This is a very common OpenShift interview question:
Why does OVN-Kubernetes use GENEVE instead of VXLAN?
What is GENEVE?
Generic Network Virtualization Encapsulation (GENEVE) is a network encapsulation protocol used to create overlay networks between Kubernetes nodes.
Think of it like putting a packet inside another packet:
Original Pod Packet
↓
GENEVE Encapsulation
↓
Physical Network
↓
GENEVE Decapsulation
↓
Destination Pod
Example
Suppose:
| Pod | IP | Node |
|---|---|---|
| Pod A | 10.128.1.10 | Worker-1 |
| Pod B | 10.129.2.15 | Worker-2 |
The physical network does NOT know these pod networks.
OVN creates a tunnel:
Worker-1
|
GENEVE Tunnel
|
Worker-2
The packet is encapsulated and transported across the underlay network.
Why not VXLAN?
Older SDN solutions used:
VXLAN
UDP 4789
OpenShift SDN used VXLAN.
OVN-Kubernetes uses:
GENEVE
UDP 6081
because GENEVE is more flexible.
VXLAN Header
VXLAN provides:
Outer IP
Outer UDP
VXLAN Header
Original Packet
VXLAN metadata is limited.
GENEVE Header
GENEVE provides:
Outer IP
Outer UDP
GENEVE Header
Options Metadata
Original Packet
Key difference: GENEVE supports extensible metadata.
Why OVN Loves GENEVE
OVN is a Software Defined Network.
It must transport:
- Pod information
- Network policies
- Security attributes
- Routing information
- Logical network identifiers
GENEVE can carry extra metadata directly inside packets.
Packet + Network ID + Security Context + Routing Info + Tenant Info
VXLAN cannot do this efficiently.
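An added example (not from the original page or the OVN project): a minimal Python parser for the GENEVE header as laid out in RFC 8926, showing the variable-length option TLVs that VXLAN's fixed header lacks, with length checks so a malformed packet is rejected rather than misread. The sample packet, including its VNI and option class/type values, is constructed for illustration.

```python
import struct

def parse_geneve(payload: bytes) -> dict:
    """Parse a GENEVE header (RFC 8926) from a UDP payload; ValueError if malformed."""
    if len(payload) < 8:
        raise ValueError("truncated: fixed GENEVE header is 8 bytes")
    b0, b1, proto, vni_rsvd = struct.unpack("!BBHI", payload[:8])
    if b0 >> 6 != 0:                      # top 2 bits: version, only 0 is defined
        raise ValueError("unsupported GENEVE version")
    end = 8 + (b0 & 0x3F) * 4             # low 6 bits: option length in 4-byte words
    if len(payload) < end:
        raise ValueError("truncated: options run past end of payload")
    options, off = [], 8
    while off < end:
        opt_class, opt_type, rlen = struct.unpack("!HBB", payload[off:off + 4])
        data_end = off + 4 + (rlen & 0x1F) * 4   # low 5 bits: data length in words
        if data_end > end:
            raise ValueError("option overruns declared option length")
        options.append({
            "class": opt_class,
            "type": opt_type,
            "critical": bool(opt_type & 0x80),   # high bit of type marks critical
            "data": payload[off + 4:data_end],
        })
        off = data_end
    return {
        "vni": vni_rsvd >> 8,             # 24-bit virtual network identifier
        "protocol": proto,                # 0x6558 means an Ethernet frame follows
        "critical": bool(b1 & 0x40),      # C flag: critical options present
        "options": options,
        "inner": payload[end:],           # the encapsulated original packet
    }

def build_sample() -> bytes:
    """Constructed sample: VNI 5, one option with 4 data bytes, dummy inner frame."""
    option = struct.pack("!HBB", 0x0102, 0x80, 1) + struct.pack("!I", 0x00010002)
    fixed = struct.pack("!BBHI", len(option) // 4, 0x40, 0x6558, 5 << 8)
    return fixed + option + b"\x00" * 14

if __name__ == "__main__":
    print(parse_geneve(build_sample()))
```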
OpenShift OVN Architecture
Pod
↓
OVS
↓
GENEVE Tunnel
↓
OVS
↓
Pod
Every worker node maintains tunnels to other workers.
Example:
Worker1 <----GENEVE----> Worker2
Worker1 <----GENEVE----> Worker3
Worker2 <----GENEVE----> Worker3
OVN dynamically programs these tunnels.
How to Verify GENEVE in OCP
Open a debug shell on a node:
oc debug node/<worker>
chroot /host
Show OVS interfaces:
ovs-vsctl show
Typical output:
Interface genev_sys_6081
type: geneve
You can also use:
ovs-vsctl list interface
Look for:
type=geneve
Check Listening Port
netstat -anu | grep 6081
or
ss -anu | grep 6081
Expected:
UDP 6081
Packet Flow Example
Same Node
Pod A
↓
OVS
↓
Pod B
No tunnel required.
Different Nodes
Pod A
↓
OVS
↓
GENEVE Encapsulation
↓
Physical Network
↓
GENEVE Decapsulation
↓
OVS
↓
Pod B
Performance Considerations
GENEVE adds overhead.
Typical encapsulation:
Ethernet
IP
UDP
GENEVE
Original Packet
Overhead is roughly:
~50-70 bytes
Because of this, OpenShift automatically adjusts MTU.
Check:
oc get network.operator cluster -o yaml
Look for:
mtu: 1400
Typical:
| Network MTU | Pod MTU |
|---|---|
| 1500 | 1400 |
| 9000 | 8900 |
Troubleshooting GENEVE Issues
MTU Problems
Symptoms:
- Intermittent connectivity
- Large packets fail
- Timeouts
Check:
ip link
Verify MTU consistency.
Tunnel Failure
Check:
ovs-vsctl show
Look for missing:
genev_sys_6081
Firewall Blocking
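GENEVE requires UDP 6081 to be open between all worker and control-plane nodes.
Check:
nc -zvu <node-ip> 6081
Because UDP is connectionless, a successful result from nc only shows that no ICMP port-unreachable reply came back; it does not prove the packet reached the remote node.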
Interview Answer (1 Minute)
OVN-Kubernetes uses GENEVE as its overlay encapsulation protocol because GENEVE supports extensible metadata, which is required by OVN’s logical networking model. Unlike VXLAN, which only carries a network identifier, GENEVE can transport additional information such as logical network attributes, security policies, and routing context. In OpenShift, Open vSwitch encapsulates pod traffic into GENEVE packets over UDP port 6081 when communication occurs between nodes. This enables OVN to implement distributed routing, network policies, EgressIP, and other advanced networking features while maintaining a scalable overlay network.