Tuesday, November 4, 2025

Multi-Tenant VXLAN Networks

Multi-Tenant VXLAN Networks: VNI Concepts and Tenant Isolation

Building on our understanding of location-identity separation and VXLAN overlay topologies, we now explore one of the most powerful capabilities of overlay networking: multi-tenant network isolation. This foundation is crucial for understanding how BGP EVPN manages complex multi-tenant environments at scale.

Modern enterprises require sophisticated network segmentation that goes far beyond traditional VLANs. Multi-tenant VXLAN networks provide the scalable, flexible solution that enables secure isolation while maintaining operational simplicity.

The Multi-Tenancy Challenge

Traditional networking approaches to multi-tenancy quickly reach their limits in modern enterprise environments. Understanding these limitations helps appreciate why VXLAN multi-tenancy represents such a significant advancement.

Traditional VLAN Limitations

The original approach to network segmentation relied heavily on VLANs, but this creates significant constraints:

  • Scale Limitations: Only 4,094 VLANs available (12-bit VLAN ID)
  • Physical Constraints: VLANs tied to physical switch boundaries
  • Spanning Tree Complexity: Complex protocols required for loop prevention
  • Operational Overhead: Manual VLAN provisioning across infrastructure

Modern Multi-Tenancy Requirements

Today's enterprise networks must support increasingly complex segmentation needs:

Tenant Type  | Example                          | Isolation Requirements      | Scale Needs
Departmental | HR, Finance, Engineering         | Security policy enforcement | Hundreds of departments
Application  | ERP, CRM, Development            | Performance isolation       | Thousands of applications
Customer     | Multi-tenant SaaS                | Complete data isolation     | Tens of thousands of customers
Environment  | Production, Staging, Development | Change control isolation    | Multiple per application

Why Traditional Approaches Fail

Consider a typical enterprise scenario:

  • 50 Departments × 20 Applications × 3 Environments = 3,000 network segments
  • VLAN Shortage: Only 4,094 VLANs available, already approaching limits
  • Management Complexity: Manual provisioning across hundreds of switches
  • Mobility Constraints: Moving workloads requires VLAN reconfiguration

The Scale Reality: Modern enterprises routinely need tens of thousands of isolated network segments. Traditional VLANs simply cannot scale to meet these requirements, creating the urgent need for overlay networking solutions.

Virtual Network Identifier (VNI) Concept

The Virtual Network Identifier (VNI) is VXLAN's solution to the multi-tenancy challenge. This 24-bit identifier enables over 16 million isolated network segments, completely eliminating the VLAN scale limitations.

Address Uniqueness Fundamentals

Before diving into VNI technical details, it's crucial to understand the fundamental principle of address uniqueness in multi-tenant environments. A simple real-world analogy illustrates this concept perfectly.

The Postal Address Analogy

Consider how postal addresses work globally. Take this example address:

133 Heritage County
Bengaluru, Karnataka
India

Within India, there can be only one Bengaluru in Karnataka - the address is unique within its container (country). However, the same city name can exist in different countries without conflict.

Global Address Examples:

City Name | Container 1     | Container 2             | Conflict?
Kochi     | Kerala, India   | Kochi Prefecture, Japan | No - different containers
Patna     | Bihar, India    | Scotland, UK            | No - different containers
Delhi     | India (capital) | New York, USA           | No - different containers

Network Address Uniqueness Principle

This same principle applies to network addressing in multi-tenant environments:

  • MAC addresses need to be unique only within a connected L2 domain (one tenant)
  • IP addresses need to be unique only within a layer 3 network for a specific tenant
  • Different tenants can use identical IP addresses without conflict
  • Container isolation ensures addresses remain unique within their scope

Key Insight: Just as countries serve as containers for postal addresses, VNIs serve as containers for network addresses. Within each VNI "container," addresses must be unique, but different VNIs can safely use overlapping address spaces.

VNI Technical Details

The VNI represents a revolutionary expansion in network segmentation capability:

Aspect              | Traditional VLAN | VXLAN VNI                  | Improvement Factor
Identifier Size     | 12 bits          | 24 bits                    | 2x bit length
Total Segments      | 4,094            | 16,777,216                 | 4,096x capacity
Physical Dependency | Switch-bound     | Infrastructure-independent | Complete decoupling
Mobility            | Limited          | Full mobility              | Unlimited flexibility

VNI in the VXLAN Header

Understanding where the VNI sits in the VXLAN packet structure is crucial for grasping how tenant identification works:

VXLAN Header Structure:

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|R|R|R|R|I|R|R|R|            Reserved                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                VXLAN Network Identifier (VNI) |   Reserved    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Key Fields:
- I Flag: Must be set to 1 for the VNI to be valid; a frame with the I flag clear carries no usable tenant identifier
- VNI: 24-bit tenant identifier (16,777,216 possible values)
- Reserved: Set to zero on transmission and ignored on receipt (kept for future use)
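As an added example (not code from the post), here is a small Python packer and parser for the 8-byte VXLAN header shown above, applying the checks a receiving VTEP needs on the I flag, the VNI range and the reserved bits; the sample header bytes are constructed for VNI 1010001.

```python
"""Pack and parse the 8-byte VXLAN header from RFC 7348 (added example, not from the post)."""
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
VNI_MAX = (1 << 24) - 1        # 16,777,215: largest value a 24-bit VNI can hold
FLAG_I = 0x08                  # I bit in the flags byte: "VNI is valid" (RRRRIRRR -> 0000 1000)


def pack_vxlan_header(vni: int) -> bytes:
    """Build a VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8), network byte order."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} is outside the 24-bit range 0..{VNI_MAX}")
    word1 = FLAG_I << 24         # flags byte with I set, 24 reserved bits zero
    word2 = vni << 8             # VNI in the top 24 bits, 8 reserved bits zero
    return struct.pack("!II", word1, word2)


def parse_vxlan_header(header: bytes, strict: bool = False) -> int:
    """Return the VNI carried in a VXLAN header.

    A clear I bit means the header carries no valid VNI, so the frame cannot be mapped to a
    tenant and is rejected. RFC 7348 says reserved bits are ignored on receipt; strict=True
    rejects them instead, which is useful when counting malformed frames as anomalies.
    """
    if len(header) < 8:
        raise ValueError(f"VXLAN header is 8 bytes, got {len(header)}")
    word1, word2 = struct.unpack("!II", header[:8])
    flags = word1 >> 24
    if not flags & FLAG_I:
        raise ValueError("I flag clear: no valid VNI in this frame")
    if strict and ((word1 & 0x00FFFFFF) or (word2 & 0xFF)):
        raise ValueError("reserved bits are non-zero")
    return word2 >> 8


# Constructed sample: header for VNI 1010001 (0x0F6951), the HR Payroll Production VNI used in the post.
SAMPLE_HEADER = bytes.fromhex("08000000" "0f695100")

if __name__ == "__main__":
    print(pack_vxlan_header(1010001).hex(), parse_vxlan_header(SAMPLE_HEADER))
```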

VNI Assignment Strategies

Different organizations use various approaches for VNI assignment:

  • Sequential Assignment: VNI 10001, 10002, 10003... (simple but no meaning)
  • Hierarchical Assignment: Department.Application.Environment encoding
  • Functional Assignment: Specific ranges for different purposes
  • Customer Assignment: Customer-specific VNI ranges in service provider environments

Example Hierarchical VNI Scheme:

VNI Structure: DDAAEEE (Department.Application.Environment)

Examples:
- VNI 1010001: Dept 10 (HR), App 10 (Payroll), Env 001 (Production)
- VNI 1010002: Dept 10 (HR), App 10 (Payroll), Env 002 (Staging)
- VNI 1020001: Dept 10 (HR), App 20 (Benefits), Env 001 (Production)
- VNI 2010001: Dept 20 (Finance), App 10 (ERP), Env 001 (Production)

Benefits:
- Visual identification of tenant components
- Simplified troubleshooting and management
- Clear organizational mapping

Tenant Identification in VXLAN Headers

Building on our understanding of location-identity separation, tenant identification adds a crucial third dimension to VXLAN packet processing. Let's explore how this works in practice.

Three-Dimensional Network Architecture

Multi-tenant VXLAN networks operate with three distinct information layers:

Dimension         | Information Type     | Header Location                | Purpose
Tenant Identity   | Which tenant/segment | VXLAN header (VNI field)       | Isolation and policy enforcement
Endpoint Identity | Who is communicating | Inner header (original packet) | End-to-end application communication
Location Identity | Where to deliver     | Outer header (VXLAN tunnel)    | Infrastructure transport and delivery

Multi-Tenant Packet Flow Example

Let's trace a packet flow in a multi-tenant environment to understand how all three dimensions work together:

Scenario Setup:

  • Source: HR Payroll Server (Host A, behind Leaf L1, VNI 1010001)
  • Destination: HR Database Server (Host B, behind Leaf L3, VNI 1010001)
  • Network: Same tenant (HR Payroll), different physical locations

Step-by-Step Packet Processing:

Step 1: Original Packet Creation

  • Host A creates packet: Source A → Destination B
  • Application layer: Payroll database query
  • No tenant awareness: Host A knows nothing about the VNI

Step 2: Tenant Identification (at L1)

  • L1 receives packet: From Host A destined to Host B
  • Tenant lookup: Host A belongs to VNI 1010001 (HR Payroll)
  • Policy check: Verify Host A can communicate within this tenant
  • VNI assignment: Packet will be encapsulated with VNI 1010001

Step 3: Location Resolution (at L1)

  • Target lookup: Where is Host B within VNI 1010001?
  • Database query: Host B (VNI 1010001) → behind L3
  • Location identified: Packet must be delivered to L3

Step 4: VXLAN Encapsulation (at L1)

Encapsulated Packet Structure:

Outer Header (Location):
- Source IP: L1's VTEP address
- Destination IP: L3's VTEP address
- Destination UDP Port: 4789 (VXLAN)

VXLAN Header (Tenant):
- VNI: 1010001 (HR Payroll Production)
- Flags: I-bit set (valid VNI)

Inner Header (Identity):
- Source: Host A
- Destination: Host B
- Original application payload

Step 5: Underlay Transport

  • Network routing: Spine switches route based on outer header (L1 → L3)
  • Tenant transparency: Underlay network unaware of VNI 1010001
  • Identity protection: Inner packet contents completely encapsulated; the underlay forwards on the outer header only and never inspects them (encapsulation, not encryption)

Step 6: VXLAN Decapsulation (at L3)

  • Packet receipt: L3 receives VXLAN packet destined for itself
  • VNI extraction: L3 reads VNI 1010001 from VXLAN header
  • Tenant validation: Confirms L3 participates in VNI 1010001
  • Decapsulation: Removes VXLAN and outer headers
  • Original recovery: Inner packet revealed: A → B

Step 7: Local Delivery (at L3)

  • Host lookup: Locate Host B within VNI 1010001
  • Policy enforcement: Apply tenant-specific policies
  • Delivery: Forward original packet to Host B
  • Transparency: Host B receives packet as if directly from Host A

Key Insight: The VNI provides tenant-scoped location resolution. Host B's location is resolved within the context of VNI 1010001, enabling multiple tenants to use overlapping IP addresses without conflict.

Isolation Mechanisms and Packet Flow

Understanding how VXLAN enforces tenant isolation is crucial for appreciating the security and scalability benefits of multi-tenant overlay networks.

Isolation Enforcement Points

Multi-tenant VXLAN networks enforce isolation at multiple levels:

1. Ingress Filtering (Tenant Validation)

  • Source Validation: Verify host belongs to claimed VNI
  • Policy Enforcement: Apply tenant-specific communication rules
  • Access Control: Prevent unauthorized tenant access

2. Encapsulation Isolation (VNI Scoping)

  • VNI Assignment: Each packet tagged with correct tenant identifier
  • Database Scoping: Location lookups limited to specific VNI
  • Cross-Tenant Prevention: No communication between different VNIs

3. Egress Filtering (Delivery Validation)

  • VNI Verification: Confirm receiving switch participates in VNI
  • Host Authorization: Validate destination host belongs to VNI
  • Policy Application: Apply tenant-specific delivery policies

Isolation Violation Prevention

Consider what happens when a host attempts to breach isolation:

Scenario: Cross-Tenant Attack Attempt

Attack Setup:
- Malicious Host M (VNI 2020001 - Finance)
- Target Host T (VNI 1010001 - HR)
- Both behind same physical leaf switch L1

Attack Attempt:
1. Host M creates packet: Source M → Destination T
2. L1 receives packet from Host M
3. L1 tenant lookup: Host M belongs to VNI 2020001
4. L1 target lookup: Search for Host T in VNI 2020001
5. Lookup fails: Host T does not exist in VNI 2020001
6. Packet dropped: No valid destination in tenant scope

Result: Isolation maintained, attack prevented

Address Space Overlap Handling

One of the most powerful features of VNI-based isolation is the ability to handle overlapping IP address spaces:

VNI     | Tenant                 | Host IP      | Physical Location
1010001 | HR Production          | 192.168.1.10 | Behind L1
2020001 | Finance Production     | 192.168.1.10 | Behind L2
3030001 | Engineering Production | 192.168.1.10 | Behind L3

Resolution Process:

  • Tenant-Scoped Lookup: Each VNI maintains separate address space
  • No Conflict: Same IP (192.168.1.10) exists in multiple tenants
  • VNI Context: Location resolution includes VNI: (192.168.1.10, VNI 1010001) → L1
  • Isolation Maintained: Each tenant's 192.168.1.10 completely isolated
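The tenant-scoped lookup above and the dropped cross-tenant attempt from the previous scenario, as an added Python example (not code from the post): the VNI is part of the location-database key, the ingress leaf derives the VNI from the port a frame arrives on, and a source that is not a known local host in that VNI is dropped. The VTEP addresses, port mapping and the two extra hosts (192.168.1.20, 192.168.1.30) are constructed.

```python
"""Tenant-scoped forwarding on an ingress leaf (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Decision:
    action: str                  # "local", "encapsulate" or "drop"
    vni: Optional[int]
    remote_vtep: Optional[str]   # outer destination IP when encapsulating
    reason: str


class LocationDatabase:
    """Maps (VNI, host IP) to the VTEP the host sits behind; the VNI is part of the key."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[int, IPv4Address], str] = {}

    def learn(self, vni: int, ip: str, vtep: str) -> None:
        self._table[(vni, IPv4Address(ip))] = vtep

    def resolve(self, vni: int, ip: str) -> Optional[str]:
        return self._table.get((vni, IPv4Address(ip)))


class IngressLeaf:
    def __init__(self, vtep: str, port_to_vni: Dict[str, int], db: LocationDatabase) -> None:
        self.vtep = vtep
        self.port_to_vni = port_to_vni   # the leaf, not the host, decides the tenant
        self.db = db

    def forward(self, ingress_port: str, src_ip: str, dst_ip: str) -> Decision:
        # Step 2: tenant identification from the port the frame arrived on.
        vni = self.port_to_vni.get(ingress_port)
        if vni is None:
            return Decision("drop", None, None, f"port {ingress_port} is not mapped to a VNI")
        # Ingress filtering: the source must be a host this leaf knows in that VNI.
        if self.db.resolve(vni, src_ip) != self.vtep:
            return Decision("drop", vni, None, f"source {src_ip} is not a local host in VNI {vni}")
        # Step 3: location resolution, scoped to the tenant's VNI only.
        vtep = self.db.resolve(vni, dst_ip)
        if vtep is None:
            return Decision("drop", vni, None, f"{dst_ip} does not exist in VNI {vni}")
        if vtep == self.vtep:
            return Decision("local", vni, None, "destination behind this leaf")
        # Step 4: encapsulate with the VNI and this leaf's VTEP as the outer source.
        return Decision("encapsulate", vni, vtep, f"outer {self.vtep} -> {vtep}, VNI {vni}")


def build_demo_leaf() -> IngressLeaf:
    """Constructed fabric: VTEP addresses, port mapping and the .20/.30 hosts are assumptions;
    the three overlapping 192.168.1.10 hosts follow the post's table."""
    db = LocationDatabase()
    db.learn(1010001, "192.168.1.10", "192.168.1.1")   # HR Production, behind L1
    db.learn(2020001, "192.168.1.10", "192.168.1.2")   # Finance Production, behind L2
    db.learn(3030001, "192.168.1.10", "192.168.1.3")   # Engineering Production, behind L3
    db.learn(1010001, "192.168.1.20", "192.168.1.3")   # HR database server (Host B), behind L3
    db.learn(2020001, "192.168.1.30", "192.168.1.1")   # Finance host M, behind L1
    # Leaf L1 (VTEP 192.168.1.1): eth1 is an HR port, eth2 a Finance port.
    return IngressLeaf("192.168.1.1", {"eth1": 1010001, "eth2": 2020001}, db)


if __name__ == "__main__":
    leaf = build_demo_leaf()
    print(leaf.forward("eth1", "192.168.1.10", "192.168.1.20"))   # HR -> HR DB: encapsulate to L3
    print(leaf.forward("eth2", "192.168.1.30", "192.168.1.20"))   # Finance -> HR DB: drop
```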

Practical Multi-Tenant Scenarios

Real-world multi-tenant VXLAN deployments address diverse organizational needs. Understanding these scenarios helps appreciate the practical value of VNI-based segmentation.

Enterprise Departmental Segmentation

Scenario: Large corporation with 50 departments, each requiring complete network isolation

Traditional Challenge:

  • VLAN Exhaustion: 50 departments × multiple applications = VLAN shortage
  • Cross-Department Leakage: Misconfigured VLANs cause security breaches
  • Management Complexity: Manual VLAN provisioning across hundreds of switches

VXLAN Multi-Tenant Solution:

VNI Assignment Strategy:
VNI Format: DD0000X (Department.Reserved.Environment)

Examples:
- VNI 1000001: HR Production
- VNI 1000002: HR Development
- VNI 2000001: Finance Production
- VNI 2000002: Finance Development
- VNI 3000001: Engineering Production

Benefits:
- Complete isolation between departments
- Unlimited scalability (16M+ VNIs available)
- Centralized policy management
- Automated provisioning through orchestration

Multi-Tenant SaaS Platform

Scenario: SaaS provider hosting 10,000+ customer environments

Requirements:

  • Customer Isolation: Absolute data and network separation
  • Overlapping Address Spaces: Customers use same private IP ranges
  • Dynamic Scaling: New customers onboarded rapidly
  • Compliance: Regulatory requirements for data isolation

VXLAN Implementation:

Customer          | VNI   | IP Range       | Isolation Level
ACME Corp         | 10001 | 10.0.0.0/16    | Complete isolation
Global Industries | 10002 | 10.0.0.0/16    | Complete isolation
TechStart LLC     | 10003 | 192.168.0.0/16 | Complete isolation

Key Benefits Realized:

  • Address Space Freedom: Customers use any IP ranges without conflict
  • Rapid Onboarding: New VNI assignment enables instant customer provisioning
  • Compliance Assurance: VNI-based isolation meets regulatory requirements
  • Operational Simplicity: Automated network provisioning reduces manual errors

Campus Network Modernization

Scenario: University campus with diverse user populations and applications

Segmentation Requirements:

  • Academic Departments: Engineering, Medicine, Business, Arts
  • User Types: Faculty, Students, Staff, Guests
  • Device Categories: Laptops, IoT devices, Lab equipment, Servers
  • Security Zones: Research, Administrative, Public, DMZ

VNI Allocation Strategy:

Hierarchical VNI Design:
Format: DDUUTTXX (Department.User.Type.Extension)

Examples:
- VNI 01010100: Engineering.Faculty.Servers.Research
- VNI 01020200: Engineering.Students.Laptops.General
- VNI 02010100: Medicine.Faculty.Servers.Research
- VNI 02010300: Medicine.Faculty.IoT.Equipment
- VNI 99030400: Guest.Visitor.Mobile.Internet

Benefits:
- Clear organizational hierarchy
- Flexible policy application
- Easy troubleshooting and management
- Room for future growth
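The two decimal VNI schemes in this post (DDAAEEE from the hierarchical assignment section and DDUUTTXX above) as an added Python example, not code from the post: it encodes and decodes the named fields and checks the result against the 24-bit VNI limit, which is the check to run before adopting a scheme, since an 8-digit layout only leaves room for departments 0..15 before VNIs overflow 16,777,215.

```python
"""Encode, decode and range-check hierarchical VNI schemes (added example, not from the post)."""
from typing import Dict, Sequence, Tuple

VNI_MAX = (1 << 24) - 1   # 16,777,215: the VXLAN VNI is a 24-bit field

# A scheme is a sequence of (field name, decimal digit width), most significant field first.
Scheme = Sequence[Tuple[str, int]]
DEPT_APP_ENV: Scheme = (("department", 2), ("application", 2), ("environment", 3))   # DDAAEEE
CAMPUS: Scheme = (("department", 2), ("user", 2), ("type", 2), ("extension", 2))      # DDUUTTXX


def encode_vni(scheme: Scheme, **fields: int) -> int:
    """Pack the named fields into a decimal VNI and refuse values that do not fit 24 bits."""
    vni = 0
    for name, width in scheme:
        value = fields[name]
        if not 0 <= value < 10 ** width:
            raise ValueError(f"{name}={value} does not fit in {width} decimal digits")
        vni = vni * 10 ** width + value
    if vni > VNI_MAX:
        raise ValueError(f"VNI {vni} exceeds the 24-bit maximum {VNI_MAX}")
    return vni


def decode_vni(scheme: Scheme, vni: int) -> Dict[str, int]:
    """Split a VNI back into its named fields (peeling off the least significant field first)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} is not a valid 24-bit VNI")
    fields: Dict[str, int] = {}
    for name, width in reversed(scheme):
        vni, fields[name] = divmod(vni, 10 ** width)
    if vni:
        raise ValueError("VNI has more leading digits than the scheme defines")
    return fields


def max_safe_leading_value(scheme: Scheme) -> int:
    """Largest value of the first field for which every combination of the other fields fits.

    DDAAEEE leaves room for departments 0..166; the 8-digit DDUUTTXX scheme only for 0..15,
    so the post's guest VNI 99030400 cannot be carried in a VXLAN header.
    """
    trailing_digits = sum(width for _, width in scheme[1:])
    return (VNI_MAX + 1) // 10 ** trailing_digits - 1


if __name__ == "__main__":
    print(encode_vni(DEPT_APP_ENV, department=10, application=10, environment=1))   # 1010001
    print(decode_vni(CAMPUS, 2010300))
    print(max_safe_leading_value(DEPT_APP_ENV), max_safe_leading_value(CAMPUS))
```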

Foundation for BGP EVPN Control Plane

Understanding multi-tenant VXLAN networks provides the essential foundation for appreciating why BGP EVPN becomes not just useful, but absolutely necessary for large-scale overlay deployments.

The Control Plane Challenge Multiplied

Multi-tenancy exponentially increases the complexity of the control plane challenges we identified in our location-identity separation discussion:

Single Tenant Challenges:

  • Location Database: Maintain identity → location mappings
  • Dynamic Updates: Handle endpoint mobility
  • Consistent Distribution: Synchronize information across network

Multi-Tenant Complications:

  • VNI-Scoped Databases: Separate location databases per tenant
  • Overlapping Address Spaces: Same IP addresses in different VNIs
  • Selective Distribution: Nodes only need information for their VNIs
  • Policy Enforcement: Tenant-specific communication rules
  • Scale Multiplication: Thousands of tenants × thousands of endpoints

Why Traditional Control Planes Fail at Scale

Challenge                | Single Tenant Impact    | Multi-Tenant Multiplication           | Traditional Limit
Flood-and-Learn          | Some broadcast overhead | Broadcast per VNI × thousands of VNIs | Network meltdown
Multicast Groups         | One group per segment   | One group per VNI × hardware limits   | Hardware exhaustion
MAC Learning             | One MAC table           | MAC table per VNI × memory limits     | Memory exhaustion
Information Distribution | All nodes get all info  | All nodes get all VNI info            | Bandwidth/CPU overload

BGP EVPN: The Multi-Tenant Solution

BGP EVPN elegantly solves multi-tenant control plane challenges:

VNI-Aware Route Distribution:

  • Route Targets: Control which nodes receive which VNI information
  • Selective Import: Nodes only import routes for their active VNIs
  • Efficient Distribution: No unnecessary information transfer

Tenant-Scoped Databases:

  • BGP Routes per VNI: Each VNI gets separate routing table entries
  • Address Space Isolation: Overlapping IPs handled naturally
  • Policy Integration: Tenant policies embedded in route attributes

Scalable Architecture:

  • Route Reflection: Hierarchical distribution reduces control plane load
  • Incremental Updates: Only changes propagated, not full state
  • Proven Scale: BGP already handles internet-scale routing

Multi-Tenant BGP EVPN Example

BGP EVPN Route for Multi-Tenant Host:

Route Type: MAC/IP Advertisement (Type 2)
Route Distinguisher: 192.168.1.1:1010001 (Leaf IP:VNI)
VNI: 1010001 (HR Payroll Production)
MAC Address: aa:bb:cc:dd:ee:ff
IP Address: 192.168.100.10
Next Hop: 192.168.1.1 (Leaf L1 VTEP)
Route Target: 1010001:1010001 (VNI-based)

Result:
- Only nodes participating in VNI 1010001 import this route
- Host location known only within tenant scope
- Overlapping IPs in other VNIs don't conflict
- Policy and QoS attributes travel with route
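The selective import described in this Result list, as an added Python simulation (not code from the post): leaves import a Type-2 route only when one of its route targets matches a VNI they serve, so overlapping host IPs in different VNIs land in separate table entries. The three-leaf fabric and the Finance host are constructed; the post's VNI:VNI route-target notation is kept as an opaque string.

```python
"""Route-target import filtering for EVPN Type-2 routes (added example, not from the post)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple


def rt_for_vni(vni: int) -> str:
    """The post's VNI-based route target, kept as an opaque string here. Real fabrics encode
    RTs as ASN:number (RFC 4360) and commonly auto-derive them from the VNI (RFC 8365)."""
    return f"{vni}:{vni}"


@dataclass(frozen=True)
class Type2Route:
    rd: str                       # route distinguisher, written Leaf IP:VNI as in the post
    vni: int
    mac: str
    ip: str
    next_hop: str                 # VTEP address of the advertising leaf
    route_targets: FrozenSet[str]


@dataclass
class Leaf:
    name: str
    vtep: str
    vnis: Set[int]
    evpn_table: Dict[Tuple[int, str], Type2Route] = field(default_factory=dict)

    def import_targets(self) -> Set[str]:
        return {rt_for_vni(v) for v in self.vnis}

    def receive(self, route: Type2Route) -> bool:
        """Import the route only if one of its RTs matches an RT this leaf imports."""
        if route.next_hop == self.vtep:
            return False                      # our own advertisement, nothing to learn
        if not route.route_targets & self.import_targets():
            return False                      # selective import: not our tenant, discard
        self.evpn_table[(route.vni, route.ip)] = route   # VNI is part of the key
        return True


def advertise(origin: Leaf, vni: int, mac: str, ip: str, fabric: List[Leaf]) -> List[str]:
    """Originate a Type-2 route from a leaf and return the names of the leaves that imported it."""
    route = Type2Route(rd=f"{origin.vtep}:{vni}", vni=vni, mac=mac, ip=ip,
                       next_hop=origin.vtep, route_targets=frozenset({rt_for_vni(vni)}))
    origin.evpn_table[(vni, ip)] = route          # locally learned host
    return [leaf.name for leaf in fabric if leaf.receive(route)]


def build_fabric() -> List[Leaf]:
    """Constructed fabric: L1 serves HR and Finance, L2 Finance only, L3 HR and Engineering."""
    return [Leaf("L1", "192.168.1.1", {1010001, 2020001}),
            Leaf("L2", "192.168.1.2", {2020001}),
            Leaf("L3", "192.168.1.3", {1010001, 3030001})]


if __name__ == "__main__":
    fabric = build_fabric()
    # The post's HR Payroll host: only L3 also serves VNI 1010001, so only L3 imports it.
    print(advertise(fabric[0], 1010001, "aa:bb:cc:dd:ee:ff", "192.168.100.10", fabric))
    # A constructed Finance host with the same IP in VNI 2020001 reaches L1 but not L3.
    print(advertise(fabric[1], 2020001, "00:11:22:33:44:55", "192.168.100.10", fabric))
```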

The Perfect Match: BGP EVPN and multi-tenant VXLAN networks are perfectly matched. BGP EVPN's route target mechanism provides exactly the selective information distribution that multi-tenant networks require, while its proven scalability handles the exponential growth in control plane complexity.

What We've Accomplished

Through this exploration of multi-tenant VXLAN networks, we now understand:

  • VNI Fundamentals: How 24-bit identifiers enable massive scale segmentation
  • Tenant Isolation: Mechanisms that enforce complete network separation
  • Overlapping Address Spaces: How VNI scoping enables address reuse
  • Control Plane Complexity: Why traditional approaches fail in multi-tenant environments
  • BGP EVPN Necessity: How advanced control planes solve multi-tenant challenges

Next in Your Learning Journey

With solid understanding of multi-tenant concepts, you're ready to explore:

  • VXLAN Overlay Forwarding: How packets flow through multi-tenant overlay networks
  • BGP EVPN Route Types: Detailed mechanisms for multi-tenant control plane
  • Policy Integration: Advanced tenant isolation and communication controls
  • Orchestration Integration: Automated multi-tenant network provisioning


You now understand how VXLAN's VNI concept enables unprecedented network segmentation scale and flexibility. This multi-tenant foundation is essential for grasping why BGP EVPN represents such a revolutionary advancement in overlay networking control planes. The combination of VNI-based isolation and BGP EVPN's selective distribution creates the powerful, scalable multi-tenant networks that modern enterprises require.

In our previous discussion about overlay networks, we established that:

  • Location is carried in the outer packet header (where packets travel)
  • Identity is preserved in the inner packet header (what the packet represents)

Now we add a crucial third element:

  • Tenant Context is embedded in the VXLAN header (which virtual network the packet belongs to)

Modern Multi-Tenancy Requirements

Data Center Multi-Tenancy Drivers

Modern data centers must support multiple isolated environments for various reasons:

Scenario                 | Requirements                                   | Challenges
Cloud Service Providers  | Customer isolation, scalable tenant onboarding | Overlapping IP addresses, security boundaries
Enterprise Divisions     | Department segmentation, compliance isolation  | Policy enforcement, inter-tenant communication
Development Environments | Dev/Test/Prod isolation, rapid provisioning    | Resource sharing, environment consistency
Regulatory Compliance    | Data sovereignty, audit trails                 | Traffic inspection, compliance reporting

Campus Network Segmentation Evolution

Enterprise campus networks have evolved beyond traditional VLAN-based segmentation:

Traditional Limitations:
  • 4,096 VLAN limit - Insufficient for large enterprises
  • Spanning tree constraints - Limited topology flexibility
  • Manual provisioning - Slow tenant onboarding
  • Limited mobility - Workload movement restrictions

Modern VXLAN-based segmentation addresses these limitations through:

  • 16 million+ virtual networks (24-bit VNI space)
  • Flexible topologies - No spanning tree limitations
  • Automated provisioning - Software-defined network creation
  • Seamless mobility - Workload migration across locations

Tenant Identification in VXLAN Headers

The Three-Dimensional Model

Building on our location-identity separation foundation, multi-tenant VXLAN operates in three dimensions:

Enhanced VXLAN Packet Structure:

Outer Encapsulation (Physical Transport):
├── Source Location (outer IP header: physical source VTEP)
├── Destination Location (outer IP header: physical destination VTEP)
└── Tenant Identifier (VXLAN header VNI: virtual network context)

Inner Header (Logical Communication):
├── Source Identity (Original source)
├── Destination Identity (Original destination)
└── Application Data (Payload)

Tenant Context Examples

Consider a data center hosting multiple customers:

Tenant         | Virtual Network ID | Use Case               | Isolation Level
Red Network    | VNI 100            | Customer A Production  | Complete isolation
Green Network  | VNI 200            | Customer B Development | Complete isolation
Blue Network   | VNI 300            | Shared Services        | Controlled access
Yellow Network | VNI 400            | Management Network     | Administrative access

Virtual Network Identifier (VNI) Concept

Understanding VNI Fundamentals

The Virtual Network Identifier (VNI) is the key mechanism that enables multi-tenancy in VXLAN networks:

📖 VNI Definition: A unique identifier carried in the VXLAN header that specifies which virtual network a packet belongs to, enabling tenant isolation and virtual network segmentation on shared physical infrastructure.

VNI Characteristics

  • 24-bit field - Supports 16,777,216 unique virtual networks
  • Local significance - Can be locally assigned or globally coordinated
  • Tenant mapping - Direct relationship to customer/tenant identity
  • Policy association - Links to security and forwarding policies

VNI vs Traditional Segmentation

Aspect        | Traditional VLANs            | VNI-based VXLAN
Scale         | 4,096 VLANs                  | 16+ million VNIs
Scope         | Local switching domain       | Global across data centers
Flexibility   | Static configuration         | Dynamic, software-defined
Mobility      | Limited by physical topology | Seamless across locations
Multi-tenancy | Limited isolation            | Complete tenant separation

VXLAN Multi-Tenancy Implementation

VXLAN Header with VNI

VXLAN (Virtual eXtensible Local Area Network) provides multi-tenant capabilities through its header structure:

VXLAN Header Structure:

Outer Ethernet Header:
├── Source MAC: Physical host A
└── Destination MAC: Physical host B

Outer IP Header:
├── Source IP: 192.168.1.10 (Physical host A)
└── Destination IP: 192.168.1.20 (Physical host B)

Outer UDP Header:
├── Source Port: Dynamic (entropy)
└── Destination Port: 4789 (VXLAN)

VXLAN Header (8 bytes):
├── Flags: 0x08 (VNI valid)
├── Reserved: 0x000000
├── VNI: 24-bit tenant identifier
└── Reserved: 0x00

Inner Ethernet Frame:
├── Original tenant packet
└── Application data

VNI Assignment Strategies

Strategy          | Description                 | Use Case                      | Management
Customer-based    | One VNI per customer        | Service provider environments | Simple, customer-aligned
Service-based     | VNI per application/service | Microservices architectures   | Granular, service-aligned
Environment-based | VNI per environment tier    | Dev/Test/Prod separation      | Lifecycle-aligned
Hierarchical      | VNI ranges per organization | Large enterprise deployments  | Structured, scalable

Campus Network Segmentation

Modern Campus Requirements

Enterprise campus networks increasingly require sophisticated segmentation capabilities:

  • Department isolation - HR, Finance, Engineering separation
  • Compliance requirements - PCI DSS, HIPAA, SOX compliance
  • Guest networks - Secure visitor access
  • IoT device segmentation - Building automation, security systems
  • BYOD support - Personal device isolation

Campus VXLAN Benefits

Campus VXLAN Advantages:
  • Policy consistency - Uniform security policies across locations
  • Simplified operations - Centralized management and provisioning
  • Enhanced mobility - Seamless user/device movement
  • Improved security - Micro-segmentation capabilities
  • Future flexibility - Easy network modifications and expansions

Practical Multi-Tenant Scenarios

Scenario 1: Cloud Service Provider

A cloud provider hosts multiple customers with overlapping IP address spaces:

Customer Isolation Example:

Customer A (VNI 1000):
├── Web Tier: 10.0.1.0/24
├── App Tier: 10.0.2.0/24
└── DB Tier: 10.0.3.0/24

Customer B (VNI 2000):
├── Web Tier: 10.0.1.0/24 (Same as Customer A!)
├── App Tier: 10.0.2.0/24 (Same as Customer A!)
└── DB Tier: 10.0.3.0/24 (Same as Customer A!)

Physical Infrastructure:
├── Host 1: 192.168.100.10
├── Host 2: 192.168.100.20
└── Host 3: 192.168.100.30

Key Insight: VNI enables complete isolation despite identical IP addressing schemes.

Scenario 2: Enterprise Multi-Site

A global enterprise with multiple data centers and campus locations:

Location        | Tenant/Department   | VNI Range   | Use Case
HQ Data Center  | Production Services | 10000-10999 | Critical applications
Branch Office A | Sales Department    | 20000-20099 | CRM, collaboration tools
Branch Office B | Engineering         | 20100-20199 | Development, testing
DR Site         | Backup/Recovery     | 30000-30999 | Disaster recovery

Scenario 3: Mixed Tenant Communication

Sometimes tenants need controlled inter-communication:

⚠️ Security Consideration: Inter-tenant communication requires careful policy design. Options include:
  • Shared services VNI - Common services accessible to multiple tenants
  • Gateway-based routing - Controlled routing between VNIs
  • Service insertion - Security appliances between tenants
  • Policy-based forwarding - Conditional inter-tenant access

Connection to BGP EVPN

Multi-Tenancy Challenges

While VNI provides the mechanism for multi-tenancy, several challenges remain in large-scale deployments:

  • VNI coordination - Ensuring unique VNI assignment across the fabric
  • Tenant onboarding - Automated provisioning of new virtual networks
  • Policy distribution - Consistent policy enforcement across all nodes
  • Route advertising - Efficient distribution of tenant reachability information
  • Service integration - Connecting virtual networks to external services

BGP EVPN as the Solution

BGP EVPN Multi-Tenant Benefits:
  • Automated VNI management - Dynamic VNI assignment and distribution
  • Tenant-aware routing - Per-tenant route tables and policies
  • Service orchestration - Automated tenant service provisioning
  • Multi-site connectivity - Seamless tenant extension across data centers
  • Policy automation - Centralized policy definition and distribution

BGP EVPN extends the multi-tenant VXLAN concept by providing:

  • Route Type 2 - MAC/IP advertisement with VNI context
  • Route Type 3 - Inclusive multicast trees per VNI
  • Route Targets - Tenant-specific route import/export policies
  • ESI (Ethernet Segment Identifier) - Multi-homing with tenant awareness

Key Takeaways
  • Multi-tenancy is essential - Modern networks require robust tenant isolation capabilities
  • VNI enables scale - 24-bit VNI space supports massive multi-tenant deployments
  • Three-dimensional model - Location, identity, and tenant context work together
  • VXLAN implementation - Industry-standard protocol for multi-tenancy
  • Policy integration critical - VNI must integrate with security and forwarding policies
  • BGP EVPN automation - Control plane automation essential for large-scale deployments
  • Campus evolution - Enterprise networks moving beyond traditional VLAN limitations
  • Service provider enabler - Foundation for cloud service provider multi-tenancy
🎓 About This Series: This comprehensive guide is part of our Network Virtualization Fundamentals series, designed to provide enterprise network engineers with the knowledge needed to understand and implement modern overlay networking technologies.