With the widespread adoption of cloud technology, data centers play a huge role in running key applications and business processes for organizations around the world. In 2022, IT spending on data centers is expected to reach $227 billion, and $237 billion by 2023.
To run these data centers profitably and deliver quality service to their customers, organizations constantly try to squeeze maximum performance out of the hardware. Two technologies, VLANs (Virtual Local Area Networks) and VXLANs (Virtual eXtensible Local Area Networks), improve network efficiency and contribute to security. In this article, we explore what they are, how they work, and the differences between VXLAN and VLAN.
What is VLAN?
VLAN stands for Virtual LAN or Virtual Local Area Network. VLANs create virtual networks within a local area network and let you group devices logically. For example, in an office or school LAN, all devices sit on one network, usually connected by a switch, and all of them share one broadcast domain. If the devices hang off a hub rather than a switch, they also share a single collision domain.
This presents a couple of problems. On a hub, frames from different devices collide and have to be resent, which wastes bandwidth. A switch avoids collisions by giving each port its own collision domain, but every port on the switch, and on any switch connected to it, still belongs to the same broadcast domain, so every broadcast, ARP request and unknown-unicast flood reaches every device. Network efficiency decreases further as the number of devices increases.
With VLANs, you can create multiple smaller broadcast domains and use them to group devices that frequently communicate with each other. For example, instead of putting every device in an office into a single broadcast domain, you can create separate VLANs for the finance, HR, and marketing departments.
How do VLANs work?
Conceptually, a VLAN-capable switch behaves like several virtual switches sharing one physical chassis, with each virtual switch handling the traffic of a single VLAN. You configure each access port on the physical switch to belong to exactly one VLAN, and the switch only forwards frames between ports in the same VLAN.
You can also connect these virtual switches to the virtual switches of the same VLAN on another physical switch.
Done naively, this is not scalable: for every VLAN you need a separate physical link between the physical switches. With three VLANs and two switches, you need three cables to join the three virtual switches, and a physical switch has only so many ports.
To solve this, a way was devised to carry multiple VLANs across a single link, called a trunk port (standardized as IEEE 802.1Q). A trunk carries the frames of all the VLANs it is configured for over one port on each physical switch.
Every IP packet has a layer 3 header with source and destination IP addresses, wrapped in a layer 2 Ethernet frame whose header carries the MAC addresses. When a frame is sent over a trunk port, the switch inserts a 4-byte 802.1Q tag into the Ethernet header, right after the source MAC address. The tag carries the VID, or VLAN ID, which identifies the VLAN the frame belongs to, and the receiving switch uses it to forward the frame only to ports in that VLAN.
The VID is a 12-bit field, which gives 4096 possible values. VID 0 is reserved to mean "priority-tagged, no VLAN membership" and VID 4095 is reserved for implementation use, so you can have at most 4094 VLANs on a single network.
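To make the tag format concrete, here is an added example (not code from the original article) that builds Ethernet frames with and without 802.1Q tags and parses the tag back out: the 12-bit VID mask, the priority bits next to it, the two reserved VIDs, and what happens on a trunk whose native VLAN is 1. The MAC addresses and payload are constructed for the example, and the double-tagged (QinQ, 802.1ad) frame goes slightly beyond the article to show why a switch only acts on the outermost tag.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # IEEE 802.1Q tag (TPID)
ETHERTYPE_QINQ = 0x88A8   # IEEE 802.1ad service tag, the outer tag of a QinQ frame
ETHERTYPE_IPV4 = 0x0800
TAG_TPIDS = {ETHERTYPE_VLAN, ETHERTYPE_QINQ}


def build_tag(vid, pcp=0, dei=0, tpid=ETHERTYPE_VLAN):
    """Return one 4-byte tag: 16-bit TPID followed by the 16-bit TCI (PCP:3, DEI:1, VID:12)."""
    if not 0 <= vid <= 0xFFF:
        raise ValueError("VID is a 12-bit field")
    tci = ((pcp & 0x7) << 13) | ((dei & 0x1) << 12) | vid
    return struct.pack("!HH", tpid, tci)


def build_frame(dst, src, ethertype, payload, tags=()):
    """Build an Ethernet frame; tags (outermost first) are inserted right after the source MAC."""
    return dst + src + b"".join(tags) + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Peel every 802.1Q/802.1ad tag off a frame.

    Returns the MACs, the tags outermost first, the VID the frame is a member of
    (None for untagged and priority-tagged frames), the inner EtherType and payload.
    A frame tagged with the reserved VID 4095 is rejected.
    """
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src = frame[0:6], frame[6:12]
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        if etype not in TAG_TPIDS:
            break
        if offset + 2 > len(frame):
            raise ValueError("truncated tag")
        (tci,) = struct.unpack_from("!H", frame, offset)
        offset += 2
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0xFFF})
    vid = None
    if tags:
        vid = tags[0]["vid"]              # a switch acts on the outermost tag only
        if vid == 0xFFF:
            raise ValueError("VID 4095 is reserved; drop the frame")
        if vid == 0:
            vid = None                    # priority-tagged: carries PCP but no VLAN membership
    return {"dst": dst, "src": src, "tags": tags, "vid": vid,
            "ethertype": etype, "payload": frame[offset:]}


def vlan_for_port(frame, native_vid):
    """VLAN a switch forwards the frame in when it arrives on a trunk whose native VLAN is native_vid."""
    vid = parse_frame(frame)["vid"]
    return native_vid if vid is None else vid


# Constructed sample frames (MACs and payload are made up for the example).
PC_A = bytes.fromhex("02aa00000001")
PC_B = bytes.fromhex("02bb00000002")
PAYLOAD = b"constructed IPv4 payload"

UNTAGGED = build_frame(PC_B, PC_A, ETHERTYPE_IPV4, PAYLOAD)
TAGGED = build_frame(PC_B, PC_A, ETHERTYPE_IPV4, PAYLOAD, tags=[build_tag(100, pcp=5)])
PRIORITY_TAGGED = build_frame(PC_B, PC_A, ETHERTYPE_IPV4, PAYLOAD, tags=[build_tag(0, pcp=7)])
QINQ = build_frame(PC_B, PC_A, ETHERTYPE_IPV4, PAYLOAD,
                   tags=[build_tag(200, tpid=ETHERTYPE_QINQ), build_tag(100)])
RESERVED = build_frame(PC_B, PC_A, ETHERTYPE_IPV4, PAYLOAD, tags=[build_tag(4095)])

if __name__ == "__main__":
    for name, frame in [("untagged", UNTAGGED), ("tagged", TAGGED),
                        ("priority-tagged", PRIORITY_TAGGED), ("QinQ", QINQ)]:
        parsed = parse_frame(frame)
        print("%-16s vid=%s tags=%s forwarded in VLAN %d" % (
            name, parsed["vid"], [t["vid"] for t in parsed["tags"]],
            vlan_for_port(frame, native_vid=1)))
```

Note what `vlan_for_port` does with untagged and priority-tagged frames: they land in the trunk's native VLAN. That is why the native VLAN of a trunk should be one that carries no user traffic; a frame that arrives untagged is otherwise silently placed into whatever VLAN the native VLAN happens to be.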
What is VXLAN?
VXLAN, or Virtual eXtensible Local Area Network, is a tunneling protocol (RFC 7348) that carries layer 2 Ethernet frames over a layer 3 IP network, using UDP (destination port 4789) as the transport: Ethernet over IP.
The need for VXLAN came from the limitations of VLANs and the arrival of server virtualization. Because of the 12-bit identifier, a VLAN deployment can have at most 4094 virtual networks. VXLAN uses a 24-bit identifier, the VXLAN Network Identifier (VNI), which allows roughly 16 million (2^24) segments.
With server virtualization, each physical server hosts multiple virtual machines, each with its own IP address and operating system. Different customers may use these VMs, and to maintain the servers, keep services running and use resources efficiently, you need dynamic VM migration: in a data center, you should be able to move a VM from one physical server to another without the user noticing.
For that to work, the VM's IP address must stay the same, which means the source and destination hosts must sit on the same layer 2 segment. Stretching that segment across a data center with VLANs runs into the 4094-VLAN limit, which tenants and applications quickly use up, and forces a large, flat layer 2 domain in which every switch has to learn every VM's MAC address.
How VXLAN works
VXLAN creates layer 2 networks that span a layer 3 infrastructure: Ethernet over IP. The Ethernet segment is the overlay network and the IP network is the underlay. A VTEP, or VXLAN Tunnel End Point, encapsulates each layer 2 Ethernet frame in a VXLAN packet by prepending a VXLAN header, a UDP header, an outer IP header and an outer Ethernet header. The 8-byte VXLAN header carries the VNI, which identifies the tenant segment, that is, the specific VXLAN the frame belongs to.
Frames from the source server, encapsulated by a VTEP, travel through the tunnel to another VTEP, which decapsulates them and delivers them to the destination server. A VTEP can be a physical device or software running on a server. To know which remote VTEP hosts a destination MAC address, a VTEP either floods unknown traffic to every VTEP in the VNI (over IP multicast, as RFC 7348 describes) and learns from the replies, or it receives the mappings from a control plane such as BGP EVPN.
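The following added example (not the article's code) shows the encapsulation and decapsulation a VTEP performs, byte for byte: the outer Ethernet/IPv4/UDP headers, the 8-byte VXLAN header with its I flag and 24-bit VNI, and the checks a receiving VTEP applies before handing the inner frame to a VM. The VM and VTEP addresses, the inner payload and the peer list are constructed for the example. One check goes beyond the article: because VXLAN itself carries no authentication, the receiver accepts a VNI only from a remote VTEP that is allowed to deliver it.

```python
import socket
import struct
import zlib

VXLAN_UDP_PORT = 4789     # IANA-assigned destination port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08       # "I" flag: the VNI field is valid; receivers drop packets without it
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


class VxlanDrop(Exception):
    """Raised when a received packet must be dropped instead of decapsulated."""


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni):
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def encapsulate(inner, vni, src_ip, dst_ip, src_mac, dst_mac, ttl=64):
    """What a VTEP does on transmit: wrap an Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN."""
    # The UDP source port is a hash of the inner headers so the underlay's ECMP spreads
    # flows across links (RFC 7348 suggests the dynamic range 49152-65535 for it).
    src_port = 49152 + (zlib.crc32(inner[:14]) % 16384)
    udp_payload = vxlan_header(vni) + inner
    # A zero UDP checksum is permitted for VXLAN over IPv4 (RFC 7348 section 5).
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, IPPROTO_UDP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def decapsulate(packet, peers):
    """What the receiving VTEP does: validate the outer headers, return (vni, remote_vtep_ip, inner).

    `peers` maps a trusted remote VTEP IP to the set of VNIs it may deliver. VXLAN has no
    authentication of its own, so without a check like this any host that can reach UDP/4789
    on the VTEP could inject frames into a tenant's segment.
    """
    if len(packet) < 14 + 20 + 8 + 8:
        raise VxlanDrop("truncated packet")
    if struct.unpack_from("!H", packet, 12)[0] != ETHERTYPE_IPV4:
        raise VxlanDrop("outer frame is not IPv4")
    ip = packet[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ipv4_checksum(ip[:ihl]) != 0:
        raise VxlanDrop("bad outer IPv4 header")
    if ip[9] != IPPROTO_UDP:
        raise VxlanDrop("outer packet is not UDP")
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src_ip = socket.inet_ntoa(ip[12:16])
    udp = ip[ihl:total_len]
    if len(udp) < 16:
        raise VxlanDrop("truncated UDP/VXLAN header")
    _, dst_port, udp_len, _ = struct.unpack_from("!HHHH", udp, 0)
    if dst_port != VXLAN_UDP_PORT or udp_len != len(udp):
        raise VxlanDrop("not a well-formed VXLAN datagram")
    flags_word, vni_word = struct.unpack_from("!II", udp, 8)
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise VxlanDrop("I flag not set")        # RFC 7348: drop, never guess the VNI
    vni = vni_word >> 8                            # reserved bits are ignored on receipt
    if vni not in peers.get(src_ip, ()):
        raise VxlanDrop("VNI %d not permitted from %s" % (vni, src_ip))
    inner = udp[16:]
    if len(inner) < 14:
        raise VxlanDrop("inner frame too short to be Ethernet")
    return vni, src_ip, inner


# Constructed sample: VM A (behind VTEP A, 10.0.0.1) sends a frame to VM B (behind VTEP B,
# 10.0.0.2) on VNI 100. All addresses are made up for the example.
VM_A_MAC, VM_B_MAC = bytes.fromhex("02aa00000001"), bytes.fromhex("02bb00000002")
VTEP_A_MAC, VTEP_B_MAC = bytes.fromhex("0c1e00000001"), bytes.fromhex("0c1e00000002")
INNER = VM_B_MAC + VM_A_MAC + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed inner IPv4 payload"
PEERS_OF_B = {"10.0.0.1": {100, 200}}   # VTEP B trusts VTEP A for VNIs 100 and 200 only
PACKET = encapsulate(INNER, 100, "10.0.0.1", "10.0.0.2", VTEP_A_MAC, VTEP_B_MAC)

if __name__ == "__main__":
    vni, peer, inner = decapsulate(PACKET, PEERS_OF_B)
    print("VNI %d from VTEP %s, inner %s -> %s" % (vni, peer, inner[6:12].hex(":"), inner[:6].hex(":")))
```

The overhead is visible in the lengths: 14 + 20 + 8 + 8 = 50 bytes in front of every inner frame, which is why the underlay MTU has to be raised (or the overlay MTU lowered) when VXLAN is introduced. The peer allowlist stands in for what a real deployment gets from its control plane or from filtering UDP/4789 at the VTEP.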
VLAN vs. VXLAN: What are the differences?
Time to put VLAN and VXLAN side by side. While VXLAN was developed to overcome the limitations of VLANs, the two are applied differently, and many VXLAN deployments involve VLANs only at the edge, between a host and its VTEP, if at all. That said, here are the main differences between VXLAN and VLAN.
VLAN has a 12-bit identifier, the VID, while VXLAN has a 24-bit identifier, the VXLAN Network Identifier (VNI). So VLANs give you at most 4094 networks over one Ethernet infrastructure, while VXLAN gives you up to roughly 16 million. Across the whole infrastructure, that lets you isolate networks much more finely and run them more efficiently.
With VLANs, a single layer 2 network is partitioned into multiple broadcast domains by tagging frames, all within one LAN. With VXLAN, a layer 2 network is overlaid on an IP underlay: each Ethernet frame is encapsulated in a UDP packet and sent through a VXLAN tunnel.
VLANs are widely used in enterprises to group devices for better network performance and security. VXLAN provides segmentation just like VLANs, but it is mainly used in data centers, where the segments must span a routed fabric and follow VMs as they migrate.
Another difference is that a VLAN fabric relies on the Spanning Tree Protocol to avoid loops, which blocks redundant links, so a good share of the installed bandwidth sits idle. VXLAN runs over a routed underlay that can use all links at once through equal-cost multipath (ECMP) routing, further improving efficiency.
What are the advantages of VLANs?
- Improved security: VLANs let you carve one physical network into many smaller ones without adding hardware. With this, you can segment and group devices and prevent unauthorized access: network managers can watch each segment, put firewalls between them, and restrict access to individual VLANs. For example, you can keep sensitive systems in a private VLAN while opening up a separate VLAN for public use, and even within an organization, segmenting devices improves security. Keep in mind that the isolation is only as good as the switch configuration and the firewall in front of the VLAN: traffic between VLANs has to pass through a router or firewall, so that is where the access policy must be enforced.
- Improved performance: When every device receives every broadcast, the network gets congested and the bandwidth left for actual communication shrinks. With VLANs, you group devices that communicate frequently, shrink the broadcast domain, and keep bandwidth free. Small broadcast domains are also easier to handle.
- Improved network flexibility: With VLANs, you're not limited by the physical location of the devices. You can group devices based on their function or the department they belong to instead of their physical location. If employees move to a different location in the company, they can still connect to the same VLAN to work.
- Reduced cost: Switches usually only reduce the collision domain; you need routers to reduce the broadcast domain, and routers tend to be expensive. With VLANs, you can segment the network into multiple broadcast domains at low cost.
- Simplified IT management: For the IT department, small networks with fewer devices are easier to manage and troubleshoot than a single large one. They also give more granular control: depending on the specific use case, you can configure the security of each individual network.
What are the advantages of VXLANs?
- Improved scalability: Compared to VLAN, VXLAN is highly scalable, allowing 16 million isolated networks. This makes it easy to scale and highly useful in data centers, letting them accommodate more tenants.
- Supports dynamic VM migration: This is very important for continuity of service and efficient use of resources in a data center. It lets managers upgrade or maintain servers by moving the VMs to another server without interrupting services or the user noticing. If a business wants redundant servers at a different geographical location, it can manage the VMs across sites with VXLAN, which keeps the data center robust and reliable.
- Easy to configure and manage: VXLAN is usually deployed as part of a software-defined network (even though vendors have built ASICs that do the encapsulation in hardware) and works as an overlay over the existing IP network, so the overlay can be managed and monitored from a centralized controller.
Being an overlay network brings a lot of additional advantages for VXLAN.
VXLAN: overlay over an underlying IP network
As discussed earlier, VXLAN is a layer 2 virtual network over a layer 3 IP network. This works through encapsulation and decapsulation: at the edges, layer 2 frames are wrapped in layer 3 packets, which are then routed through the IP network.
This means the overlay and the physical IP network are decoupled, and you can change either without touching the other. It doesn't mean there is no impact at all: if the underlay can't carry the traffic, the overlay's performance suffers.
Another benefit is that duplicate MAC addresses are far less likely to cause problems. In a flat layer 2 network, two VMs with the same MAC address confuse the switches, which no longer know where to send frames for that address. In VXLAN, duplicate MAC addresses are harmless as long as they sit in different VXLAN segments, because a VTEP keys its forwarding lookup on the VNI together with the MAC address.
The decoupled physical and virtual layers also mean tenants are not limited by the IP addresses or broadcast domains of the underlying IP network when planning their virtual networks.
A switch has to store in its MAC address table the address of every device it sees frames from and keep those entries current. The more devices, the more table memory it needs, and the more expensive the switch. With the overlay, the underlay switches only ever see the VTEPs' outer MAC addresses, not the VMs', so they have far fewer MAC addresses to learn.
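The two points above (duplicate MACs across segments, and the underlay learning only VTEP addresses) can be seen in a small simulation. This is an added example, not code from the article: a software VTEP that learns inner MAC addresses per VNI, and an underlay switch that learns from the outer frames only. The VTEP IPs, MACs and port numbers are constructed, and both tenants deliberately reuse the same VM MAC addresses.

```python
from collections import defaultdict

BROADCAST = bytes.fromhex("ffffffffffff")


class SoftwareVtep:
    """Forwarding state of one VTEP: overlay MACs are learned per VNI, keyed on (VNI, MAC)."""

    def __init__(self, ip):
        self.ip = ip
        self.overlay = {}                  # (vni, mac) -> IP of the remote VTEP the MAC lives behind
        self.members = defaultdict(set)    # vni -> remote VTEPs known to take part in that VNI

    def learn(self, vni, src_mac, remote_vtep):
        """Called on decapsulation: inner source MAC -> outer source IP, scoped by the VNI."""
        self.overlay[(vni, src_mac)] = remote_vtep
        self.members[vni].add(remote_vtep)

    def next_hops(self, vni, dst_mac):
        """Remote VTEPs to send to: one for known unicast, every member for broadcast/unknown unicast."""
        if dst_mac != BROADCAST and (vni, dst_mac) in self.overlay:
            return [self.overlay[(vni, dst_mac)]]
        return sorted(self.members[vni])


class UnderlaySwitch:
    """A plain switch in the IP underlay; it only ever learns the MACs of the outer (VTEP) frames."""

    def __init__(self):
        self.mac_table = {}               # outer MAC -> port

    def learn(self, outer_src_mac, port):
        self.mac_table[outer_src_mac] = port


def simulate(vms_per_vni):
    """Two tenants, VNI 100 and VNI 200, each behind its own remote VTEP with vms_per_vni VMs.

    Both tenants use the same VM MAC addresses, so every MAC appears in both VNIs.
    Returns (local VTEP, underlay switch) after each VM has sent one frame through the tunnel.
    """
    # Constructed addresses: remote VTEP IP, its outer MAC, and the underlay port it hangs off.
    remote = {100: ("10.0.0.2", bytes.fromhex("0c1e00000002"), 1),
              200: ("10.0.0.3", bytes.fromhex("0c1e00000003"), 2)}
    local = SoftwareVtep("10.0.0.1")
    underlay = UnderlaySwitch()
    for vni, (vtep_ip, vtep_mac, port) in remote.items():
        for i in range(vms_per_vni):
            vm_mac = bytes.fromhex("020000") + i.to_bytes(3, "big")   # 02:00:00:xx:xx:xx
            underlay.learn(vtep_mac, port)      # the underlay sees only the encapsulating VTEP
            local.learn(vni, vm_mac, vtep_ip)   # the VTEP learns the inner MAC, scoped by VNI
    return local, underlay


if __name__ == "__main__":
    vtep, switch = simulate(1000)
    dup = bytes.fromhex("020000000000")
    print("MAC %s in VNI 100 ->" % dup.hex(":"), vtep.next_hops(100, dup))
    print("MAC %s in VNI 200 ->" % dup.hex(":"), vtep.next_hops(200, dup))
    print("overlay entries:", len(vtep.overlay), " underlay MAC table entries:", len(switch.mac_table))
```

With 1000 VMs per tenant the VTEP holds 2000 overlay entries while the underlay switch holds exactly two, one per remote VTEP, and the same MAC resolves to a different tunnel endpoint depending on the VNI it is looked up in.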
How to deploy VXLAN? Three different methods
The deployment methods differ mainly in where the VTEP sits: in software on the host or in hardware on a network device.
1. Host-based VXLAN
As the name suggests, here the VXLAN tunnel terminates on the host: a virtual switch in the hypervisor acts as the VTEP, encapsulating and decapsulating frames. This is also called a software VTEP.
The virtual switch encapsulates frames before they leave for the physical network, and they are decapsulated only at the destination VTEP. Because both ends are inside hypervisor hosts, the physical network carries only IP traffic.
2. Gateway-based VXLAN
In a gateway-based VXLAN or a hardware VXLAN, the VTEP is within a switch or a router. These devices will then be referred to as VXLAN gateways.
Here, the switches or routers encapsulate and decapsulate the frames and build tunnels to other VTEPs. Traffic between the hosts and the gateways is plain layer 2 (often VLAN-tagged, with the gateway mapping each VLAN to a VNI), while the rest of the network sees only IP traffic.
3. Hybrid VXLAN
In a hybrid deployment, some VTEPs are in hardware and some in virtual switches on hosts. Traffic flows from the source VTEP to the destination VTEP, and either one may be hardware or software.
Frequently asked questions
What exactly is a VLAN?
VLAN or Virtual Local Area Network creates multiple smaller broadcast domains over a single Ethernet network. They are used to logically group together devices and improve network efficiency and security.
What exactly is VXLAN?
VXLAN or Virtual eXtensible Local Area Network overlays a layer 2 network on an underlying layer 3 IP network. It's used for large-scale segmentation and isolation and for handling many VMs in data centers.