VXLAN + Linux Bridge causes duplicate ICMP packets (flood-and-learn reflection) – request for guidance / resolution

General questions
1

Dear VyOS Networking Team,

I am writing to report and seek guidance on a reproducible VXLAN behavior observed in a VyOS-based EVPN/VXLAN lab. After extensive troubleshooting, the issue appears to be related to Linux bridge + VXLAN flood-and-learn behavior, resulting in persistent packet duplication. I would appreciate confirmation of whether this is an expected limitation, a known issue, or if there is a recommended mitigation within VyOS.

1. Lab Topology Overview

Environment:

  • Platform: VyOS (recent rolling release)

  • Hypervisor: VMware (vmxnet3 NICs)

  • Overlay: VXLAN

  • Control Plane: BGP EVPN

  • Underlay: OSPF

  • Bridge: Linux bridge (br10)

  • MTU: Verified end-to-end (1600 underlay, 1500 overlay)

Topology (simplified):

Host1
β†’ Leaf R1 (VTEP)
β†’ Spine / RR R3
β†’ Leaf R2 (VTEP)
β†’ Host2

Each leaf has:

  • vxlan10 interface

  • br10 bridge

  • Host-facing interface + vxlan10 as bridge members

  • VNI 10

2. Observed Issue

ICMP connectivity between Host1 and Host2 works, but severe packet duplication is observed consistently.

Example output from Host2:

host2@host2:~$ ping 10.10.1.2
PING 10.10.1.2 (10.10.1.2) 56(84) bytes of data.
64 bytes from 10.10.1.2: icmp_seq=1 ttl=61 time=1.75 ms
64 bytes from 10.10.1.2: icmp_seq=1 ttl=61 time=2.11 ms (DUP!)
64 bytes from 10.10.1.2: icmp_seq=1 ttl=61 time=2.53 ms (DUP!)
64 bytes from 10.10.1.2: icmp_seq=1 ttl=61 time=2.54 ms (DUP!)
64 bytes from 10.10.1.2: icmp_seq=1 ttl=61 time=3.36 ms (DUP!)
...
15 packets transmitted, 1 received, +9 duplicates, 93% packet loss

The same behavior is observed in the reverse direction (Host1 ← Host2).

3. STP Interaction

  • When STP is enabled on all bridges, connectivity works but duplicates persist.

  • When STP is disabled, bridge ports transition to blocking state and Host1–Host2 traffic stops entirely.

This suggests STP is preventing a local loop condition but cannot prevent VXLAN overlay reflection, which aligns with STP’s design limitations.

4. OSPF / Underlay Validation

OSPF is fully converged and validated.

Example from R1:

vyos@R1:~$ show ip route ospf
O   1.1.1.1/32 [110/0] is directly connected, lo
O   10.10.1.0/24 [110/1] is directly connected, br10

  • No underlay routing loops

  • No duplicate OSPF paths

  • No ECMP configured

  • MTU consistency verified

5. EVPN / VXLAN Configuration Validation

EVPN sessions are up and stable:

  • BGP EVPN neighbors established

  • MAC/IP routes are exchanged correctly

  • VTEP loopbacks reachable

VXLAN interface configuration is minimal and standard:

  • Single VNI

  • Unicast VXLAN

  • Linux bridge integration

6. Attempted Mitigations (Not Available in VyOS)

I attempted several common VXLAN mitigations used in other platforms, all of which appear unsupported in VyOS:

  • VXLAN learning disable

  • VXLAN split-horizon / hairpin control

  • Bridge port hairpin disable

  • EVPN MAC-only forwarding (control-plane suppression)

CLI confirmation (example):

set interfaces vxlan vxlan10 learning disable
β†’ Configuration path is not valid

set interfaces bridge br10 member interface vxlan10 hairpin disable
β†’ Configuration path is not valid

Bridge member options are limited to:

  • cost

  • priority

  • bpdu-guard

  • root-guard

  • VLAN parameters

No data-plane loop suppression mechanisms are exposed.

7. Root Cause Analysis (My Understanding)

Based on packet behavior and configuration validation, the issue appears to be:

  • Linux bridge flood-and-learn behavior

  • VXLAN ingress replication

  • No MAC suppression in data plane

  • Packets decapsulated on remote VTEP are re-flooded into VXLAN

  • Resulting in overlay reflection and duplicates

STP can only partially mitigate local loops but cannot control overlay behavior.

8. Questions for the VyOS Team

I would appreciate clarification on the following:

  1. Is VXLAN packet duplication in Linux bridge + VXLAN an expected limitation in VyOS?

  2. Does VyOS currently support EVPN-based MAC suppression in the data plane?

  3. Is there any recommended configuration to avoid VXLAN reflection loops without STP?

  4. Is L3 VXLAN (routed VXLAN without bridge) the intended design path in VyOS?

  5. Are there plans to enhance VXLAN/EVPN behavior (e.g., split-horizon, hairpin control, or OVS integration)?

9. Purpose of This Request

This lab is being used for:

  • VXLAN / EVPN learning

  • SD-WAN architecture experimentation

  • Traffic engineering and policy shaping research

I want to ensure that the observed behavior is well-understood and documented correctly, and to align my design with VyOS’s intended VXLAN capabilities.

Thank you for your time and for the excellent work on VyOS. I appreciate any guidance, confirmation, or documentation you can provide regarding this behavior.

Kind regards,
Vinay Murshilly

1 Like
2

Are you looking for set interfaces vxlan vxlan0 parameters nolearning in #6?