VXLAN (Virtual eXtensible LAN) is a Layer-2 overlay that encapsulates Ethernet frames inside UDP packets but does not encrypt them, making the inner traffic readable on the underlay. A new hands-on lab from Protocol Lab demonstrates this by building a point-to-point VXLAN tunnel between two containers and capturing the plaintext ICMP echo inside the VXLAN header. The lab contrasts VXLAN with WireGuard, which encrypts its payload, highlighting that encapsulation and encryption are separate functions.
How VXLAN Works
VXLAN wraps an inner Ethernet frame (containing IP and ICMP) in a UDP packet with destination port 4789 and adds a VXLAN header that includes a 24-bit Virtual Network Identifier (VNI). In the lab, two nodes (node-a and node-b) are connected via an underlay network (10.0.0.0/24). Each node creates a VXLAN interface named vxlan0 with VNI 100 and points to the remote peer's underlay address. When a ping is sent to the overlay address 10.200.0.2, the kernel encapsulates the ICMP echo request inside a VXLAN packet and sends it across the underlay. The VNI allows up to about 16 million distinct overlays to coexist on the same physical network.
Lab Setup and Execution
The lab uses containerlab to deploy two netshoot containers. After deployment, VXLAN interfaces are created manually with `ip link add type vxlan` commands, specifying the VNI, remote address, destination port, and underlying device. A ping test confirms connectivity across the overlay. A tcpdump capture on the underlay interface (eth1) shows the VXLAN header with VNI 100, followed by the inner ICMP echo request in plain text. The `ip -d link show vxlan0` command confirms the VXLAN parameters.
Key Takeaways
VXLAN provides encapsulation without encryption, so the inner frame is visible on the wire. This contrasts with WireGuard, which encrypts the entire payload. The lab emphasizes that an overlay is not automatically confidential; for secure VXLAN deployment, it should run over a trusted underlay or be combined with encryption like IPsec. Common pitfalls include assuming VXLAN is encrypted, confusing overlay and underlay addresses, and forgetting to match the VNI on both ends. The lab also notes the MTU reduction of about 50 bytes due to the VXLAN header.