VXLAN
VXLAN (Virtual eXtensible Local Area Network) is a Layer 2 overlay protocol that tunnels Ethernet frames over a Layer 3 UDP network. It expands the VLAN ID space from 12 bits (4,096 VLANs) to 24 bits, yielding up to 16,777,216 independent segments (VNIs). Defined in RFC 7348, VXLAN is the standard mechanism for stretching Layer 2 domains across routed infrastructure in data center and campus fabrics.
RouterOS supports VXLAN from version 7.1, with IPv6 underlay added in 7.6, VRF support in 7.7, and hardware offloading on selected platforms from 7.18.
Concepts
Section titled “Concepts”The VXLAN Network Identifier (VNI) is the 24-bit segment ID carried in every VXLAN packet. Hosts in the same VNI share a broadcast domain. Hosts in different VNIs are isolated at Layer 2 even when sharing the same physical infrastructure.
A VXLAN Tunnel Endpoint (VTEP) is the device that originates and terminates VXLAN tunnels. In RouterOS, each /interface vxlan instance is a VTEP. The VTEP encapsulates outbound Ethernet frames into UDP datagrams and decapsulates inbound UDP datagrams to recover the original frames.
BUM traffic and replication
Section titled “BUM traffic and replication”BUM traffic (Broadcast, Unknown-unicast, and Multicast) cannot be sent to a single unicast destination because the target VTEP is unknown. RouterOS supports two replication modes:
- Flood and learn (default) — BUM frames are replicated to all configured remote VTEPs (head-end replication). Source MAC-to-VTEP mappings are learned from incoming traffic and stored in the forwarding database (FDB).
- Multicast — BUM frames are sent to a multicast group address. The underlay must support IP multicast (PIM/IGMP). Hardware offloading is disabled when multicast is used.
Encapsulation overhead
Section titled “Encapsulation overhead”VXLAN adds a fixed overhead to each packet:
| Underlay | Overhead |
|---|---|
| IPv4 | 50 bytes (outer Ethernet 14 + IP 20 + UDP 8 + VXLAN 8) |
| IPv6 | 70 bytes (outer Ethernet 14 + IPv6 40 + UDP 8 + VXLAN 8) |
The underlay network MTU must accommodate this overhead. For a standard 1500-byte payload, the underlay MTU must be at least 1550 bytes (IPv4) or 1570 bytes (IPv6).
Prerequisites
Section titled “Prerequisites”- RouterOS 7.1 or later
- IPv4 or IPv6 routed connectivity between all VTEPs
- Underlay MTU raised to accommodate VXLAN overhead (see MTU)
- Firewall permitting UDP port 4789 between VTEP addresses
Interface properties
Section titled “Interface properties”Sub-menu: /interface vxlan
| Property | Default | Description |
|---|---|---|
name | vxlan1 | Interface name |
vni | — | VXLAN Network Identifier (required, 1–16777216) |
port | 4789 | UDP port for sending and receiving VXLAN packets |
local-address | — | Local source IP for outgoing VXLAN packets. Available since v7.7 |
vteps-ip-version | ipv4 | IP version for VTEP addresses (ipv4 or ipv6). IPv6 available since v7.6 |
learning | yes | Dynamically learn remote MAC-to-VTEP mappings and populate FDB |
group | — | Multicast group for BUM traffic replication (requires interface) |
interface | — | Underlay interface for multicast forwarding (requires group) |
bridge | — | Bridge to attach this VXLAN interface to as a slave port |
bridge-pvid | 1 | PVID assigned when VXLAN is added to a VLAN-filtering bridge |
mtu | 1500 | Overlay MTU (inner frame MTU, not underlay) |
dont-fragment | auto | DF flag on outer IPv4 header: auto, disabled, enabled, inherit |
checksum | no | Calculate UDP checksum on transmitted outer packets |
ttl | auto | TTL for outgoing packets (64 for unicast, 1 for multicast) |
max-fdb-size | 4096 | Maximum MAC entries in the forwarding database |
allow-fast-path | yes | Enable Fast Path. Fragmented and flooded packets use slow path. Disabled with VRF. Available since v7.8 |
hw | yes | Enable hardware offloading when supported |
vtep-vrf | main | VRF for the VXLAN interface. Available since v7.7 |
disabled | no | Disable the interface |
VTEP properties
Section titled “VTEP properties”Sub-menu: /interface vxlan vteps
Static remote VTEP entries control where BUM traffic is replicated when flood-and-learn is active.
| Property | Default | Description |
|---|---|---|
interface | — | VXLAN interface this VTEP belongs to |
remote-ip | — | Remote VTEP IP address for BUM replication |
comment | — | Optional description |
Set the underlay interface MTU before creating VXLAN interfaces. On a standard gigabit port:
/interface ethernetset [find default-name=ether1] mtu=1550 l2mtu=1564For jumbo frame environments (recommended for data center use):
/interface ethernetset [find default-name=sfp-sfpplus1] mtu=9500 l2mtu=9500The dont-fragment property on the VXLAN interface controls what happens when an encapsulated packet exceeds the underlay MTU:
| Value | Behaviour |
|---|---|
auto | Use enabled if hardware offloading is active, otherwise inherit inner packet DF |
disabled | DF bit not set — underlay may fragment packets |
enabled | DF bit always set — oversized packets are dropped and ICMP unreachable sent |
inherit | Copy DF bit from inner IPv4 header |
Step 1 — Create the VXLAN interface
Section titled “Step 1 — Create the VXLAN interface”Each router that participates in the overlay requires one /interface vxlan entry per VNI.
/interface vxlanadd name=vxlan1 vni=10Verify the interface is running:
/interface vxlan print detailStep 2 — Add remote VTEPs
Section titled “Step 2 — Add remote VTEPs”For each remote router that should receive BUM traffic, add a VTEP entry pointing to its IP address.
Router 1 (IP 192.168.10.10), pointing at Router 2:
/interface vxlan vtepsadd interface=vxlan1 remote-ip=192.168.10.20Router 2 (IP 192.168.10.20), pointing at Router 1:
/interface vxlan vtepsadd interface=vxlan1 remote-ip=192.168.10.10Both routers must have a route to the peer’s IP via the underlay network.
Step 3 — Attach to a bridge
Section titled “Step 3 — Attach to a bridge”A VXLAN interface carries Ethernet frames, so it must be bridged with local interfaces to extend the Layer 2 domain.
/interface bridgeadd name=bridge1
/interface bridge portadd bridge=bridge1 interface=ether1add bridge=bridge1 interface=vxlan1Hosts on ether1 of Router 1 can now communicate at Layer 2 with hosts on ether1 of Router 2 through the VXLAN tunnel. The bridge learns MAC addresses and the VXLAN FDB learns which remote VTEP holds each remote MAC.
Site-to-site example
Section titled “Site-to-site example”Two offices connected over the internet. Each router extends its local LAN into VNI 100.
Office A — router IP 10.0.0.1, LAN on ether2:
# VXLAN interface/interface vxlanadd name=vxlan-lan vni=100
# Remote VTEP (Office B)/interface vxlan vtepsadd interface=vxlan-lan remote-ip=10.0.0.2
# Bridge: local LAN + VXLAN tunnel/interface bridgeadd name=bridge-lan
/interface bridge portadd bridge=bridge-lan interface=ether2add bridge=bridge-lan interface=vxlan-lan
# Firewall — allow VXLAN from Office B/ip firewall filteradd chain=input protocol=udp src-address=10.0.0.2 dst-port=4789 action=accept comment="VXLAN from Office B"Office B — router IP 10.0.0.2, LAN on ether2:
/interface vxlanadd name=vxlan-lan vni=100
/interface vxlan vtepsadd interface=vxlan-lan remote-ip=10.0.0.1
/interface bridgeadd name=bridge-lan
/interface bridge portadd bridge=bridge-lan interface=ether2add bridge=bridge-lan interface=vxlan-lan
/ip firewall filteradd chain=input protocol=udp src-address=10.0.0.1 dst-port=4789 action=accept comment="VXLAN from Office A"After configuration, hosts on ether2 in both offices share the same Layer 2 broadcast domain.
Multiple VNIs
Section titled “Multiple VNIs”Deploy multiple isolated segments by creating one VXLAN interface per VNI:
/interface vxlanadd name=vxlan-prod vni=100add name=vxlan-dev vni=200add name=vxlan-mgmt vni=300
/interface vxlan vtepsadd interface=vxlan-prod remote-ip=192.168.1.2add interface=vxlan-dev remote-ip=192.168.1.2add interface=vxlan-mgmt remote-ip=192.168.1.2
/interface bridgeadd name=bridge-prodadd name=bridge-devadd name=bridge-mgmt
/interface bridge portadd bridge=bridge-prod interface=ether2add bridge=bridge-prod interface=vxlan-prodadd bridge=bridge-dev interface=ether3add bridge=bridge-dev interface=vxlan-devadd bridge=bridge-mgmt interface=ether4add bridge=bridge-mgmt interface=vxlan-mgmtEach VNI is an independent broadcast domain. Traffic in VNI 100 cannot reach VNI 200 at Layer 2.
IPv6 underlay
Section titled “IPv6 underlay”Since RouterOS 7.6, VXLAN supports IPv6 for the underlay transport. Set vteps-ip-version=ipv6 and use IPv6 addresses in VTEP entries:
/interface vxlanadd name=vxlan1 vni=100 vteps-ip-version=ipv6
/interface vxlan vtepsadd interface=vxlan1 remote-ip=2001:db8::2Multicast BUM replication
Section titled “Multicast BUM replication”Instead of head-end replication to each VTEP, configure a multicast group. The underlay must support IP multicast (PIM sparse-mode or dense-mode with IGMP).
/interface vxlanadd name=vxlan1 vni=10 group=239.1.1.1 interface=ether1group— the multicast group address for BUM trafficinterface— the underlay interface used for multicast forwarding
You still add VTEP entries for known remotes (for known unicast traffic). BUM goes via the multicast group; known unicast goes directly.
Hardware offloading
Section titled “Hardware offloading”RouterOS 7.18 adds hardware-offloaded VXLAN on CRS3xx, CCR2116, and CCR2216 devices. Hardware offloading eliminates the CPU overhead of encapsulation and forwarding at scale.
Use the bridge and bridge-pvid properties on the VXLAN interface to link it directly into a VLAN-filtering bridge. The local-address property (v7.7+) sets the VTEP source IP.
/interface bridgeadd name=bridge1 vlan-filtering=yes
/interface ethernetset [find default-name=sfp-sfpplus1] l2mtu=9500 mtu=9500
# Two VNIs sharing one remote VTEP/interface vxlanadd bridge=bridge1 bridge-pvid=10 local-address=192.168.1.1 name=vxlan-10010 vni=10010add bridge=bridge1 bridge-pvid=20 local-address=192.168.1.1 name=vxlan-10020 vni=10020
# Access ports mapped to each VLAN/VNI/interface bridge portadd bridge=bridge1 interface=sfp-sfpplus3 pvid=10add bridge=bridge1 interface=sfp-sfpplus4 pvid=20
# Remote VTEPs/interface vxlan vtepsadd interface=vxlan-10010 remote-ip=192.168.1.2add interface=vxlan-10020 remote-ip=192.168.1.2
# Loopback/underlay addressing/ip addressadd address=192.168.1.1 interface=lo network=192.168.1.1add address=192.168.10.10/24 interface=sfp-sfpplus1
/ip routeadd dst-address=192.168.1.2 gateway=192.168.10.20
# Enable L3 hardware offloading/interface ethernet switchset 0 l3-hw-offloading=yesHardware offloading limitations
Section titled “Hardware offloading limitations”Underlay (routing encapsulated packets):
- VTEPs not supported over ECMP, bond, bridge, or VLAN sub-interfaces — underlay must be a standalone routed Ethernet port
- VTEPs not supported with multicast or IPv6 underlay
- VTEPs cannot operate within VRFs
Overlay (forwarding between Ethernet and VXLAN):
- VLAN tagging inside VXLAN not supported
- Routing between VNIs not supported
- No IGMP snooping in bridged VXLAN
- MLAG with bridged VXLAN not supported
Forwarding database
Section titled “Forwarding database”The VXLAN FDB records which remote VTEP holds each MAC address. It is populated by data-plane learning (when learning=yes) and visible since RouterOS 7.9:
/interface vxlan fdb printExample output:
0 remote-ip=192.168.10.20 mac-address=AA:BB:CC:DD:EE:01 interface=vxlan1 1 remote-ip=192.168.10.20 mac-address=AA:BB:CC:DD:EE:02 interface=vxlan1To disable learning and use only static FDB entries (useful for controlled environments):
/interface vxlan set vxlan1 learning=noFirewall
Section titled “Firewall”Allow VXLAN traffic on the input chain between VTEP addresses:
# Allow VXLAN from all VTEPs (restrict src-address in production)/ip firewall filteradd chain=input protocol=udp dst-port=4789 action=accept comment="VXLAN" place-before=0For IPv6 underlay:
/ipv6 firewall filteradd chain=input protocol=udp dst-port=4789 action=accept comment="VXLANv6" place-before=0Troubleshooting
Section titled “Troubleshooting”Interface status
Section titled “Interface status”/interface vxlan print detailCheck that running=yes and the interface is not disabled.
VTEP reachability
Section titled “VTEP reachability”# Verify underlay route to remote VTEP/ip route print where dst-address in 192.168.10.0/24
# Ping remote VTEP IP/ping 192.168.10.20 count=4FDB and MAC learning
Section titled “FDB and MAC learning”/interface vxlan fdb print/interface bridge host print where on-interface=vxlan1If the FDB is empty after traffic flows, check that learning=yes and that UDP 4789 is not being blocked.
Packet capture
Section titled “Packet capture”Capture VXLAN encapsulated traffic on the underlay interface:
/tool sniffer quick interface=ether1 ip-protocol=udp port=4789Common problems
Section titled “Common problems”| Symptom | Likely cause | Fix |
|---|---|---|
| Tunnel up, no L2 traffic | VXLAN interface not added to bridge | Add vxlan1 as a bridge port |
| FDB empty after traffic | Firewall blocking UDP 4789 | Add input accept rule for UDP 4789 |
| FDB empty after traffic | learning=no | Enable learning or add static FDB entries |
| Packets dropped silently | MTU mismatch | Raise underlay MTU to at least 1550 (IPv4) or 1570 (IPv6) |
| Intermittent packet loss | DF bit set, underlay fragmentation blocked | Set dont-fragment=disabled or raise underlay MTU |
| HW offload not activating | Unsupported topology (ECMP/bond/bridge underlay) | Use standalone routed Ethernet for the underlay port |
| IPv6 VTEP not learning | vteps-ip-version not set | Set vteps-ip-version=ipv6 on the VXLAN interface |
See Also
Section titled “See Also”- Bridge VLAN Filtering — VLAN-aware bridge configuration
- Switch Chip Features — hardware offloading details per platform
- WireGuard VPN — routed Layer 3 overlay alternative
- MPLS/VPLS — alternative Layer 2 VPN technology