4  Network Overlay for VMs

4.1 Overview

Canonical’s OpenStack network virtualization relies on two key components: - OVS (Open vSwitch): The data plane forwarding engine - OVN (Open Virtual Network): The control plane that manages OVS

Note: For definitions of terms used in this chapter, see the Glossary.

4.2 Key Components

4.2.1 OVS (Open vSwitch)

Open vSwitch is a production-quality, multilayer virtual switch designed to enable massive network automation through programmatic extension, while still supporting standard management interfaces and protocols.

Key Features: - Software-based switching - OpenFlow protocol support - Flow-based forwarding - Integration with Linux kernel networking

4.2.2 OVN (Open Virtual Network)

OVN is a system to support virtual network abstraction. OVN complements the existing capabilities of OVS to add native support for virtual network abstractions, such as virtual L2 and L3 overlays and security groups.

Key Features: - Logical switches and routers - Distributed routing - ACLs and security groups - Load balancing - NAT

4.3 GENEVE Overlay

GENEVE (Generic Network Virtualization Encapsulation) is the encapsulation protocol used by OVN to create overlay networks. GENEVE is defined in RFC 8926 and provides a flexible, extensible tunneling protocol.

4.3.1 Key Terms

• TEP (Tunnel Endpoint): The IP address used for GENEVE encapsulation (typically the host loopback). Note: GENEVE uses “TEP”, not “VTEP” - VTEP is VXLAN-specific terminology.
• GENEVE Tunnel: The overlay network tunnel between hosts using UDP encapsulation
• Logical Network: The virtual network abstraction created by OVN

4.3.2 How It Works

1. Underlay Network: Physical L3 network (your datacenter fabric) - pure BGP/ECMP routing
2. Overlay Network: GENEVE-encapsulated logical networks created by OVN
3. TEP IP: Each host uses its loopback IP (e.g., 10.0.1.11/32) as the TEP
4. Encapsulation: VM/container traffic is encapsulated in GENEVE (UDP) and routed through the underlay

4.3.3 GENEVE vs VXLAN

• GENEVE: Generic protocol with variable-length options, used by OVN
• VXLAN: MAC-in-UDP encapsulation, uses “VTEP” terminology
• Our Design: Uses GENEVE with host-based TEPs (not switch-based VTEPs)

Reference: RFC 8926 - Geneve: Generic Network Virtualization Encapsulation

4.4 OVN Architecture

┌─────────────────────────────────────────┐
│         OVN Northbound DB               │
│  (Logical switches, routers, ACLs)      │
└─────────────────┬───────────────────────┘
                  │
┌─────────────────▼───────────────────────┐
│         OVN Southbound DB               │
│  (Physical mapping, bindings)           │
└─────────────────┬───────────────────────┘
                  │
        ┌─────────┴─────────┐
        │                   │
┌───────▼──────┐   ┌────────▼────────┐
│  OVN Central │   │  OVN Host Agent │
│   (Control)  │   │ (ovn-controller)│
└──────────────┘   └────────┬────────┘
                            │
                    ┌───────▼───────┐
                    │  Open vSwitch │
                    │   (Dataplane) │
                    └───────────────┘

4.5 OVN-Kubernetes Integration

OVN-Kubernetes reuses the GENEVE overlay infrastructure:

• CNI Plugin: OVN-Kubernetes provides a CNI plugin
• Same TEP: Uses the same host loopback IP as TEP
• Logical Networks: Creates logical switches per Kubernetes namespace or pod network
• Service Networking: Handles Kubernetes services via logical routers

4.6 Common Networking Terms Reference

4.6.1 Underlay Network Terms

• FRR (Free Range Routing): Open source routing suite supporting BGP, OSPF, etc.
• eBGP/iBGP: External/Internal BGP for route advertisement
• ECMP (Equal Cost Multi-Path): Load balancing across multiple equal-cost paths
• WCMP (Weighted Cost Multi-Path): Weighted load balancing
• BFD (Bidirectional Forwarding Detection): Fast failure detection
• VRF (Virtual Routing and Forwarding): Network virtualization at L3
• VRRP (Virtual Router Redundancy Protocol): High availability for routers

4.6.2 Overlay Network Terms

• VXLAN: Alternative to GENEVE (older, more common)
• TEP (VXLAN Tunnel Endpoint): VXLAN equivalent of TEP
• eVPN (Ethernet VPN): BGP-based control plane for VXLAN
• eVPN-MH (Multi-Homing): Multi-homing support in eVPN

4.6.3 Hardware Acceleration

• SR-IOV (Single Root I/O Virtualization): Hardware-based network virtualization
• TC-Flower: Linux Traffic Control classifier
• Tomahawk/Trident Chips: Broadcom switching ASICs

4.6.4 Link Aggregation

• LACP (Link Aggregation Control Protocol): Standard for bundling links
• MLAG (Multi-Chassis Link Aggregation): Link aggregation across switches
• vPC (Virtual Port Channel): Cisco’s MLAG implementation

4.7 Best Practices

1. Use /32 loopbacks for TEPs: Provides stable identity and simplifies routing
2. Advertise TEP IPs via BGP: Enables automatic discovery and routing
3. Keep underlay simple: L3-only, no L2 stretching
4. Monitor MTU: Ensure underlay supports GENEVE overhead (typically 50 bytes)
5. Plan for scale: Start with /32s, summarize only when necessary

4.8 References

• OVN Architecture Documentation - Official OVN architecture
• Open vSwitch Wikipedia - OVS overview
• OVN Wikipedia - OVN overview
• Red Hat OpenStack Platform - Networking with OVN - Comprehensive OVN documentation
• OpenStack OVN Installation Guide - OVN installation
• OpenStack Neutron OVS/OVN Requirements - Version requirements
• RFC 8926 - GENEVE - GENEVE protocol specification