Geneve (Generic Network Virtualization Encapsulation) is a flexible tunneling protocol designed to carry network virtualization overlays across physical infrastructure. Unlike VXLAN’s fixed 24-bit VNI, Geneve uses a variable-length options field that supports rich metadata, making it the protocol of choice for modern SDN and multi-tenant cloud platforms.

This guide compares three implementations for self-hosting Geneve overlay networks: OVN (Open Virtual Network), Open vSwitch (OVS), and the Linux kernel’s native Geneve driver.

What Is Geneve and Why Does It Matter?

Geneve (RFC 8926) was created by the IETF NETEXT working group as a successor to VXLAN, NVGRE, and STT. Its key advantages include:

  • Variable-length options: Unlike VXLAN’s fixed header, Geneve supports arbitrary TLV (Type-Length-Value) options for metadata like security groups, load balancer state, and application context.
  • Protocol agnostic: Works over UDP (port 6081), compatible with any IP network.
  • Multi-tenant isolation: 24-bit Virtual Network Identifier (VNI) supports 16 million isolated segments.
  • Hardware offload support: Modern NICs from Intel, Mellanox, and Broadcom support Geneve TSO/LRO offload.

OVN (Open Virtual Network)

OVN is a full network virtualization platform built on top of OVS. It provides logical switching, routing, load balancing, and firewall capabilities using Geneve as the overlay transport.

GitHub: ovn-org/ovn — ⭐698 | Last updated: May 2026 | Language: C

Key Features

  • Logical switches and routers: Abstraction layer over physical topology
  • Distributed logical routing: No single point of failure for L3 forwarding
  • Native load balancing: L4 load balancer with health checking
  • ACLs and security groups: Stateful firewall rules at the logical port level
  • HA support: Active/standby chassis with GARP redirection

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31

version: "3.8"
services:
  ovn-northd:
    image: docker.io/ovn/ovn:latest
    command: ovn-northd
    network_mode: host
    volumes:
      - /var/run/ovn:/var/run/ovn
      - /etc/ovn:/etc/ovn
    restart: unless-stopped

  ovn-controller:
    image: docker.io/ovn/ovn:latest
    command: ovn-controller
    network_mode: host
    volumes:
      - /var/run/ovn:/var/run/ovn
      - /var/run/openvswitch:/var/run/openvswitch
      - /etc/openvswitch:/etc/openvswitch
    depends_on:
      - ovn-northd
    restart: unless-stopped

  ovndb:
    image: docker.io/ovn/ovn:latest
    command: ovn-sb-db --remote=ptcp:6642
    network_mode: host
    volumes:
      - /etc/ovn:/etc/ovn
      - /var/lib/ovn:/var/lib/ovn
    restart: unless-stopped

Installation (Native)

1
2
3
4
5
6
7
8

# Ubuntu/Debian
sudo apt install ovn-host ovn-central openvswitch-switch

# Start OVN services
sudo systemctl enable --now ovn-central ovn-host

# Verify Geneve tunnels
sudo ovs-vsctl show

Open vSwitch (OVS)

Open vSwitch is a production-quality, multilayer virtual switch designed for VM and container environments. It provides the dataplane that OVN builds upon, but can also be used standalone for Geneve tunneling.

GitHub: openvswitch/ovs — ⭐3,952 | Last updated: May 2026 | Language: C

Key Features

  • Geneve tunnel endpoints: Full Geneve encapsulation/decapsulation support
  • OpenFlow programmability: SDN controller integration via OpenFlow 1.3+
  • DPDK acceleration: Userspace datapath for line-rate packet processing
  • Hardware VTEP integration: Interoperability with physical switch Geneve tunnels
  • Monitoring and debugging: Built-in packet capture, flow tracing, and statistics

Docker Compose Deployment

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

version: "3.8"
services:
  ovs-vswitchd:
    image: docker.io/openvswitch/ovs:latest
    command: ovs-vswitchd --pidfile --detach --log-file
    network_mode: host
    privileged: true
    volumes:
      - /var/run/openvswitch:/var/run/openvswitch
      - /etc/openvswitch:/etc/openvswitch
    restart: unless-stopped

  ovsdb-server:
    image: docker.io/openvswitch/ovs:latest
    command: ovsdb-server --remote=punix:/var/run/openvswitch/db.sock
    network_mode: host
    volumes:
      - /var/run/openvswitch:/var/run/openvswitch
      - /etc/openvswitch:/etc/openvswitch
    restart: unless-stopped

Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Initialize OVS database
sudo ovsdb-tool create /etc/openvswitch/conf.db

# Start OVS
sudo ovsdb-server --detach
sudo ovs-vswitchd --detach

# Create Geneve tunnel
sudo ovs-vsctl add-br br-geneve
sudo ovs-vsctl add-port br-geneve geneve0   -- set interface geneve0 type=geneve   options:remote_ip=10.0.0.2   options:key=flow

Linux Kernel Geneve Driver

The Linux kernel includes a native Geneve driver (geneve.ko) since kernel 4.3. It provides a lightweight, zero-dependency Geneve endpoint using the kernel’s built-in networking stack.

GitHub: torvalds/linux — ⭐233,615 | Last updated: May 2026 | Language: C

Key Features

  • Zero external dependencies: Ships with the Linux kernel since v4.3
  • iproute2 integration: Configure via standard ip link commands
  • NETDEV offload support: TSO, GRO, and checksum offload via kernel networking stack
  • Minimal footprint: No userspace daemon required
  • Namespace support: Geneve interfaces work in network namespaces

Configuration

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Load the kernel module
sudo modprobe geneve

# Create a Geneve interface
sudo ip link add geneve0 type geneve   id 100   remote 10.0.0.2   dstport 6081

# Assign IP address and bring up
sudo ip addr add 10.10.0.1/24 dev geneve0
sudo ip link set geneve0 up

# Verify
ip -d link show geneve0

Persistent Configuration (Netplan)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
  tunnels:
    geneve0:
      mode: geneve
      id: 100
      remote: 10.0.0.2
      addresses: [10.10.0.1/24]

Comparison Table

FeatureOVNOpen vSwitchLinux Kernel Geneve
Geneve SupportFull (via OVS)Full (native)Full (kernel driver)
Logical RoutingYes (distributed)NoNo
Load BalancingYes (native)Via OpenFlowNo
ACLs/FirewallYes (stateful)Via OpenFlowVia iptables/nftables
Hardware OffloadVia OVSYes (DPDK + HW)Yes (NETDEV)
SDN ControllerBuilt-in (OVN Northbound)External (any OpenFlow)None
Container NativeYes (CNI plugin)Yes (CNI plugin)Yes (CNI compatible)
Multi-tenancy16M VNIs16M VNIs16M VNIs
ComplexityHighMediumLow
Best ForFull SDN platformProgrammable switchingLightweight tunnels

Why Self-Host Your Geneve Overlay?

Self-hosting Geneve overlay networks gives organizations complete control over their virtualized network infrastructure. When you manage your own overlay, you maintain full visibility into traffic patterns, security policies, and performance metrics without depending on cloud provider abstractions. This is critical for organizations with compliance requirements, multi-cloud strategies, or hybrid infrastructure deployments.

Running Geneve on your own hardware means you can implement custom traffic engineering policies, integrate with existing monitoring stacks, and optimize the datapath for your specific workload characteristics. Whether you need the full SDN capabilities of OVN for a multi-tenant platform, the programmable switching of OVS for container networking, or the lightweight kernel driver for simple point-to-point tunnels, self-hosting gives you the flexibility to choose the right tool for each deployment scenario.

For Kubernetes networking, see our multi-cluster Kubernetes networking guide covering Submariner and Liqo. If you need network policy enforcement, our Calico vs Cilium vs kube-router comparison covers the leading CNI options. For network simulation testing, check our GNS3 vs EVE-NG vs Containerlab guide.

Geneve in Production: Real-World Deployment Patterns

In production environments, Geneve overlay networks are commonly deployed in three patterns: spine-leaf data center fabrics, multi-tenant cloud platforms, and edge computing clusters. The spine-leaf pattern uses Geneve tunnels between leaf switches to provide any-to-any connectivity without requiring a full mesh of physical links. Multi-tenant platforms leverage Geneve variable-length options to carry tenant identifiers, security group tags, and QoS markings alongside the encapsulated payload. Edge computing deployments use Geneve to bridge geographically distributed sites while maintaining centralized policy enforcement through the OVN northbound database.

For high-availability Geneve deployments, consider deploying multiple OVN controllers across chassis with automatic failover. The ovn-controller process detects peer failures through Southbound database liveness probes and triggers GARP ( Gratuitous ARP ) redirection to maintain connectivity. In OVS-only deployments, use BFD ( Bidirectional Forwarding Detection ) over Geneve tunnels for sub-second failure detection instead of relying on the default UDP keepalive interval.

When sizing your Geneve infrastructure, account for the encapsulation overhead: Geneve adds a minimum of 50 bytes per packet (8-byte Geneve header, 8-byte UDP header, 20-byte IPv4 header, 14-byte Ethernet header). For minimum-size Ethernet frames (64 bytes), this can push packets above the MTU of physical links. Configure your physical network MTU to at least 1600 bytes to accommodate Geneve encapsulation without fragmentation.

FAQ

What is the difference between Geneve and VXLAN?

Geneve uses a variable-length options field that supports arbitrary metadata (TLVs), while VXLAN has a fixed 8-byte header with only a 24-bit VNI. This makes Geneve more flexible for SDN applications that need to carry additional context like security groups or load balancer state. Both use UDP port encapsulation and support 16 million virtual network segments.

Does OVN require Open vSwitch?

Yes, OVN uses OVS as its dataplane. OVN provides the control plane (logical switching, routing, load balancing) while OVS handles the actual packet forwarding. You cannot run OVN without OVS, but you can run OVS standalone without OVN for simpler Geneve tunneling use cases.

Can I use Geneve with Docker containers?

Yes. Both OVN and OVS have CNI (Container Network Interface) plugins that create Geneve-overlayed networks for containers. The OVN-Kubernetes project provides a full CNI implementation for Kubernetes clusters. The Linux kernel Geneve driver can also be used with custom CNI plugins.

What UDP port does Geneve use?

Geneve uses UDP destination port 6081 by default (IANA-assigned). This can be changed during interface creation but port 6081 is the standard and should be allowed through firewalls between Geneve tunnel endpoints.

Does Geneve support hardware offload?

Yes. Modern SmartNICs from Mellanox (ConnectX-5+), Intel (E810), and Broadcom support Geneve TSO (TCP Segmentation Offload), LRO (Large Receive Offload), and checksum offload. OVS with DPDK can also leverage hardware offload through the rte_flow API for line-rate Geneve processing.

Is Geneve better than VXLAN for Kubernetes?

Geneve offers more flexibility for advanced Kubernetes networking scenarios because its variable-length options can carry additional metadata. OVN-Kubernetes uses Geneve by default for this reason. However, for simple pod-to-pod networking, VXLAN provides equivalent performance with broader hardware support. Choose Geneve if you need the extra metadata capabilities; otherwise VXLAN is sufficient.