Time to read: 7 minutes 51 seconds | Published: October 1, 2025
VXLAN What is VXLAN?
Virtual Extensible Local-Area Networks, or VXLANs, are an Internet Engineering Task Force (IETF) network virtualization technology standard. They allow a single physical network to be shared by multiple different organizations, or "tenants", without any one tenant being able to see the network traffic of any other.
VXLANs are analogous to individual units in an apartment building, where each apartment is a separate, private dwelling within a common structure, just as each VXLAN is a discrete, private network segment within a shared physical network.
VXLAN explained
A VXLAN allows a physical network to be segmented into as many as 16 million virtual, or logical, networks. It encapsulates Layer 2 Ethernet frames into a Layer 4 User Datagram Protocol (UDP) packet alongside a VXLAN header. When combined with an Ethernet VPN (EVPN)—which transports Ethernet traffic in virtualized networks using WAN protocols—VXLAN allows Layer 2 networks to be extended across a Layer 3 IP or MPLS network.
Key advantages of VXLAN
Because VXLANs are encapsulated inside a UDP packet, they can run on any network able to transmit UDP packets. The physical layout and geographic distance between nodes of the underlying network don’t matter, as long as the UDP datagrams are forwarded from the encapsulating VXLAN Tunnel Endpoint (VTEP) to the decapsulating VTEP.
When VXLAN combines with EVPN, operators can create virtual networks out of physical network ports on any physical network switches that support the standard and are part of the same Layer 3 network. For example, you could take a port from switch A, two ports from switch B, and another port from switch C and construct a virtual network that appears to all the connected devices as a single physical network. Devices participating in this virtual network cannot see traffic in any other VXLANs or the underlying network fabric.
Problems that VXLAN solves
Just as the rapid adoption of server virtualization has driven dramatic increases in agility and flexibility, virtual networks decoupled from physical infrastructure are easier, faster, and more affordable to operate. For example, they allow multiple tenants to share a single physical network securely, enabling network operators to quickly and economically scale their infrastructures to meet growing demand. The primary reasons to segment networks are privacy and security; to prevent one tenant from seeing or accessing traffic belonging to another tenant.
Operators logically segment their networks like how they’ve long deployed traditional virtual LANs (VLANs). Although VLANs have scaling limitations, VXLANs have ways to overcome them.
- For one, you can theoretically create as many as 16 million VXLANs in an administrative domain, compared to a maximum of 4094 traditional VLANs. This provides network segmentation at the scale required by cloud and service providers to support very large numbers of tenants.
- Secondly, VXLANs enables network segments that stretch between data centers. Traditional VLAN-based network segmentation creates broadcast domains, but as soon as a packet containing VLAN tags hits a router, all of that VLAN information is removed. This means VLANs only travel as far as your underlying Layer 2 network can reach. This is a problem for use cases such as virtual machine (VM) migration which prefers not to cross Layer 3 boundaries.
- By contrast, VXLAN network segmentation encapsulates the original packet inside a UDP packet. As long as all switches and routers in the path support VXLAN, then network segments can extend as far as the physical Layer 3 routed network can reach without the applications running on the virtual overlay network being required to cross any Layer 3 boundaries. As far as the servers connected to the network are concerned, they are part of the same Layer 2 network, even though the underlying UDP packets may have transited one or more routers.
- Lastly, the ability to provide Layer 2 segmentation over the top of an underlying Layer 3 network, combined with the high number of supported network segments, allows servers to be part of the same VXLAN even if remote from one another, while enabling network administrators to keep Layer 2 networks small. Having smaller Layer 2 networks helps avoid MAC table overflow on switches.
Primary VXLAN applications
Service provider and cloud provider VXLAN use cases are straightforward: these operators have large numbers of tenants, or customers, and there are multiple legal, privacy, and ethical reasons why providers must partition one customer’s network traffic from another’s.
In enterprise environments, a tenant might be a user group, department, or other set of network-segmented users or devices created for internal security reasons. For example, Internet of Things (IoT) devices such as data center environmental sensors are prone to compromise, so it’s a sound security practice to isolate IoT network traffic from production network application traffic.
How VXLAN works
The VXLAN tunneling protocol encapsulates Layer 2 Ethernet frames in Layer 4 UDP packets, enabling you to create virtualized Layer 2 subnets that span physical Layer 3 networks. Each segmented subnet is uniquely identified by a VXLAN Network Identifier (VNI).
The entity that performs the encapsulation and decapsulation of packets is called the VXLAN Tunnel Endpoint (VTEP). A VTEP can be an independent network device, such as a physical router or switch, or a virtual switch deployed on a server. VTEPs encapsulate Ethernet frames into VXLAN packets, which are then sent to the destination VTEP over an IP or other Layer 3 network, where they’re decapsulated and forwarded to the destination server.
To support devices that can’t operate as a VTEP on their own, such as bare-metal servers, hardware VTEPs such as select HPE Juniper Networking switches and routers can encapsulate and decapsulate data packets. In addition, VTEPs can reside in hypervisor hosts, such as kernel-based virtual machines (KVMs), to directly support virtualized workloads. This type of VTEP is known as a software VTEP.
Hardware and software VTEPs are shown above.
In the figure above, when VTEP1 receives an Ethernet frame from Virtual Machine 1 (VM1) addressed to Virtual Machine 3 (VM3), it uses the VNI and the destination MAC to look up in its forwarding table for the VTEP to send the packet to. VTEP1 adds a VXLAN header that contains the VNI to the Ethernet frame, encapsulates the frame in a Layer 3 UDP packet, and routes the packet to VTEP2 over the Layer 3 network. VTEP2 decapsulates the original Ethernet frame and forwards it to VM3. VM1 and VM3 are completely unaware of the VXLAN tunnel and the Layer 3 network between them.
HPE VXLAN solutions
HPE Juniper Networking MX Series routers, QFX Series switches, and EX Series switches, and HPE Aruba Networks CX Series switches support EVPN-VXLAN and can act as VTEP gateways, encapsulating/decapsulating VXLAN packets, and route between different VXLANs.
VXLAN FAQs
What is VXLAN used for?
VXLANs are used to accomplish network segmentation beyond what classic VLANs can deliver. Classic VLANs offer only 4094 virtual networks, while VXLANs offer up to 16 million. Network segmentation has two primary uses: allowing multiple tenants to share a single physical network without seeing one another’s traffic and allowing for the reuse of IP address space. It’s also possible to configure network segments with differentiated quality-of-service (QoS) policies and service-level agreements (SLAs).
VXLANs are primarily used in large data centers, service provider networks, and cloud operator networks where the 4094 virtual network limits of classic VLANs is too constraining. That said, as VXLAN becomes supported by more and less expensive switch processors, it’s beginning to move out of the data center and into campus networks.
The VXLAN standard was created in 2014 by the IETF and is specified in RFC 7348.
Is VXLAN a Layer 3 standard?
VXLAN is sometimes considered a Layer 3 protocol because it relies on an IP (Layer 3) transport network. It’s sometimes also considered a Layer 4 standard, because it encapsulates Ethernet frames in UDP, affecting Layer 4 UDP by operation.
Does VXLAN replace VLAN?
VXLANs do not entirely replace VLANs; in some circumstances, such as large service provider data centers, both standards may be used. VXLANs may be used to segment the service provider’s global network, isolating each customer on its own VXLAN while enabling each customer to create private VLANs within their VXLAN.
What’s the basic difference between VXLAN, VLAN, and QinQ technologies?
VLAN, QinQ, and VXLAN are all standards used for logically segmenting physical networks into multiple virtual networks. Each standard respectively provides greater scalability than the last. Networks are usually segmented for security reasons and to support differentiated QoS requirements, which are usually part of SLAs.
VLANs were the first to be standardized in 1998; QinQ built on VLANs to expand the number of logical networks that can be created. QinQ also enables enterprise/business VLANs to be supported across public WAN services. VXLAN offers the greatest extensibility and flexibility of the three technologies.
Technically, the differences among these technologies lie in how they tag and encapsulate Ethernet frames before transmission over communications networks.
Are VXLAN, VLAN, and QinQ typically used together?
Hypothetically, you can use traditional VLANs, QinQ VLANs, and VXLANs all at the same time. This is because of where the network identifiers exist within the data packet. VXLANs don’t change or extend the format of the UDP packet in which they are encapsulated, nor do they change or extend the outer Ethernet frame in which that UDP packet is carried. That’s because VXLAN packets are contained within the payload of a UDP packet (not the header). They include a VXLAN header and the complete original Ethernet frame that ultimately was to be transmitted. VXLAN-in-UDP packets, then, can have outer Ethernet frames that also contain VLAN and QinQ identifiers.
In other words, in a VXLAN packet, there are three places where virtual networks can be defined: the outer Ethernet frame, the VXLAN header, and the inner Ethernet frame, and each of these sets of virtual networks can be completely distinct from one another. This can result in a packet where the outer Ethernet frame can support 16 million virtual networks, the VLXAN header can support an additional 16 million virtual networks, and then the inner Ethernet frame can support another 16 million virtual networks.
In enterprise networking practice, however, networks tend to be either VLAN or VXLAN-based. When technologies are combined, it is typically by network and cloud service providers who offer business customers the ability to use VLANs within their own VXLAN. This scenario makes use of VLANs on the inner Ethernet frame, as well as the virtual network capabilities of the VXLAN header, but does not make use of VLANs on the outer Ethernet frame.
Is VXLAN better than VLAN?
VXLANs and VLANs, while superficially similar, solve the same problem in different ways. This means that they get used in different circumstances and that they are not mutually exclusive.
Today nearly every switch sold can support at least basic VLANs, and most, including many consumer switches, can support QinQ. EVPN-VXLAN support is typically limited to more capable enterprise or carrier-grade switches.
VXLANs are considered the more efficient technology. The reason is that only the switches that contain VTEPs carry an additional look-up table (LUT) burden in a VXLAN-based network, and they only need to do so for the virtual networks for which they have VTEPs, not for the entire network. This contrasts with VLAN-based networks, such as QinQ, which supports the same 16 million potential virtual networks as VXLAN but requires that all switches assume the extra burden.
What is the difference between VXLAN and EVPN?
All types of virtual LANs are a means of segmenting physical networks into multiple, private, virtual networks. Ethernet VPN (EPVN) and VXLAN are frequently used together but they are technically independent with different objectives.
VXLANs expand Layer 2 address space from about 4000 to about 16 million to extend Ethernet networks across broader IP networks, slicing up the physical network so that multiple tenants can share its resources without seeing one another’s traffic. EVPN enables the creation of virtual networks that comprise switch ports and other resources from different equipment and network domains. EVPN is basically a way to enable computers that aren’t connected to the same physical network and might be geographically remote from one another to behave as though they were plugged into the same physical switch, with all nodes part of that EVPN receiving data broadcasts as though connected to a traditional Layer 2 local network.