create sub-command under the
tools vxlan command creates a VxLAN interface and sets
tc rules to redirect traffic to/from a specified interface available in root namespace of a container host.
This combination of a VxLAN interface and
tc rules make possible to transparently connect lab nodes running on different VMs/hosts.
VxLAN interface name will be a catenation of a prefix
vx- and the interface name that is used to redirect traffic. If the existing interface is named
srl_e1-1, then VxLAN interface created for this interface will be named
containerlab tools vxlan create [local-flags]
VxLAN tunnels set up with this command are unidirectional in nature. To set the remote endpoint address the
--remote flag should be used.
Port number that the VxLAN tunnel will use is set with
--port | -p flag. Defaults to
VNI that the VxLAN tunnel will use is set with
--id | -i flag. Defaults to
As mentioned above, the tunnels are set up with a goal to transparently connect containers deployed on different hosts.
To indicate which interface will be "piped" to a VxLAN tunnel the
--link | -l flag should be used.
--dev flag users can set the linux device that should be used in setting up the tunnel.
Normally this flag can be omitted, since containerlab will take the device name which is used to reach the remote address as seen by the kernel routing table.
--mtu | -m flag it is possible to set VxLAN MTU. Max MTU is automatically set, so this flag is only needed when MTU lower than max is needed to be provisioned.
# create vxlan tunnel and redirect traffic to/from existing interface srl_e1-1 to it
# this effectively means anything that appears on srl_e1-1 interface will be piped to vxlan interface
# and vice versa.
# srl_e1-1 interface exists in root namespace
❯ ip l show srl_e1-1
617: srl_e1-1@if618: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
link/ether fa:4c:16:11:11:05 brd ff:ff:ff:ff:ff:ff link-netns clab-vx-srl1
# create a vxlan tunnel to a remote vtep 10.0.0.20 with VNI 10 and redirect traffic to srl_e1-1 interface
❯ clab tools vxlan create --remote 10.0.0.20 -l srl_e1-1 --id 10
INFO Adding VxLAN link vx-srl_e1-1 under ens3 to remote address 10.0.0.20 with VNI 10
INFO configuring ingress mirroring with tc in the direction of vx-srl_e1-1 -> srl_e1-1
INFO configuring ingress mirroring with tc in the direction of srl_e1-1 -> vx-srl_e1-1
# check the created interface
❯ ip l show vx-srl_e1-1
619: vx-srl_e1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ether 7a:6e:ba:82:a4:6f brd ff:ff:ff:ff:ff:ff
The reason we don't use default
4789port number is because it is often blocked/filtered in (cloud) environments and we want to make sure that the VxLAN tunnels have higher chances to be established. ↩