Virtual Extensible LAN (VxLAN) is a standardized encapsulation protocol that stretches layer 2 connections over a layer 3 routed network, and it is primarily used in larger enterprises, service providers, and cloud data centers. VxLAN is an overlay encapsulation protocol that scales up to 16 million logical networks by adding a 24-bit ID to the header, which allows for layer 2 connections over the top of IP networks. VxLAN allows multitenant networks to be isolated from each other but to run as an overlay over a common layer 3 switching fabric called the underlay network.
VxLAN is similar in concept to standard VLANs but is much more scalable beyond the relatively limited number 4,095 VLANs in the 802.1Q specification. Large cloud data centers require a much larger address space of thousands or tens of thousands of customers. This is much larger than traditional VLANs can support, making VxLAN the preferred protocol. The same VLAN concept applies with VxLAN in that only devices in the same VxLAN communicate with each other.
In its most basic form, VxLAN consists of an Ethernet frame put into a UDP packet, with a few extra bytes serving as a header and routed across a network. Layer 2 Ethernet frames are encapsulated into layer 4 UDP datagrams with a default port number of 4789. VxLAN endpoints are used to terminate VxLAN tunnels and can be either physical or virtual termination interfaces. These are referred to as VxLAN tunnel endpoints (VTEPs). The interface that performs the encapsulation and de-encapsulation of layer 2 traffic is the VTEP, as shown in Figure 6.6. This is usually a leaf Ethernet switch at the edge of the data center network and is where the connection between the overlay and the underlay networks are created.
FIGURE 6.6 VxLAN tunnel with endpoints
Generic Routing Encapsulation (GRE) creates a tunnel over a network that allows for private paths to be created over public networks. This is accomplished by the encapsulation, or tunneling, packets using tunnel endpoints that encapsulate and then de-encapsulate traffic at each end of the tunnel. One major advantage of using GRE is that the tunnels can transport multicast packets where public networks cannot. Applications that require multicast such as routing protocols like OSPF, file distribution applications, and video streams benefit from using GRE. Non-IP protocols can now traverse IP-based networks by using this tunneling configuration.
Tunneling is the process of encapsulating packets inside other packets, as shown in Figure 6.7. GRE tunnels are established between two routers, where each router is one end of the GRE tunnel. These routers send and receive GRE packets between each other over the routed network. The intermediate routers only see the outside headers and not the original packet that is hidden inside the packet.
The GRE header is a new IP header wrapped over the original packet. The GRE header contains the new source and destination address of the network being traversed. The original IP packet enters a router, is inserted into a GRE tunnel, and is then routed over the network to the remote GRE terminating router, which then strips the header and forwards the original packet locally. It is important to note that GRE is not in itself a secure protocol. There is no encryption specification. It is common to use a VPN connection through the GRE tunnel for security.