How to Switch Calico Network Modes: From IPIP to BGP and Cross‑Subnet
This guide explains Calico's default IPIP mode, compares overlay, BGP, and cross‑subnet networking, and provides step‑by‑step commands to verify and change the network mode in a Kubernetes cluster, helping you optimize container network performance.
Calico Network Mode Overview
Calico uses the IPIP network mode by default, which can cause some performance loss; users with latency‑sensitive workloads may notice this.
Overlay Network
An overlay network sits on top of another network and is used in Kubernetes to handle Pod‑to‑Pod traffic when the underlying network does not understand Pod IPs. It encapsulates packets using protocols such as VXLAN or IP‑in‑IP.
Tip: Overlay networks reduce dependence on the underlying network, allowing you to run VXLAN over almost any physical network without changes.
Drawbacks include a slight performance impact due to CPU usage for encapsulation and reduced maximum packet size, and Pod IPs are not routable outside the cluster.
BGP Network
BGP (Border Gateway Protocol) is a standard routing protocol that enables route sharing across networks and is a fundamental building block of the Internet.
Calico’s built‑in BGP support lets Calico peer with physical routers, making Pod IPs routable outside the cluster just like any other workload.
Cross‑Subnet Network
Beyond standard VXLAN or IP‑in‑IP overlays, Calico offers a “cross‑subnet” mode where the underlying network acts as L2 within each subnet. Packets inside a subnet are not encapsulated, providing non‑overlay performance, while cross‑subnet traffic is encapsulated similarly to a regular overlay.
Encapsulation Types
Calico supports two encapsulation types: VXLAN and IP‑in‑IP. VXLAN works in environments where IP‑in‑IP is unsupported (e.g., Azure) but adds slightly larger headers. VXLAN does not use BGP, whereas Calico’s IP‑in‑IP implementation relies on BGP between nodes.
Switching Calico Network Modes
1. Confirm current mode
$ calicoctl get ippool -owide
NAME CIDR NAT IPIPMODE VXLANMODE DISABLED DISABLEBGPEXPORT SELECTOR
default-ipv4-ippool 10.244.0.0/16 true Always Never false false all()
$ ip r | grep bird
blackhole 10.244.32.128/26 proto bird
10.244.58.192/26 via 172.139.20.75 dev tunl0 proto bird onlink
...Tip: The IPIPMODE and VXLANMODE fields indicate the current mode; if the next‑hop interface is tunl0, IPIP mode is active.
2. Switch mode
$ calicoctl patch ippool default-ipv4-ippool --patch '{Linux Ops Smart Journey
The operations journey never stops—pursuing excellence endlessly.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.