VxLAN is a Layer 2 overlay scheme over a Layer 3 network. Overlays are called VxLAN segments, and only VMs and physical machines (tenants) within the same segment have Layer 2 connectivity. VxLAN segments are uniquely identified using an identifier called the VxLAN Network Identifier (VNI). The VNI is a 24-bit identifier; therefore, an administrative domain can support up to 16 million overlay networks.
Because the scope of MAC addresses originated by tenants is restricted by the VNI, overlapping MAC addresses across segments can be supported without traffic leaking between tenant segments. When a tenant frame traverses a VxLAN overlay network, it is encapsulated by a VxLAN header that contains the VNI. This frame is further encapsulated in a UDP header and L2/L3 headers.
VxLAN can add up to a 50-byte header to the tenant VM frame. For VxLAN to work correctly, the IP MTU must be set to at least 1550 bytes on the network-side interfaces. An IP MTU of 1550 should also be set on all transit nodes that carry VxLAN traffic. The point at which a tenant frame is encapsulated (or decapsulated) is referred to as a VxLAN Tunnel Endpoint (or VTEP). VTEPs are typically located on hypervisors but may also be located on physical network switches. Network switches that act as a VTEP are referred to as VxLAN gateways.
Encapsulating and decapsulating frames is the role of a VxLAN Tunnel Endpoint (VTEP), also referred to as a VxLAN gateway. A VxLAN gateway can be a Layer 2 gateway or Layer 3 gateway depending on its capacity. A Layer 2 gateway acts as a bridge connecting VxLAN segments to VLAN segments. A Layer 3 gateway performs much like a Layer 2 gateway, but it is also capable of routing traffic between tenant VLANs.
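The encapsulation and VNI scoping described above, as an added Python example that is not from the original page: it builds and parses the 8-byte VxLAN header (layout per RFC 7348), forwards on the pair (VNI, inner MAC) so that overlapping MACs stay in their own segment, and derives the 1550-byte MTU from the 50-byte overhead. The VNIs, MAC addresses, port names and function names are constructed for illustration.

```python
import struct

VXLAN_FLAG_I = 0x08   # "VNI present" flag in the first header byte (RFC 7348)
# Page's figure: up to 50 bytes added per tenant frame
# (14-byte Ethernet + 20-byte IPv4 + 8-byte UDP + 8-byte VxLAN header).
OVERHEAD = 14 + 20 + 8 + 8


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the VxLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < 2**24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8) + inner_frame


def vxlan_decap(payload: bytes) -> tuple:
    """Return (vni, inner_frame) from a UDP payload; reject malformed headers."""
    if len(payload) < 8 + 14:
        raise ValueError("too short for VxLAN header plus inner Ethernet header")
    word0, word1 = struct.unpack("!II", payload[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag not set: VNI field is not valid")
    return word1 >> 8, payload[8:]


def forward(fdb: dict, payload: bytes):
    """Look up the inner destination MAC only within the VNI carried in the header."""
    vni, frame = vxlan_decap(payload)
    # A miss returns None: the frame is never matched against another segment's entry.
    return fdb.get((vni, frame[:6]))


def required_mtu(tenant_mtu: int = 1500) -> int:
    """IP MTU to configure on network-side interfaces and transit nodes."""
    return tenant_mtu + OVERHEAD


# Constructed sample data: the same MAC address used in two tenant segments.
MAC = bytes.fromhex("02005e000001")
FDB = {(5001, MAC): "port-tenant-a", (5002, MAC): "port-tenant-b"}
INNER = MAC + bytes.fromhex("02005e0000ff") + b"\x08\x00" + b"payload"

if __name__ == "__main__":
    for vni in (5001, 5002, 5003):
        print(vni, forward(FDB, vxlan_encap(vni, INNER)))
    print("required IP MTU:", required_mtu())
```

The forwarding table is keyed on the pair (VNI, MAC), which is why a frame tagged with VNI 5003 finds no entry even though the same MAC is known in two other segments.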