AI and Machine Learning for networks

13 January 2023


VLAN vs. VXLAN - what’s the difference and is one better than the other?

8 minutes reading

VLAN vs. VXLAN - what’s the difference and is one better than the other?

VM, VDI, VIM, NFVI, VLAN, VXLAN, VNF - the famous ‘V’ that dominates today’s IT world stands, of course, for ‘Virtual’. Every day we use virtualized servers, storage, desktop or networks without even realizing it. The convenience, cost-saving, enhanced features and security are just some of the reasons why we start using virtualization and often never look back.

The same is true for computer networking, where a single physical network can host multiple separated, logical (virtual) networks that may have different topologies and feature sets or even carry traffic of different customers without interfering with each other.

There are multiple protocols and approaches to creating a virtual network, among which we can find the VLANs (Virtual Local Area Network) and VXLANs (Virtual eXtensible Local Area Network). The names of the protocols already suggest that there are some similarities between them, so let’s get into the details.

Improve your network operations. Check how we can help.


VLAN is an extension to the Ethernet protocol, which adds the 802.1Q header to the Ethernet frame. This extra header gives networking devices the ability to tag traffic with a number from 1 to 4094 (called VLAN ID), where each possible number signifies a different virtual network.

Computers and servers connected to a specific, single VLAN will only ever see frames that belong to the same VLAN, as they effectively belong to a network that is separate from other virtual or physical segments. 

VLAN header also adds QoS marking capabilities to Ethernet packets, but we will concentrate on network segmentation in this article.

VLAN network infrastructure

Fig. 1 VLAN network infrastructure

This has been visualized on a simple diagram above, where there is a single physical network underlay consisting of five switches, a firewall and multiple end devices. The switches have been configured in such a way that PCs belong to VLAN 10, IP Cameras belong to VLAN 20, and servers belong to VLAN 30, which gives us three logical networks that are securely separated from each other, even though they use the same physical network infrastructure. The only way they can communicate is over the firewall, which is connected to all three VLANs and can forward traffic between them.

The support for VLANs on networking devices is very widely available, even on inexpensive platforms, and this method of network virtualization is commonly used in most small-business and enterprise networks.

The VLANs are easy to configure in small networks, but the maintenance can actually become problematic in the case of larger environments, where issues with redundancy, loop avoidance and large broadcast domains require extra care.

VXLANs and VXLAN Network Identifier

VXLAN is a tunneling protocol that encapsulates Ethernet frames inside UDP packets. This means that VXLAN does not care what the underlay physical network topology is - as long as it can carry UDP packets, it can be used to provide Ethernet (Layer 2) connectivity between remote network segments.  

Similarly to VLANs, the VXLAN header makes it possible to tag the traffic with a specific number that determines to which virtual network the packet belongs. This number is called VNI (VXLAN network identifier), and it can have over 16 million unique values. 

By properly configuring switches, routers and other entities such as hypervisors, we can assign specific end hosts (servers, virtual machines, firewall interfaces, etc.) to specific virtual networks, thus building new overlay network topologies. An example of that has been shown on the topology below, where tunnels carrying VNI 1000 and VNI 1001 create separate networks. The only way to communicate between these logical networks is through the IPS device, which is connected to both.

VXLAN topology

Fig. 2 VXLAN topology

While the use of VXLAN tunnels started in Data Center environments, it has become more common in Enterprise networks as well. It allows building a topology where connections between networking devices are Layer 3, with the dynamic routing protocol such as OSPF taking care of redundancy, fault detection and loop avoidance. The Layer 2 connectivity over such a Layer 3 network, whenever needed, is provided by the use of VXLAN tunnels.

If so, why are we all not using VXLANs in our networks already?

The networking devices that support it, while relatively common, are usually significantly more expensive. Also, properly configuring VXLAN tunnels requires a lot of manual work or the use of an often complicated tool that can do the job in an automated fashion. A popular approach is to use BGP EVPN, but this extends the requirements for protocols that underlying network devices must support.

Main differences between VLAN and VXLAN

Having a general idea of how VLANs and VXLANs work, let’s compare their main characteristics side-by-side.





Ethernet frame with 802.1Q header

VXLAN header carried by UDP datagram

Underlay requirements

Layer 2 Ethernet connectivity to all endpoints that need to make use of VLANs

Layer 3 connectivity between each VXLAN tunnel endpoint

Redundancy and loop avoidance

Limited to Ethernet-based solutions, such as Spanning Tree Protocol, TRILL, SPB, MC-LAG, switch fabrics

Whatever is supported by Layer 2 and/or Layer 3.
Most commonly a dynamic routing protocol, such as OSPF or BGP, is used.


- only 4094 virtual networks (one can extend this using QinQ, but there are several drawbacks)

 - large Ethernet segments are not recommended
- cannot be natively extended over a Layer 3 network segment

Very high:

 - over 16 million virtual networks

 - pure Layer 3 networks with BGP can be extremely large and with complex topologies

 - can be extended to wherever the Layer 3 connectivity reaches

Ease of configuration and maintenance

Simple in small networks.

Requires extra care and can get troublesome in large environments.

Can use GVRP, VTP or similar protocols to automatically extend VLANs and simplify configuration, but the problems with large Ethernet broadcast domains remain.

Manual configuration is complex, even in small networks.

Can use multicast, BGP or proprietary solutions such as SDN controllers as a control plane that automatically establishes required VXLAN tunnels.
With the proper configuration of such a control plane, adding and extending virtual networks is relatively easy, even in very large networks.


- virtual topologies are mostly limited by the actual physical connections

 - optimal use of available network paths requires extensive use of Ethernet link aggregation, which often requires the use of a proprietary mechanism such as MC-LAG

 - can be tunneled only by Layer 2 tunneling protocols


 - virtual topologies are not limited by the underlying physical network

 - the traffic can be forced using VXLAN tunnels through multiple devices before reaching its destination (so-called Service Chaining)
- optimal use of available network paths is relatively easy to achieve using dynamic routing protocol and ECMP

 - can be tunneled in other Layer 2 or Layer 3 tunneling protocols

Equipement cost



Extra caveats

Requires MTU larger than the standard 1500 bytes. Otherwise, VXLAN datagrams may require fragmentation which is not always possible.

Lower throughput on a single link due to bigger header overhead when compared to Ethernet VLANs.

As you can see, for mechanisms that serve the same purpose, there are quite a few differences between VLANs and VXLANs. But is one better than the other?

As with all things, it depends on the problems we are trying to solve.

If the goal is to separate printer, CCTV and user traffic in a small office, then VLANs will get the job done quickly and easily without the need to deal with the complexities of BGP or SDN controllers. On the other hand, if the goal is to provide connectivity between servers, VMs, and other entities in a large, multi-tenant data center, then choosing VXLAN over VLAN is the only sane solution.

If you want to learn more about networks, check out our other articles:


Network virtualization is present in one way or another in most modern computer networks. The easy-to-use VLANs are commonly encountered as VLAN technology has widespread support in software and hardware. The VXLANs are the newer alternative, which is already prevalent in large data center environments and gains ground in enterprise networks as well. However, there is little chance that VXLANs will completely phase out the use of VLANs, as they remain a fine and inexpensive choice in less complex and less dynamic networks.


Jerzy Kaczmarski

Senior Network Engineer