
VXLAN

VXLAN (Virtual Extensible LAN) is an open-standard Layer 2 overlay protocol defined in RFC 7348. It encapsulates Ethernet frames inside UDP packets (destination port 4789), allowing Layer 2 networks to be extended across an IP underlay. RouterOS implements VXLAN as a virtual interface that can be bridged with local ports to create transparent L2 segments spanning multiple sites or routers.

Key characteristics:

  • Layer 2 — carries raw Ethernet frames, preserving broadcast domains across IP networks.
  • Open standard — interoperates with Linux, Cisco, Juniper, and any RFC 7348-compliant device. The two endpoints do not both need to be MikroTik.
  • UDP encapsulation — uses UDP port 4789, which traverses NAT and most firewalls more easily than GRE (IP protocol 47).
  • 24-bit VNI — the VXLAN Network Identifier supports up to 16,777,215 isolated segments, far exceeding EoIP’s 65,535 tunnel IDs.
  • No built-in encryption — traffic is unencrypted by default. Combine with WireGuard or IPsec for security.

Requirements:

  • RouterOS 6.45 or later on MikroTik endpoints
  • IP connectivity between VTEP addresses (public or routable)
  • Firewall input rules permitting UDP port 4789 between endpoints
  • For multicast mode: multicast routing enabled in the underlay network

VXLAN wraps each Ethernet frame in a VXLAN header, UDP header, and outer IP header, then sends it as a normal UDP packet. The receiving VTEP (VXLAN Tunnel Endpoint) strips the headers and delivers the inner Ethernet frame to the local bridge. Devices behind the bridge see a flat Ethernet network — same broadcast domain, same subnet — regardless of physical location.

[ Inner Ethernet frame ]
↓ encapsulate
[ Outer IP | UDP (4789) | VXLAN header | Inner Ethernet frame ]
↓ IP underlay network
[ Outer IP | UDP (4789) | VXLAN header | Inner Ethernet frame ]
↓ decapsulate at remote VTEP
[ Inner Ethernet frame ]

The VNI is a 24-bit field (1–16,777,215) that identifies the L2 segment. All VTEPs participating in the same segment must use the same VNI. Traffic with different VNIs is isolated — VMs on VNI 100 cannot communicate with VMs on VNI 200 without a router (or L3 gateway) between them.

A VTEP is the endpoint that performs encapsulation and decapsulation. In RouterOS, a VXLAN interface is itself a VTEP. VTEPs must be able to reach each other over the IP underlay. Each VXLAN interface has a local-address (the source IP used in outer packets) and a list of remote VTEPs configured via /interface vxlan vteps.

RouterOS supports three ways to find remote VTEPs:

| Mode | How it works | Best for |
|---|---|---|
| Point-to-point | Manual VTEP entries (static remote-ip per peer) | Small deployments, ≤10 sites |
| Multicast group | Outer IP is a multicast group; BUM traffic is sent to the group | Large fabrics with multicast-capable underlay |
| Ingress replication | BUM traffic is unicast-replicated to each known VTEP | Cloud environments without multicast |

BUM traffic = Broadcast, Unknown unicast, Multicast — the traffic that must be flooded to all VTEPs in the segment.

VXLAN adds the following headers to each inner Ethernet frame:

| Header | Size |
|---|---|
| Outer IPv4 | 20 bytes |
| UDP | 8 bytes |
| VXLAN | 8 bytes |
| Total overhead | 50 bytes (IPv4 underlay) |

For IPv6 underlay, the outer IP header is 40 bytes, giving 56 bytes total overhead.

On a standard 1500-byte path MTU:

| Outer MTU | VXLAN overhead | Inner payload (L2MTU) |
|---|---|---|
| 1500 bytes | 50 bytes | 1450 bytes |

/interface vxlan add \
name=vxlan1 \
vni=10 \
port=4789 \
local-address=198.51.100.1

Interface properties:

| Property | Default | Description |
|---|---|---|
| name | | Interface name |
| vni | 1 | VXLAN Network Identifier (1–16,777,215). Must match on all participating VTEPs |
| port | 8472 | UDP destination port. RouterOS defaults to 8472 (Linux convention). Specify port=4789 explicitly to use the IANA-assigned RFC 7348 standard port |
| local-address | | Local VTEP IP address (source IP in outer UDP/IP packets) |
| mac-address | auto | MAC address of the VXLAN interface. Auto-generated if not specified |
| mtu | 1500 | Inner payload MTU. Reduce if the underlay path MTU is 1500 (set to 1450 for IPv4 underlay) |
| arp | enabled | ARP mode for the interface |
| loop-protect | off | Loop protection (set if bridging redundant paths) |
| disabled | no | Whether the interface is disabled |

Add a remote VTEP entry for each peer. BUM traffic is unicast to each listed VTEP. This is the simplest mode and works without multicast in the underlay.

Site A (local IP 198.51.100.1):

/interface vxlan add \
name=vxlan1 \
vni=10 \
local-address=198.51.100.1
/interface vxlan vteps add \
interface=vxlan1 \
remote-ip=203.0.113.1

Site B (local IP 203.0.113.1):

/interface vxlan add \
name=vxlan1 \
vni=10 \
local-address=203.0.113.1
/interface vxlan vteps add \
interface=vxlan1 \
remote-ip=198.51.100.1

For three or more sites, add a VTEP entry for every other site on each router.

Set a multicast group address as the remote-ip in a VTEP entry. BUM traffic is sent to that multicast group; all VTEPs subscribed to the group receive it. The underlay network must support IP multicast routing (PIM or similar).

/interface vxlan add \
name=vxlan1 \
vni=10 \
local-address=198.51.100.1
/interface vxlan vteps add \
interface=vxlan1 \
remote-ip=239.1.1.10

All routers in the same VXLAN segment add a VTEP entry with the same multicast remote-ip. RouterOS accepts any address in the multicast range (224.0.0.0/4) as a remote-ip value.

Note: The multicast group address must be in the 224.0.0.0/4 range. Ensure your underlay routers have PIM-SM or IGMP snooping configured.

Without multicast, BUM traffic can be unicast-replicated to each known VTEP. This is functionally equivalent to point-to-point with multiple VTEP entries. Add all remote VTEPs to each router; RouterOS replicates BUM packets individually to each.

# Three-site ingress replication on Site A (198.51.100.1)
/interface vxlan vteps add interface=vxlan1 remote-ip=203.0.113.1
/interface vxlan vteps add interface=vxlan1 remote-ip=203.0.113.2

To extend a LAN across sites, add the VXLAN interface and local Ethernet ports to a bridge. The VXLAN interface acts as a virtual wire to the remote site.

Site A: local subnet 10.10.10.0/24, public IP 198.51.100.1, local port ether2.

# VXLAN interface (already created above)
# Create bridge
/interface bridge add name=br-vxlan
# Add local port and VXLAN interface to the bridge
/interface bridge port add interface=ether2 bridge=br-vxlan
/interface bridge port add interface=vxlan1 bridge=br-vxlan
# Assign IP to the bridge (not ether2 directly)
/ip address add address=10.10.10.1/24 interface=br-vxlan

Site B: same subnet 10.10.10.0/24, public IP 203.0.113.1, local port ether2.

/interface vxlan add \
name=vxlan1 \
vni=10 \
local-address=203.0.113.1
/interface vxlan vteps add \
interface=vxlan1 \
remote-ip=198.51.100.1
/interface bridge add name=br-vxlan
/interface bridge port add interface=ether2 bridge=br-vxlan
/interface bridge port add interface=vxlan1 bridge=br-vxlan
/ip address add address=10.10.10.2/24 interface=br-vxlan

Once both sides are up, hosts at Site A and Site B share the 10.10.10.0/24 subnet. ARP, DHCP broadcasts, and unknown unicast cross the VXLAN tunnel transparently.

Warning: Bridging two sites at L2 merges their broadcast domains. A broadcast storm at one site floods across the tunnel. Enable RSTP to prevent loops if there are redundant paths:

/interface bridge set br-vxlan protocol-mode=rstp

VXLAN uses UDP port 4789. Add input accept rules on both routers:

/ip firewall filter add \
chain=input \
protocol=udp \
dst-port=4789 \
src-address=203.0.113.1 \
action=accept \
comment="Allow VXLAN from Site B"

Place this rule before any default drop rule.
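For three or more sites, the VTEP list and the firewall accept rules have to be generated per router (each site lists every other site, and each accept rule is scoped to one peer's source address rather than opening UDP 4789 to the world). This added example, not part of the page or of RouterOS, generates those per-site command snippets for a constructed three-site inventory and checks a set of existing VTEP lists (as read from /interface vxlan vteps print) against the expected full mesh so a missing peer entry shows up before troubleshooting starts.

```python
# Constructed site inventory (documentation-range addresses), not from the page's own deployment.
SITES = {"site-a": "198.51.100.1", "site-b": "203.0.113.1", "site-c": "203.0.113.2"}

def peers_of(site, sites):
    """Every other site, sorted by name, as (name, vtep_ip) pairs."""
    return [(n, ip) for n, ip in sorted(sites.items()) if n != site]

def vtep_commands(site, sites, iface="vxlan1"):
    """One VTEP entry per remote site: the full mesh ingress replication needs."""
    return [f"/interface vxlan vteps add interface={iface} remote-ip={ip}"
            for _, ip in peers_of(site, sites)]

def firewall_commands(site, sites, port=4789):
    """One input accept rule per peer, scoped to that peer's source address."""
    return [f"/ip firewall filter add chain=input protocol=udp dst-port={port} "
            f'src-address={ip} action=accept comment="Allow VXLAN from {name}"'
            for name, ip in peers_of(site, sites)]

def site_script(site, sites, vni=10, iface="vxlan1", port=4789):
    """Complete VXLAN interface + VTEP list + firewall snippet for one router."""
    lines = [f"# {site} (local VTEP {sites[site]})",
             f"/interface vxlan add name={iface} vni={vni} port={port} "
             f"local-address={sites[site]}"]
    lines += vtep_commands(site, sites, iface) + firewall_commands(site, sites, port)
    return "\n".join(lines)

def missing_vtep_entries(configured, sites):
    """Compare the remote-ip values each router actually lists with the expected
    full mesh; returns {site: set of peer IPs that router is missing}."""
    gaps = {}
    for site in sites:
        expected = {ip for _, ip in peers_of(site, sites)}
        missing = expected - set(configured.get(site, ()))
        if missing:
            gaps[site] = missing
    return gaps

if __name__ == "__main__":
    for name in SITES:
        print(site_script(name, SITES), end="\n\n")
```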


VXLAN adds 50 bytes of overhead on an IPv4 underlay. If the underlay path MTU is 1500 bytes:

1500 (path MTU) - 50 (VXLAN overhead) = 1450 bytes maximum inner payload

Reduce the VXLAN interface MTU to match:

/interface vxlan set vxlan1 mtu=1450

For devices behind the bridge that send full 1500-byte frames, enable TCP MSS clamping to avoid black-hole issues for TCP traffic. Bridged frames only pass through the IP firewall (including the mangle forward chain) when use-ip-firewall is enabled in the bridge settings, so turn that on first:

# Let bridged traffic pass through /ip firewall so the mangle rule below sees it
/interface bridge settings set use-ip-firewall=yes
/ip firewall mangle add \
chain=forward \
protocol=tcp \
tcp-flags=syn \
action=change-mss \
new-mss=clamp-to-pmtu \
passthrough=yes

Alternatively, if you control both endpoints and the intermediate network, configure jumbo frames on the underlay interfaces:

/interface ethernet set ether1 mtu=1600

This gives the outer packet enough room to carry a full 1500-byte inner frame plus 50 bytes of VXLAN overhead.


| | VXLAN | EoIP | GRE |
|---|---|---|---|
| OSI layer | L2 (Ethernet) | L2 (Ethernet) | L3 |
| Encapsulation | UDP port 4789 | IP protocol 47 (GRE) | IP protocol 47 |
| Header overhead | 50 bytes (IPv4) | 28 bytes | 24 bytes |
| Standard | RFC 7348 | MikroTik proprietary | RFC 2784 |
| Non-MikroTik compatible | Yes | No | Yes |
| VNI/segment capacity | 16,777,215 (24-bit) | 65,535 | N/A (L3 only) |
| Keepalive | No (protocol-level) | Yes | Yes |
| Multicast support | Yes (group or replication) | Yes (bridged) | Yes |
| Typical use | Multi-vendor L2 overlays, multi-tenant fabrics | L2 extension between two MikroTik sites | Routed site-to-site, dynamic routing protocols |
Choose VXLAN when:

  • One or more endpoints are non-MikroTik (Linux, Cisco, Juniper).
  • You need more than 65,535 isolated segments.
  • You are building a multi-tenant or large-scale overlay fabric.
  • The underlay uses NAT or firewalls that block IP protocol 47 but permit UDP.

Choose EoIP when:

  • Both endpoints are MikroTik routers and you need a simple L2 bridge between two sites.
  • You prefer slightly lower overhead (28 vs 50 bytes) for a two-site setup.

Choose GRE when:

  • You need L3 routing between sites rather than a shared broadcast domain.
  • You want to run OSPF or BGP over the tunnel.

/interface vxlan print detail

A healthy interface shows the R (running) flag. If the interface shows no R flag, check IP connectivity and firewall rules.

/interface vxlan vteps print

Verify that all expected remote IPs are listed and that the associated interface is correct.

/interface bridge port print

Both the local port and the VXLAN interface should appear as bridge ports with status=forwarding.

# Ping the remote router's bridge IP
/ping 10.10.10.2
# Ping a host on the remote LAN
/ping 10.10.10.100

Packet capture — verify UDP encapsulation

# Capture VXLAN (UDP 4789) on the WAN interface
/tool sniffer quick port=4789 interface=ether1

You should see UDP port 4789 packets between the two public IPs. If you see none, the firewall is blocking UDP 4789 or there is a routing issue in the underlay.

| Symptom | Likely cause | Fix |
|---|---|---|
| Interface stays down | No local-address set or unreachable | Verify local-address is a routable IP on the router |
| Interface up, no L2 traffic | VXLAN not added to bridge | /interface bridge port add interface=vxlan1 bridge=br-vxlan |
| Ping works but application fails | MTU mismatch / fragmentation | Reduce VXLAN MTU to 1450; enable TCP MSS clamping |
| VNI mismatch | Different vni on each end | Verify all VTEPs use the same vni value |
| Multicast not working | PIM not running in underlay | Enable PIM-SM or use ingress replication instead |
| Broadcast storm | Redundant L2 path without STP | Enable RSTP: /interface bridge set br-vxlan protocol-mode=rstp |
| UDP blocked | Firewall dropping port 4789 | Add chain=input protocol=udp dst-port=4789 action=accept |

  • EoIP Tunnels — MikroTik-proprietary L2 tunnels over GRE
  • GRE and IPIP Tunnels — L3 tunnels for routed site-to-site connectivity
  • WireGuard VPN — encrypt VXLAN traffic using a WireGuard underlay
  • IPsec — IPsec transport mode to secure VXLAN UDP traffic