If I'm not mistaken, it looks like the yet-to-be-released v258 might have the support I desire:

https://github.com/systemd/systemd/pull/36793

As far as I can tell, that allows toggling of `external` and `vnifilter` on the vxlan0 interface I'd like to create (while not requiring a VNI to be set).

https://github.com/systemd/systemd/pull/36832

Then this one allows me to set `vlan_tunnel on`.

That leaves needing to figure out how to do the equivalent of (per vlan/vni):

bridge vlan add dev vxlan0 vid {VLAN} tunnel_info id {VNI}

Any insight would be appreciated, thanks!

-Brad

On 8/12/25 8:39 PM, Brad House wrote:
I'm trying to configure SVD support using systemd-networkd on Ubuntu 24.04 LTS, but I can't seem to find the right combination of files and settings to make it work.  I have it working properly in a one-vxlan-per-bridge mode, but I'd like to have a single vlan-aware (vlan-filtering enabled) bridge.

I can successfully configure SVD mode using these commands directly to map VXLAN VNI 100 to VLAN 100 on the bridge and break out a vlan interface for communication (yes, I've done multiple vlans this way on the same bridge, just reducing the command set for discussion purposes):

ip link add dev br0 type bridge
ip link set dev br0 type bridge vlan_filtering 1
bridge vlan add vid 100 dev br0 self
ip link add dev vxlan0 type vxlan external local 172.16.0.101 dstport 4789 nolearning
ip link set dev vxlan0 master br0
bridge link set dev vxlan0 vlan_tunnel on
bridge vlan add dev vxlan0 vid 100
bridge vlan add dev vxlan0 vid 100 tunnel_info id 100
ip link add link br0 name vlan100 type vlan id 100 protocol 802.1q
ip addr add 10.10.100.2/24 dev vlan100

I'm using a couple of physical interfaces for BGP-unnumbered peering, and a dummy interface to house my VTEP endpoint.  In all my testing these are set up the same as well as my FRR configuration. (I've pasted the non-SVD working full configuration at the end of this email).

I've tried to emulate the above working SVD commands with these systemd configuration files.  I couldn't figure out how to do the same vxlan0 concept, and I'm not sure what may trigger "tunnel_on" and "tunnel_info id XXX" commands to be passed.  At this point, my bridge is always showing down, and I'm not entirely sure why.  I enabled debugging, but it doesn't seem very helpful in showing what is going wrong, but I'm pretty sure there's a lot wrong here.

My current iteration of testing looks like the below, but I've tried a lot of combinations:

========= 20-vxlan100.netdev =========

[NetDev]
Name=vxlan100
Kind=vxlan

[VXLAN]
VNI=100
Local=172.16.0.101
MacLearning=false
DestinationPort=4789
Independent=true

========= 30-bridge-br0.netdev =========

[NetDev]
Name=br0
Kind=bridge

[Bridge]
VLANFiltering=yes
DefaultPVID=none

========= 30-vlan100.netdev =========

[NetDev]
Name=hypervisor
MTUBytes=9000
Kind=vlan

[VLAN]
Id=100

========= 30-vlan100.network =========

[Match]
Name=hypervisor
Type=vlan

[Link]
MTUBytes=9000

[Network]
KeepConfiguration=yes
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
DHCP=no
Address=10.10.100.2/24

========= 30-vxlan100.network =========

[Match]
Name=vxlan100

[Network]
Bridge=br0

[BridgeVLAN]
VLAN=100

========= 40-bridge-br0.network =========

[Match]
Name=br0

[Link]
MTUBytes=9000

[Network]
VLAN=hypervisor
VXLAN=vxlan100

[BridgeVLAN]
VLAN=100


My working bridge-per-vxlan is also below here in case it provides any additional insights (and I've included my underlay and dummy vtep interfaces for good measure):

========= 10-eth-mgmt.link =========

[Match]
Type=ether
OriginalName=*
MACAddress=ac:1f:6b:2d:85:83

[Link]
Name=mgmt
WakeOnLan=off
MTUBytes=1500
Duplex=full
AutoNegotiation=yes

========= 10-eth-mgmt.network =========

[Match]
Name=mgmt

[Link]
MTUBytes=1500

[Network]
KeepConfiguration=yes
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
DHCP=no
Address=192.168.1.81/24
DNS=8.8.8.8
DNS=2001:4860:4860::8888

[Route]
Destination=0.0.0.0/0
Gateway=192.168.1.1

========= 10-underlay-iface0.link =========

[Match]
Type=ether
OriginalName=*
Driver=mlx5_core

[Link]
WakeOnLan=off
MTUBytes=9100
BitsPerSecond=25000
Duplex=full
AutoNegotiation=no

========= 10-underlay-iface0.network =========

[Match]
Type=ether
Name=*
Driver=mlx5_core

[Link]
MTUBytes=9100

[Network]
KeepConfiguration=yes
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
DHCP=no

========= 10-vtep.netdev =========

[NetDev]
Name=vtep
Kind=dummy

========= 10-vtep.network =========

[Match]
Name=vtep

[Network]
Address=172.16.0.101/32

========= 30-bridge-ceph.netdev =========

[NetDev]
Name=ceph
Kind=bridge

[Bridge]
VLANFiltering=no
STP=no

========= 30-bridge-hypervisor.netdev =========

[NetDev]
Name=hypervisor
Kind=bridge

[Bridge]
VLANFiltering=no
STP=no

========= 40-vxlan100.netdev =========

[NetDev]
Name=vxlan100
MTUBytes=9000
Kind=vxlan

[VXLAN]
VNI=100
Local=172.16.0.101
MacLearning=false
DestinationPort=4789
Independent=true

========= 40-vxlan200.netdev =========

[NetDev]
Name=vxlan200
MTUBytes=9000
Kind=vxlan

[VXLAN]
VNI=200
Local=172.16.0.101
MacLearning=false
DestinationPort=4789
Independent=true

========= 50-bridge-ceph-vxlan200.network =========

[Match]
Name=vxlan200

[Network]
Bridge=ceph

========= 50-bridge-hypervisor-vxlan100.network =========

[Match]
Name=vxlan100

[Network]
Bridge=hypervisor

========= 60-bridge-ceph.network =========

[Match]
Name=ceph

[Link]
MTUBytes=9000

[Network]
KeepConfiguration=yes
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
DHCP=no
Address=10.10.200.2/24

========= 60-bridge-hypervisor.network =========

[Match]
Name=hypervisor

[Link]
MTUBytes=9000

[Network]
KeepConfiguration=yes
LinkLocalAddressing=ipv6
IPv6AcceptRA=no
DHCP=no
Address=10.10.100.2/24


And again for completeness, my frr config:

service integrated-vtysh-config
hostname node1.testenv.bradhouse.dev
!
log syslog informational
!
!
!
ip nht resolve-via-default
!
ipv6 nht resolve-via-default
!
ip prefix-list VTEP seq 1 permit 172.16.0.101/24 ge 32
!
route-map ALLOW_ALL permit 1
!
route-map ALLOW_VTEP_AND_BGP permit 1
 match ip address prefix-list VTEP
!
route-map ALLOW_VTEP_AND_BGP permit 2
 match source-protocol bgp
!
route-map ALLOW_VTEP_AND_BGP deny 100
!
router bgp 4220000001
  bgp router-id 172.16.0.101
  bgp ebgp-requires-policy
  bgp log-neighbor-changes
  !
  ! Enable ECMP on multiple eBGP paths
  bgp bestpath as-path multipath-relax
  ! Don't install more than 2 paths for ECMP
  maximum-paths 2
  !
  neighbor PEERS peer-group
  neighbor PEERS remote-as external
  neighbor PEERS timers 3 9
  neighbor PEERS advertisement-interval 5
  neighbor PEERS bfd
  neighbor PEERS capability extended-nexthop
  !
  address-family ipv4 unicast
    neighbor PEERS activate
    neighbor PEERS route-map ALLOW_ALL in
    neighbor PEERS route-map ALLOW_VTEP_AND_BGP out
    redistribute connected
  !
  address-family ipv6 unicast
    neighbor PEERS activate
    neighbor PEERS route-map ALLOW_ALL in
    neighbor PEERS route-map ALLOW_VTEP_AND_BGP out
    redistribute connected
  !
  address-family l2vpn evpn
    neighbor PEERS activate
    neighbor PEERS route-map ALLOW_ALL in
    neighbor PEERS route-map ALLOW_ALL out
    neighbor PEERS attribute-unchanged next-hop
    autort rfc8365-compatible
    advertise-all-vni
    advertise-svi-ip
  !
  neighbor enp7s0f0np0 interface peer-group PEERS
  neighbor enp7s0f1np1 interface peer-group PEERS
!


Any help that can be provided would be greatly appreciated!

Thanks!

-Brad
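
The per-VLAN/VNI step asked about in this thread, generalized to several mappings, as an added example that is not part of the original emails and is not systemd-networkd configuration. The function names `svd_map_cmds` and `is_id` are hypothetical; the emitted commands are the `bridge` invocations quoted in the message, and the function only prints them after validating every input.

```shell
#!/bin/sh
# Added example (not from the original thread). Prints, but does not run,
# the vlan_tunnel and per-VLAN/VNI bridge commands for each VLAN:VNI pair.

# is_id VALUE MAX: true if VALUE is a decimal in 1..MAX with no leading zero.
is_id() {
    case $1 in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 8 ] && [ "$1" -le "$2" ]
}

# svd_map_cmds DEV VLAN:VNI [VLAN:VNI ...]
# Nothing is printed unless the device name and every pair are valid and unique.
svd_map_cmds() {
    [ "$#" -ge 2 ] || { echo "usage: svd_map_cmds DEV VLAN:VNI..." >&2; return 1; }
    dev=$1
    shift
    # Restrict the name so the output is safe to hand to a shell later.
    case $dev in ''|*[!A-Za-z0-9_.-]*) echo "bad device: $dev" >&2; return 1 ;; esac
    [ "${#dev}" -le 15 ] || { echo "device name too long: $dev" >&2; return 1; }
    out="bridge link set dev $dev vlan_tunnel on"
    seen_vid=" " seen_vni=" "
    for pair in "$@"; do
        case $pair in *:*) ;; *) echo "bad mapping: $pair" >&2; return 1 ;; esac
        vid=${pair%%:*}
        vni=${pair#*:}
        # VLAN IDs are 12-bit (1..4094 usable); VNIs are 24-bit.
        # Rejecting 0 for both is a choice made in this example.
        if ! is_id "$vid" 4094 || ! is_id "$vni" 16777215; then
            echo "out of range: $pair" >&2; return 1
        fi
        case $seen_vid in *" $vid "*) echo "duplicate VLAN: $vid" >&2; return 1 ;; esac
        case $seen_vni in *" $vni "*) echo "duplicate VNI: $vni" >&2; return 1 ;; esac
        seen_vid="$seen_vid$vid " seen_vni="$seen_vni$vni "
        out="$out
bridge vlan add dev $dev vid $vid
bridge vlan add dev $dev vid $vid tunnel_info id $vni"
    done
    printf '%s\n' "$out"
}
```

Calling `svd_map_cmds vxlan0 100:100 200:200` prints five commands for review; a malformed, out-of-range or duplicated mapping produces an error on stderr and no output at all.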


