What is a VXLAN tunnel

Network virtualization with VXLAN and Linux

VXLAN stands for "Virtual Extensible Local Area Network". Standardized in RFC 7348 in August 2014, VXLAN is now also available as a virtual network interface in current Linux kernels. But what is VXLAN about?

What is VXLAN about?

If you read the keywords “virtual” and “LAN”, most people rightly think of VLAN. Here, a large physical network is logically divided into smaller networks. To do this, the corresponding connections are marked with VLAN tags. This can be done either on the sending host (tagged VLAN) or, for example, by the switch (port-based VLAN). These markings are already made on Layer 2, the data link layer in the OSI layer model. As a result, they can be meaningfully evaluated at a very low network level and undesired communication in the network can be suppressed. The IEEE 802.1Q standard defines a 12-bit width for the VLAN tag, which basically results in 4096 possible VLAN networks on an Ethernet installation.

VXLAN was designed to circumvent this limitation. VXLAN introduces a transmission technology based on OSI Layer 3 or Layer 4, which creates virtual Layer 2 environments. With the VXLAN logic, around 16 million (2 to the power of 24) VXLAN Layer 2 networks are possible, which in turn can map 4096 VLAN network sections. Initially, this should also be sufficient for very large Ethernet installations.

How can you set up such a VXLAN?

A VXLAN interface is then provided with, for example


to disposal. This command creates the device “vxlan0” as VXLAN with ID 42 on the physical interface “eth0”. Several VXLAN are differentiated on the basis of their ID. The instruction "group "defines the transmission to multicast and the associated multicast group. Alternatively, an IP of the target host based on the underlying network (eth0) could also be given with the“ remote ”command (unicast operation). With further instructions, the source and Destination ports for the underlying IP network can also be set to "eth0". The IANA standard is UDP port 4789.

With the command line


give the newly created VXLAN network interface a fixed IP address, here in the example

The command


activates the newly created network interface "vxlan0". This means that there is a virtual network based on IP multicast on the physical interface "eth0".

The "vxlan0" interface now basically behaves in the same way as an Ethernet interface. All other computers that select the VXLAN ID 42 and multicast group become part of this virtual Ethernet. On this one could now set up different VLANs again, for example with


set up a new VLAN on the VXLAN interface. In this case, the vxlan interface would not need to be given an IP address.

What can you do with it in practice?

Basically, VXLAN is suitable for use in a very large Ethernet, for example in cloud environments, to overcome the limit of 4096 VLAN.

Use as a test environment for network services

Alternatively, VXLAN can be used very well in test environments or virtualized environments in which full control over the layer 2 network to be used is required. If you want to test network infrastructure components or their configuration, such a completely isolated network is ideal. Control structures inserted by virtualization environments, which are particularly obstructive for such tests, can also be bypassed. My first practical contact with VXLAN was when testing a more complex DHCP setup on several virtual machines in OpenStack. The test was impossible for me on the network interfaces supplied by OpenStack, as I only had limited access to the network configurations on the side of the virtualization host and OpenStack filters dhcp packets from the network stream. This problem could be circumvented elegantly by setting up the test network on VXLAN. At the same time, it was ensured that the DHCP test had no influence on other parts of the OpenStack network. In addition, the Ethernet connection provided by OpenStack remained permanently usable for maintenance and monitoring purposes.

In unicast operation, for example, scenarios are also conceivable in which a Layer 2 network spanned by VXLAN is transported over several locations. There are switches or routers that support VXLAN and can serve as VTEP (VXLAN tunnel endpoints). This is used, for example, to connect two multicast VXLAN networks via unicast between the VTEP and thus transparently set up a large VXLAN.

Is VXLAN Safe?

VXLAN places an additional layer 2 infrastructure on top of an existing Ethernet infrastructure. This works with UDP packets in unicast or multicast. Encryption at the VXLAN level is not provided and would have to be carried out if necessary via higher protocol levels. IPSec solutions or TLS, for example, come into question here. Basically, a VXLAN is on a comparable security level as most other network protocols on Layer 2.

Possible problems?

With VXLAN, the user may encounter an "old friend" in the form of MTU problems. A standard Ethernet frame is 1,518 bytes long. This leaves 1,500 bytes for payload after subtracting the Ethernet header. VXLAN expands the Ethernet header by 50 bytes, which is why the available payload drops to 1,450 bytes. This should be taken into account when setting the MTU. So-called jumbo frames are influenced accordingly. The additional 50 bytes must also be taken into account here.

What does credativ offer?

We would be happy to support and advise you in the design and operation of your network environment. Among other things, we work in the areas of DevOps, network infrastructure and network design. Credativ GmbH has employees with expertise in highly complex network setups for data centers on real hardware as well as in virtual environments. Our focus is on implementation with open source software.