Remember apartment living? The person whose floor somehow got home-delivered pizza at 2 AM? Or when a neighbor's attempt to create healthy dishes somehow ended up teleporting into your unit? Apartment buildings are good because they allow physical partitions. Walls, floor separation, and front doors limit how much your neighbors can intrude on you.
Networks need that separation too. Broadcast storms, security, and performance – all of them would drive large networks insane without network segmentation. This is where VLANs (Virtual Local Area Networks) come in.
Enter VXLAN (Virtual Extensible LAN). The newcomer in network segmentation is quickly rising in popularity. It has several benefits over traditional VLANs. But is it always better? When should you use which? And what is the best way to monitor your network segmentation? Let's explore both technologies and find answers.
VLAN: The traditional approach to network segmentation
Before we start comparing VXLAN and VLAN, let's make sure we're on the same page with what VLAN even is.
A VLAN (Virtual Local Area Network) is a logical broadcast domain that can span across multiple physical switches. A VLAN essentially partitions a physical network at Layer 2 of the OSI model and separates traffic without requiring separate physical networks.
Each VLAN is its own broadcast domain. Broadcast traffic from a device in one VLAN won't reach devices in other VLANs. ARP requests, DHCP discovers, and other broadcast frames are flooded out of every port in that VLAN except the port on which the switch received the frame.
A few benefits of VLANs are:
- Security is improved by segregating sensitive systems
- Performance is improved because of lower broadcast traffic
- Network management is simplified because network devices are grouped logically instead of physically
- Hardware cost can be reduced by better utilizing switches
VLANs are identified by VLAN IDs (often just called VLANs). The VLAN ID is a number between 1 and 4094, as defined by the IEEE 802.1Q standard. Switches add it as a tag to Ethernet frames to indicate which VLAN each frame belongs to.
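As an added illustration of what that tag looks like on the wire (this is example code written for this article, not PRTG's code or anything from the 802.1Q standard text), the following Python snippet inserts and parses a tag on a constructed Ethernet frame and refuses the reserved IDs 0 and 4095. The MAC addresses and payload are made up.

```python
import struct

TPID_8021Q = 0x8100          # Tag Protocol Identifier that marks an 802.1Q tag
VID_MIN, VID_MAX = 1, 4094   # VID 0 (priority-tagged) and 4095 are reserved by 802.1Q


def is_valid_vid(vid: int) -> bool:
    """Only 1..4094 may be assigned to a VLAN; 0 and 4095 are reserved."""
    return VID_MIN <= vid <= VID_MAX


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert a 4-byte 802.1Q tag between the MAC addresses and the EtherType."""
    if not is_valid_vid(vid):
        raise ValueError(f"VLAN ID {vid} is outside the usable range {VID_MIN}-{VID_MAX}")
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    # Tag Control Information: 3-bit priority (PCP), 1-bit drop eligible (DEI), 12-bit VID
    tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (vid, pcp, dei) for a tagged frame, or None if the frame carries no tag."""
    if len(frame) < 18:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        return None
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 0x1


def untag_frame(frame: bytes) -> bytes:
    """Strip the 802.1Q tag, as a switch does before sending out an untagged access port."""
    if parse_tag(frame) is None:
        return frame
    return frame[:12] + frame[16:]


# Constructed sample frame (not a capture): dst MAC, src MAC, EtherType IPv4, dummy payload
SAMPLE_FRAME = (bytes.fromhex("0a0000000001") + bytes.fromhex("0a0000000002")
                + b"\x08\x00" + b"\x45" + bytes(45))


def demo():
    tagged = tag_frame(SAMPLE_FRAME, vid=100, pcp=5)
    return len(tagged) - len(SAMPLE_FRAME), parse_tag(tagged), untag_frame(tagged) == SAMPLE_FRAME


if __name__ == "__main__":
    print(demo())
```

A sniffer that decodes the tag this way can flag frames whose VID is not in the set you expect on a given port, which is the kind of misconfiguration check the monitoring section below refers to.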
While this might be old hat to network engineers, VLANs have a few limitations when it comes to modern data centers and cloud network architectures.
- 4,094 VLAN IDs quickly become limiting in multi-tenant and large scale environments
- Spanning Tree Protocol (STP), which prevents loops in VLAN networks, does so by blocking redundant links, which reduces usable bandwidth
- VLANs often can't easily be extended beyond Layer 3 boundaries, limiting their ability to stretch across a data center
These limitations can become especially problematic in a virtualized environment where you want to move workloads between data centers easily.
VXLAN: Network virtualization for the cloud era
VXLAN (Virtual Extensible LAN) was created to overcome these VLAN limitations by decoupling Layer 2 Ethernet networks from the underlying IP network, providing the scalable overlay network that large virtualized data centers need.
VXLAN is an overlay network in that it creates a logical Layer 2 network over an existing Layer 3 infrastructure.
Let's take a closer look at how VXLAN works:
The core of VXLAN is encapsulation. VXLAN takes regular Layer 2 Ethernet frames and encapsulates them inside UDP packets. The addition of a VXLAN header and a UDP header allows a Layer 2 network to be extended across a Layer 3 IP network.
Below are the parts of VXLAN and how they work together:
- VXLAN Network Identifier (VNI): A 24-bit identifier that supports up to 16 million virtual networks, compared to only 4,094 VLANs in VLAN technology
- VTEP (VXLAN Tunnel Endpoint): The device that performs encapsulation and de-encapsulation of VXLAN packets
- Underlay network: The physical IP network that carries the encapsulated VXLAN traffic
- Overlay network: The virtual Layer 2 network created by VXLAN on top of the underlay
When a device in a VXLAN segment sends a frame to a device in the same VXLAN, the frame first reaches the local (originating) VTEP, which encapsulates it with a VXLAN header, a UDP header, and an IP header. The resulting packet is routed over the IP underlay to the destination VTEP, which strips the encapsulation and delivers the original frame to the destination device.
The encapsulation process provides several substantial advantages to VXLAN:
- Massive scalability – With 16 million possible VXLAN network segments, the limit is basically gone
- Layer 2 adjacency across Layer 3 boundaries – this allows you to move workloads across data centers without having to change IP addresses
- Better link utilization through multipathing protocols such as ECMP (Equal-Cost Multi-Path)
- Native support for multi-tenant environments in cloud-scale deployments
VXLAN vs VLAN: When to use which technology
Now we have a basic understanding of both technologies, let's compare them and see when each makes the most sense.
Scale and size considerations
For most small to medium networks with fewer than 4,000 network segments, traditional VLANs are sufficient. They are easy to configure and well understood, supported by virtually all network devices, and add no encapsulation overhead.
VXLAN is required when you need to have more than 4,094 network segments, which is common in multi-tenant environments like public clouds or large enterprise multi-department/multi-application environments that need isolation.
Network topology and reach
VLANs make sense when the network topology is contained within a single data center or campus where Layer 2 adjacency already exists. They don't extend well beyond that and require additional planning and configuration to work across geographically distributed locations over a WAN.
VXLAN was created to solve this issue. VXLAN allows you to extend Layer 2 networks across Layer 3 boundaries and can span across different data centers. This makes it perfect for any multi-site data center setup, disaster recovery, or hybrid cloud architectures.
Performance considerations
VLANs add only 4 bytes of overhead per frame (the 802.1Q tag). Tagging is processed in hardware on most modern network devices and doesn't slow traffic down, so VLAN-tagged traffic runs at close to line rate.
VXLAN adds considerably more: at least 50 bytes of encapsulation per frame, and it may consume more processing resources if your network devices lack hardware VXLAN offload. In a well-designed network with hardware support, you won't notice this in practice.
Management complexity
VLANs are easy to set up and troubleshoot. Most network engineers are familiar with how VLANs work and how to monitor and manage them.
VXLAN networks are more complex to manage. You need to understand both the underlying physical network as well as the virtual overlay networks and workloads running on top. Troubleshooting is more challenging as issues could occur at the overlay or underlay layer and may require capturing traffic at both levels.
Real-world scenarios: VXLAN and VLAN in action
Let's look at some scenarios in practice to help illustrate when each technology makes sense.
Scenario 1: Traditional enterprise with a single data center
- Company: Mid-sized manufacturing firm
- Environment: One primary data center, 50 departments, some basic virtualization
- Recommendation: Traditional VLANs
In this scenario, VLANs provide the network team with enough segmentation to logically isolate each department's network without adding extra complexity. With only 50 departments and basic virtualization, they are nowhere near exhausting the 4,094 VLAN ID limit. The simplicity of VLANs also makes the segments easier to manage for an IT team that may not have specialized data center networking experience.
Scenario 2: Cloud service provider with multiple data centers
- Company: Public cloud provider
- Environment: Multiple data centers around the world, thousands of customers, each needing multiple isolated networks
- Recommendation: VXLAN with EVPN
For a cloud provider, VXLAN is really required. A cloud provider will have thousands of customers each requiring multiple network segments and would quickly run out of VLAN IDs. In addition, each customer will also want to create their own logical networks that can span availability zones that may be in different physical locations, which is hard with traditional VLANs.
A cloud provider will want to use VXLAN with EVPN (Ethernet VPN) for the control plane to get the required scalability and flexibility in addition to efficient Layer 2 and Layer 3 forwarding.
Scenario 3: Enterprise with data center migration needs
- Company: Financial services firm
- Environment: Two data centers, wanting to perform live migration of applications between sites
- Recommendation: Hybrid approach – VLANs within data centers, VXLAN between them
In this case, the financial services firm can keep using VLANs for network segmentation within each data center and rely on their existing infrastructure and knowledge base. However, to enable seamless workload mobility between data centers without having to change IP addresses, they can use VXLAN tunnels between the data centers to extend their Layer 2 domains across the WAN connection.
Monitoring VLAN and VXLAN environments with PRTG
Monitoring is important, regardless of whether you're using VLANs, VXLAN, or a combination of both.
Monitoring traditional VLANs
For VLAN environments, you can use the following features in PRTG:
- SNMP sensors on switches to monitor switch ports and track traffic by VLAN ID
- Quality of Service (QoS) monitoring to verify that prioritized traffic is being given proper handling
- Flow protocols like NetFlow, sFlow, etc. for traffic analysis within and between VLANs
- Packet sniffing to inspect VLAN tags and identify any misconfigurations
With PRTG's dashboards, you can easily visualize traffic patterns and quickly determine when broadcast storms or other issues are affecting specific network segments.
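To make the broadcast-storm case concrete, here is an added Python example (written for this article; it is not PRTG's sensor code and does not use any PRTG API) that turns polled per-port broadcast packet counters into a rate and flags polls above a threshold. The counter samples are constructed, the 60-second poll interval and 5,000 pps threshold are assumed, and the counter is treated as a 64-bit SNMP Counter64 so that a wrap between two polls does not produce a false alert.

```python
COUNTER64_MAX = 1 << 64   # SNMP Counter64 wraps modulo 2^64 (use 1 << 32 for Counter32)


def rate_per_second(prev: int, cur: int, interval_s: float, counter_max: int = COUNTER64_MAX) -> float:
    """Packets per second between two polls, tolerating one counter wrap in between."""
    delta = (cur - prev) % counter_max
    return delta / interval_s


def storm_alerts(samples, interval_s: int = 60, threshold_pps: float = 5000):
    """samples: (poll_index, vlan_id, port, broadcast_counter) tuples in poll order.
    Returns (poll_index, vlan_id, port, pps) for every poll whose broadcast rate exceeds the threshold."""
    last = {}      # (vlan, port) -> (poll_index, counter) from the previous poll
    alerts = []
    for poll, vlan, port, counter in samples:
        key = (vlan, port)
        if key in last:
            prev_poll, prev_counter = last[key]
            pps = rate_per_second(prev_counter, counter, (poll - prev_poll) * interval_s)
            if pps > threshold_pps:
                alerts.append((poll, vlan, port, round(pps)))
        last[key] = (poll, counter)
    return alerts


# Constructed poll data (not real monitoring output): one broadcast counter per VLAN/port every 60 s
SAMPLES = [
    (0, 10, "Gi1/0/1", 1_000),
    (0, 20, "Gi1/0/2", COUNTER64_MAX - 500),   # counter about to wrap
    (1, 10, "Gi1/0/1", 13_000),                # +12,000 in 60 s -> 200 pps, normal
    (1, 20, "Gi1/0/2", 700),                   # wrapped: +1,200 in 60 s -> 20 pps, normal
    (2, 10, "Gi1/0/1", 1_213_000),             # +1,200,000 in 60 s -> 20,000 pps, storm
    (2, 20, "Gi1/0/2", 1_900),                 # +1,200 -> 20 pps, normal
]

if __name__ == "__main__":
    for alert in storm_alerts(SAMPLES):
        print("broadcast storm: poll %d VLAN %d port %s at %d pps" % alert)
```

Rating on the delta rather than the raw counter matters because a wrapped counter looks like a huge negative jump; the modulo keeps the rate sane, and only the real jump on VLAN 10 is reported.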
Monitoring VXLAN environments
Monitoring VXLAN introduces some additional considerations, in addition to what you would need for any traditional network:
- Monitoring the underlay network to make sure that the physical infrastructure supporting VXLAN tunnels is healthy
- VTEP health and performance to identify any encapsulation/decapsulation bottlenecks
- UDP analysis to inspect VXLAN encapsulated packets
- Integration with orchestration systems to maintain visibility even as virtual networks change dynamically
With PRTG, you can create custom sensors and dashboards that provide visibility into both the underlay and overlay networks, allowing you to quickly identify if issues are occurring in the physical or virtual overlay network.
FAQ: Not-so-obvious questions about VXLAN and VLAN
How do VXLAN and VLAN affect network troubleshooting approaches?
In my experience, one of the most important but least-asked questions about VXLAN versus VLAN is the "what about troubleshooting" question. With traditional VLANs, packets are much easier to troubleshoot: you send a ping, run a traceroute, look at a packet capture, and it's the normal thing you know how to troubleshoot. With VXLAN, something is different, a UDP packet instead of a plain Ethernet frame, and troubleshooting the "same" problem requires a different approach.
Encapsulation makes traditional network troubleshooting tools much less useful, because what you see in a packet capture on the underlay isn't the traffic you care about; the original frame is hidden inside the tunnel. To troubleshoot an issue such as packet loss between two virtual machines, you have to capture on both the overlay and the underlay to see where the loss occurs. A single capture from the physical switch no longer shows the original Ethernet frame with the VMs' source and destination MAC addresses; it shows VTEP-to-VTEP UDP traffic.
In addition, often what appears to be a problem on one side of the overlay/underlay might actually be due to an issue on the other side. Packet loss between two VMs may not be a problem between the VMs, but between the hypervisors or network links on the physical infrastructure. The encapsulation adds a new degree of freedom, where issues could manifest on either the overlay or underlay and troubleshooting is more complex.
What are the security implications of choosing VXLAN over VLAN?
Securing VXLAN is both the same and different from securing VLANs. In my experience, security usually isn't the biggest driver for switching to VXLAN, but that doesn't mean security implications should be ignored.
The main similarity is that VXLAN still segments traffic. The main difference is that VXLAN tunnels allow traffic from a virtual network to cross traditional security boundaries on the underlying network: traffic that would previously have passed through a perimeter firewall in a VLAN environment may now be encapsulated inside a VXLAN tunnel and never hit that security system.
In addition, the fact that VXLAN uses UDP as a transport means that many traditional network security devices may not actually inspect the encapsulated traffic in a way that you expect. Security approaches for VXLAN environments these days typically look different from traditional VLAN networks and involve things like distributed firewalling at the hypervisor level or security services that understand VXLAN encapsulation.
The bottom line for me in this area is that organizations adopting VXLAN need to make sure their security monitoring has visibility into encapsulated traffic.
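The encapsulation described in the VXLAN section and the visibility problem raised in the last two answers can be shown together in code. The following Python script is an added example, not code from this article or from PRTG: it encapsulates a constructed tenant frame the way a VTEP would (RFC 7348 header layout, UDP port 4789), then compares what an underlay-only tool reports with what an overlay-aware tool reports after decapsulation, and applies a hypothetical per-VNI policy to the inner flow. The VTEP and VM addresses, MAC addresses, VNI 5000 and the policy table are all constructed assumptions for the example.

```python
import struct
import zlib
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789               # IANA-assigned VXLAN port (RFC 7348)
VNI_MAX = (1 << 24) - 1             # 24-bit VNI: 16,777,216 segments vs 4,094 VLAN IDs
VXLAN_OVERHEAD = 14 + 20 + 8 + 8    # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes

def _ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options) with a correct header checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:] + payload

def build_ethernet(dst_mac, src_mac, payload, ethertype=0x0800):
    return bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + struct.pack("!H", ethertype) + payload

def parse_ethernet(frame):
    """Return (ethertype, payload), or None if truncated."""
    return (struct.unpack("!H", frame[12:14])[0], frame[14:]) if len(frame) >= 14 else None

def parse_ipv4(data):
    """Return (src, dst, proto, payload), or None if this is not IPv4."""
    if len(data) < 20 or data[0] >> 4 != 4:
        return None
    ihl = (data[0] & 0x0F) * 4
    return str(IPv4Address(data[12:16])), str(IPv4Address(data[16:20])), data[9], data[ihl:]

def vxlan_encapsulate(inner, vni, src_vtep, dst_vtep, src_mac, dst_mac):
    """What the sending VTEP does: wrap the tenant frame in VXLAN / UDP / IPv4 / Ethernet."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    vxlan_hdr = struct.pack("!II", 0x08000000, vni << 8)   # I flag set; VNI in the upper 24 bits
    # A source port derived from the inner headers gives the underlay entropy for ECMP hashing;
    # a zero UDP checksum is permitted for VXLAN over IPv4 (RFC 7348).
    sport = 49152 + (zlib.crc32(inner[:14]) & 0x3FFF)
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, 8 + 8 + len(inner), 0) + vxlan_hdr + inner
    return build_ethernet(dst_mac, src_mac, build_ipv4(src_vtep, dst_vtep, 17, udp))

def vxlan_decapsulate(packet):
    """What the receiving VTEP (or an overlay-aware monitor) does.
    Returns (src_vtep, dst_vtep, vni, inner_frame), or None if the packet is not VXLAN."""
    eth = parse_ethernet(packet)
    ip = parse_ipv4(eth[1]) if eth and eth[0] == 0x0800 else None
    if ip is None or ip[2] != 17 or len(ip[3]) < 16:
        return None
    src, dst, _, udp = ip
    dport = struct.unpack("!H", udp[2:4])[0]
    flags, vni_word = struct.unpack("!II", udp[8:16])
    if dport != VXLAN_UDP_PORT or not flags & 0x08000000:
        return None
    return src, dst, vni_word >> 8, udp[16:]

def outer_view(packet):
    """What an underlay-only tool reports: VTEP-to-VTEP UDP, nothing about the tenant flow."""
    _, l3 = parse_ethernet(packet)
    src, dst, proto, l4 = parse_ipv4(l3)
    return src, dst, proto, struct.unpack("!H", l4[2:4])[0]

def inner_view(packet):
    """What an overlay-aware tool reports: (vni, src, dst, proto, dst_port) of the tenant flow."""
    decap = vxlan_decapsulate(packet)
    if decap is None:
        return None
    _, _, vni, inner = decap
    _, l3 = parse_ethernet(inner)
    src, dst, proto, l4 = parse_ipv4(l3)
    dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) else None
    return vni, src, dst, proto, dport

# Constructed sample (not a capture): VM 192.168.10.5 sends a TCP SYN to 192.168.10.9:3389 on
# VNI 5000, carried between VTEPs 10.0.0.1 and 10.0.0.2 over the underlay.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 3389, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
INNER = build_ethernet("0a0000000009", "0a0000000005",
                       build_ipv4("192.168.10.5", "192.168.10.9", 6, TCP_SYN))
PACKET = vxlan_encapsulate(INNER, 5000, "10.0.0.1", "10.0.0.2", "020000000001", "020000000002")

# Hypothetical policy (assumed for this example): inner destination ports each VNI may carry
POLICY = {5000: {22, 443}}

def verdict(packet, policy=POLICY):
    """Apply the per-VNI policy to the decapsulated flow; unknown VNIs and ports are denied."""
    view = inner_view(packet)
    if view is None:
        return "not-vxlan"
    vni, _, _, _, dport = view
    return "allow" if dport in policy.get(vni, set()) else "deny"

if __name__ == "__main__":
    print("underlay-only view:", outer_view(PACKET), "| overlay view:", inner_view(PACKET))
    print("overhead bytes:", len(PACKET) - len(INNER), "| verdict:", verdict(PACKET))
```

The underlay-only view reports the same "10.0.0.1 to 10.0.0.2, UDP 4789" summary for every tenant flow between those two VTEPs, which is exactly why a firewall or capture that stops there cannot tell an allowed session from a forbidden one; only after decapsulation can the per-VNI policy be evaluated. The 50-byte difference between the two lengths is the encapsulation overhead discussed under performance considerations.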
How do VXLAN and VLAN compare in terms of operational costs?
This is a question that many comparisons of these technologies don't really address. People focus on the technical aspects of why VXLAN is better, when in my experience, the more important question is how does VXLAN compare in terms of operational costs?
On the negative side, VXLAN needs more from the infrastructure to work properly, and that often causes unplanned operational costs. VXLAN performs best on current network hardware with hardware VXLAN offload support. Older switches and routers either fall back to software-based VXLAN processing, which hurts performance, or are excluded from the overlay and need to be upgraded.
VXLANs also require a much deeper level of understanding. They're more complex and require much more specialized training and experience. Finding network engineers with data center and overlay networking experience can be much more difficult these days.
Monitoring needs to be more specialized as well. Traditional tools and approaches don't have the visibility or detail you need with VXLAN, which can result in needing to buy a new monitoring system.
On the plus side, VXLAN can also reduce operational costs. This is because it uses network infrastructure more efficiently, reduces the need for specialized Layer 2 connectivity services between data centers, and improves disaster recovery capabilities and data center consolidation efforts with workload mobility.
Making the right choice for your network
Picking between VLAN and VXLAN is not always as simple as "VXLAN is better." The choice will depend on your network needs:
- For smaller networks with straightforward segmentation needs, traditional VLANs provide plenty of features without extra complexity.
- For larger scale multi-tenant environments or data centers that need workload mobility or networks spanning multiple sites or to the cloud, VXLAN provides the necessary scale and flexibility.
- For many organizations, a hybrid approach can make sense, using VLANs for local segmentation and VXLAN for extending the network across sites or to the cloud.
Whichever you choose, monitoring both traditional VLAN environments and modern VXLAN overlays is essential. PRTG Network Monitor provides all the tools you need for visibility into your network segmentation infrastructure.
Give PRTG a free 30-day trial and see how powerful unified monitoring can be.