NSX-T 4.x Overlay Networking Demystified: Architecture, MTU, and Troubleshooting

Table of Contents

1. Introduction
2. Overlay Architecture: Hypervisor & Edge VTEPs
   • Overlay Topology Diagram
3. MTU Planning and Configuration
   • MTU Propagation Diagram
4. Deep Troubleshooting: Step by Step
   • Troubleshooting Flow
   • PowerShell and Python Examples
5. Common Issues and Best Practices
6. Summary

---

1. Introduction

NSX-T 4.x overlay networking is the backbone of modern, software-defined data centers. By using technologies like GENEVE encapsulation and Virtual Tunnel Endpoints (VTEPs), NSX-T allows you to build scalable, flexible virtual networks on top of your existing physical infrastructure. This decoupling enhances agility and enables robust micro-segmentation, tenant isolation, and seamless integration with public cloud.

Core Concepts:

• Overlay Networking: Virtualizes network traffic using encapsulation protocols, running over your physical “underlay” hardware.
• VTEP: The logical interface (on each host or edge) that encapsulates and decapsulates overlay packets.
• GENEVE: NSX-T’s encapsulation protocol, supporting extensibility and advanced feature sets.
• Transport Zones: Logical boundaries that determine which hosts and edges participate in specific overlay networks.

---

2. Overlay Architecture: Hypervisor & Edge VTEPs

Hypervisor VTEPs

Every ESXi or KVM host that participates in NSX-T overlay networking is configured as a transport node. A dedicated VMkernel (or equivalent) interface is created for VTEP traffic. These interfaces serve as the endpoints for GENEVE tunnels.

• Multi-VTEP Support: NSX-T 4.x supports multiple VTEPs per node, improving redundancy and scale.
• Dynamic Load Balancing: VTEPs can be load balanced across multiple uplinks for failover and high throughput.

Edge Transport Node VTEPs

NSX Edge nodes enable north-south routing and external connectivity. In NSX-T 4.x, Edge nodes can also be configured with multiple VTEPs for redundancy and throughput.

• Tier-0 Gateway: Handles north-south traffic between physical and virtual worlds.
• Tier-1 Gateway: Provides tenant-level isolation and routing.

Overlay Topology Diagram

---

3. MTU Planning and Configuration

Proper MTU configuration is crucial for overlay stability and performance. A mismatch in MTU settings leads to packet drops and network instability.

How MTU Works with NSX-T Overlays:

• Overlay MTU: Typically 1500 bytes for VM traffic (logical switch).
• GENEVE Overhead: Adds ~50 bytes for encapsulation headers.
• Physical Network MTU: Should be at least 1600 bytes to support encapsulated traffic without fragmentation.

MTU Planning Steps

1. Determine Overlay MTU: Most deployments use 1500 bytes for logical switches.
2. Calculate Required Physical MTU: Add GENEVE overhead (1500 + 50 = 1550 minimum, 1600+ is best).
3. Configure Physical Devices: Set MTU to 1600 or higher on all switches, routers, and physical NICs.
4. Validate End-to-End MTU: Use ping with “Don’t Fragment” (DF) bit to confirm path supports required size.

MTU Propagation Diagram

---

4. Deep Troubleshooting: Step by Step

Network issues in NSX-T overlays can have multiple root causes. Systematic troubleshooting saves time and reduces downtime.

Troubleshooting Workflow

1. Overlay Health:
   • Check transport node and edge status in NSX Manager.
   • Confirm VTEPs are up and have correct IPs.
2. VTEP Status:
   • Use NSX CLI, vSphere, or API to verify VTEP interface status.
3. MTU Verification:
   • Ping between VTEPs using large packet size and DF bit.
   • Validate physical switches allow jumbo frames.
4. GENEVE Packet Inspection:
   • Use packet captures on VTEP interfaces to check encapsulation and GENEVE headers.
5. Log Review:
   • Review NSX Manager, ESXi/KVM, and Edge node logs for errors.
6. Packet Capture & Analysis:
   • Use built-in tools, PowerShell, Python, tcpdump, or Wireshark for deeper analysis.

Troubleshooting Flow

---

PowerShell Validation Examples

Check overlay network and VTEP interface status using PowerCLI:

# Get NSX-T transport nodes
Get-TransportNode

# Check VMkernel interfaces (look for overlay/vtep)
Get-VMHostNetworkAdapter -VMHost <hostname> | Where-Object {$_.PortGroupName -like "*overlay*"}

Validate MTU between hosts:

# Test MTU end-to-end (replace with actual IPs)
Test-Connection -Source <VTEP-IP1> -Destination <VTEP-IP2> -Count 2 -BufferSize 1472 -Fragment

---

Python Packet Analysis Example

Capture and analyze GENEVE packets using Scapy (run as root/admin):

from scapy.all import sniff, GENEVE

def geneve_filter(pkt):
    return GENEVE in pkt

packets = sniff(filter="udp port 6081", prn=lambda x: x.summary(), count=10)
for pkt in packets:
    if geneve_filter(pkt):
        print(pkt.summary())

---

Using Third-Party Tools

• Wireshark:
  • Filter: udp.port == 6081
  • Inspect GENEVE headers and inner payloads.
• tcpdump:
  • On ESXi or Linux:
    tcpdump -i <vtep-interface> udp port 6081 -vv
• Netcat:
  • Verify connectivity between VTEP IPs:
    nc -vz <dest-vtep-ip> 6081

---

5. Common Issues and Best Practices

Common Issues

• MTU Mismatch:
  Packets get dropped or fragmented, leading to unpredictable application behavior.
• VTEP IP Overlaps:
  Duplicate or misconfigured VTEP IPs result in failed encapsulation.
• Firewall Blocking:
  Underlay firewalls blocking UDP 6081 prevent GENEVE traffic.
• Routing Issues:
  Underlay network must have complete reachability between all VTEPs.
• ARP/MAC Table Flaps:
  Frequently changing MAC/IP mappings disrupt overlay stability.

Best Practices

• Always verify MTU at every hop using the largest possible packet size.
• Use dedicated VLANs or VRFs for overlay transport traffic.
• Monitor VTEP health using both NSX Manager and external tools.
• Automate validation checks after any network changes.
• Document all VTEP, transport zone, and Edge node assignments.

---

6. Summary

NSX-T 4.x overlay networking is a powerful tool for building next-generation data centers. Success depends on careful MTU planning, robust VTEP architecture, and a systematic approach to troubleshooting. By using both VMware native tools and third-party utilities, you can maintain high availability, reduce troubleshooting time, and optimize overlay network performance.

---

Disclaimer

The views expressed in this article are those of the author and do not represent the opinions of VMware, my employer or any affiliated organization. Always refer to the official VMware documentation before production deployment.