I am testing the native VXLAN functionality of iproute2 in linux network namespaces. The simulated setup involves 2 different namespaces with 1 bridge and 2 veth pairs.
The aim is to have a basic VXLAN between two machines using manual unicast remote address configuration.
You can fully reproduce the setup using the following script:
#!/usr/bin/env bash
set -x
# Create network namespaces
ip netns add sim-vl1-stack
ip netns add sim-vl2-stack
# Create and configure bridge links
ip link add sim-vl-br0 type bridge
ip link set dev sim-vl-br0 up
# Create and configure veth links
ip link add sim-vl1-veth0 type veth peer sim-vl1-veth0p
ip link add sim-vl2-veth0 type veth peer sim-vl2-veth0p
ip link set dev sim-vl1-veth0 master sim-vl-br0
ip link set dev sim-vl2-veth0 master sim-vl-br0
ip link set dev sim-vl1-veth0p netns sim-vl1-stack
ip link set dev sim-vl2-veth0p netns sim-vl2-stack
ip link set dev sim-vl1-veth0 up
ip link set dev sim-vl2-veth0 up
ip -n sim-vl1-stack link set dev sim-vl1-veth0p up
ip -n sim-vl2-stack link set dev sim-vl2-veth0p up
ip -n sim-vl1-stack addr add 172.20.0.1/24 dev sim-vl1-veth0p
ip -n sim-vl2-stack addr add 172.20.0.2/24 dev sim-vl2-veth0p
# Create and configure VXLAN links
ip -n sim-vl1-stack link add name sim-vl1-vxlan type vxlan id 1 \
dev sim-vl1-veth0p remote 172.20.0.2 local 172.20.1.1 dstport 4789
ip -n sim-vl2-stack link add name sim-vl2-vxlan type vxlan id 1 \
dev sim-vl2-veth0p remote 172.20.0.1 local 172.20.1.2 dstport 4789
ip -n sim-vl1-stack addr add 172.20.1.1/24 dev sim-vl1-vxlan
ip -n sim-vl2-stack addr add 172.20.1.2/24 dev sim-vl2-vxlan
ip -n sim-vl1-stack link set dev sim-vl1-vxlan up
ip -n sim-vl2-stack link set dev sim-vl2-vxlan up
set +x
You can tear down this setup using:
#!/usr/bin/env bash
set -x
# Destroy veth links
ip link del sim-vl1-veth0
ip link del sim-vl2-veth0
# Destroy bridge links
ip link del sim-vl-br0
# Destroy namespaces
ip netns del sim-vl1-stack
ip netns del sim-vl2-stack
set +x
I am not sure why performing a ping from one namespace to another using the VXLAN IP addresses results in an unanswered ARP request over VXLAN. It is possible the namespace is not processing the UDP VXLAN packet correctly when it arrives at the standard port of 4789. What is missing to get the functionality working as intended?
I monitor the network from the second namespace using termshark as follows:
ip netns exec sim-vl2-stack bash
termshark -i sim-vl2-veth0p
Then, I run this command to perform the ping:
ip netns exec sim-vl1-stack ping -c 1 172.20.1.2
I observe the ARP request arriving at the second network namespace over VXLAN; however, there is no follow-up response.
How should I configure this setup differently to get an ARP response over VXLAN? I would like to be able to perform layer 2 and 3 communication between a group of machines by connecting them together with VXLAN using manual unicast. I am starting with the simplest configuration of two machines, but I would like to extend this further in a similar manner. This is an area I am new to, so there may be a conceptual misunderstanding.
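The script below is an added example and is not part of the original question. It builds the same two-namespace lab with one change: `local` on each VXLAN device is set to that side's underlay address (the 172.20.0.x assigned to the veth peer) rather than the overlay address that lives on the VXLAN device itself. `local` is the outer source IP of the encapsulated frames, so with the posted values the request reaches the second namespace from 172.20.1.1, an address that namespace can only route back through its own VXLAN device, and the reply cannot be encapsulated onto the veth. The `check` action pings across the overlay and prints the forwarding entries the VXLAN device has learned; after a successful ping the peer's MAC should appear with `dst 172.20.0.2`, i.e. the underlay address. Interface names, VNI, port and addresses are the question's own; the `run` wrapper and `DRY_RUN` switch are additions made here so the generated `ip` commands can be printed and reviewed without root.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): two-namespace VXLAN lab with
# `local` pointed at the UNDERLAY address of each endpoint.
#
# Usage (as root):   ./vxlan-lab.sh up | check | down
#            DRY_RUN=1 ./vxlan-lab.sh up   # print the commands only
set -eu

VNI=1
VXLAN_PORT=4789
BR=sim-vl-br0

# run: echo the command, then execute it unless DRY_RUN=1 (assumed helper).
run() {
    printf '%s\n' "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# endpoint NS VETH UNDERLAY OVERLAY REMOTE VXLAN: one namespace's half.
# The underlay IP sits on the veth peer; the VXLAN device carries only the
# overlay IP. `local` must be the underlay IP, `remote` the peer's underlay IP.
endpoint() {
    local ns=$1 veth=$2 underlay=$3 overlay=$4 remote=$5 vx=$6
    run ip netns add "$ns"
    run ip link add "$veth" type veth peer "${veth}p"
    run ip link set dev "$veth" master "$BR"
    run ip link set dev "${veth}p" netns "$ns"
    run ip link set dev "$veth" up
    run ip -n "$ns" link set dev "${veth}p" up
    run ip -n "$ns" addr add "$underlay/24" dev "${veth}p"
    run ip -n "$ns" link add name "$vx" type vxlan id "$VNI" \
        dev "${veth}p" remote "$remote" local "$underlay" dstport "$VXLAN_PORT"
    run ip -n "$ns" addr add "$overlay/24" dev "$vx"
    run ip -n "$ns" link set dev "$vx" up
}

setup() {
    run ip link add "$BR" type bridge
    run ip link set dev "$BR" up
    #        namespace      veth          underlay   overlay    remote     vxlan
    endpoint sim-vl1-stack sim-vl1-veth0 172.20.0.1 172.20.1.1 172.20.0.2 sim-vl1-vxlan
    endpoint sim-vl2-stack sim-vl2-veth0 172.20.0.2 172.20.1.2 172.20.0.1 sim-vl2-vxlan
}

# check: overlay ping, then the MAC-to-underlay entries learned by the VXLAN
# device; the peer MAC should be listed with `dst 172.20.0.2`.
check() {
    run ip netns exec sim-vl1-stack ping -c 1 -W 2 172.20.1.2
    run bridge -n sim-vl1-stack fdb show dev sim-vl1-vxlan
}

teardown() {
    run ip link del sim-vl1-veth0
    run ip link del sim-vl2-veth0
    run ip link del "$BR"
    run ip netns del sim-vl1-stack
    run ip netns del sim-vl2-stack
}

case "${1:-}" in
    up)    setup ;;
    check) check ;;
    down)  teardown ;;
esac
```

With `DRY_RUN=1` the script only prints the iproute2 commands, which makes the difference from the posted script (the `local` argument on the two `type vxlan` lines) easy to diff before anything is applied to the host.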