Extended VLAN

Last updated Sat Jun 06 2026 07:03:21 GMT+0000 (Coordinated Universal Time)

A VLAN can be extended across geographically separated sites. VLAN IDs in the 1006-4094 range are used for extended VLANs.

Used when an organization’s head office and branches must be in the same VLAN.

Implementation

Site-to-Site IPsec

Layer 3 extension. Routes traffic between subnets across a VPN tunnel. VLANs remain local to each site; inter-VLAN routing occurs at Layer 3. Most common. Easy to set up. Low risk.

MPLS Layer 3 VPN

Aka. Multiprotocol Label Switching. Layer 3 extension via a carrier network. Instead of routing packets hop by hop through intermediate routers, MPLS creates predetermined, labelled paths.

Higher reliability and QoS guarantees than IPsec over the internet. High cost. No encryption by default.

MPLS Layer 2 VPN with VPLS

Virtual Private LAN Service (aka. VPLS) makes the WAN look like a giant switch. Ethernet frames (with 802.1q VLAN tags) are encapsulated inside MPLS labels. ISP’s MPLS network forwards the frames between sites.

Best for legacy applications that need L2 adjacency. Has a lot of downsides, such as broadcast storms, latency, and scalability limits.

VXLAN over IPsec

Aka. Virtual eXtensible Local Area Network. Layer 2 extension. Uses UDP (port 4789). Solves the scalability limits of traditional VLANs. Uses a 24-bit VNID (VXLAN Network Identifier), which means ~16 million virtual networks. Runs over standard IP networks. Does not have encryption; IPsec is used for security.

VXLAN encapsulates Ethernet frames; IPsec then encapsulates the resulting UDP datagrams (Ethernet -> VXLAN -> UDP -> IPsec -> IP).

VXLAN Tunnel Endpoint (aka. VTEP) does encapsulation and decapsulation of VXLAN frames. Could be a hardware switch or a software virtual switch.

Best for data centres and cloud environments.

VXLAN process:

  1. Switch applies 802.1q tag.
  2. Frame forwarded to VTEP.
  3. VTEP applies VXLAN encapsulation over UDP.
  4. IPsec encryption applied on UDP payload.
  5. Transmitted over Internet.
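Steps 1 to 3 above, worked as an added example (not code from the original notes): build an 802.1Q-tagged Ethernet frame, wrap it the way a VTEP does in a VXLAN header inside a UDP datagram to port 4789, then decapsulate it and recover both the VNI and the inner VLAN ID. The IPsec step is not modelled here; the MAC addresses, VLAN ID, VNI and payload are constructed values, and the source-port hashing is one common VTEP practice, not a fixed standard.

```python
# Added example (not from the original notes): build and parse a VXLAN-in-UDP
# encapsulation of an 802.1Q-tagged Ethernet frame (steps 1-3 of the VXLAN
# process). IPsec (step 4) is not modelled. All MAC addresses, VLAN/VNI values
# and payloads below are constructed.
import struct
import zlib

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field is valid
VNI_MAX = (1 << 24) - 1        # 24-bit VNI -> 16,777,215 addressable segments
TPID_8021Q = 0x8100            # 802.1Q tag protocol identifier


def build_dot1q_frame(dst_mac: bytes, src_mac: bytes, vlan_id: int,
                      ethertype: int, payload: bytes) -> bytes:
    """Ethernet II frame with an 802.1Q tag (no FCS; VXLAN does not carry one)."""
    if not 0 < vlan_id < 4095:
        raise ValueError("802.1Q VID must be 1..4094")
    tci = vlan_id & 0x0FFF     # PCP=0, DEI=0, VID in the low 12 bits
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def parse_dot1q_vid(frame: bytes):
    """Return the VLAN ID of a tagged frame, or None if the frame is untagged."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Validate the I flag and return the 24-bit VNI."""
    word1, word2 = struct.unpack("!II", hdr[:8])
    if not (word1 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set; VNI invalid")
    return word2 >> 8


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """VTEP encapsulation: UDP header + VXLAN header + original Ethernet frame.

    The UDP source port is derived from a hash of the inner MAC addresses (a
    common practice so ECMP in the underlay spreads flows); the UDP checksum is
    left at zero, which VXLAN permits over IPv4.
    """
    src_port = 49152 + zlib.crc32(inner_frame[:12]) % 16384   # ephemeral range
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    return udp_hdr + vxlan + inner_frame


def decapsulate(datagram: bytes):
    """VTEP decapsulation: return (vni, inner_frame), or raise on a malformed datagram."""
    if len(datagram) < 16 + 14:
        raise ValueError("datagram too short for UDP + VXLAN + Ethernet header")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN datagram")
    if udp_len != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    vni = parse_vxlan_header(datagram[8:16])
    return vni, datagram[16:]


if __name__ == "__main__":
    frame = build_dot1q_frame(b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02",
                              100, 0x0800, b"constructed payload")
    wire = encapsulate(frame, vni=5000)
    vni, inner = decapsulate(wire)
    print(f"VNI {vni}, inner VLAN {parse_dot1q_vid(inner)}, {len(wire)} bytes on the wire")
```

The inner 802.1Q tag survives untouched inside the VXLAN payload, which is why the VNI, not the 12-bit VID, is what separates tenants across the WAN; the length and flag checks in `decapsulate` are the minimum a VTEP should do before trusting a datagram that arrived on port 4789.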

Design Issues

Broadcast traffic

ARP floods, DHCP broadcasts, and STP BPDUs propagate across the WAN when Layer 2 is extended.

Latency

WAN delay impacts Layer 2 protocols sensitive to timing.

MTU

VPN encapsulation adds overhead; risk of fragmentation. Requires MTU tuning.
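The MTU point above, worked as an added example (not from the original notes): compute the outer packet size of VXLAN over IPsec for a given inner packet, and the largest inner packet that crosses a WAN link without fragmentation. The IPv4/UDP/VXLAN/ESP header sizes are the standard ones; the per-cipher IV, ICV and padding alignment values in `CIPHERS` are assumptions taken from the common AES-GCM and AES-CBC+HMAC ESP profiles, and NAT-T UDP encapsulation and outer 802.1Q tags are deliberately not counted.

```python
# Added example (not from the original notes): on-the-wire size of a
# VXLAN-over-IPsec packet and the largest inner packet that fits a WAN MTU.
# Header sizes are standard IPv4/UDP/VXLAN/ESP; the ESP IV/ICV/alignment per
# cipher are assumptions (AES-GCM with 8-byte IV and 16-byte ICV; AES-CBC with
# 16-byte IV, 16-byte block alignment and a 128-bit HMAC-SHA-256 ICV).
# NAT-T UDP encapsulation and outer 802.1Q tags are not included.
ETH_HDR = 14        # inner Ethernet II header (FCS is not carried in VXLAN)
DOT1Q_TAG = 4
IPV4_HDR = 20       # no options
UDP_HDR = 8
VXLAN_HDR = 8
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad length + next header

CIPHERS = {
    "aes-gcm-128": {"iv": 8, "align": 4, "icv": 16},
    "aes-cbc-128+hmac-sha256-128": {"iv": 16, "align": 16, "icv": 16},
}


def esp_padding(protected_len: int, align: int) -> int:
    """ESP pads so that payload + padding + trailer is a multiple of the alignment."""
    return (-(protected_len + ESP_TRAILER)) % align


def wire_ip_len(inner_payload_len, cipher=None, mode="transport", inner_tagged=True):
    """Size of the outer IP packet carrying one inner packet of inner_payload_len bytes.

    cipher=None gives plain VXLAN. Otherwise ESP is applied in transport mode
    (ESP protects UDP+VXLAN+frame, matching the Ethernet -> VXLAN -> UDP ->
    IPsec -> IP chain in the notes) or tunnel mode (ESP protects the whole
    outer IP packet and a new IP header is added).
    """
    if mode not in ("transport", "tunnel"):
        raise ValueError("mode must be 'transport' or 'tunnel'")
    inner_frame = ETH_HDR + (DOT1Q_TAG if inner_tagged else 0) + inner_payload_len
    vxlan_datagram = UDP_HDR + VXLAN_HDR + inner_frame
    if cipher is None:
        return IPV4_HDR + vxlan_datagram
    p = CIPHERS[cipher]
    protected = vxlan_datagram if mode == "transport" else IPV4_HDR + vxlan_datagram
    pad = esp_padding(protected, p["align"])
    return IPV4_HDR + ESP_HDR + p["iv"] + protected + pad + ESP_TRAILER + p["icv"]


def max_inner_payload(wan_mtu, cipher=None, mode="transport", inner_tagged=True):
    """Largest inner IP packet that crosses the WAN without fragmentation.

    Found by searching downward because ESP padding makes the overhead vary
    with the payload length, so a single subtraction is not exact.
    """
    n = wan_mtu
    while n > 0 and wire_ip_len(n, cipher, mode, inner_tagged) > wan_mtu:
        n -= 1
    return n


def needs_fragmentation(inner_payload_len, wan_mtu, cipher=None, mode="transport",
                        inner_tagged=True):
    """True if this inner packet would be fragmented (or dropped with DF set) on the WAN."""
    return wire_ip_len(inner_payload_len, cipher, mode, inner_tagged) > wan_mtu


if __name__ == "__main__":
    for cipher, mode in [(None, "transport"), ("aes-gcm-128", "transport"),
                         ("aes-gcm-128", "tunnel"),
                         ("aes-cbc-128+hmac-sha256-128", "tunnel")]:
        print(f"{cipher or 'no IPsec':28} {mode:9} 1500-byte inner -> "
              f"{wire_ip_len(1500, cipher, mode)} bytes; "
              f"max inner for 1500 WAN MTU = {max_inner_payload(1500, cipher, mode)}")
```

With a tagged inner frame, plain VXLAN alone turns a 1500-byte inner packet into a 1554-byte outer IP packet (the familiar 50-byte VXLAN overhead plus the 4-byte tag), and adding ESP in transport mode pushes it to 1588 bytes; either the WAN underlay MTU is raised to cover that, or the inner MTU is lowered to the value `max_inner_payload` returns, otherwise every full-size frame fragments or is dropped when DF is set.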

Security

IPsec encryption required. ACL filtering recommended.

Best Practices

  • Prefer Layer 3 routing between sites.
  • Do not stretch VLANs unless required.
  • Preferred technologies: OSPF/BGP over IPsec, MPLS L3VPN, SD-WAN.

Use Layer 2 extension only for:

  • VM mobility requirements.
  • Legacy application Layer 2 dependencies.
  • Data center interconnect.