer only 4094 virtual networks, while VXLANs offer up to 16 million. Network segmentation has two primary uses: allowing multiple tenants to share a single physical network without seeing one another’s traffic and allowing for the reuse of IP address space. It’s also possible to configure network segments with differentiated quality-of-service (QoS) policies and service-level agreements (SLAs).
VXLAN is primarily used within large data centers, service provider networks, and cloud operator networks where the 4094 virtual network limit of classic VLANs is too constraining. That said, as VXLAN becomes supported by more—and less expensive—switch processors, it’s beginning to move out of the data center and into campus networks.
Is VXLAN a standard?
Yes, the VXLAN standard was created in 2014 by the IETF and is specified in RFC 7348.
Is VXLAN a Layer 3 standard?
VXLAN is sometimes considered a Layer 3 protocol because it relies on an IP (Layer 3) transport network. It’s sometimes also considered a Layer 4 standard, because it encapsulates Ethernet frames in UDP, affecting Layer 4 UDP by operation.
Does VXLAN replace VLAN?
VXLANs do not entirely replace VLANs; in some circumstances, such as large service provider data centers, both standards may be used. VXLANs may be used to segment the service provider’s global network, isolating each customer on its own VXLAN while enabling each customer to create private VLANs within their VXLAN.
What’s the basic difference between VXLAN, VLAN, and QinQ technologies?
VLAN, QinQ, and VXLAN are all standards used for logically segmenting physical networks into multiple virtual networks. Each standard respectively provides greater scalability than the last. Networks are usually segmented for security reasons and to support differentiated QoS requirements, which are usually part of SLAs.
VLANs were the first to be standardized in 1998; QinQ built on VLANs to expand the number of logical networks that can be created. QinQ also enables enterprise/business VLANs to be supported across public WAN services. VXLAN offers the greatest extensibility and flexibility of the three technologies.
Technically, the differences among these technologies lie in how they tag and encapsulate Ethernet frames before transmission over communications networks.
What are the more technical distinctions between VXLAN, VLAN, and QinQ?
Understanding these different virtualization technologies requires a basic grasp of how Ethernet networks operate. An Ethernet frame consists of a header with data-forwarding information, such as the source and destination MAC and IP addresses, and a payload containing the actual data to be transmitted. For these frames to be successfully forwarded from one location to another, every network element involved in the communications chain, such as network interface cards, switches, and routers, must understand the Ethernet and virtualization standards involved.
VLAN and QinQ both extend the length of the basic Ethernet frame header, requiring that all network devices (both endpoints, as well as all intermediate devices) support the standards. By contrast, VXLAN does not extend the Ethernet frame header, thus only requiring support for the standard on the devices serving as the VTEPs.
The VLAN standard created in 1998 extends Ethernet frame headers by 4 bytes, allowing Ethernet frames to be “tagged” as belonging to one of up to 4094 virtual networks. QinQ extends the VLAN standard to allow 4094 “private” VLANs to be created on each of 4094 “public” VLANs, or 16 million VLANs in total. To get the job done, it also extends the Ethernet frame header by 4 bytes.
Like QinQ, the VXLAN standard, created in 2014, supports up to 16 million virtual networks. While it doesn’t extend the Ethernet frame header, it does require an increased maximum IP packet size, extending IPv4 packets from 1518 bytes to 1554 bytes. VXLAN packets encapsulate the original Ethernet frame inside a UDP packet. The new UDP packet contains both the VXLAN header and the complete original Ethernet frame inside its payload. UDP, often used for delay-sensitive traffic, is the connectionless Layer 4 communications protocol in the core Internet protocol suite that’s a lower-latency alternative to connection-oriented TCP.
Are VXLAN, VLAN, and QinQ typically used together?
Hypothetically, you can use traditional VLANs, QinQ VLANs, and VXLANs all at the same time. This is because of where the network identifiers exist within the data packet. VXLANs don’t change or extend the format of the UDP packet in which they are encapsulated, nor do they change or extend the outer Ethernet frame in which that UDP packet is carried. That’s because VXLAN packets are contained within the payload of a UDP packet (not the header). They include a VXLAN header and the complete original Ethernet frame that ultimately was to be transmitted. VXLAN-in-UDP packets, then, can have outer Ethernet frames that also contain VLAN and QinQ identifiers.
In other words, in a VXLAN packet, there are three places where virtual networks can be defined: the outer Ethernet frame, the VXLAN header, and the inner Ethernet frame, and each of these sets of virtual networks can be completely distinct from one another. This can result in a packet where the outer Ethernet frame can support 16 million virtual networks, the VLXAN header can support an additional 16 million virtual networks, and then the inner Ethernet frame can support another 16 million virtual networks.
In enterprise networking practice, however, networks tend to be either VLAN or VXLAN-based. When technologies are combined, it is typically by network and cloud service providers who offer business customers the ability to use VLANs within their own VXLAN. This scenario makes use of VLANs on the inner Ethernet frame, as well as the virtual network capabilities of the VXLAN header, but does not make use of VLANs on the outer Ethernet frame.
Is VXLAN better than VLAN?
VXLANs and VLANs, while superficially similar, solve the same problem in different ways. This means that they get used in different circumstances and that they are not mutually exclusive.
Today nearly every switch sold can support at least basic VLANs, and most – including many consumer switches – can support QinQ. EVPN-VXLAN support is typically limited to more capable enterprise or carrier-grade switches.
VXLANs are considered the more efficient technology. The reason is that only the switches that contain VTEPs carry an additional look-up table (LUT) burden in a VXLAN-based network, and they only need to do so for the virtual networks for which they have VTEPs, not for the entire network. This contrasts with VLAN-based networks, such as QinQ, which supports the same 16 million potential virtual networks as VXLAN but requires that all switches assume the extra burden.
What are the technical details of VXLAN efficiency, compared to QinQ VLANs?
QinQ VLANs require that every device that may interact with a QinQ packet support the extended Ethernet header. VXLAN requires that every device that may interact with a VXLAN packet support the longer Ethernet frame, but requires only those devices with VTEPs to support decapsulation and reading of the VXLAN header.
Because both classic VLAN and its QinQ extension simply add a tag to the Ethernet frame header, every switch that sees a VLAN or QinQ packet will store metadata about every packet. This results in rapidly expanding LUTs, as each switch needs to know where every single device on the entire network is.
Because VXLANs encapsulate the original Ethernet frame, they separate the network into an “underlay” and an “overlay.” The underlay is the physical network that transmits the UDP packets in which the VXLAN header and the original Ethernet frame reside. The majority of the physical switches transmitting these UDP packets do not need to store information about either the VXLAN header or the original Ethernet frame: all they need to know is where to deliver the UDP packet.
When the UDP packet arrives at a switch with a relevant VTEP, the UDP packet is decapsulated, and the switch with the VTEP then reads the VXLAN header and encapsulated Ethernet frame’s header information, adding that data to its LUT. As a result, only the switches containing VTEPs carry the additional LUT burden of virtual networks in a VXLAN-based network, and they only need to carry that burden for the virtual networks for which they have VTEPs, not for the entire network. This contrasts with VLAN-based networks, where all switches would have to do so.
A large VXLAN-based network is thus far more efficient from a LUT resource usage standpoint than a VLAN/QinQ-based network. However, the VXLAN-based network requires switches that support VTEPs, something currently restricted to higher-end switches.
What is the difference between VXLAN and EVPN?
All types of virtual LANs are a means of segmenting physical networks into multiple, private, virtual networks. Ethernet VPN (EPVN) and VXLAN are frequently used together but they are technically independent with different objectives.
VXLANs expand Layer 2 address space from about 4000 to about 16 million to extend Ethernet networks across broader IP networks, slicing up the physical network so that multiple tenants can share its resources without seeing one another’s traffic. EVPN enables the creation of virtual networks that comprise switch ports and other resources from different equipment and network domains. EVPN is basically a way to enable computers that aren’t connected to the same physical network and might be geographically remote from one another to behave as though they were plugged into the same physical switch, with all nodes part of that EVPN receiving data broadcasts as though connected to a traditional Layer 2 local network.
Why would I use VXLAN and EVPN together?
When you combine these technologies into an EVPN-VXLAN, you gain ultimate network configuration flexibility; the physical location of a computer has no bearing on the network to which it’s connected. A single 32-port switch could have each port exposing a different VXLAN, meaning that a computer plugged into any port would be unable to talk to any other computer plugged into another port on that same switch without a router to provide connectivity. EVPN, however, allows you to build virtual Ethernet networks such that, with the right configuration, computers in two different cities can be part of the same subnet.
What VXLAN solutions does Juniper offer?
Juniper offers VXLAN VTEP support in several of our switches and routers along with options for configuring and managing VXLAN and EVPN-VXLAN data center fabrics:
- Select Juniper networking devices, including QFX Series Switches, EX Series Switches, and MX Series Universal Routers, can serve as VTEPs, forwarding UDP packets containing VXLAN headers and the encapsulated Ethernet frame, because they do not need to be aware of the VXLAN contents.
- EVPN-VXLAN data center fabrics can be managed manually through the Junos operating system CLI, the Junos OS API, or the Juniper Apstra data center fabric manager.
- Juniper’s AI-driven campus fabrics, based on a VXLAN overlay with an EVPN control plane, deliver an efficient and scalable way to build and interconnect enterprise networks with consistency.
- Select Juniper SRX Series Firewalls support security inspection of VXLAN tunnels.