VxLAN duplicate MACs in FDB

Dear all,

I have set up two RB3011UiAS to interconnect two locations via VxLAN (transporting a total of 4 VLANs). As per the tutorial I added the VxLAN interface as a bridge member port. Apparently because of this, I get several MAC duplicates in /interface vxlan fdb and a randomly occurring bridge: tx loop on interface (1)

If I remove the VxLAN interface from the bridge the duplicates are gone (but of course the VLANs are not reachable then). The setup is as follows:
(sfp1 is the Trunk Port carrying all the VLANs)

Router 1

# Router 1: routed VLAN interfaces (SVI-style) sitting on the bridge for
# VLANs 1401/1404/1500. Per the replies further down, these are only needed
# where this router must own an IP address inside the VLAN.
/interface vlan
add comment="VLAN MGMT-SWITCHES" interface=bridge name=vlan1401 vlan-id=1401
add comment="VLAN MGMT-WLAN" interface=bridge name=vlan1404 vlan-id=1404
add comment="VLAN GUESTWL" interface=bridge name=vlan1500 vlan-id=1500



# Router 1 VTEP: VNI 10 over UDP/8472, sourced from 192.168.7.30, single
# remote VTEP 172.16.1.2. The explicit mac-address 4A:26:60:3C:E5:FF is the
# MAC that shows up twice in R2's FDB later in this thread (once with
# remote-ip=0.0.0.0, once with remote-ip=192.168.7.30).
# NOTE(review): VXLAN carries no authentication or encryption of its own;
# confirm the 192.168.7.30 <-> 172.16.1.2 path is trusted (or the tunnel is
# carried inside IPsec/WireGuard) and that udp/8472 is firewalled so only the
# peer VTEP can reach it.
/interface vxlan
add comment="VxLAN-Tunnel R1 <-> R2" local-address=192.168.7.30 mac-address=4A:26:60:3C:E5:FF name=vxlan1 port=8472 vni=10 vrf=main vteps-ip-version=ipv4
/interface vxlan vteps
add interface=vxlan1 remote-ip=172.16.1.2



# Router 1 bridge VLAN table: every VLAN is tagged on the trunk (sfp1), on the
# tunnel (vxlan1) and on the bridge itself (the latter only matters for the
# /interface vlan SVIs above).
# NOTE(review): no `vlan-filtering=yes` for the bridge is shown anywhere in the
# post; this table is only enforced when that is enabled -- TODO confirm.
/interface bridge vlan
add bridge=bridge tagged=sfp1,vxlan1,bridge vlan-ids=1401
add bridge=bridge tagged=sfp1,vxlan1,bridge vlan-ids=1404
add bridge=bridge tagged=sfp1,vxlan1,bridge vlan-ids=1500



# Router 1 bridge membership: ether2-ether10 and the sfp1 trunk (defconf,
# ingress-filtering=no), plus vxlan1 added as a plain port with default
# frame-types/pvid -- so untagged frames arriving from the tunnel are admitted
# too. The poster reports the duplicate FDB entries disappear as soon as
# vxlan1 is removed from the bridge.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge interface=vxlan1

Router 2

# Router 2: same three routed VLAN interfaces on the bridge as on Router 1
# (1401/1404/1500). Only needed where R2 must own an IP inside the VLAN.
/interface vlan
add comment="VLAN MGMT-SWITCHES" interface=bridge name=vlan1401 vlan-id=1401
add comment="VLAN MGMT-WLAN" interface=bridge name=vlan1404 vlan-id=1404
add comment="VLAN GUESTWL" interface=bridge name=vlan1500 vlan-id=1500



# Router 2 VTEP: mirror image of R1 -- VNI 10, UDP/8472, sourced from
# 172.16.1.2, remote VTEP 192.168.7.30, own mac-address 8A:56:15:A2:D3:00.
# NOTE(review): same transport caveat as on R1 -- VXLAN itself is
# unauthenticated and unencrypted; restrict udp/8472 to the peer VTEP and
# confirm the underlay path is trusted or tunnelled.
/interface vxlan
add comment="VxLAN-Tunnel R2 <-> R1" local-address=172.16.1.2 mac-address=8A:56:15:A2:D3:00 name=vxlan1 port=8472 vni=10 vrf=main vteps-ip-version=ipv4
/interface vxlan vteps
add interface=vxlan1 remote-ip=192.168.7.30



# Router 2 bridge VLAN table: as on R1 (bridge, sfp1, vxlan1 tagged) but with
# ether2 as an additional tagged port.
# NOTE(review): as with R1, no `vlan-filtering=yes` is shown for the bridge --
# TODO confirm it is enabled, otherwise these entries are not enforced.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp1,vxlan1,ether2 vlan-ids=1401
add bridge=bridge tagged=bridge,sfp1,vxlan1,ether2 vlan-ids=1404
add bridge=bridge tagged=bridge,sfp1,vxlan1,ether2 vlan-ids=1500



# Router 2 bridge membership: identical to R1 -- ether2-ether10 and sfp1 as
# defconf ports with ingress-filtering=no, and vxlan1 as a plain member with
# default frame-types/pvid (untagged frames from the tunnel are admitted).
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge interface=vxlan1

Examples of duplicates:

R2

 1 remote-ip=0.0.0.0 mac-address=4A:26:60:3C:E5:FF interface=vxlan1 

 2 remote-ip=192.168.7.30 mac-address=4A:26:60:3C:E5:FF interface=vxlan1

R1

14 remote-ip=0.0.0.0 mac-address=9C:1D:58:40:56:1B interface=vxlan1 

15 remote-ip=172.16.1.2 mac-address=9C:1D:58:40:56:1B interface=vxlan1

I guess it has to do with the bridge; does anyone have a pointer?

Thank you very much and best regards,


Alex

# Quoted from Router 2's config above; the reply's point is the `bridge`
# entry in tagged=, which makes the bridge itself a tagged member of each VLAN.
/interface bridge vlan
add bridge=bridge tagged=bridge,sfp1,vxlan1,ether2 vlan-ids=1401
add bridge=bridge tagged=bridge,sfp1,vxlan1,ether2 vlan-ids=1404
add bridge=bridge tagged=bridge,sfp1,vxlan1,ether2 vlan-ids=1500

Skip tagging the bridge interface unless you need an IP address added to the VLAN (in Cisco terms, an SVI).

# Suggested replacement: same VLAN table with the bridge itself dropped from
# tagged=. The bridge only needs to be a tagged member when a routed VLAN
# interface (SVI) with an IP address sits on it.
/interface bridge vlan
add bridge=bridge tagged=sfp1,vxlan1,ether2 vlan-ids=1401
add bridge=bridge tagged=sfp1,vxlan1,ether2 vlan-ids=1404
add bridge=bridge tagged=sfp1,vxlan1,ether2 vlan-ids=1500

I recommend skipping this, too. It is not needed, as you are not creating a routed VLAN interface (~SVI) with an IP address added to it.

# Quoted from the original post: the routed VLAN interfaces on the bridge.
# The reply recommends removing them unless an IP address is actually needed
# in each VLAN on this router.
/interface vlan
add comment="VLAN MGMT-SWITCHES" interface=bridge name=vlan1401 vlan-id=1401
add comment="VLAN MGMT-WLAN" interface=bridge name=vlan1404 vlan-id=1404
add comment="VLAN GUESTWL" interface=bridge name=vlan1500 vlan-id=1500

Have you considered enabling VLAN-filtering for the bridge?


Have you considered only permitting VLAN-tagged frames on the vxlan1 port, thereby discarding any untagged frames that might arrive via the tunnel interface? (The default is to permit both tagged and untagged frames.)

# Hardening for the tunnel port: accept only VLAN-tagged frames from vxlan1 so
# untagged frames arriving through the tunnel are dropped instead of being
# placed into the port's PVID (the default frame-types admits both).
# NOTE(review): frame-types is only enforced with bridge vlan-filtering=yes --
# TODO confirm that is enabled.
/interface bridge port
set [find interface=vxlan1] frame-types=admit-only-vlan-tagged

Thought: Does MT ROS (as of 7.13) even support tagged VLAN frames inside a VXLAN tunnel?

The VNI is usually mapped 1:1 to a VLAN tag.

The documentation does not mention anything concerning encapsulating VLAN tagged frames inside a VXLAN tunnel.

Which sets my expectation that only the “usual” 1:1 mapping between a VNI and a VLAN tag is currently supported.

With a range of 2^0 (1) to 2^24 (16777216) VNIs supported, we are not short on available VNIs to use.

# Proposed 1:1 VNI <-> VLAN layout: one VXLAN interface per VLAN (VNI 10, 11,
# 12) between the same VTEP pair, instead of carrying VLAN tags inside a
# single VNI. Shown with R1's local-address; R2 needs the mirror image.
# NOTE(review): three tunnels triple the exposed udp/8472 surface -- the same
# firewall restriction to the peer VTEP and the same trusted/encrypted
# underlay caveat apply to each of them.
/interface vxlan
add comment="VxLAN-Tunnel R1 <-> R2" local-address=192.168.7.30 name=vxlan1 port=8472 vni=10 vrf=main vteps-ip-version=ipv4
add comment="VxLAN-Tunnel R1 <-> R2" local-address=192.168.7.30 name=vxlan2 port=8472 vni=11 vrf=main vteps-ip-version=ipv4
add comment="VxLAN-Tunnel R1 <-> R2" local-address=192.168.7.30 name=vxlan3 port=8472 vni=12 vrf=main vteps-ip-version=ipv4



# One remote VTEP entry per VXLAN interface, all pointing at R2 (172.16.1.2).
/interface vxlan vteps
add interface=vxlan1 remote-ip=172.16.1.2
add interface=vxlan2 remote-ip=172.16.1.2
add interface=vxlan3 remote-ip=172.16.1.2



# Each tunnel joins the bridge as an access port: only untagged /
# priority-tagged frames are admitted and assigned pvid 1401/1404/1500
# respectively, so no VLAN tag has to travel inside the VXLAN payload and a
# tagged frame arriving through the wrong tunnel is discarded.
# NOTE(review): frame-types/pvid enforcement depends on the bridge having
# vlan-filtering=yes -- TODO confirm.
/interface bridge port
add bridge=bridge interface=vxlan1 frame-types=admit-only-untagged-and-priority-tagged pvid=1401
add bridge=bridge interface=vxlan2 frame-types=admit-only-untagged-and-priority-tagged pvid=1404
add bridge=bridge interface=vxlan3 frame-types=admit-only-untagged-and-priority-tagged pvid=1500



# VLAN table for the access-port layout: trunk sfp1 and ether2 tagged, each
# vxlanN untagged in its own VLAN, and the bridge itself no longer a tagged
# member (consistent with the earlier advice in this reply).
# Note: ether2 is tagged here as in R2's original table, while R1's original
# table tagged only sfp1 -- this snippet mixes R1's VTEP addresses with R2's
# tagged ports, so adjust the tagged= list per router.
/interface bridge vlan
add bridge=bridge tagged=sfp1,ether2 untagged=vxlan1 vlan-ids=1401
add bridge=bridge tagged=sfp1,ether2 untagged=vxlan2 vlan-ids=1404
add bridge=bridge tagged=sfp1,ether2 untagged=vxlan3 vlan-ids=1500

Have you not considered looking into, e.g., using ZeroTier for the L2 site-to-site tunnel (instead of VXLAN)?

Hello @netravnen and thank you very much for taking the time to comment on this issue.

I will check your recommendations and try them out, and will share here later whether the problem has been fixed.

Thanks a lot and best regards,

Alex