IVO Networks · NVGRE Series
Network Virtualization Gateway
Cross-Premise Network Virtualization Appliance
Securely connect your datacenter or private cloud with public cloud environments — with seamless VM migration, IP address preservation, full tenant isolation, and encrypted virtual subnet tunneling.
Module 5 (sub-detail): Change to Purpose-built NVGRE gateway appliance implementing RFC 7637 (Network Virtualization using Generic Routing Encapsulation). Encapsulates Layer 2 frames in GRE over IP, supporting up to 16 million virtual subnets with 24-bit Virtual Subnet Identifiers.
Virtual networks decoupled from physical infrastructure
Traditional datacenter networks tie workload placement to physical network topology. VLANs provide isolation, but they're limited to 4,094 segments, require switch-by-switch configuration, and break when workloads move across Layer 3 boundaries. Scaling a multi-tenant environment on VLANs alone means managing an increasingly fragile network of dependencies.
NVGRE (Network Virtualization using Generic Routing Encapsulation) solves this by creating virtual Layer 2 networks on top of the physical Layer 3 infrastructure. Each virtual network is identified by a 24-bit Virtual Subnet Identifier (VSID) — supporting up to 16 million virtual subnets, compared to the 4K limit of VLANs. Workloads in the same virtual subnet can communicate at Layer 2 regardless of their physical location in the datacenter.
The NVGRE gateway appliance serves as the Network Virtualization Edge (NVE) — the ingress/egress point between virtual and physical networks. It encapsulates tenant Ethernet frames inside GRE headers with the appropriate VSID, tunnels them over the physical IP network, and decapsulates them at the destination NVE. The physical network only needs to provide IP connectivity — no VLAN configuration, no spanning tree, no per-tenant switch programming.
Customer Addresses (CAs) — the IPs assigned to virtual machines — are completely decoupled from **Provider Addresses (PAs)** — the IPs used in the physical network. Multiple tenants can use overlapping IP address ranges without conflict. A tenant can bring their own IP addressing scheme into the datacenter without requiring renumbering or coordination with other tenants or the physical infrastructure.
RFC 7637. 24-bit VSID supports 16 million virtual subnets. GRE Key field carries VSID + 8-bit FlowID for ECMP entropy. Physical network requires only IP connectivity.
What the NVGRE Gateway delivers
A dedicated appliance that bridges virtual and physical networks — enabling hybrid cloud connectivity, live VM migration, and multi-tenant isolation at datacenter scale.
Hybrid cloud connectivity
Securely extend virtual subnets across premise boundaries — connecting your datacenter with public cloud environments through encrypted GRE-over-IPsec tunnels. Tenants bring their own IP address spaces without renumbering.
Seamless VM migration
Move virtual machines between physical hosts — even across Layer 3 boundaries — without changing their IP addresses or reconfiguring network switches. The virtual network follows the workload, not the other way around.
IP address preservation
Customer Addresses (CAs) assigned to VMs are fully decoupled from Provider Addresses (PAs) on the physical network. Workloads retain their IP addresses regardless of physical location, data center, or cloud environment.
Multi-tenant isolation
Each tenant's traffic is tagged with a unique 24-bit Virtual Subnet Identifier. Tenants with overlapping IP ranges coexist on the same physical infrastructure with full Layer 2 isolation — no VLAN coordination required.
Encrypted tunneling
Cross-premise traffic is secured with IPsec encryption. Virtual subnet tunnels between datacenters or between datacenter and cloud traverse the internet with the same encryption standards used for site-to-site VPN.
16 million virtual subnets
The 24-bit VSID supports up to 16 million virtual subnets in a single management domain — a 4,000x increase over the 4,094 limit of 802.1Q VLANs. Each VSID represents a virtual Layer 2 broadcast domain.
ASAFE Integration
Cloud-based management and monitoring
The NVGRE gateway integrates with the ASAFE platform — IVO Networks' cloud-based monitoring, high-availability, and security management system.
High-availability failover (FC4AO)
Proprietary failover technology maintains virtual subnet connectivity when the primary gateway becomes unreachable — automatically redirecting encapsulated traffic to secondary gateways without disrupting tenant VM connectivity.
Real-time monitoring & reporting
Track tunnel health, VSID utilization, encapsulation throughput, and cross-premise connectivity status from a cloud-based dashboard. Monitor per-tenant traffic patterns and gateway resource utilization in real time.
Centralized policy management
Manage VSID assignments, CA-to-PA mapping policies, cross-premise routing configurations, and tenant isolation rules from a single interface across all deployed NVGRE gateways.
SIEM integration
Stream encapsulation metadata, tenant traffic telemetry, and gateway health data to your SIEM for security monitoring, capacity planning, and cross-premise traffic analysis.
ASAFE Platform
Monitoring, failover & security management
ARCHITECTURE
NVGRE protocol components
A standards-based encapsulation protocol (RFC 7637) that virtualizes Layer 2 networks over Layer 3 IP infrastructure — with purpose-built hardware for line-rate encapsulation and decapsulation.
GRE encapsulation with VSID
Tenant Ethernet frames are encapsulated in GRE over IP. The 32-bit GRE Key field carries a 24-bit Virtual Subnet Identifier (VSID) and an 8-bit FlowID for ECMP load distribution. Protocol type 0x6558 (Transparent Ethernet Bridging) identifies the inner payload.
CA/PA address mapping
Customer Addresses (VM IPs) are mapped to Provider Addresses (physical network IPs) through virtualization policy. The gateway maintains the mapping table and performs address translation at encapsulation/decapsulation — enabling overlapping tenant address spaces on shared infrastructure.
Cross-premise gateway
For hybrid cloud deployments, the gateway bridges virtual subnets across premise boundaries using site-to-site IPsec VPN tunnels. Tenant VMs in the cloud communicate with on-premise resources using their original CA addresses — no NAT, no renumbering, no application changes.
SPECIFICATIONS
NVGRE-6000 gateway specifications
Enterprise-grade network virtualization appliance built on the IVO Networks hardened platform with hardware-accelerated GRE encapsulation and IPsec encryption.
| Specification | NVGRE-6000 |
|---|---|
| Form factor | 2U rack-mount |
| Network interfaces | 10GbE |
| Encapsulation protocol | NVGRE (RFC 7637) — GRE over IP |
| Virtual Subnet ID | 24-bit VSID (up to 16M virtual subnets) |
| Address model | Customer Address (CA) / Provider Address (PA) |
| Cross-premise encryption | IPsec (hardware-accelerated) |
| ECMP support | 32-bit GRE Key (VSID + FlowID) for load distribution |
| Broadcast/multicast | Multicast replication or N-way unicast |
| High availability | ASAFE FC4AO failover |
| Management | ASAFE cloud dashboard |
| Target deployment | Enterprise datacenter & hybrid cloud |
GET STARTED
Ready to move workloads without moving IP addresses?
Contact our sales team to discuss your deployment requirements, schedule a demo, or request a proof of concept.
Or call us directly: +1 (650) 286-1300