Skip to content

vxlan create#


The create sub-command under the tools vxlan command creates a VxLAN interface and sets tc rules to redirect traffic to/from a specified interface available in root namespace of a container host.

This combination of a VxLAN interface and tc rules make possible to transparently connect lab nodes running on different VMs/hosts.

VxLAN interface name will be a catenation of a prefix vx- and the interface name that is used to redirect traffic. If the existing interface is named srl_e1-1, then VxLAN interface created for this interface will be named vx-srl_e1-1.


containerlab tools vxlan create [local-flags]



VxLAN tunnels set up with this command are unidirectional in nature. To set the remote endpoint address the --remote flag should be used.


Port number that the VxLAN tunnel will use is set with --port | -p flag. Defaults to 147891.


VNI that the VxLAN tunnel will use is set with --id | -i flag. Defaults to 10.

As mentioned above, the tunnels are set up with a goal to transparently connect containers deployed on different hosts.

To indicate which interface will be "piped" to a VxLAN tunnel the --link | -l flag should be used.


With --dev flag users can set the linux device that should be used in setting up the tunnel.

Normally this flag can be omitted, since containerlab will take the device name which is used to reach the remote address as seen by the kernel routing table.


With --mtu | -m flag it is possible to set VxLAN MTU. Max MTU is automatically set, so this flag is only needed when MTU lower than max is needed to be provisioned.


# create vxlan tunnel and redirect traffic to/from existing interface srl_e1-1 to it
# this effectively means anything that appears on srl_e1-1 interface will be piped to vxlan interface
# and vice versa.

# srl_e1-1 interface exists in root namespace
 ip l show srl_e1-1
617: srl_e1-1@if618: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default 
    link/ether fa:4c:16:11:11:05 brd ff:ff:ff:ff:ff:ff link-netns clab-vx-srl1

# create a vxlan tunnel to a remote vtep with VNI 10 and redirect traffic to srl_e1-1 interface
 clab tools vxlan create --remote -l srl_e1-1 --id 10
INFO[0000] Adding VxLAN link vx-srl_e1-1 under ens3 to remote address with VNI 10
INFO[0000] configuring ingress mirroring with tc in the direction of vx-srl_e1-1 -> srl_e1-1
INFO[0000] configuring ingress mirroring with tc in the direction of srl_e1-1 -> vx-srl_e1-1

# check the created interface
 ip l show vx-srl_e1-1
619: vx-srl_e1-1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/ether 7a:6e:ba:82:a4:6f brd ff:ff:ff:ff:ff:ff

  1. The reason we don't use default 4789 port number is because it is often blocked/filtered in (cloud) environments and we want to make sure that the VxLAN tunnels have higher chances to be established.