Getty Images


VXLAN vs. VLAN: What's the difference?

VLANs offer security and traffic management benefits but have limitations in routing and scale. VXLANs address those challenges by creating a Layer 3 network overlay.

Network practitioners have used virtual LANs for years to link pieces of an application and isolate its data from other applications that use a different set of VLANs. But VLANs have some limitations that inhibit their use in large data centers and cloud environments.

How VLANs work

A VLAN creates an overlay network on top of a physical LAN. The VLAN operates at Layer 2, the data link layer, of the OSI model. Network admins can set up VLANs to segment traffic and resources for specific devices and departments.

VLANs offer enhanced security and traffic management for enterprise networks. But the IEEE 802.1Q standard limits the number of supported VLANs to a maximum of 4,096, due to the 12-bit VLAN tagging method detailed in the standard. This limit presents challenges in current environments with large data centers and clouds. It's especially notable for public clouds where applications simultaneously execute for multiple customers.

In large data centers, executable components that make up an application or provide a service may execute on multiple VMs spread across multiple servers -- in a single facility or in geographically remote centers. Because VLANs operate at Layer 2, application components cannot be routed to different subnets or across the network.

Diagram of VLAN segments for different departments
VLANs can segment traffic for different departments, using specific routing and security policies for each grouping.

How VXLANs work

The original Virtual Extensible LAN (VXLAN) concept has been available for several years. It is not an internet standard, but is documented in Internet Engineering Task Force RFC 7348. VMware and Cisco originally introduced VXLANs, but other equipment vendors eventually adopted them to address VLAN limitations. VXLANs provide a Layer 3 overlay network to resolve VLANs' inability to be routed and limited range of 4,096 VLANs per switching domain.

Applications continue to use VLANs, but VXLANs package an application's VLANs into User Datagram Protocol (UDP) packets that can be routed. VXLANs aren't visible to application components, so admins don't need to make any application changes. Each application receives a full set of 4,096 available VLANs.

VXLANs are identified by a 24-bit VXLAN network identifier (VNI), enabling as many as 16 million VXLANs within a single administrative domain, compared with the 4,096 limit for VLANs.

Diagram of a VXLAN
Learn how VXLAN technology works.


A virtual tunnel endpoint (VTEP) routes data between subnets or across the network. VTEPs often reside within a virtual system hypervisor but can be located within a router. The VTEP that supports a VXLAN must have access to the VLANs an application uses. It must also maintain interfaces to each of the network connections required to reach the systems where application components reside.

VXLANs provide a Layer 3 overlay network to resolve VLANs' inability to be routed and limited range of 4,096 VLANs per switching domain.

Before transmitting data, the VTEP wraps the data in a UDP packet. The packet header includes the destination IP address and an 8-byte VXLAN header. The VXLAN header contains the following info:

  • a 24-bit VNI;
  • an 8-bit flag field that has a single bit set to one; and
  • two other fields, which total 32 bits and are reserved for future use.

The receiving VTEP strips the UDP and VTEP headers before forwarding the VLAN data to the appropriate application components. Neither VTEP modifies the data, so the received data is identical to what the sending application component transmitted.

Multicast to communicate across the network

Rather than sending each packet multiple times, VTEPs use multicast routing to send each outgoing packet once to reach multiple destinations. Network management oversees the assignment of multicast groups and corresponding multicast addresses. Multicast IP addresses are those in the to range. An address is assigned to a VTEP for each application it supports.

When an application component initiates communication with another component, it operates just as it would in a non-VXLAN environment. If the destination is on the same subnet, it uses an Address Resolution Protocol (ARP) broadcast message to locate the other component. If the destination is on a different subnet, the application sends ARP messages for the first hop router, which may also serve as a VTEP. If the router isn't on, the application will send ARP messages to a VTEP.

The VTEP encapsulates the ARP request in UDP and VXLAN headers, sending the packet to the IP multicast group associated with the VXLAN segment to which the communicating components belong.

The VTEP that supports the destination application component removes the UDP and VXLAN headers, leaving the VLAN data just as the transmitting component sent it. The VTEP then locates the destination using an ARP packet, just as it would if the network was limited to a single system. Data packets and response messages transmit using the same methods as the original transmission.

Communicate outside the VXLAN

In some cases, applications need to communicate outside the VXLAN environment. If so, a VXLAN gateway removes the VXLAN and UDP headers and forwards the packet to the destinations. Responses travel to the gateway. VXLAN and UDP headers are attached, and the message travels back using the same way it came. Neither the source VM nor the destination equipment needs to be modified to take part in the interchange.

VXLANs useful for large environments

Many network overlay options are available -- each appropriate for some application environments -- but VXLANs continue to prove their value in large data centers and cloud environments. As organization make network changes or extensions, they can incorporate VXLANs accordingly.

This was last published in August 2022

Dig Deeper on Network Infrastructure