If you have been exposed to networking terminologies before, you probably heard of LAN and VLAN terms and what they mean. How about VxLAN? VxLAN (Virtual Extensible Local Area Network) is a networking technology developed to enhance traditional networking technologies by implementing scalable, flexible network infrastructure. We want to explore what problems VxLANs solve and what scenarios you should consider using it.
Understanding VXLAN: What Problems Does it Solve?
Traditional networking technologies were designed to work within static environments built with a specific, rigid purpose. Expanding these networks required a lot of planning and preparation to increase the network's coverage. VLAN networks still have a place within the organization, but the limitations of what can be achieved with them are becoming more apparent as organizations increasingly virtualize their environments.
VLAN Limitations
VLANs are great, and for a lot of purposes, they are enough to scale in a local environment. However, there are limitations that traditional VLANs face when you start to look at virtual environments and their sheer size:
VLAN Ids are capped at 4096, making it difficult to expand instantaneously across large data centers or environments with multiple tenants.
VLANs are constrained to their broadcast layer 2 domain. If you have two distant networks that need layer 2 connectivity, you either need to stretch your L2 boundaries to a large domain or use a layer 3 tunnelling technology such as GRE when this is possible.
Perhaps just as serious is the security aspect of VLANs. VLANs do an incredible job of isolating traffic at Layer 2, but as topologies become more complex, things start to get difficult for traditional VLANs. Multi-tenant environments with overlapping IP addresses are especially difficult to isolate. Managing this segmentation is not ideal and can lead to some complicated configurations to make it work. If your tenants have legal requirements for isolation, then you need to guarantee that there is absolutely no chance of data crossing between tenants.
Introducing VxLAN
VxLAN is the result of the need for scaling up networks while maintaining the isolation and security environments that they demand. It is a standard technology defined in RFC 7348. VxLAN addresses the limitations presented by the VLANs in few different ways:
Unlike VLANs, VxLAN use a 24-bit identifier called the VNI (equivalent to the VLAN ID). This allows for 16 million networks!
By encapsulating the layer 2 frame in a layer 3 packets, VxLAN traffic can cross layer 2 boundaries and be routed on the network. This allows to extend Layer 2 adjacencies across different and distant geographies.
VxLAN allows for multitenancy by uniquely identifying and tunnelling every layer 2 domain between two network nodes. Similar to the VRF concept in MPLS Layer3 VPN, it is possible to have overlapping IP addresses between different tenants.
How VxLAN Works
Let’s look at some of the details about how VxLAN works so that we can better understand how it works and why it works so well in modern data centers and networking environments.
Encapsulation Process
VxLAN works by using all of the original Ethernet frames that are generated but with a VxLAN header. This is known as encapsulation, and it happens at the source VxLAN Tunnel Endpoint (VTEP) before the packet is sent across the network. The encapsulated packet is then transported over a UDP (User Datagram Protocol) tunnel, which then has access to Layer 3 of the network, and thus maintains separation from other traffic.
VxLAN Tunnel Endpoints (VTEPs)
VTEPs are a very important point in the VXLAN architecture design. VTEPs are responsible for handling the creation, reception, and forwarding of encapsulated packets on the network. They terminate VxLAN tunnels. VTEPs can be physical devices like a switch or a router, or they can be virtual devices within a virtual environment.
A VTEP must maintain a mapping table that associates the VxLAN segment identifiers that we spoke about (VNIs) with the corresponding destination VTEPs on the network, which allows it to forward the encapsulated packets to the correct destination without any packet loss.
Control Plane Options
VxLAN technology operates with two control plane mechanisms, which are multicast-based (also known as flood and learn) and unicast-based (controller-driven).
Multicast control plane environments see VLAN relying on the existing IP multicast infrastructure to initialize broadcast, unknown unicast, and multicast traffic within a multicast VxLAN segment of a network. VTEPs also play a role with multicast groups as they use the multicast traffic within the VxLAN segment. VTEPs join multicast groups and then use those multicast addresses to forward the encapsulated packets. The flood-and-learn mechanism discovers and populates the VTEP table so that the process can start.
Unicast-based control planes, on the other hand, use a central controller like an SDN controller that manages these VTEP mapping tables. The responsibilities of this controller involve learning and passing on the correct information to the VTEPs which eliminates the need for using multicast traffic. The result is a simpler network configuration.
VXLAN Use Case Example: Multi-Tenant Data Center Scenario
In this example, we will look at a fictional data center with multiple tenants that needs to isolate the networks for applications and services. Each tenant has access to its own infrastructure that is isolated and scalable while not interfering with other tenants.
A VxLAN can be implemented in this scenario to create isolated networks by using their own separate VNIs. This will take care of each tenant’s network segments and allows the data center to scale its network infrastructure without hitting the limits of traditional VLANs. This is all while improving the isolation between tenants and limiting any leaks between networks.
Some of the benefits of using VxLAN in this scenario include:
Improved Isolation: By using VxLAN technologies, tenants are reassured that their network traffic has no chance of reaching other tenants. It reduces any chances of security breaches or regulatory issues related to the security of these segmented tenants.
Increased Scalability: Scalability is increased many times over by offering 16 million unique VNIs for data centers. This gives administrators unparalleled control over the network, allowing them to scale up not only the tenant’s network capacity but also the data center’s capacity to host most tenants. The provisioning of this infrastructure can be done programmatically through scripts and allows the process to be automated, saving further time and effort on the part of the administrator.
Simplified Network Management: In an ever-increasingly complex networking landscape, it is good to know that VXLAN encapsulation and tunnelling allow for a much simpler network management workflow. This simplicity makes it far easier for administrators to provision and configure network segments with less monitoring required.
Enhanced Traffic Efficiency: New technologies don’t always bring the best efficiencies with them right out of the gate; sometimes, that takes a lot of time to refine and enhance. However, unicast-based control planes allow VxLANs to reduce the levels of broadcast traffic while improving network efficiency. The result is more optimizations from the start, giving performance gains and optimized traffic flows.
Greater Flexibility: Flexibility is the name of the game in data center administration. You need to be able to provision, expand, and de-provision services quickly and reliably at a moment’s notice. VxLAN can be provisioned in both virtual and physical devices, which gives your administration teams the flexibility that they need to get systems up and running and operating smoothly.
Commenti