Who invented it?
First drafted in August 2011 by engineers from VMware, Cisco and Arista, with contributors from Broadcom, Citrix and Red Hat, and later published as RFC 7348.
When was it invented?
RFC 7348 was published in August 2014, but the first Internet-Draft dates from August 2011, which is why Cisco documentation refers to earlier dates.
Why VXLAN was invented?
To overcome VLAN limitations in data centers and clouds: 802.1Q allows only 4094 usable VLAN IDs, and a VLAN cannot be stretched across a routed (Layer 3) fabric. VXLAN encapsulates the original Ethernet frame in UDP (destination port 4789) and carries it over the IP underlay, so a Layer 2 segment can be extended across Layer 3; this is called MAC-in-UDP encapsulation.
It also gives customer sites a way to build Layer 2 VPNs over an IP network.
The VXLAN Network Identifier (VNI) is a 24-bit field, so a single administrative domain can carry about 16 million (2^24) VXLAN segments.
Diagram source: Cisco
List some of VXLAN uses?
· Data centers with virtualized hosts, allowing VMs to communicate across two DCs over a routed network
· Extending Layer 2 segments (VLANs) to remote sites
· Multicast instead of broadcast: for example, an ARP broadcast from a VM in a Layer 2 domain is not flooded as a broadcast by the VTEP; with VXLAN it is sent to the multicast group assigned to that VNI
Components and Configuration basics?
VXLAN components are:
· VTEP (VXLAN Tunnel Endpoint): where VXLAN encapsulation and decapsulation are done; basically a router, a switch or a hypervisor virtual switch
· VNI (VXLAN Network Identifier, also written VNID): the 24-bit value that identifies the Layer 2 broadcast domain
· NVE (Network Virtualization Edge): the logical interface created on the VTEP (interface nve on Cisco NX-OS)
Examples of VXLAN?
· Within one domain or site: for example, two subnets in a data center connected to a core switch, with VXLAN running on top of multicast routing (flood-and-learn)
· Between two remote sites, implemented with BGP EVPN as the control plane
· Virtual machine to virtual machine communication
Configuration initial steps (multicast flood-and-learn):
1. Enable multicast (PIM) on the underlay
2. Configure an IGP so every VTEP can reach the RP and the other VTEPs' loopbacks
3. Configure the core switch as the PIM rendezvous point (RP)
4. Configure the VTEPs (VXLAN Tunnel Endpoints) with NVE (Network Virtualization Edge) interfaces sourced from a loopback
5. Map each VNI (VXLAN Network Identifier) on the NVE interface to its multicast group
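The five steps put together on a Cisco Nexus 9000 running NX-OS, as an added example that is not from the original page. The addresses, VLAN 100, VNI 10100, the multicast group 239.1.1.100, OSPF process 1 and the interface names are all assumed; the lines marked with ! are annotations, not configuration.

```text
! --- Core switch acting as PIM RP (loopback0 = 10.1.1.1/32) ---
feature ospf
feature pim
router ospf 1
  router-id 10.1.1.1
interface loopback0
  ip address 10.1.1.1/32
  ip pim sparse-mode
  ip router ospf 1 area 0.0.0.0
ip pim rp-address 10.1.1.1 group-list 239.1.1.0/24

! --- VTEP A (repeat on VTEP B with loopback0 = 10.1.1.12/32) ---
feature ospf
feature pim
! step 4: NVE support and VLAN-to-VNI mapping
feature nv overlay
feature vn-segment-vlan-based

router ospf 1
  router-id 10.1.1.11

! VTEP source address; step 1 (PIM) and step 2 (IGP) on the loopback
interface loopback0
  ip address 10.1.1.11/32
  ip pim sparse-mode
  ip router ospf 1 area 0.0.0.0

! routed uplink towards the core, also PIM and OSPF enabled
interface Ethernet1/1
  no switchport
  ip address 10.0.0.2/30
  ip pim sparse-mode
  ip router ospf 1 area 0.0.0.0

! step 3: the core is the RP for the VXLAN groups
ip pim rp-address 10.1.1.1 group-list 239.1.1.0/24

! VLAN 100 on this switch is VXLAN segment 10100
vlan 100
  vn-segment 10100

! step 4 and step 5: NVE interface, VNI joined to its multicast group
interface nve1
  no shutdown
  source-interface loopback0
  member vni 10100
    mcast-group 239.1.1.100

! host-facing port in VLAN 100
interface Ethernet1/10
  switchport
  switchport mode access
  switchport access vlan 100
```

Once a host in VLAN 100 sends traffic, show nve peers on VTEP A should list 10.1.1.12 and show ip mroute 239.1.1.100 should show both VTEP loopbacks joined to the group. Because nothing in the VXLAN header authenticates the sender, it is also worth adding an underlay ACL that permits UDP/4789 only between the VTEP loopback addresses.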
How to Verify VXLAN?
On VTEPs:
#show ip mroute <group-ip>
#show nve peers (peers are only listed after traffic has been exchanged)
#show nve vni
#show run interface nve x
A simple look at VM-to-VM unicast communication:
The basic idea is that VMs communicate over the overlay network created by VXLAN. A frame from VM#1 to VM#2 is destined to the MAC address of VM#2 and is first handed to the VTEP on the host, which looks up the VNI that the source VM's segment is associated with.
The VTEP then checks the destination MAC address: if it belongs to the same segment and has been learned behind a remote VTEP, the frame is encapsulated and sent as unicast to that VTEP; if it is unknown, the frame is flooded to the VNI's multicast group.
The VN segment is the new way of tagging traffic: its identifier is 24 bits, unlike the 12-bit VLAN ID of 802.1Q tagging.
How about Security?
Well, spoofing can happen since we are still dealing with MAC addresses: MAC address flooding, UDP flooding, ARP attacks and 802.1Q double tagging are all potential attacks. On top of that, the VXLAN header carries no authentication or encryption, so any host that can send UDP/4789 packets to a VTEP address on the underlay can inject frames into a VNI; RFC 7348 itself points this out and recommends protecting the underlay, for example with ACLs limiting UDP/4789 to the VTEPs or IPsec between VTEPs.
Those risks also exist in traditional Layer 2 networks, and in MPLS and tunneling technologies such as GRE.
VXLAN brought a lot of benefits to networking and data centers today and enabled Layer 2 roaming across remote sites; security is not one of those benefits, but it might be added in the future.
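The unicast walk-through and the security point above, as an added example in Python that is not part of the original page. It builds and parses the RFC 7348 header (flags, 24-bit VNI, port 4789 constant), then drives a toy flood-and-learn VTEP through the flood, learn and unicast sequence, and finally shows how an underlay host that can reach UDP/4789 can poison that learned state. The Vtep class, the MACs, VNI 10100 and the addresses 10.1.1.11, 10.1.1.12 and 10.1.1.99 are constructed for the example; the outer IP and UDP headers are left out since only the VXLAN payload matters here.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08          # "I" bit: the VNI field is valid
MAX_VNI = (1 << 24) - 1      # 24-bit VNI: 16,777,215 segments (802.1Q: 4094)
VXLAN_HDR_LEN = 8
ETH_HDR_LEN = 14
FLOOD = "flood"              # marker: send to the VNI's multicast group


def mac(s):
    """'00:50:56:00:00:01' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def ethernet_frame(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni):
    """8-byte header: flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI %d does not fit in 24 bits" % vni)
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def encapsulate(vni, inner_frame):
    """The UDP payload a VTEP sends to port 4789 (outer IP/UDP headers omitted)."""
    return vxlan_header(vni) + inner_frame


def decapsulate(udp_payload):
    """Return (vni, inner Ethernet frame); reject truncated or flag-less packets."""
    if len(udp_payload) < VXLAN_HDR_LEN + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN packet")
    flags, word = struct.unpack("!B3xI", udp_payload[:VXLAN_HDR_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    return word >> 8, udp_payload[VXLAN_HDR_LEN:]   # reserved bits ignored on receive


class Vtep:
    """Toy flood-and-learn VTEP (hypothetical, not a real switch implementation)."""

    def __init__(self, ip, vnis):
        self.ip = ip
        self.table = {vni: {} for vni in vnis}     # vni -> {inner MAC: remote VTEP IP}

    def send(self, vni, frame):
        """(next hop, encapsulated bytes): unicast to the VTEP that owns the
        destination MAC, or FLOOD to the VNI's multicast group when unknown."""
        dst = frame[:6]
        return self.table[vni].get(dst, FLOOD), encapsulate(vni, frame)

    def receive(self, outer_src_ip, udp_payload):
        """Decapsulate, check the VNI is served here and learn the inner source MAC
        behind the sending VTEP. Nothing authenticates outer_src_ip or the inner
        MAC, which is exactly the gap described in the security section."""
        vni, frame = decapsulate(udp_payload)
        if vni not in self.table:
            raise ValueError("VNI %d is not configured on this VTEP" % vni)
        self.table[vni][frame[6:12]] = outer_src_ip
        return frame


VM1, VM2 = "00:50:56:00:00:01", "00:50:56:00:00:02"   # constructed sample MACs


def unicast_demo():
    """VM1 (behind VTEP A) talks to VM2 (behind VTEP B); returns the next hop
    chosen for each frame: flood first, then learned unicast in both directions."""
    a, b = Vtep("10.1.1.11", [10100]), Vtep("10.1.1.12", [10100])
    hops = []
    hop, pkt = a.send(10100, ethernet_frame(VM2, VM1, 0x0806, b"arp-request"))
    hops.append(hop)          # VM2 unknown to A -> flood to 239.x group
    b.receive(a.ip, pkt)      # B learns VM1 behind 10.1.1.11
    hop, pkt = b.send(10100, ethernet_frame(VM1, VM2, 0x0806, b"arp-reply"))
    hops.append(hop)          # B unicasts the reply to A
    a.receive(b.ip, pkt)      # A learns VM2 behind 10.1.1.12
    hop, _ = a.send(10100, ethernet_frame(VM2, VM1, 0x0800, b"ip-data"))
    hops.append(hop)          # now unicast straight to B
    return hops


def spoof_demo():
    """An underlay host that can reach UDP/4789 on VTEP A forges a VXLAN packet
    claiming VM2's MAC; A's table now points VM2 at the attacker's address."""
    a = Vtep("10.1.1.11", [10100])
    a.table[10100][mac(VM2)] = "10.1.1.12"            # legitimate learned state
    forged = encapsulate(10100, ethernet_frame("ff:ff:ff:ff:ff:ff", VM2, 0x0806, b"x"))
    a.receive("10.1.1.99", forged)                     # no check on the outer source
    hop, _ = a.send(10100, ethernet_frame(VM2, VM1, 0x0800, b"ip-data"))
    return hop


if __name__ == "__main__":
    print(vxlan_header(10100).hex(), unicast_demo(), spoof_demo())
```

The spoof_demo function is the data-plane learning problem in miniature: the VTEP trusts whatever outer source address delivers a valid-looking VNI, so the practical controls are the ones the security section names, an underlay ACL that restricts UDP/4789 to the VTEP loopbacks, IPsec between VTEPs, or a BGP EVPN control plane where remote MAC reachability comes from BGP rather than from learning on received packets.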
Samer R. Saleem