VLAN and VXLAN sound like the same thing with a version number, and the names actively encourage that misreading. They are not versions of each other. A VLAN is a Layer 2 segmentation mechanism that runs inside a switched network. VXLAN is an encapsulation that carries Layer 2 segments across a Layer 3 network. One is a fence; the other is a shipping container. This post explains what each does, why VXLAN exists, and when you actually need it.
For the L2 fundamentals, see the VLAN and Layer 2 switching pillar.
The one-sentence version
A VLAN partitions a switched network into separate broadcast domains using a 12-bit tag. A VXLAN wraps an Ethernet frame inside a UDP/IP packet so that a Layer 2 segment can be tunneled across a routed Layer 3 network, using a 24-bit identifier.
VLANs and VXLANs frequently coexist. A common data-center design has VLANs at the server-facing edge and VXLAN carrying those segments across the fabric. They are not competitors; they operate at different scopes.
Side-by-side
| Property | VLAN (802.1Q) | VXLAN (RFC 7348) |
|---|---|---|
| What it is | L2 tag added to an Ethernet frame | L2 frame encapsulated in UDP/IP |
| Identifier size | 12-bit VLAN ID | 24-bit VNI (VXLAN Network Identifier) |
| Max segments | 4,094 usable | ~16 million |
| Scope | Within a single L2 domain / switched fabric | Across any L3-routed network |
| Transport | Rides directly on Ethernet | Rides on UDP port 4789 over IP |
| Spanning tree dependency | Loop prevention relies on STP | Underlay is routed - no STP across the fabric |
| Typical use | Campus and access-layer segmentation | Data-center fabrics, multi-tenant overlays, DCI |
Why VXLAN exists: three limits of VLANs
1. The 4,094 ceiling
The VLAN ID field is 12 bits. IDs 0 and 4095 are reserved, which leaves 4,094 usable VLANs. For a campus, that is plenty. For a cloud provider or a large multi-tenant data center where every customer wants their own isolated segments, 4,094 runs out fast. VXLAN's 24-bit VNI gives roughly 16 million segments - effectively unlimited for any realistic tenant count.
2. VLANs cannot cross a Layer 3 boundary
A VLAN is a Layer 2 construct. It lives within a switched domain. The moment traffic hits a router, the VLAN tag is stripped and the frame becomes a routed packet. You cannot extend VLAN 100 from one data center to another across the routed internet - not natively.
VXLAN solves exactly this. By encapsulating the L2 frame in UDP/IP, it makes the segment portable across any IP network. VLAN 100 in Data Center A and "VLAN 100" in Data Center B can be the same Layer 2 segment, stitched together by VXLAN, even though there are routed hops in between. This is the basis of data-center interconnect (DCI) and stretched-cluster designs.
3. Spanning tree does not scale
A large flat L2 network depends on spanning tree for loop prevention, and spanning tree blocks links. In a big fabric, that means a lot of expensive bandwidth sitting idle, and the blast radius of any L2 failure covers the whole domain.
VXLAN runs over a routed underlay. The physical network between switches is pure Layer 3 - it uses a routing protocol (OSPF, IS-IS, or BGP) and ECMP, so every link forwards, and there is no spanning tree spanning the fabric. The L2 adjacency that endpoints see is an illusion created by the overlay; the real network underneath is all routed.
How VXLAN actually moves a frame
The component that does the work is the VTEP - VXLAN Tunnel Endpoint. A VTEP is the device (usually a switch, sometimes a server) that sits at the edge of the VXLAN overlay.
- An endpoint sends a normal Ethernet frame into its VLAN.
- The ingress VTEP maps that VLAN to a VNI, wraps the whole frame in a VXLAN header, then a UDP header (destination port 4789), then an IP header addressed to the remote VTEP.
- The routed underlay forwards the resulting IP packet like any other packet - ECMP, normal routing, no STP.
- The egress VTEP receives it, strips the VXLAN/UDP/IP encapsulation, recovers the original Ethernet frame, and delivers it into the matching VLAN on its side.
The two endpoints believe they are on the same LAN segment. They are not - there are routed hops between them. The VTEPs maintain the illusion.
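The VTEP behaviour described above, as an added Python example that is not part of the original post: the ingress side maps a tagged frame's VLAN to a VNI and wraps it in VXLAN/UDP/IPv4 headers, and the egress side validates the headers, maps the VNI back and re-tags the frame. The VLAN-to-VNI table, VTEP addresses and UDP source port are constructed for illustration, and the egress side drops packets whose I flag is clear or whose VNI it is not configured for rather than flooding them.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid; must be set
# Constructed VLAN<->VNI mapping for this VTEP (illustrative values only).
VLAN_TO_VNI = {100: 10100, 200: 10200}
VNI_TO_VLAN = {vni: vlan for vlan, vni in VLAN_TO_VNI.items()}

def vlan_id_of(frame: bytes) -> int:
    """Return the 802.1Q VLAN ID (low 12 bits of the TCI) of a tagged frame."""
    if len(frame) < 18 or frame[12:14] != b"\x81\x00":
        raise ValueError("frame is not 802.1Q tagged")
    return struct.unpack("!H", frame[14:16])[0] & 0x0FFF

def ipv4_checksum(hdr: bytes) -> int:
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def vxlan_encapsulate(frame: bytes, src_vtep: str, dst_vtep: str) -> bytes:
    """Ingress VTEP: map VLAN -> VNI, drop the tag, wrap in VXLAN/UDP/IPv4."""
    vni = VLAN_TO_VNI[vlan_id_of(frame)]
    inner = frame[:12] + frame[16:]            # original frame minus 802.1Q tag
    # VXLAN header: flags(8) reserved(24) VNI(24) reserved(8); VNI is 24 bits.
    vxlan = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    udp_len = 8 + len(vxlan) + len(inner)
    # Real VTEPs hash the inner headers into the source port for ECMP spread.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17,
                     0, socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + inner

def vxlan_decapsulate(packet: bytes) -> tuple:
    """Egress VTEP: validate headers, map VNI -> VLAN, re-tag the inner frame."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4/UDP packet")
    udp = packet[ihl:ihl + 8]
    if struct.unpack("!H", udp[2:4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN (wrong UDP destination port)")
    flags, vni = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    vni >>= 8                                  # VNI occupies the top 24 bits
    if not (flags >> 24) & VXLAN_FLAG_I or vni not in VNI_TO_VLAN:
        raise ValueError("VNI flag clear or VNI not configured on this VTEP")
    tag = b"\x81\x00" + struct.pack("!H", VNI_TO_VLAN[vni])  # PCP/DEI 0
    inner = packet[ihl + 16:]
    return VNI_TO_VLAN[vni], vni, inner[:12] + tag + inner[12:]
```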
The control plane: VXLAN needs one
Early VXLAN used multicast flood-and-learn to discover which VTEP held which MAC address. It worked but did not scale well. Modern VXLAN deployments pair it with a control plane - almost always EVPN (Ethernet VPN), carried in BGP.
With BGP EVPN, VTEPs advertise their known MAC addresses and host routes to each other via BGP rather than flooding to learn them. This is why you will almost always see "VXLAN" and "EVPN" together: VXLAN is the data-plane encapsulation, EVPN is the control plane that tells each VTEP where everything is. VXLAN moves the frames; EVPN distributes the map.
When you need VXLAN, and when you do not
| Situation | Verdict |
|---|---|
| Campus access network, a few hundred VLANs, single site | Plain VLANs. VXLAN adds complexity you do not need. |
| Modern data-center fabric (spine-leaf) | VXLAN with BGP EVPN. This is the standard design. |
| Need the same L2 segment in two data centers | VXLAN for the DCI - VLANs physically cannot do this. |
| Multi-tenant environment exceeding 4,094 segments | VXLAN - the VLAN ID space is exhausted. |
| Small or mid-size business, one building | Plain VLANs. VXLAN is overkill below data-center scale. |
Common misconceptions
| Misconception | Reality |
|---|---|
| "VXLAN replaces VLANs" | No. VXLAN carries VLANs across L3. Both exist in a VXLAN network - VLANs at the edge, VNIs in the fabric. |
| "VXLAN is just a bigger VLAN" | The bigger ID space is one benefit, but the real point is L3 transport and escaping spanning tree. |
| "VXLAN means no broadcast domains" | Each VNI is still a broadcast domain. VXLAN changes how the domain is transported, not that it exists. |
| "You need multicast for VXLAN" | Old flood-and-learn did. Modern BGP EVPN VXLAN does not. |
Key takeaways
A VLAN is a Layer 2 segmentation tag that lives inside a switched network and tops out at 4,094 segments. VXLAN is an encapsulation that wraps Layer 2 frames in UDP/IP so segments can cross a routed Layer 3 network, scales to ~16 million VNIs, and escapes spanning tree. They are not versions of one thing - they coexist, with VLANs at the edge and VXLAN in the fabric. If you run a single-site campus, plain VLANs are correct. If you run a data-center fabric or need stretched L2 between sites, VXLAN with BGP EVPN is the modern answer.
For the L2 cluster, see the VLAN pillar.