GENEVE network tunneling protocol
Evolution
Virtual local area network (VLAN) tagging on an IEEE 802.3 network is defined by the 802.1Q standard, which makes it possible to separate traffic from different logical networks within a physical network. Special VLAN tags are attached to each Ethernet frame to assign unique VLAN IDs, allowing a switch to determine the VLAN to which a frame belongs and forward it accordingly. Therefore, traffic from different devices or user groups is separated and isolated without the need for physically isolated networks.
Virtual extensible LAN (VXLAN) is a tunneling technology used to create and connect VLANs across a physical network and extend the maximum number of supported 802.1Q VLANs from 4,094 to up to 16 million. Generic Network Virtualization Encapsulation (GENEVE) is a newer tunneling protocol developed by the Internet Engineering Task Force (IETF) that offers greater flexibility and scalability compared with VXLAN and supports multicast data transmission.
IEEE 802.3 and 802.1Q
The IEEE 802.3 standards (also referred to as Ethernet) are mainly used to transmit data packets on LANs. The nature of the data can vary and includes files, documents, audio, video, web content, email, and more. This definition describes the transfer of data packets by coaxial, copper, twisted pair, and fiber optic cables.
An Ethernet data packet is built from the physical layer and the layer above it, as known from the Open Systems Interconnection (OSI) reference model, which describes the logical aspects of the network. The parts relevant to the structure and format of Ethernet data packets are:
- the medium access control (MAC) header, which contains the address of the receiver and sender along with other control information;
- the logical link control (LLC) header, which provides details of the type of transmitted data, such as Internet Protocol (IP) and Address Resolution Protocol (ARP); and
- the data area, which contains the user data to be transmitted.
Certain applications use special Ethernet frame formats and structures, such as Ethernet II (DIX format), Ethernet LLC, or Ethernet Subnetwork Access Protocol (SNAP), which are not treated in detail here. An 802.1Q frame has an extended frame structure that includes an additional VLAN tag compared with a normal Ethernet frame. The structure of the 802.1Q frame is:
- Preamble: 7 bytes used to prepare the receiver for the upcoming frame.
- Start frame delimiter (SFD): 1 byte that marks the end of the preamble and the beginning of the frame.
- MAC addresses: 6 bytes for the MAC address of the target device, followed by 6 bytes for the MAC address of the source device.
- 802.1Q tag: 4 bytes with information about the VLAN to which the frame is assigned that provides a VLAN ID, a priority code point (PCP) for quality of service (QoS), and a canonical format indicator (CFI) for network compatibility.
- Type field: 2 bytes with information about the protocol type of the carrier data packet (e.g., IPv4 or ARP).
- Payload data: the rest of the frame, apart from the last 4 bytes, which hold the:
- Frame check sequence (FCS): a 32-bit checksum computed by the sender and used by the receiver to verify the integrity of the frame.
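The frame layout above, turned into a small parser: this is an added example and not code from the original article. It assumes the frame is a capture as delivered by a NIC (preamble and SFD already consumed, FCS still present), that the Ethernet FCS is the standard CRC-32 as computed by zlib.crc32 and sent least significant byte first, and it constructs its own sample frame. The FCS is checked before any field is trusted, which is the receiver-side integrity check the text describes.

```python
"""Parse an IEEE 802.1Q-tagged Ethernet frame and check its FCS.

Added example; not code from the original article. The layout follows the
frame structure described above: destination MAC, source MAC, 4-byte 802.1Q
tag, EtherType, payload, 4-byte FCS. Preamble and SFD are consumed by the
NIC and never appear in a captured frame, so they are not modelled here.
The sample frame at the bottom is constructed for this example.
"""
import struct
import zlib

TPID_8021Q = 0x8100                      # EtherType value announcing an 802.1Q tag
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
MIN_TAGGED_LEN = 6 + 6 + 4 + 2 + 4       # MACs + tag + type + FCS, empty payload


def ethernet_fcs(frame_without_fcs: bytes) -> bytes:
    """The Ethernet FCS is CRC-32 with the same parameters as zlib.crc32
    (reflected, init and xorout 0xFFFFFFFF), sent least significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       ethertype: int, payload: bytes, cfi: int = 0) -> bytes:
    """Assemble a tagged frame with a valid FCS (used to build the sample input)."""
    tci = (pcp & 0x7) << 13 | (cfi & 0x1) << 12 | (vid & 0x0FFF)   # PCP | CFI | VID
    body = dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload
    return body + ethernet_fcs(body)


def parse_8021q_frame(frame: bytes) -> dict:
    """Return the header fields of a tagged frame. Frames whose FCS does not
    match are rejected: a bad FCS means corruption or truncation, and none of
    the other fields can be trusted in that case."""
    if len(frame) < MIN_TAGGED_LEN:
        raise ValueError("frame too short for an 802.1Q frame")
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        raise ValueError("FCS mismatch: frame corrupted or truncated")
    dst, src = body[0:6], body[6:12]
    tpid, tci, ethertype = struct.unpack("!HHH", body[12:18])
    if tpid != TPID_8021Q:
        raise ValueError(f"not an 802.1Q frame (EtherType 0x{tpid:04x})")
    return {
        "dst": dst.hex(":"), "src": src.hex(":"),
        "pcp": tci >> 13,                # 3-bit priority code point (QoS)
        "cfi": (tci >> 12) & 0x1,        # canonical format indicator
        "vid": tci & 0x0FFF,             # 12-bit VLAN ID (1..4094 usable)
        "ethertype": ethertype,
        "protocol": ETHERTYPE_NAMES.get(ethertype, "unknown"),
        "payload": body[18:],
    }


# Constructed sample: broadcast ARP request tagged with VLAN 100, PCP 5.
SAMPLE_FRAME = build_tagged_frame(
    dst=bytes.fromhex("ffffffffffff"), src=bytes.fromhex("001122334455"),
    vid=100, pcp=5, ethertype=0x0806, payload=bytes(28))

if __name__ == "__main__":
    fields = parse_8021q_frame(SAMPLE_FRAME)
    print({k: v for k, v in fields.items() if k != "payload"})
```

Running the file prints the decoded VLAN ID, priority, and EtherType of the sample; flipping any byte of the frame makes parse_8021q_frame raise on the FCS check before a VLAN ID is ever reported.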
VXLAN Extension
VXLAN operates in Layer 2 (data link) of the OSI reference model; was developed by Cisco, Arista, and VMware; and is designed to overcome the limitations of traditional LANs in virtual environments and simplify access to cloud resources and applications.
A traditional LAN is based on the MAC address and the physical topology of switches and routers and is limited to a certain number of devices and broadcast domains. This arrangement causes problems when it comes to scaling and distributing resources and applications in a virtual environment.
VXLAN operates on the same layer as IEEE 802.3, but supports the creation of VLANs that operate independently of the physical topology and MAC address. (See also the "STT Encapsulation" box.) It uses a 24-bit VXLAN virtual network identifier (VNI) to identify and distinguish the virtual LANs, which allows multiple VXLANs to be set up in a physical environment, offering improved scalability and flexibility and the possible use of more broadcast domains and devices. VXLAN comprises the following components:
- Identifier (VNI): a 24-bit value that identifies and distinguishes VLANs.
- Header: the VNI and other control information, such as the source and target UDP ports, used to identify and route the VXLAN data packets.
- Segment: a virtual LAN used by one or more endpoints connected by a VXLAN tunnel.
- Virtual tunnel endpoint (VTEP): a device that encapsulates (and decapsulates) VXLAN data packets and connects VXLAN segments to other VTEPs.
- Tunnel: a logical tunnel that transmits VXLAN data packets over a physical network.
STT Encapsulation
I did not look at stateless transport tunneling (STT) in this article because it is rarely implemented in products. STT is also used as a protocol to create virtual networks independently of the physical topology and MAC address, and also operates in OSI Layer 2. STT is similar to VXLAN and GENEVE in that it uses MAC-in-UDP encapsulation to transfer data between virtual networks. However, it uses a simpler stateless method that requires less computing power. STT does not require a control plane and is therefore easier to implement and manage. One drawback, however, is that it does not offer the same flexibility and scalability as VXLAN and GENEVE.
A VXLAN data packet contains both a MAC header and a VXLAN header. The MAC header provides the physical addresses (MAC addresses) of the sender and receiver, whereas the VXLAN header provides the VNI that identifies the VXLAN segment.
A large number of manufacturers support VXLAN in various forms: Cisco Nexus switches and the application-centric infrastructure (ACI); VMware vSphere NSX-V and its successor NSX-T, which works primarily with GENEVE (more about that in a moment); Juniper QFX switches on the Contrail networking platform; Arista EOS switches; and HPE FlexNetwork architecture and Virtual Cloud Network.
Independent VLANs with GENEVE
GENEVE operates in OSI Layer 2 and supports VLANs regardless of the physical topology and MAC addresses. It offers greater flexibility and scalability than VXLAN but also has some issues. GENEVE is an extension of VXLAN and is not compatible with IEEE 802.3. Both the terminal devices and the switches must support the protocol.
GENEVE encapsulates multiple protocols and services in a single tunnel, which can aggravate management complexity. Therefore, experienced network admins are needed to configure and manage GENEVE networks. Moreover, admins can expect performance problems because GENEVE uses a single-tunnel format, increasing the load on switches and routers. Finally, security issues arise because GENEVE's encapsulation of multiple protocols and services in a single tunnel makes it difficult to monitor and control communications between virtual networks.
GENEVE comprises three components:
- Header: fields that contain the information required for unpacking and forwarding the data packets, in the form of flags (the type of message), protocol type (the protocol in the packet), VNI (identifying the virtual network), and a reserved field (for future extensions).
- Options: additional information required for virtual network management and automation (e.g., endpoint identification, connection identification, endpoint policy).
- Payload: the data moved from one virtual network to another, which can carry an arbitrary protocol (e.g., IPv4, IPv6, Ethernet).