What is Virtual Extensible LAN (VXLAN)?


Updated on July 18, 2025

Network virtualization has become critical for modern data centers, but traditional VLANs hit a wall at 4,094 segments. Virtual Extensible LAN (VXLAN) smashes through this barrier, enabling up to 16 million logical network segments while stretching Layer 2 networks across Layer 3 infrastructure.

VXLAN addresses the scalability and mobility challenges that network architects face when designing large-scale, multi-tenant environments. Whether you’re building cloud infrastructure or managing enterprise data centers, understanding VXLAN’s encapsulation mechanisms and overlay capabilities is essential for creating flexible, scalable network architectures.

This guide breaks down VXLAN’s technical fundamentals, from packet encapsulation to VTEP operations, helping you understand when and how to implement this powerful network virtualization technology.

Definition and Core Concepts

VXLAN is an Internet Engineering Task Force (IETF) standard network virtualization technology that encapsulates Layer 2 Ethernet frames within Layer 4 User Datagram Protocol (UDP) packets. This creates an overlay network that spans physical Layer 3 IP networks, enabling up to 16 million virtual Layer 2 segments.

Network Virtualization Fundamentals

Network virtualization creates logical networks on top of physical infrastructure. VXLAN implements this by building overlay networks — virtual networks constructed over existing physical networks (the underlay). The underlay network consists of the physical IP infrastructure that transports encapsulated VXLAN packets.

VLAN Limitations Drive VXLAN Adoption

Traditional VLANs use a 12-bit identifier, limiting networks to 4,094 segments. This constraint becomes problematic in large-scale data centers with thousands of tenants or applications requiring network isolation. VXLAN solves this with a 24-bit VXLAN Network Identifier (VNI), supporting approximately 16 million segments.

Key VXLAN Components

The VXLAN Tunnel Endpoint (VTEP) serves as the critical component that performs encapsulation and decapsulation. VTEPs can be physical switches, hypervisors, or software-based network devices. They add and remove VXLAN headers while maintaining MAC address tables for their local segments.

VXLAN uses UDP port 4789 as the standard destination port for all VXLAN traffic. The encapsulation method, called MAC-in-UDP, wraps original Ethernet frames inside UDP packets for transport across the IP underlay network.

How It Works

VXLAN’s operation involves a four-step process: encapsulation at the source VTEP, transmission across the underlay network, decapsulation at the destination VTEP, and final forwarding to the target host.

Original Frame Encapsulation at Source VTEP

When an Ethernet frame from a virtual machine or host reaches the source VTEP, the device determines the destination VXLAN segment based on the inner frame’s VLAN ID or configured mapping policies. The VTEP then adds an 8-byte VXLAN header containing the 24-bit VNI, flags, and reserved fields to the original Ethernet frame.

Next, the VTEP encapsulates this VXLAN frame into a standard UDP header. The source port typically uses a hash of the inner packet fields for load balancing, while the destination port remains 4789. Finally, an outer IP header (containing source and destination VTEP IP addresses) and outer Ethernet header complete the encapsulation process.

Transmission Over Underlay Network

The fully encapsulated packet travels across the underlying Layer 3 IP network like any standard IP packet. Intermediate routers examine only the outer IP header and remain unaware of the VXLAN overlay traffic. This separation allows the overlay and underlay networks to operate independently.

Decapsulation at Destination VTEP

Upon receiving the encapsulated packet, the destination VTEP removes the outer Ethernet, outer IP, and UDP headers. It then reads the VNI from the VXLAN header to identify the correct local segment, strips the header, and extracts the original Ethernet frame.

Forwarding to Destination Host

The destination VTEP forwards the decapsulated original Ethernet frame to the target VM or host within the appropriate local Layer 2 segment. The destination host receives the frame as if it originated from the same physical network segment.
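
The four steps above can be traced at the byte level. The following is an added example, not code from this guide or from any VTEP implementation: it builds the UDP and VXLAN headers around a constructed inner frame, then performs the destination-side checks before decapsulating. The function names, the CRC32 source-port hash, and the sample frame are assumptions; the header layout (flags byte with the I bit, 24-bit VNI) follows RFC 7348, and the outer IP and Ethernet headers are left to the sending stack.

```python
import struct
import zlib

VXLAN_PORT = 4789          # standard destination port named in the text
FLAG_VNI_VALID = 0x08      # "I" flag from RFC 7348: the VNI field is valid


def vxlan_header(vni: int) -> bytes:
    """Build the 8-byte header: flags(8) reserved(24) VNI(24) reserved(8)."""
    if not 0 <= vni < 2**24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)


def source_port(inner_frame: bytes) -> int:
    """Derive the UDP source port from the inner MAC addresses so that one
    flow hashes to one underlay path. CRC32 is a stand-in hash (assumption)."""
    return 49152 + zlib.crc32(inner_frame[:12]) % 16384


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Return UDP header + VXLAN header + inner frame."""
    payload = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", source_port(inner_frame), VXLAN_PORT,
                      8 + len(payload), 0)  # checksum 0 = not computed (IPv4)
    return udp + payload


def decapsulate(datagram: bytes, local_vnis: set) -> tuple:
    """Destination-VTEP side: validate, then return (vni, inner_frame)."""
    if len(datagram) < 16 + 14:   # UDP + VXLAN + minimal Ethernet header
        raise ValueError("truncated VXLAN packet")
    _sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_PORT or length != len(datagram):
        raise ValueError("not a well-formed VXLAN datagram")
    word0, word1 = struct.unpack("!II", datagram[8:16])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag clear: VNI not valid")
    vni = word1 >> 8
    if vni not in local_vnis:
        # Frames for a segment this VTEP does not serve are dropped.
        raise ValueError(f"VNI {vni} is not configured on this VTEP")
    return vni, datagram[16:]


# Constructed sample: dst MAC, src MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = bytes.fromhex("02000000000b" "02000000000a" "0800") + b"\x00" * 46
```

Rejecting packets whose VNI is not configured locally is what keeps a frame from one segment out of another at the receiving VTEP.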

Learning and Flooding (BUM Traffic)

VTEPs learn MAC addresses by observing traffic patterns, similar to traditional Layer 2 switches. For Broadcast, Unknown Unicast, and Multicast (BUM) traffic, VXLAN networks typically use IP multicast in the underlay network or head-end replication, where the source VTEP creates individual copies for each destination VTEP.

Key Features and Components

VXLAN delivers several critical capabilities that address modern data center networking challenges.

Massive Scalability

VXLAN’s 24-bit VNI provides 16 million possible segments compared to VLAN’s 4,094 limit. This scalability supports large cloud environments, extensive multi-tenancy, and complex application architectures without network segmentation constraints.

Layer 2 Over Layer 3 Extension

VXLAN stretches Layer 2 networks across geographically dispersed Layer 3 IP infrastructure. This capability enables seamless workload mobility, disaster recovery scenarios, and consistent network policies across multiple data centers.

Multi-Tenancy Support

Strong isolation between virtual networks allows multiple tenants to share physical infrastructure while maintaining complete network separation. Each tenant can use overlapping IP address spaces without conflicts.

Workload Mobility

VXLAN facilitates seamless VM migration across physical Layer 3 boundaries without requiring IP address changes. Virtual machines maintain their network identity regardless of physical location.

Decoupled Underlay and Overlay Management

The separation between physical (underlay) and virtual (overlay) networks allows independent management and evolution. Network administrators can modify underlay routing protocols or upgrade physical infrastructure without affecting overlay network configurations.

Improved Network Utilization

VXLAN leverages Layer 3 routing protocols like Equal-Cost Multi-Path (ECMP) in the underlay network for efficient load balancing and optimal path utilization.

Use Cases and Applications

VXLAN addresses specific networking challenges across various deployment scenarios.

Large-Scale Data Center Network Virtualization

Modern data centers require logical network segments for numerous workloads, applications, and tenants. VXLAN provides the scalability to support thousands of isolated network segments while maintaining performance and security.

Cloud Service Provider Multi-Tenancy

Cloud providers use VXLAN to isolate customer networks on shared physical infrastructure. Each customer receives dedicated virtual networks with complete isolation from other tenants.

Stretching Layer 2 Networks Across Data Centers

VXLAN enables Layer 2 network extension between geographically separated data centers. This capability supports disaster recovery, workload migration, and business continuity requirements.

Hybrid Cloud Connectivity

Organizations deploying hybrid cloud architectures use VXLAN to maintain consistent networking for workloads spanning on-premises and public cloud environments.

Software-Defined Networking (SDN) and Network Functions Virtualization (NFV)

VXLAN provides the underlying overlay fabric for programmable networks, enabling centralized policy management and dynamic network provisioning.

Microservices Architectures

Container and microservices deployments benefit from VXLAN’s ability to provide Layer 2 connectivity across distributed environments while maintaining service isolation.

Advantages and Trade-offs

VXLAN offers significant benefits but requires careful consideration of potential limitations.

Advantages

  • Extreme Scalability: VXLAN’s 16 million segment limit far exceeds traditional VLAN constraints, supporting massive multi-tenant environments.
  • Flexibility and Mobility: Layer 2 extension over Layer 3 infrastructure enables VM mobility and network stretching across disparate physical locations.
  • Resource Optimization: Efficient Layer 3 routing protocols like ECMP in the underlay network improve bandwidth utilization and provide multiple path redundancy.
  • Multi-Tenancy Isolation: Robust logical separation supports multiple customers or applications on shared infrastructure without security concerns.
  • Simplified Management: Decoupling underlay from overlay networks simplifies infrastructure changes and reduces operational complexity.
  • Vendor Interoperability: Wide industry support ensures compatibility across major networking equipment manufacturers.

Trade-offs and Limitations

  • Encapsulation Overhead: VXLAN adds 50-54 bytes of overhead per packet, including the VXLAN header, UDP header, and outer IP header. This requires larger Maximum Transmission Unit (MTU) sizes in the underlay network, typically 1,554 bytes for IPv4.
  • Increased Complexity: VXLAN requires careful design and configuration of both underlay and overlay networks. Troubleshooting becomes more complex due to the additional encapsulation layers.
  • Underlay Network Requirements: The underlay network must be robust and scalable. Efficient BUM traffic handling often requires IP multicast support, though head-end replication provides an alternative.
  • Control Plane Dependence: Optimal VXLAN operation requires a control plane for efficient MAC address learning and VTEP discovery. Options include Ethernet VPN (EVPN) or initial flood-and-learn mechanisms.

Key Terms Appendix

  • Virtual Extensible LAN (VXLAN): Network virtualization technology that encapsulates Layer 2 Ethernet frames in Layer 4 UDP packets to create scalable overlay networks.
  • VLAN (Virtual Local Area Network): Layer 2 network segmentation technology limited to 4,094 segments using a 12-bit identifier.
  • Encapsulation: The process of wrapping a data packet with additional headers for transmission across different network layers.
  • UDP (User Datagram Protocol): Connectionless transport protocol used by VXLAN for frame encapsulation.
  • VXLAN Network Identifier (VNI): 24-bit identifier for VXLAN segments, enabling up to 16 million unique segments.
  • VXLAN Tunnel Endpoint (VTEP): Network device that performs VXLAN encapsulation and decapsulation operations.
  • Overlay Network: Virtual network constructed on top of physical network infrastructure.
  • Underlay Network: Physical network infrastructure that transports overlay traffic.
  • Layer 2 (Data Link Layer): OSI model layer handling MAC addresses and Ethernet frames.
  • Layer 3 (Network Layer): OSI model layer managing IP addresses and routing functions.
  • Multi-Tenancy: Capability to host multiple independent customer environments on shared infrastructure.
  • Workload Mobility: Ability to move virtual machines or containers across physical hosts without network reconfiguration.
  • MTU (Maximum Transmission Unit): Largest packet size transmittable without fragmentation.
  • EVPN (Ethernet VPN): Control plane protocol used with VXLAN for efficient MAC address learning and VTEP discovery.
  • BUM Traffic: Broadcast, Unknown Unicast, and Multicast traffic requiring special handling in overlay networks.
  • IP Multicast: Efficient method for sending traffic to multiple interested receivers simultaneously.
  • Head-End Replication: Method for handling BUM traffic by replicating packets at the source VTEP.
  • ECMP (Equal-Cost Multi-Path): Routing strategy that load balances traffic across multiple paths of equal cost.
