Vxlan bgp evpn vlan

Hello team:

Following this blog, BGP L2VPN/EVPN support via VXLAN transport, we can set up a VXLAN BGP EVPN lab, but there is no VLAN configuration on the leaf switch. I have tried adding a VLAN to the lab, but it was not successful.
```
vyos@R1# run show configuration
interfaces {
    bridge br100 {
        enable-vlan
        member {
            interface eth3 {
                native-vlan 10
            }
            interface eth3.10 {
            }
            interface vxlan100 {
            }
        }
    }
    dummy dum0 {
        address 172.29.0.1/32
    }
    ethernet eth1 {
        address 172.29.1.1/31
    }
    ethernet eth2 {
        address 172.29.2.1/31
    }
    loopback lo {
    }
    vxlan vxlan100 {
        parameters {
            nolearning
        }
        port 4789
        source-address 172.29.0.1
        vlan-to-vni 10 {
            vni 100
        }
        vni 100
    }
}
protocols {
    bgp {
        address-family {
            ipv4-unicast {
                maximum-paths {
                    ibgp 4
                }
                redistribute {
                    connected {
                    }
                }
            }
            l2vpn-evpn {
                advertise-all-vni
            }
        }
        neighbor 172.29.1.0 {
            peer-group evpn
        }
        neighbor 172.29.2.0 {
            peer-group evpn
        }
        parameters {
            log-neighbor-changes
        }
        peer-group evpn {
            address-family {
                ipv4-unicast {
                    nexthop-self {
                    }
                }
                l2vpn-evpn {
                    nexthop-self {
                    }
                }
            }
            remote-as 65010
        }
        system-as 65010
    }
}
service {
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name R1
    login {
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
[edit]
vyos@R1#
```
What configuration is missing that caused the ping failure? Would you please help with it? Thanks.

The traffic needs somewhere to terminate to, so you need to add a VIF to the bridge:

```
set interfaces bridge br100 vif 10
```

I have had success for untagged traffic, just not setting any VLAN info under `set interfaces bridge br100 member interface eth3`, and without the `enable-vlan` line.

I have also had success for tagged traffic with the following config: `set interfaces bridge br100 member interface eth3 allowed-vlan 10`, with `enable-vlan` set.

Haven’t tried anything setup with native-vlan.

What is your incoming traffic eth3 looking like? Tagged on vlan10? My second config for tagged traffic works on my machine ™

I’ve never needed a bridge vif.

For incoming tagged traffic, I’ve only needed:

```
interface eth3 vif 10
interface bridge br100 enable-vlan
interface bridge br100 member-interface eth3 allowed-vlan 10
```

This is using the vlan-to-vni config.

I have tried with tagged incoming traffic on VLAN 5.
```
vyos@R1# run show configuration
interfaces {
    bridge br100 {
        enable-vlan
        member {
            interface eth3 {
                allowed-vlan 5
                allowed-vlan 8
            }
            interface vxlan100 {
                allowed-vlan 5
                allowed-vlan 8
            }
        }
        vif 5 {
        }
        vif 8 {
        }
    }
    dummy dum0 {
        address 172.29.0.1/32
    }
    ethernet eth1 {
        address 172.29.1.1/31
    }
    ethernet eth2 {
        address 172.29.2.1/31
    }
    ethernet eth3 {
        vif 5 {
        }
    }
    loopback lo {
    }
    vxlan vxlan100 {
        parameters {
            nolearning
        }
        port 4789
        source-address 172.29.0.1
        vlan-to-vni 5 {
            vni 100
        }
        vlan-to-vni 8 {
            vni 200
        }
        vni 100
    }
}
```
But the issue is still there.
When R2’s vxlan100 receives the ARP request, there is no VLAN tag,
so the packet is dropped and there are no packets on the link to PC2.

Compare with SONiC:

```
root@leaf1:~# bridge vlan show
port              vlan-id
docker0           1 PVID Egress Untagged
Ethernet8         5
                  8
Bridge            5
                  8
dummy             1 PVID Egress Untagged
vtep_wluo-5       5 PVID Egress Untagged
vtep_wluo-8       8 PVID Egress Untagged
root@leaf1:~#
```

But on VyOS there is no PVID configuration, and I am not sure how to configure it.

VyOS:

```
[edit]
vyos@R1# sudo bridge vlan show
port              vlan-id
eth3              5
                  8
br100             1 PVID Egress Untagged
vxlan100          5
```

After applying this configuration:

```
root@R1:~# bridge vlan add dev vxlan100 vid 5 pvid untagged
root@R1:~#
root@R1:~#
root@R1:~# bridge vlan show
port              vlan-id
eth3              5
                  8
br100             1 PVID Egress Untagged
vxlan100          5 PVID Egress Untagged
root@R1:~#
```

the ping works fine:

```
[root@rowan> 70-sonic-vs-bgp-evpn-mutivlan]# lo  clab-xx-PC1 ping 10.1.5.2
PING 10.1.5.2 (10.1.5.2): 56 data bytes
64 bytes from 10.1.5.2: seq=856 ttl=64 time=0.590 ms
64 bytes from 10.1.5.2: seq=857 ttl=64 time=0.276 ms
^C
--- 10.1.5.2 ping statistics ---
858 packets transmitted, 2 packets received, 99% packet loss
round-trip min/avg/max = 0.276/0.433/0.590 ms
[root@rowan> 70-sonic-vs-bgp-evpn-mutivlan]#
```
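
The by-eye comparison of `bridge vlan show` listings above, as an added example that is not part of any post in the thread: it parses the VyOS and SONiC listings quoted above and reports how each port carries a VLAN and which VLANs from a `vlan-to-vni` map a port is not a member of. The function names `parse_bridge_vlan`, `port_mode` and `missing_vlans` are hypothetical.

```python
# Listings quoted in the thread: VyOS before the manual change, and SONiC
# (trimmed to the ports compared here).
VYOS = """\
port              vlan-id
eth3              5
                  8
br100             1 PVID Egress Untagged
vxlan100          5
"""
SONIC = """\
port              vlan-id
Ethernet8         5
                  8
vtep_wluo-5       5 PVID Egress Untagged
vtep_wluo-8       8 PVID Egress Untagged
"""

def parse_bridge_vlan(text):
    """Parse `bridge vlan show` text into {port: {vid: set_of_flags}}."""
    table, port = {}, None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or (tokens[0] == "port" and len(tokens) > 1
                          and tokens[1].startswith("vlan")):
            continue                      # blank line or header
        if not line[0].isspace():         # a new port starts in column 0
            port, tokens = tokens[0], tokens[1:]
            table.setdefault(port, {})
        if port is None or not tokens or not tokens[0].isdigit():
            continue                      # no VLAN id on this line
        flags = {f for f in ("PVID", "Untagged") if f in tokens[1:]}
        table[port][int(tokens[0])] = flags
    return table

def port_mode(table, port, vid):
    """'access' = PVID and egress-untagged, 'tagged' = tag kept,
    'partial' = only one of the two flags, 'absent' = not a member."""
    flags = table.get(port, {}).get(vid)
    if flags is None:
        return "absent"
    if flags == {"PVID", "Untagged"}:
        return "access"
    return "tagged" if not flags else "partial"

def missing_vlans(table, port, expected):
    """VLANs from a vlan-to-vni map that the port is not a member of."""
    return sorted(v for v in expected if v not in table.get(port, {}))
```

On the VyOS listing, `missing_vlans(parse_bridge_vlan(VYOS), "vxlan100", [5, 8])` returns `[8]`: the listing shows only VLAN 5 on vxlan100 although the posted configuration lists `allowed-vlan` 5 and 8 for it.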

@Apachez

Yeah I dunno, I haven't done any VXLAN on VyOS (yet).

I can share the experience of worse performance when doing bridging on VyOS - dunno why. The whole DSA (Distributed Switch Architecture) that is the bridging part in Linux is like being written by drunks or something :wink:

Especially for the part when you configure it compared to a regular NOS like EOS from Arista (and the others) where you just do the untagged and tagged and allowed vlans and then call it a day.

Regarding VXLAN when comparing to others you normally do two different VRFs (well actually NETNS in the background).

For Arista the underlay can only exist on VRF=Default and it's there where the loopback (dum0) interfaces must be reachable through the routing table (which seems to be missing from the config dump?).

So I would first verify that you can reach a dum0 from one router to the other over the underlay otherwise the VXLAN will never be able to work correctly.

While at it I would also recommend to set MTU 1550 for the underlay (uplink) interfaces because this way there can be MTU 1500 for the overlay (downlink) interfaces since VXLAN on its own will add 50 bytes to each packet.