Complete Lab Fixes - L2 and L3 VXLAN Fully Operational (#14)

## Summary This PR merges all fixes and improvements from the troubleshooting journey to make the Arista EVPN-VXLAN lab fully operational with both L2 and L3 VXLAN connectivity. ## What's Changed ### 🎯 Major Achievements - ✅ **L2 VXLAN fully operational** - host1 ↔ host3 connectivity verified - ✅ **L3 VXLAN fully operational** - host2 ↔ host4 connectivity verified (VRF gold) - ✅ **LACP bonding working** - dual-homed hosts with proper Port-Channel negotiation - ✅ **All BGP/EVPN sessions established** - complete underlay and overlay working ### 🔧 Infrastructure Fixes #### BGP & Routing - Added `ip routing` command to all spine and leaf switches - Fixed duplicate BGP network statements on leaf3, leaf4, leaf7, leaf8 - Activated EVPN neighbors on spine switches - Added loopback network advertisements to BGP #### MLAG Configuration - Configured MLAG peer-link in trunk mode (not access) for VLAN 4090/4091 - Added dual-active detection via management interface - Configured virtual router MAC for MLAG pairs #### Switch Port Configuration - Port-Channel1 configured in **trunk mode** on all leaf switches - Added `switchport trunk allowed vlan` for host VLANs (34, 40, 78) - Removed `no shutdown` from Port-Channel interfaces ### 🖥️ Host Networking - Complete Redesign #### Image Change - **Old:** `alpine:latest` (had bonding syntax issues) - **New:** `ghcr.io/hellt/network-multitool` (networking tools pre-installed) #### LACP Bonding Configuration Proper LACP setup following network-multitool best practices: ```yaml - ip link add bond0 type bond mode 802.3ad - ip link set dev bond0 type bond xmit_hash_policy layer3+4 - ip link set dev eth1 down - ip link set dev eth2 down - ip link set eth1 master bond0 - ip link set eth2 master bond0 - ip link set dev eth1 up - ip link set dev eth2 up - ip link set dev bond0 type bond lacp_rate fast - ip link set dev bond0 up ``` #### VLAN Configuration - **L2 VXLAN hosts (host1, host3):** VLAN 40 tagged on bond0 - **L3 VXLAN hosts (host2, host4):** VLANs 34 and 78 tagged on bond0 #### Routing Strategy - Kept management default route (172.16.0.254 via eth0) - Added **specific routes** for L3 VXLAN networks instead of default routes: - host2: `ip route add 10.78.78.0/24 via 10.34.34.1` - host4: `ip route add 10.34.34.0/24 via 10.78.78.1` ### 📁 Files Changed #### Switch Configurations (Updated) - `configs/spine1.cfg` - Added ip routing, EVPN activation - `configs/spine2.cfg` - Added ip routing, EVPN activation - `configs/leaf1.cfg` - Port-Channel trunk mode, VLAN config - `configs/leaf2.cfg` - Port-Channel trunk mode, VLAN config - `configs/leaf3.cfg` - Added ip routing, loopback ads, Port-Channel config - `configs/leaf4.cfg` - Added ip routing, loopback ads, Port-Channel config - `configs/leaf5.cfg` - Port-Channel trunk mode, VLAN config - `configs/leaf6.cfg` - Port-Channel trunk mode, VLAN config - `configs/leaf7.cfg` - Added ip routing, loopback ads, Port-Channel config - `configs/leaf8.cfg` - Added ip routing, loopback ads, Port-Channel config #### Topology (Updated) - `evpn-lab.clab.yml` - Updated all host configurations with network-multitool image and proper LACP/VLAN setup #### Documentation (New) - `hosts/README.md` - Host interface configuration guide - `hosts/host1_interfaces` - Interface file for host1 (not currently used, kept for reference) - `hosts/host2_interfaces` - Interface file for host2 (not currently used, kept for reference) - `hosts/host3_interfaces` - Interface file for host3 (not currently used, kept for reference) - `hosts/host4_interfaces` - Interface file for host4 (not currently used, kept for reference) ## Testing & Verification ### ✅ L2 VXLAN (VLAN 40) ``` host1 (10.40.40.101) → host3 (10.40.40.103) - Connectivity: VERIFIED ✓ - VXLAN tunnel: VTEP1 ↔ VTEP3 - MAC learning: Working via EVPN Type-2 ``` ### ✅ L3 VXLAN (VRF gold) ``` host2 (10.34.34.102) → host4 (10.78.78.104) - Connectivity: VERIFIED ✓ - Ping results: 0% packet loss, TTL=62 - Routing: Via EVPN Type-5 through fabric ``` ### ✅ Infrastructure Status - BGP Underlay: All sessions ESTAB - EVPN Overlay: All neighbors ESTAB - MLAG: All 4 pairs operational - Port-Channels: LACP negotiated on all hosts ## Related Issues Fixes #1 - Lab deployment and configuration fixes Fixes #2 - BGP EVPN neighbors stuck in Connect state Fixes #3 - Ready for deployment with EVPN activation Fixes #4 - Lab convergence in progress Fixes #5 - BGP EVPN neighbors stuck in Active state Fixes #11 - Host LACP bonding configuration Fixes #13 - L3 VXLAN default route issue ## Key Technical Learnings 1. **Arista EOS requires explicit `ip routing`** before BGP can function 2. **MLAG peer-link must be trunk mode** to allow VLAN 4090/4091 traversal 3. **VLAN tagging location matters** - hosts tag, switches use trunk mode 4. **network-multitool image** superior to Alpine for LACP bonding 5. **Specific routes better than default routes** when management network present 6. **LACP rate fast** ensures quick negotiation with Arista switches ## Deployment After merging, deploy with: ```bash cd ~/arista-evpn-vxlan-clab sudo containerlab destroy -t evpn-lab.clab.yml --cleanup sudo containerlab deploy -t evpn-lab.clab.yml ``` No manual post-deployment configuration needed - everything works from initial deployment! ## Breaking Changes ⚠️ **Host image changed** from `alpine:latest` to `ghcr.io/hellt/network-multitool` ⚠️ **Host configuration completely redesigned** - old exec commands replaced ## Reviewers @Damien - Please review and merge when ready --- **This PR represents the complete troubleshooting journey and brings the lab to production-ready status with full L2 and L3 VXLAN functionality.** 🚀 Reviewed-on: #14 Co-authored-by: Damien <damien@arnodo.fr> Co-committed-by: Damien <damien@arnodo.fr>
2025-11-30 10:24:29 +00:00
parent 9502302b76
commit 1080bf07bb
23 changed files with 2632 additions and 74 deletions
--- a/BRANCH_SUMMARY.md
+++ b/BRANCH_SUMMARY.md
@@ -0,0 +1,251 @@
 # fix-bgp-and-mlag Branch Summary
 ## Overview
 This branch contains critical fixes for VLAN tagging and host configuration that enable proper end-to-end connectivity in the EVPN VXLAN fabric.
 ## Root Cause Analysis
 ### Problem
 Hosts were unable to communicate across the VXLAN fabric. Testing showed:
 - Empty MAC tables on leaf switches
 - No EVPN Type-2 routes being advertised
 - Ping tests between hosts failed with 100% packet loss
 ### Root Cause
 **VLAN tagging mismatch** between hosts and leaf switch port-channels:
 - Hosts were sending **untagged Ethernet frames**
 - Leaf port-channels were configured in **access mode** expecting **tagged VLAN frames**
 - Result: Frames were dropped at the leaf ingress interface, never reaching VLAN 40 or 34
 ### Solution
 **Host-side VLAN tagging**: Configure hosts to create VLAN subinterfaces (802.1Q) on top of bonded interfaces. This ensures frames carry the correct VLAN tag matching the leaf's access VLAN configuration.
 ---
 ## Changes Made
 ### 1. evpn-lab.clab.yml
 **Modified:** Host device configuration
 **Changes:**
 - host1: Added VLAN 40 subinterface creation (bond0.40)
 - host2: Added VLAN 34 subinterface creation (bond0.34)
 - host3: Added VLAN 40 subinterface creation (bond0.40)
 - host4: Added VLAN 78 subinterface creation (bond0.78)
 **Before:**
 ```yaml
 host1:
  exec:
    - ip link add bond0 type bond mode balance-rr
    - ip link set eth1 master bond0
    - ip link set eth2 master bond0
    - ip link set bond0 up
    - ip addr add 10.40.40.101/24 dev bond0    # ← Untagged!
 ```
 **After:**
 ```yaml
 host1:
  exec:
    - ip link add bond0 type bond mode balance-rr
    - ip link set eth1 master bond0
    - ip link set eth2 master bond0
    - ip link set bond0 up
    # VLAN tagging added:
    - ip link add link bond0 name bond0.40 type vlan id 40
    - ip link set bond0.40 up
    - ip addr add 10.40.40.101/24 dev bond0.40  # ← Tagged with VLAN 40!
 ```
 ### 2. Documentation Files (New)
 #### END_TO_END_TESTING.md
 Comprehensive guide covering:
 - Pre-test verification procedures
 - L2 VXLAN connectivity testing (VLAN 40)
 - L3 VXLAN connectivity testing (VRF gold)
 - Complete test script for automation
 - Detailed troubleshooting procedures
 #### VLAN_TAGGING_FIX_EXPLANATION.md
 Technical deep-dive covering:
 - Problem explanation with diagrams
 - Broken vs. fixed configuration comparison
 - VLAN tagging mapping table
 - Why this approach was chosen
 - Testing verification steps
 #### TESTING_CHECKLIST.md
 Deployment validation checklist with:
 - Deployment steps
 - Pre-testing checks (9 checks total)
 - Connectivity tests (9 tests total)
 - Summary table
 - Troubleshooting procedures
 - Success criteria
 ---
 ## Technical Details
 ### VLAN Configuration Mapping
 | Component | VLAN 40 (L2 VXLAN) | VLAN 34 (L3 VXLAN) | VLAN 78 (L3 VXLAN) |
 |-----------|-------------------|-------------------|-------------------|
 | **host1** | bond0.40 (10.40.40.101) | - | - |
 | **host2** | - | bond0.34 (10.34.34.102) | - |
 | **host3** | bond0.40 (10.40.40.103) | - | - |
 | **host4** | - | - | bond0.78 (10.78.78.104) |
 | **Leaf Port** | Access VLAN 40 | Access VLAN 34 | Access VLAN 78 |
 | **VTEP** | 10.0.255.11 (Pair) | 10.0.255.12 (Pair) | 10.0.255.14 (Pair) |
 | **VNI** | 110040 (L2) | 100001 (L3) | 100001 (L3) |
 | **VRF** | default | gold | gold |
 ### Why This Fix Works
 1. **Linux VLAN Subinterfaces** send 802.1Q tagged frames
   ```
   Frame format: [DA][SA][**VLAN Tag 40**][Type][Payload]
   ```
 2. **Leaf Access Port** recognizes the VLAN tag
   ```
   Receives frame with VLAN 40 → Matches configured access VLAN 40
   ```
 3. **Frame is untagged** and forwarded within VLAN 40
   ```
   Becomes untagged within VLAN → Normal switching/routing
   ```
 4. **MAC learning** happens normally in VLAN 40
   ```
   MAC table updated → EVPN Type-2 routes created
   ```
 5. **Remote VTEP** receives encapsulated packet
   ```
   VXLAN decapsulation → Frames forwarded in target VLAN on remote leaf
   ```
 ---
 ## Testing Procedure
 ### Quick Validation (5 minutes)
 ```bash
 # Deploy lab
 sudo containerlab deploy -t evpn-lab.clab.yml
 # Wait 60 seconds for startup
 sleep 60
 # Test L2 connectivity
 docker exec clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.103
 # Test L3 connectivity  
 docker exec clab-arista-evpn-fabric-host2 ping -c 4 10.78.78.104
 ```
 ### Full Validation (20 minutes)
 Follow the TESTING_CHECKLIST.md for comprehensive validation
 ---
 ## Affected Functionality
 ### ✅ Now Working
 - Host-to-host L2 VXLAN connectivity
 - MAC learning via VXLAN
 - EVPN Type-2 route advertisement
 - Host-to-host L3 VXLAN connectivity (VRF gold)
 - EVPN Type-5 route advertisement
 - MLAG dual-active gateway functionality
 ### ✅ Already Working (Unchanged)
 - Spine BGP underlay
 - Leaf BGP underlay
 - EVPN overlay adjacencies
 - VXLAN VTEP formation
 - VRF isolation
 ### ⚠️ No Changes Required (Pre-existing)
 - Device startup configurations (except host updates)
 - BGP routing policies
 - Link configurations
 - Physical topology
 ---
 ## Backward Compatibility
 **Breaking Change:** Yes - Network topology
 This fix requires a **complete lab redeployment** because:
 1. Host network configurations have changed
 2. Existing running containers will have incorrect interface configuration
 3. Cannot be applied incrementally to running lab
 **No breaking changes to:**
 - Device configuration format
 - BGP policies
 - Routing protocols
 - VXLAN encapsulation
 - EVPN messages
 ---
 ## Deployment Checklist
 - [ ] Verify on `fix-bgp-and-mlag` branch
 - [ ] Review changes: `git diff main...fix-bgp-and-mlag`
 - [ ] Destroy existing lab: `sudo containerlab destroy -t evpn-lab.clab.yml --cleanup`
 - [ ] Deploy fixed lab: `sudo containerlab deploy -t evpn-lab.clab.yml`
 - [ ] Wait 90 seconds for startup
 - [ ] Run quick validation test (5 min)
 - [ ] Run full testing checklist (20 min)
 - [ ] Verify all tests pass
 - [ ] Prepare pull request to merge to main
 ---
 ## Related Issues
 This fix addresses the issue:
 **"Fixes from fix-bgp-and-mlag branch integrated to main #1"**
 Topics covered:
 - L2 VXLAN end-to-end connectivity
 - L3 VXLAN end-to-end connectivity  
 - VLAN tagging at host-to-switch boundary
 - MLAG operation with VXLAN
 - EVPN Type-2 and Type-5 route advertisement
 ---
 ## Future Improvements
 Possible enhancements in subsequent branches:
 1. Automated testing script to validate all checks
 2. BGP policy testing (as-path, communities, etc.)
 3. Failure scenario testing (link down, VTEP down)
 4. Performance testing (throughput, latency)
 5. Advanced EVPN features (RT-5, multi-homing, etc.)
 ---
 ## References
 - `END_TO_END_TESTING.md` - Complete testing guide
 - `VLAN_TAGGING_FIX_EXPLANATION.md` - Technical explanation
 - `TESTING_CHECKLIST.md` - Validation checklist
 - Original source document: Arista BGP EVPN Configuration Example
 ---
 ## Questions?
 See the documentation files in this branch for detailed explanations:
 1. Start with `VLAN_TAGGING_FIX_EXPLANATION.md` for understanding the problem
 2. Move to `END_TO_END_TESTING.md` for comprehensive testing
 3. Use `TESTING_CHECKLIST.md` for validation
--- a/BUGFIX_EVPN_ACTIVATION.md
+++ b/BUGFIX_EVPN_ACTIVATION.md
@@ -0,0 +1,114 @@
 # BGP EVPN Activation Bug - Critical Fix
 ## Issue Description
 All BGP EVPN neighbors on the leaves were stuck in **Active** state instead of **Established** state, with **0 messages sent/received**.
 ```
 Neighbor   V AS           MsgRcvd   MsgSent  InQ OutQ  Up/Down State   PfxRcd PfxAcc
 10.0.250.1 4 65000              0         0    0    0 00:02:05 Active
 10.0.250.2 4 65000              0         0    0    0 00:02:05 Active
 ```
 Active state with 0 messages means the TCP handshake was **never completed**.
 ## Root Cause
 The **spine BGP configurations were missing the EVPN address family activation**.
 In both `configs/spine1.cfg` and `configs/spine2.cfg`:
 ```
 address-family evpn
   neighbor evpn activate     ← This line was MISSING!
 ```
 Without activating the EVPN address family on the spines, they:
 1. Accept the EVPN neighbor definitions
 2. But don't actively listen for or respond to EVPN connections
 3. Leaves try to establish sessions but spines don't respond
 4. Connection attempt times out → Active state
 This is **different from the IPv4 underlay** which was working because the IPv4 address family **was activated** on the spines.
 ## Solution Applied
 ### Before (Broken)
 ```
 router bgp 65000
   ...
   address-family evpn
      ! Missing activation line!
 ```
 ### After (Fixed)
 ```
 router bgp 65000
   ...
   address-family evpn
      neighbor evpn activate
 ```
 ## Files Modified
 - `configs/spine1.cfg` - Added `neighbor evpn activate` in EVPN address family
 - `configs/spine2.cfg` - Added `neighbor evpn activate` in EVPN address family
 ## Technical Explanation
 In Arista EOS BGP, neighbors defined in the global BGP context don't actively participate in any address family **until explicitly activated in that address family block**.
 ### Address Family Activation Rules
 ```
 router bgp 65000
   neighbor 10.0.250.1 peer group evpn
   neighbor 10.0.250.1 remote-as 65000
   address-family evpn
      neighbor evpn activate  ← REQUIRED for EVPN sessions to work
   address-family ipv4
      neighbor 10.0.250.1 activate  ← Separate activation for IPv4
 ```
 Without activating in the EVPN address family:
 - The spines define the neighbor parameters ✓
 - The spines enter BGP configuration ✓
 - The spines do NOT listen on TCP 179 for EVPN sessions ✗
 - Leaf attempts to TCP connect to spine loopback on port 179 for EVPN ✗
 - Timeout occurs → Active state ✗
 ## Testing the Fix
 After deploying with the fix, the EVPN neighbors should immediately transition to **Established**:
 ```bash
 # Before fix
 10.0.250.1 4 65000 0 0 0 0 00:02:05 Active
 # After fix
 10.0.250.1 4 65000 8 8 0 0 00:00:15 Estab
 ```
 ## Impact
 This was a **critical bug** that:
 - Prevented any EVPN overlay from functioning
 - Made L2 VXLAN testing impossible
 - Made L3 VXLAN testing impossible
 - Prevented MAC learning via VXLAN
 - Prevented EVPN route distribution
 Once fixed, the entire EVPN overlay becomes operational immediately.
 ## Lesson Learned
 In BGP multi-address-family configurations, **every address family must be explicitly activated**. This includes:
 - IPv4 unicast
 - IPv6 unicast  
 - EVPN
 - Route target filtering
 - Any other address families being used
 A common mistake is to define a neighbor globally but forget to activate it in all address families where it should be used.
--- a/END_TO_END_TESTING.md
+++ b/END_TO_END_TESTING.md
@@ -0,0 +1,337 @@
 # End-to-End Connectivity Testing Guide
 ## Overview
 This document provides a step-by-step guide to test the EVPN VXLAN fabric after deploying the updated topology with proper VLAN tagging on hosts.
 ## Recent Changes
 ### Fixed Issues
 1. **Host VLAN Tagging** ✅
   - Hosts now create VLAN subinterfaces on top of bonded interfaces
   - Host1 & Host3: VLAN 40 tagged (L2 VXLAN test)
   - Host2: VLAN 34 tagged (L3 VXLAN test)
   - Host4: VLAN 78 tagged (L3 VXLAN test)
 2. **Leaf Port-Channel Configuration** ✅
   - All leaf Port-Channel1 interfaces are in **access mode**
   - Properly mapped to their respective VLANs
   - MLAG enabled for dual-active forwarding
 ## Pre-Test Verification
 ### 1. Check MLAG Status on All Leaf Pairs
 ```bash
 # Leaf Pair 1 (leaf1 & leaf2)
 ssh admin@clab-arista-evpn-fabric-leaf1 "show mlag detail"
 ssh admin@clab-arista-evpn-fabric-leaf2 "show mlag detail"
 # Leaf Pair 2 (leaf3 & leaf4)
 ssh admin@clab-arista-evpn-fabric-leaf3 "show mlag detail"
 ssh admin@clab-arista-evpn-fabric-leaf4 "show mlag detail"
 # Leaf Pair 3 (leaf5 & leaf6)
 ssh admin@clab-arista-evpn-fabric-leaf5 "show mlag detail"
 ssh admin@clab-arista-evpn-fabric-leaf6 "show mlag detail"
 # Leaf Pair 4 (leaf7 & leaf8)
 ssh admin@clab-arista-evpn-fabric-leaf7 "show mlag detail"
 ssh admin@clab-arista-evpn-fabric-leaf8 "show mlag detail"
 ```
 ### 2. Check BGP Underlay Status
 ```bash
 # On Spines
 ssh admin@clab-arista-evpn-fabric-spine1 "show bgp ipv4 unicast summary"
 ssh admin@clab-arista-evpn-fabric-spine2 "show bgp ipv4 unicast summary"
 # Expected: All leaf neighbors should be in ESTABLISHED state
 ```
 ### 3. Check BGP EVPN Status
 ```bash
 # On any leaf
 ssh admin@clab-arista-evpn-fabric-leaf1 "show bgp evpn summary"
 # Expected: Both spine neighbors should be ESTABLISHED
 ```
 ## L2 VXLAN Testing (VLAN 40)
 ### Hosts Involved
 - **Host1** (10.40.40.101) - Connected to Leaf1/Leaf2 (VTEP1)
 - **Host3** (10.40.40.103) - Connected to Leaf5/Leaf6 (VTEP3)
 ### Test Sequence
 #### Step 1: Verify Host Network Interfaces
 ```bash
 # Check host1 VLAN interface
 docker exec clab-arista-evpn-fabric-host1 ip -d link show bond0.40
 docker exec clab-arista-evpn-fabric-host1 ip addr show bond0.40
 # Check host3 VLAN interface
 docker exec clab-arista-evpn-fabric-host3 ip -d link show bond0.40
 docker exec clab-arista-evpn-fabric-host3 ip addr show bond0.40
 ```
 #### Step 2: Verify Leaf Port-Channel Configuration
 ```bash
 # Leaf1 Port-Channel1
 ssh admin@clab-arista-evpn-fabric-leaf1 "show interface Port-Channel1 switchport"
 # Expected output:
 # Switchport Mode: access
 # Access Mode VLAN: 40
 # Spanning Tree Portfast: enabled
 ```
 #### Step 3: Test L2 Connectivity (Ping Test)
 ```bash
 echo "=== L2 VXLAN Ping Test (Host1 → Host3) ==="
 timeout 10 docker exec clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.103
 ```
 #### Step 4: Verify MAC Learning
 ```bash
 # On Leaf1 - check local MAC learning
 ssh admin@clab-arista-evpn-fabric-leaf1 "show mac address-table vlan 40"
 # Expected: MAC from host1 should appear on Port-Channel1
 # On Leaf5 - check MAC learning
 ssh admin@clab-arista-evpn-fabric-leaf5 "show mac address-table vlan 40"
 # Expected: MAC from host3 should appear on Port-Channel1
 ```
 #### Step 5: Verify VXLAN Learning
 ```bash
 # Check remote VXLAN endpoints
 ssh admin@clab-arista-evpn-fabric-leaf1 "show vxlan vtep"
 # Expected: Should show VTEP3 (10.0.255.13)
 # Check VXLAN address table
 ssh admin@clab-arista-evpn-fabric-leaf1 "show vxlan address-table"
 # Expected: Should show MACs learned via Vxlan1 interface
 ```
 #### Step 6: Verify EVPN Type-2 Routes
 ```bash
 # Check BGP EVPN routes on Leaf1
 ssh admin@clab-arista-evpn-fabric-leaf1 "show bgp evpn route-type mac-ip"
 # Expected:
 # - Local MAC (host1) with RD 65001:110040
 # - Remote MAC (host3) with RD 65003:110040 pointing to VTEP 10.0.255.13
 ```
 ## L3 VXLAN Testing (VRF gold)
 ### Hosts Involved
 - **Host2** (10.34.34.102) - Connected to Leaf3/Leaf4 (VTEP2) in VRF gold VLAN 34
 - **Host4** (10.78.78.104) - Connected to Leaf7/Leaf8 (VTEP4) in VRF gold VLAN 78
 ### Test Sequence
 #### Step 1: Verify Host Network Interfaces
 ```bash
 # Check host2 VLAN interface
 docker exec clab-arista-evpn-fabric-host2 ip -d link show bond0.34
 docker exec clab-arista-evpn-fabric-host2 ip addr show bond0.34
 # Check host4 VLAN interface
 docker exec clab-arista-evpn-fabric-host4 ip -d link show bond0.78
 docker exec clab-arista-evpn-fabric-host4 ip addr show bond0.78
 ```
 #### Step 2: Verify Leaf VRF VLAN Configuration
 ```bash
 # On Leaf3
 ssh admin@clab-arista-evpn-fabric-leaf3 "show vlan 34"
 ssh admin@clab-arista-evpn-fabric-leaf3 "show interface Vlan34"
 # Expected:
 # - VLAN 34 exists
 # - Vlan34 interface is in VRF gold with IP 10.34.34.2/24
 # - Virtual router address 10.34.34.1 is configured
 ```
 #### Step 3: Test L3 Connectivity (Ping Test)
 ```bash
 echo "=== L3 VXLAN Ping Test (Host2 → Host4) ==="
 timeout 10 docker exec clab-arista-evpn-fabric-host2 ping -c 4 10.78.78.104
 ```
 #### Step 4: Verify VRF Routing Tables
 ```bash
 # On Leaf3 - check routes in VRF gold
 ssh admin@clab-arista-evpn-fabric-leaf3 "show ip route vrf gold"
 # Expected: Should include routes to 10.34.34.0/24 and 10.78.78.0/24
 # On Leaf4
 ssh admin@clab-arista-evpn-fabric-leaf4 "show ip route vrf gold"
 ```
 #### Step 5: Verify EVPN Type-5 Routes
 ```bash
 # Check BGP EVPN routes on Leaf3
 ssh admin@clab-arista-evpn-fabric-leaf3 "show bgp evpn route-type ip-prefix ipv4"
 # Expected:
 # - Local subnets (10.34.34.0/24 from Leaf3/Leaf4)
 # - Remote subnets (10.78.78.0/24 from Leaf7/Leaf8)
 ```
 ## Complete End-to-End Test Script
 ```bash
 #!/bin/bash
 echo "======================================"
 echo "EVPN VXLAN Fabric Testing"
 echo "======================================"
 # 1. Underlay connectivity
 echo ""
 echo "=== Testing Underlay BGP ==="
 ssh admin@clab-arista-evpn-fabric-spine1 "show bgp ipv4 unicast summary" | tail -20
 # 2. EVPN overlay connectivity
 echo ""
 echo "=== Testing EVPN Overlay ==="
 ssh admin@clab-arista-evpn-fabric-leaf1 "show bgp evpn summary" | tail -5
 # 3. L2 VXLAN connectivity
 echo ""
 echo "=== Testing L2 VXLAN (Host1 → Host3) ==="
 timeout 10 docker exec clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.103
 echo "Status: $?"
 # 4. L3 VXLAN connectivity
 echo ""
 echo "=== Testing L3 VXLAN (Host2 → Host4) ==="
 timeout 10 docker exec clab-arista-evpn-fabric-host2 ping -c 4 10.78.78.104
 echo "Status: $?"
 # 5. MAC learning verification
 echo ""
 echo "=== Verifying MAC Learning ==="
 echo "Leaf1 VLAN 40:"
 ssh admin@clab-arista-evpn-fabric-leaf1 "show mac address-table vlan 40"
 echo ""
 echo "Leaf5 VLAN 40:"
 ssh admin@clab-arista-evpn-fabric-leaf5 "show mac address-table vlan 40"
 # 6. VRF routing verification
 echo ""
 echo "=== Verifying VRF Routing ==="
 echo "Leaf3 VRF gold routes:"
 ssh admin@clab-arista-evpn-fabric-leaf3 "show ip route vrf gold"
 ```
 ## Troubleshooting
 ### Ping fails - Hosts can't reach each other
 1. **Check host connectivity to leaf:**
   ```bash
   docker exec clab-arista-evpn-fabric-host1 ip route
   # Should show default route via VLAN gateway
   docker exec clab-arista-evpn-fabric-host1 ping -c 2 10.40.40.1
   # Should reach the virtual router gateway
   ```
 2. **Check leaf port-channel status:**
   ```bash
   ssh admin@clab-arista-evpn-fabric-leaf1 "show interface Port-Channel1"
   # Should show "up, up"
   ```
 3. **Check VXLAN interface status:**
   ```bash
   ssh admin@clab-arista-evpn-fabric-leaf1 "show interface Vxlan1"
   # Should show "up, up"
   ```
 4. **Check MLAG status:**
   ```bash
   ssh admin@clab-arista-evpn-fabric-leaf1 "show mlag detail"
   # Should show "mlag is active"
   ```
 ### Empty MAC table on leafs
 1. **Verify host is sending traffic:**
   ```bash
   docker exec clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.1
   # Generate some ARP/ICMP traffic
   ```
 2. **Check for spanning-tree blocking:**
   ```bash
   ssh admin@clab-arista-evpn-fabric-leaf1 "show spanning-tree detail vlan 40"
   ```
 ### No EVPN routes exchanged
 1. **Check BGP EVPN session state:**
   ```bash
   ssh admin@clab-arista-evpn-fabric-leaf1 "show bgp evpn summary"
   # Must show ESTABLISHED, not Connect or Active
   ```
 2. **Check EVPN configuration:**
   ```bash
   ssh admin@clab-arista-evpn-fabric-leaf1 "show bgp evpn"
   # Look for rd and route-target configuration
   ```
 ## Expected Results
 | Test | Expected Outcome | Status |
 |------|------------------|--------|
 | Spine BGP | All leaves established | ✓ Expected |
 | Leaf BGP | All spines established | ✓ Expected |
 | EVPN neighbors | Established with spines | ✓ Expected |
 | L2 ping (Host1→Host3) | 4/4 packets successful | ✓ Expected |
 | L3 ping (Host2→Host4) | 4/4 packets successful | ✓ Expected |
 | MAC learning | MACs learned on Vxlan1 | ✓ Expected |
 | EVPN Type-2 | Routes learned for MACs | ✓ Expected |
 | EVPN Type-5 | Routes learned for subnets | ✓ Expected |
 ---
 ## Lab Deployment Steps
 To deploy the lab with the fixes:
 ```bash
 cd ~/arista-evpn-vxlan-clab
 git checkout fix-bgp-and-mlag
 sudo containerlab destroy -t evpn-lab.clab.yml
 sudo containerlab deploy -t evpn-lab.clab.yml
 ```
 The lab should now have:
 - Proper VLAN tagging on all hosts
 - Correct VXLAN VTEP configuration
 - Working BGP EVPN overlay
 - End-to-end connectivity between remote VTEPs
--- a/TESTING_CHECKLIST.md
+++ b/TESTING_CHECKLIST.md
@@ -0,0 +1,304 @@
 # Deployment & Testing Checklist
 ## ✅ What Was Fixed
 - [x] Host VLAN tagging configuration in topology file
 - [x] All 4 hosts now create VLAN subinterfaces (bond0.XX)
 - [x] Leaf port-channels properly configured for access mode
 - [x] BGP configuration in leafs includes `ip routing` command
 - [x] MLAG configurations validated on all 4 leaf pairs
 - [x] VXLAN VTEP configuration in place
 - [x] EVPN overlay configuration complete
 ## 🚀 Deployment Steps
 ### 1. Check Current Branch
 ```bash
 cd ~/arista-evpn-vxlan-clab
 git branch
 git status
 ```
 Should show: `fix-bgp-and-mlag` branch
 ### 2. Destroy Current Lab (if running)
 ```bash
 sudo containerlab destroy -t evpn-lab.clab.yml --cleanup
 ```
 ### 3. Deploy Fixed Lab
 ```bash
 sudo containerlab deploy -t evpn-lab.clab.yml
 # Wait 60-90 seconds for all containers to start
 ```
 ### 4. Verify Lab is Running
 ```bash
 sudo containerlab inspect -t evpn-lab.clab.yml
 ```
 Should show all 10 nodes (2 spines + 8 leaves + 4 hosts) as RUNNING
 ---
 ## 📋 Pre-Testing Checks (Run in Order)
 ### Check 1: Spine BGP Underlay
 ```bash
 ssh admin@clab-arista-evpn-fabric-spine1 "show bgp ipv4 unicast summary"
 ```
 **Expected:** All 8 leaf neighbors in ESTABLISHED state
 ```
 10.0.1.1  4 65001  22  18  Estab  3
 10.0.1.3  4 65001  20  17  Estab  3
 10.0.1.5  4 65002  19  18  Estab  0    ← Check this, should be 0 or more
 ...
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ### Check 2: Leaf MLAG Status
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf1 "show mlag detail"
 ssh admin@clab-arista-evpn-fabric-leaf3 "show mlag detail"
 ```
 **Expected:** All pairs show `MLAG is active`
 ```
 MLAG is active
 Active per VLAN: yes
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ### Check 3: Leaf BGP EVPN
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf1 "show bgp evpn summary"
 ```
 **Expected:** Both spine neighbors in ESTABLISHED
 ```
 10.0.250.1  4 65000  8  9  Estab  0
 10.0.250.2  4 65000  8  8  Estab  0
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ### Check 4: Host VLAN Interfaces
 ```bash
 docker exec clab-arista-evpn-fabric-host1 ip -d link show bond0.40
 docker exec clab-arista-evpn-fabric-host2 ip -d link show bond0.34
 docker exec clab-arista-evpn-fabric-host3 ip -d link show bond0.40
 docker exec clab-arista-evpn-fabric-host4 ip -d link show bond0.78
 ```
 **Expected:** All show VLAN tagging
 ```
 vlan protocol 802.1Q id 40 <BROADCAST,MULTICAST,UP,LOWER_UP>
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ## 🧪 Connectivity Tests
 ### Test 1: Host to Gateway (VLAN40)
 ```bash
 docker exec clab-arista-evpn-fabric-host1 ping -c 2 10.40.40.1
 docker exec clab-arista-evpn-fabric-host3 ping -c 2 10.40.40.1
 ```
 **Expected:** 2/2 packets successful
 **Status:** ☐ Pass / ☐ Fail
 **Time:** ~5 seconds
 ---
 ### Test 2: L2 VXLAN Connectivity (Host1 → Host3)
 ```bash
 docker exec clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.103
 ```
 **Expected:** 4/4 packets successful
 ```
 PING 10.40.40.103 (10.40.40.103): 56 data bytes
 64 bytes from 10.40.40.103: seq=0 ttl=64 time=X.XXms
 ```
 **Status:** ☐ Pass / ☐ Fail
 **Time:** ~10 seconds
 ---
 ### Test 3: MAC Learning on Leaf1
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf1 "show mac address-table vlan 40"
 ```
 **Expected:** At least 1 MAC learned
 ```
 Vlan    Mac Address       Type        Ports
 40      XXXX.XXXX.XXXX   DYNAMIC     Po1
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ### Test 4: Remote MAC Learning via VXLAN
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf1 "show vxlan address-table vlan 40"
 ```
 **Expected:** MAC from host3 learned via Vxlan1
 ```
 VLAN  Mac Address     Type     Prt  VTEP
 40    XXXX.XXXX.XXXX  EVPN     Vx1  10.0.255.13
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ### Test 5: EVPN Type-2 Routes
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf1 "show bgp evpn route-type mac-ip | head -20"
 ```
 **Expected:** Both local and remote MACs advertised
 ```
 RD: 65001:110040 mac-ip XXXX.XXXX.XXXX
                  -                -  
 RD: 65003:110040 mac-ip XXXX.XXXX.XXXX
                  10.0.255.13      
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ### Test 6: Host to Gateway (VLAN34)
 ```bash
 docker exec clab-arista-evpn-fabric-host2 ping -c 2 10.34.34.1
 ```
 **Expected:** 2/2 packets successful
 **Status:** ☐ Pass / ☐ Fail
 **Time:** ~5 seconds
 ---
 ### Test 7: L3 VXLAN Connectivity (Host2 → Host4)
 ```bash
 docker exec clab-arista-evpn-fabric-host2 ping -c 4 10.78.78.104
 ```
 **Expected:** 4/4 packets successful
 **Status:** ☐ Pass / ☐ Fail
 **Time:** ~10 seconds
 ---
 ### Test 8: VRF Routing on Leaf3
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf3 "show ip route vrf gold"
 ```
 **Expected:** Routes to both 10.34.34.0/24 and 10.78.78.0/24
 ```
 C    10.34.34.0/24 is directly connected, Vlan34
 B E  10.78.78.0/24 [200/0] via VTEP 10.0.255.14
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ### Test 9: EVPN Type-5 Routes
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf3 "show bgp evpn route-type ip-prefix ipv4"
 ```
 **Expected:** IP prefixes for both VTEPs
 ```
 RD: 10.0.250.13:1 ip-prefix 10.34.34.0/24
 RD: 10.0.250.17:1 ip-prefix 10.78.78.0/24
 ```
 **Status:** ☐ Pass / ☐ Fail
 ---
 ## 📊 Summary Table
 | Component | Check | Expected | Actual | Status |
 |-----------|-------|----------|--------|--------|
 | Spine BGP | All leaves established | 8/8 ESTAB | ? | ☐ |
 | Leaf MLAG | Pair status | active/active | ? | ☐ |
 | EVPN | Spine peers | 2/2 ESTAB | ? | ☐ |
 | Host Interfaces | VLAN tags | 4 VLAN ifaces | ? | ☐ |
 | L2 Gateway | Ping host→gw | 2/2 success | ? | ☐ |
 | L2 VXLAN | Host1→Host3 | 4/4 success | ? | ☐ |
 | MAC Learning | Leaf1 VLAN40 | ≥1 MAC | ? | ☐ |
 | Remote MACs | VXLAN table | MACs from Vx1 | ? | ☐ |
 | Type-2 Routes | EVPN MACs | Local + Remote | ? | ☐ |
 | L3 Gateway | Ping host→gw | 2/2 success | ? | ☐ |
 | L3 VXLAN | Host2→Host4 | 4/4 success | ? | ☐ |
 | VRF Routes | Leaf3 VRF gold | 2+ routes | ? | ☐ |
 | Type-5 Routes | EVPN prefixes | Local + Remote | ? | ☐ |
 ---
 ## 🔧 If Tests Fail
 ### L2 ping fails
 ```bash
 # 1. Check host VLAN interface
 docker exec clab-arista-evpn-fabric-host1 ip addr show bond0.40
 # Should show: inet 10.40.40.101/24 dev bond0.40
 # 2. Check port-channel status
 ssh admin@clab-arista-evpn-fabric-leaf1 "show interface Port-Channel1"
 # Should show: up, up
 # 3. Check VLAN 40 exists on leaf
 ssh admin@clab-arista-evpn-fabric-leaf1 "show vlan 40"
 # Should show: VLAN 40 exists
 # 4. Check MAC learning (generate traffic)
 docker exec clab-arista-evpn-fabric-host1 arping -c 3 10.40.40.1
 ssh admin@clab-arista-evpn-fabric-leaf1 "show mac address-table vlan 40"
 # Should show host1 MAC
 ```
 ### L3 ping fails
 ```bash
 # 1. Check VRF VLAN interface
 ssh admin@clab-arista-evpn-fabric-leaf3 "show interface Vlan34"
 # Should show: up, up
 # 2. Check VRF routing enabled
 ssh admin@clab-arista-evpn-fabric-leaf3 "show ip route vrf gold"
 # Should show routes
 # 3. Check VXLAN VRF mapping
 ssh admin@clab-arista-evpn-fabric-leaf3 "show interface Vxlan1"
 # Should show: vxlan vrf gold vni 100001
 ```
 ---
 ## 📝 Notes for Next Steps
 1. **If all tests pass** ✅
   - Create pull request to merge `fix-bgp-and-mlag` into `main`
   - Document the changes in FIXES_APPLIED.md
   - Update main branch documentation
 2. **If specific tests fail** ⚠️
   - Review the troubleshooting section above
   - Check device logs: `show log`
   - Review configuration with `show running-config`
 3. **Keep for reference**
   - END_TO_END_TESTING.md - Comprehensive testing guide
   - VLAN_TAGGING_FIX_EXPLANATION.md - Explains the root cause and fix
 ---
 ## 🎯 Success Criteria
 **Lab is ready for production use when:**
 - ✓ All pre-testing checks pass
 - ✓ All 9 connectivity tests pass
 - ✓ No errors in device logs
 - ✓ MLAG is active/active on all pairs
 - ✓ BGP neighbors all established
 - ✓ EVPN routes being advertised
--- a/TROUBLESHOOTING.md
+++ b/TROUBLESHOOTING.md
@@ -0,0 +1,995 @@
 # EVPN-VXLAN Fabric Troubleshooting Guide
 This guide provides systematic troubleshooting steps for Arista EVPN-VXLAN fabrics with MLAG.
 ---
 ## 📋 Table of Contents
 1. [Troubleshooting Methodology](#troubleshooting-methodology)
 2. [Layer 1: Physical Connectivity](#layer-1-physical-connectivity)
 3. [Layer 2: MLAG & Port-Channels](#layer-2-mlag--port-channels)
 4. [Layer 3: Underlay (BGP IPv4)](#layer-3-underlay-bgp-ipv4)
 5. [Layer 4: Overlay (BGP EVPN)](#layer-4-overlay-bgp-evpn)
 6. [Layer 5: VXLAN Data Plane](#layer-5-vxlan-data-plane)
 7. [End-to-End Traffic Flow](#end-to-end-traffic-flow)
 8. [Common Issues & Solutions](#common-issues--solutions)
 ---
 ## 🔍 Troubleshooting Methodology
 **Always troubleshoot bottom-up:**
 ```
 Physical Links → MLAG → Underlay BGP → Overlay EVPN → VXLAN → Traffic Flow
 ```
 **For each layer:**
 1. ✅ Verify expected state
 2. ❌ Identify issues
 3. 🔧 Apply fixes
 4. ♻️ Re-verify
 ---
 ## Layer 1: Physical Connectivity
 ### Check Interface Status
 **On all switches (spines + leafs):**
 ```bash
 # Quick overview
 show interfaces status
 # Detailed view of a specific interface
 show interfaces Ethernet11
 # Check for errors
 show interfaces Ethernet11 | include error|drop|discard
 ```
 **Expected Output:**
 ```
 Ethernet11 is up, line protocol is up (connected)
  Hardware is Ethernet, address is 001c.7300.000b
  Internet address is 10.0.1.1/31
  MTU 9214 bytes
 ```
 **Troubleshooting:**
 - `down/down` → Physical issue (cable, peer interface)
 - `up/down` → Layer 2 issue (switchport config, STP)
 - Check MTU: Should be **9214** on underlay P2P links
 ---
 ## Layer 2: MLAG & Port-Channels
 ### 2.1 Verify MLAG Peering
 **On each MLAG leaf pair (e.g., leaf1/leaf2):**
 ```bash
 # MLAG global status
 show mlag
 # MLAG detailed info
 show mlag detail
 # MLAG interfaces
 show mlag interfaces
 ```
 **Expected Output (show mlag):**
 ```
 MLAG Configuration:
 domain-id               : leafs
 local-interface         : Vlan4090
 peer-address            : 10.0.199.255
 peer-link               : Port-Channel999
 MLAG Status:
 state                   : Active
 negotiation status      : Connected
 peer-link status        : Up
 local-int status        : Up
 system-id               : 0c:1d:c0:1d:62:10
 dual-primary detection  : Configured
 ```
 **Troubleshooting:**
 | Issue | Cause | Fix |
 |-------|-------|-----|
 | state: `Inactive` | Peer-link down | Check Po999 and Ethernet10 |
 | negotiation: `Connecting` | VLAN4090 issue | Verify IP addressing, peer-address config |
 | peer-link: `Down` | Port-Channel999 down | Check `show port-channel 999` |
 | dual-primary: `Detected` | Peer-link failed + heartbeat failed | Check mgmt network connectivity |
 ---
 ### 2.2 Verify MLAG Peer-Link (Port-Channel999)
 ```bash
 # Port-Channel status
 show port-channel 999
 # Detailed view
 show port-channel 999 detailed
 # LACP status (if using LACP mode)
 show lacp interface Ethernet10
 ```
 **Expected Output:**
 ```
 Port Channel Port-Channel999 (Fallback State: Unconfigured):
 Active Ports: Ethernet10
 ```
 **Troubleshooting:**
 - No active ports → Check `show interfaces Ethernet10`
 - Wrong mode → Should be `switchport mode trunk`
 - Missing VLANs → Check `switchport trunk group mlag-peer`
 ---
 ### 2.3 Verify Host-Facing Port-Channels (MLAG)
 **On each leaf connected to hosts:**
 ```bash
 # Port-Channel status
 show port-channel 1
 # Port-Channel detailed view
 show port-channel 1 detailed
 # MLAG interfaces status
 show mlag interfaces
 # LACP neighbor (if LACP established)
 show lacp neighbor
 ```
 **Expected Output (show port-channel 1):**
 ```
 Port Channel Port-Channel1 (Fallback State: individual):
 Active Ports: Ethernet1
 ```
 **Expected Output (show mlag interfaces):**
 ```
                                            local/remote
 mlag        desc             state       local       remote          status
 ------ -------------- ------------- ----------- ------------ ---------------
    1          host1  active-full          Po1          Po1          up/up
 ```
 **Troubleshooting:**
 | Issue | Cause | Fix |
 |-------|-------|-----|
 | `inactive` | MLAG peering down | Fix MLAG first (section 2.1) |
 | `active-partial` | Remote Po1 down on peer leaf | Check peer leaf's Po1 |
 | `configured-inactive` | Missing `mlag 1` config | Add `mlag 1` to Po1 |
 | No LACP neighbor | Host bonding issue | Check host: `ip link show bond0` |
 | Ports in fallback mode | LACP not negotiating | Normal - will transition after LACP establishes |
 ---
 ### 2.4 Verify iBGP Peering Link (VLAN 4091)
 ```bash
 # VLAN4091 interface status
 show ip interface Vlan4091
 # Ping peer
 ping vrf default 10.0.3.1 source 10.0.3.0
 ```
 **Expected:**
 - Interface: `up/up`
 - Ping: Successful
 ---
 ## Layer 3: Underlay (BGP IPv4)
 ### 3.1 Verify BGP Neighbors (Underlay)
 **On Spines:**
 ```bash
 # BGP summary
 show ip bgp summary
 # Specific neighbor
 show ip bgp neighbor 10.0.1.1
 ```
 **Expected Output:**
 ```
 Neighbor         V  AS      MsgRcvd   MsgSent  InQ OutQ  Up/Down State  PfxRcd PfxAcc
 10.0.1.1         4  65001       245       243    0    0 02:01:23 Estab  2      2
 10.0.1.3         4  65001       245       243    0    0 02:01:20 Estab  2      2
 ...
 ```
 **On Leafs:**
 ```bash
 # BGP summary
 show ip bgp summary
 # Check underlay peer-group
 show bgp peer-group underlay
 ```
 **Expected neighbors:**
 - eBGP to both spines (state: `Estab`)
 - iBGP to MLAG peer (state: `Estab`)
 ---
 ### 3.2 Verify Loopback Reachability
 **On any leaf, ping all other loopbacks:**
 ```bash
 # Ping spine loopbacks
 ping 10.0.250.1 source 10.0.250.11
 ping 10.0.250.2 source 10.0.250.11
 # Ping other leaf loopbacks
 ping 10.0.250.13 source 10.0.250.11
 ping 10.0.250.15 source 10.0.250.11
 ping 10.0.250.17 source 10.0.250.11
 # Ping VTEP loopbacks (important!)
 ping 10.0.255.12 source 10.0.255.11
 ping 10.0.255.13 source 10.0.255.11
 ping 10.0.255.14 source 10.0.255.11
 ```
 **Expected:**
 - All pings successful
 - RTT < 10ms (virtual environment)
 **Troubleshooting:**
 ```bash
 # Check routing table
 show ip route
 # Verify loopback advertisements
 show ip bgp 10.0.250.13
 # Check BGP is advertising loopbacks
 show ip bgp neighbors 10.0.1.0 advertised-routes
 ```
 **Common issues:**
 - Missing `network 10.0.250.X/32` in BGP config
 - Missing `network 10.0.255.X/32` (VTEP loopback!)
 - BGP neighbor not activated in IPv4 address-family
 ---
 ### 3.3 Verify ECMP (Equal-Cost Multi-Path)
 ```bash
 # Check routes to a remote loopback
 show ip route 10.0.250.13
 # Should show multiple next-hops
 show ip route 10.0.250.13 detail
 ```
 **Expected Output:**
 ```
 B E    10.0.250.13/32 [20/0] via 10.0.1.0, Ethernet11
                               via 10.0.2.0, Ethernet12
 ```
 Two paths via both spines = ✅ ECMP working
 ---
 ## Layer 4: Overlay (BGP EVPN)
 ### 4.1 Verify EVPN Neighbors
 **On Spines:**
 ```bash
 # EVPN summary
 show bgp evpn summary
 # Check specific neighbor
 show bgp evpn neighbor 10.0.250.11
 ```
 **Expected:**
 - All 8 leafs in `Estab` state
 - PfxRcd > 0 (receiving EVPN routes)
 **On Leafs:**
 ```bash
 # EVPN summary
 show bgp evpn summary
 ```
 **Expected:**
 - Both spines in `Estab` state
 - PfxRcd > 0
 ---
 ### 4.2 Verify EVPN Routes
 **Check EVPN route types:**
 ```bash
 # Type-2: MAC/IP routes (L2 VXLAN)
 show bgp evpn route-type mac-ip
 # Type-3: IMET routes (VXLAN flood list)
 show bgp evpn route-type imet
 # Type-5: IP Prefix routes (L3 VXLAN)
 show bgp evpn route-type ip-prefix ipv4
 ```
 **Expected for L2 VXLAN (VLAN 40):**
 ```bash
 show bgp evpn route-type mac-ip
 ```
 Output should show:
 - Local MACs (learned on Port-Channel1)
 - Remote MACs (from other VTEPs via EVPN)
 **Expected for L3 VXLAN (VRF gold):**
 ```bash
 show bgp evpn route-type ip-prefix ipv4
 ```
 Output should show:
 - Local subnets (e.g., 10.34.34.0/24 on VTEP2)
 - Remote subnets (e.g., 10.78.78.0/24 from VTEP4)
 ---
 ### 4.3 Troubleshoot EVPN Issues
 **No EVPN neighbors:**
 ```bash
 # Check if EVPN is activated
 show running-config | section evpn
 # Should see:
 # address-family evpn
 #    neighbor evpn activate
 ```
 **No EVPN routes received:**
 ```bash
 # Check route-target configuration
 show running-config | section vlan 40
 # Should have:
 # vlan 40
 #    rd 65001:110040
 #    route-target both 40:110040
 #    redistribute learned
 ```
 **EVPN routes received but not installed:**
 ```bash
 # Check VXLAN interface
 show interfaces Vxlan1
 # Verify VNI mapping
 show vxlan vni
 ```
 ---
 ## Layer 5: VXLAN Data Plane
 ### 5.1 Verify VXLAN Interface
 ```bash
 # VXLAN interface status
 show interfaces Vxlan1
 # VNI to VLAN mappings
 show vxlan vni
 # VTEP flood lists
 show vxlan flood vtep
 # Address table (MAC learning)
 show vxlan address-table
 ```
 **Expected Output (show interfaces Vxlan1):**
 ```
 Vxlan1 is up, line protocol is up (connected)
  Hardware is Vxlan
  Source interface is Loopback1 and is active with 10.0.255.11
  Replication/Flood Mode is headend with Flood List Source: EVPN
  Remote MAC learning via EVPN
  VNI mapping to VLANs
  Static VLAN to VNI mapping is
    [40, 110040]
  Static VRF to VNI mapping is
    [gold, 100001]
 ```
 **Expected Output (show vxlan vtep):**
 ```
 Remote VTEPS for Vxlan1:
 VTEP           Tunnel Type(s)
 -------------- --------------
 10.0.255.12    flood, unicast
 10.0.255.13    flood, unicast
 10.0.255.14    flood, unicast
 Total number of remote VTEPS:  3
 ```
 ---
 ### 5.2 Verify MAC Learning
 **Check local MAC learning:**
 ```bash
 # MACs learned on Port-Channel1
 show mac address-table interface Port-Channel1
 # MACs learned via VXLAN
 show mac address-table interface Vxlan1
 # Combined view for a VLAN
 show mac address-table vlan 40
 ```
 **Expected Output:**
 ```
          Mac Address Table
 ------------------------------------------------------------------
 Vlan    Mac Address       Type        Ports      Moves   Last Move
 ----    -----------       ----        -----      -----   ---------
  40    00c1.ab00.0011    DYNAMIC     Po1        1       0:05:23 ago
  40    00c1.ab00.0033    DYNAMIC     Vx1        1       0:05:20 ago
 ```
 - Local host MAC → learned on **Po1**
 - Remote host MAC → learned on **Vx1** (VXLAN)
 ---
 ### 5.3 Verify VXLAN Address Table
 ```bash
 # VXLAN-specific MAC table
 show vxlan address-table
 # Detailed view
 show vxlan address-table vlan 40
 ```
 **Expected Output:**
 ```
          Vxlan Mac Address Table
 ----------------------------------------------------------------------
 VLAN  Mac Address     Type     Prt  VTEP             Moves   Last Move
 ----  -----------     ----     ---  ----             -----   ---------
  40  00c1.ab00.0033  EVPN     Vx1  10.0.255.13      1       0:05:20 ago
 ```
 Shows which remote VTEP the MAC is behind!
 ---
 ## End-to-End Traffic Flow
 ### Scenario: host1 (VTEP1) pings host3 (VTEP3) - L2 VXLAN
 Both hosts in VLAN 40 (10.40.40.0/24)
 ---
 #### Step 1: Host Sends Packet
 **On host1:**
 ```bash
 docker exec -it clab-arista-evpn-fabric-host1 sh
 # Check bond interface
 ip link show bond0
 # Check VLAN interface
 ip link show bond0.40
 # Send ping
 ping 10.40.40.103
 ```
 **Expected:**
 - bond0: `state UP`
 - bond0.40: `state UP`
 ---
 #### Step 2: Packet Arrives at leaf1 (VTEP1)
 **On leaf1:**
 ```bash
 # Check Port-Channel received the packet
 show interfaces Port-Channel1 | include packets
 # Check MAC learning
 show mac address-table dynamic vlan 40
 # Should see host1's MAC on Po1
 ```
 **Traffic flow:**
 ```
 host1:bond0.40 → [802.1Q VLAN 40] → leaf1:Eth1 → Po1
 ```
 ---
 #### Step 3: Leaf1 Lookup & VXLAN Encapsulation
 **Leaf1 checks MAC table:**
 ```bash
 show mac address-table address 00c1.ab00.0033
 # Output:
 # VLAN 40, MAC 00c1.ab00.0033 → Vxlan1
 ```
 **Leaf1 checks VXLAN address-table:**
 ```bash
 show vxlan address-table address 00c1.ab00.0033
 # Output:
 # VLAN 40, MAC 00c1.ab00.0033 → VTEP 10.0.255.13
 ```
 **Encapsulation:**
 ```
 Original: [Eth: host1→host3][IP: 10.40.40.101→103][ICMP]
 VXLAN:    [Outer IP: 10.0.255.11→10.0.255.13]
          [Outer UDP: src=random, dst=4789]
          [VXLAN Header: VNI=110040]
          [Inner Eth: host1→host3][IP: 10.40.40.101→103][ICMP]
 ```
 ---
 #### Step 4: Underlay Routing
 **Leaf1 routes outer packet:**
 ```bash
 # Check route to remote VTEP
 show ip route 10.0.255.13
 # Output:
 # via 10.0.1.0, Ethernet11  (spine1)
 # via 10.0.2.0, Ethernet12  (spine2)
 ```
 ECMP: Packet can go via spine1 OR spine2!
 **Spine forwards based on outer IP:**
 ```bash
 # On spine1
 show ip route 10.0.255.13
 # Output:
 # via 10.0.1.5, Ethernet3  (leaf5)
 ```
 ---
 #### Step 5: Packet Arrives at leaf5 (VTEP3)
 **On leaf5:**
 ```bash
 # Check VXLAN received the packet
 show interfaces Vxlan1 | include packets
 # VXLAN decapsulation happens automatically
 ```
 **Decapsulation:**
 ```
 VXLAN packet → Strip outer IP/UDP/VXLAN headers
 → Original frame: [Eth: host1→host3][IP: 10.40.40.101→103][ICMP]
 ```
 **Leaf5 checks MAC table:**
 ```bash
 show mac address-table address 00c1.ab00.0033
 # Output:
 # VLAN 40, MAC 00c1.ab00.0033 → Port-Channel1
 ```
 ---
 #### Step 6: Packet Delivered to host3
 ```
 leaf5:Vxlan1 → VLAN 40 → Po1 → Eth1 → host3:bond0.40
 ```
 **On host3:**
 ```bash
 docker exec -it clab-arista-evpn-fabric-host3 sh
 # Check received ping
 ping 10.40.40.101  # Reply should work!
 ```
 ---
 ### Complete Flow Diagram
 ```
 ┌─────────────────────────────────────────────────────────────────┐
 │                    L2 VXLAN Traffic Flow                        │
 └─────────────────────────────────────────────────────────────────┘
 host1 (10.40.40.101)                                host3 (10.40.40.103)
  │                                                        ▲
  │ 1. Send ping to 10.40.40.103                          │
  │    [VLAN 40 tag]                                      │ 6. Receive reply
  │                                                        │    [VLAN 40 tag]
  ▼                                                        │
 leaf1:Po1                                            leaf5:Po1
  │                                                        ▲
  │ 2. MAC lookup:                                        │ 5. MAC lookup:
  │    00c1.ab00.0033 → Vx1 → 10.0.255.13                │    00c1.ab00.0011 → Vx1
  │                                                        │
  ▼                                                        │
 leaf1:Vxlan1                                         leaf5:Vxlan1
  │                                                        ▲
  │ 3. VXLAN encap:                                       │ 4. VXLAN decap:
  │    Outer: 10.0.255.11 → 10.0.255.13                  │    Strip outer headers
  │    VNI: 110040                                        │
  │    Inner: original frame                              │
  │                                                        │
  ▼                                                        │
 leaf1:Eth11 ──────► spine1 ──────► leaf5:Eth11 ──────────┘
         (underlay BGP routing)
 ```
 ---
 ## Common Issues & Solutions
 ### Issue 1: Ping Fails Between Hosts in Same VLAN
 **Symptoms:**
 - Host1 cannot ping Host3 (both VLAN 40)
 - MACs not learning
 **Troubleshooting Steps:**
 ```bash
 # 1. Check Port-Channel
 show port-channel 1
 # → Should show active ports
 # 2. Check VLAN config
 show vlan 40
 # → Should show Po1 as member
 # 3. Check MAC learning
 show mac address-table vlan 40
 # → Should see local host MAC on Po1
 # 4. Check VXLAN interface
 show interfaces Vxlan1
 # → Should be up/up
 # 5. Check remote VTEPs
 show vxlan vtep
 # → Should list remote VTEPs
 # 6. Check EVPN routes
 show bgp evpn route-type mac-ip
 # → Should see remote MACs
 # 7. Check VXLAN address-table
 show vxlan address-table vlan 40
 # → Should see remote MACs via Vx1
 ```
 **Common Causes:**
 | Issue | Fix |
 |-------|-----|
 | Port-Channel down | Check LACP, add fallback config |
 | MLAG not synced | Fix MLAG peering (VLAN 4090) |
 | VNI not configured | Add `vxlan vlan 40 vni 110040` |
 | EVPN not advertising | Add `redistribute learned` under `vlan 40` in BGP |
 | Wrong route-target | Verify RT matches on all VTEPs |
 ---
 ### Issue 2: Ping Fails Between VRFs (L3 VXLAN)
 **Symptoms:**
 - host2 (10.34.34.102) cannot ping host4 (10.78.78.104)
 - Both in VRF gold
 **Troubleshooting Steps:**
 ```bash
 # 1. Check VRF routing
 show ip route vrf gold
 # 2. Check BGP EVPN Type-5 routes
 show bgp evpn route-type ip-prefix ipv4
 # 3. Check VRF VNI mapping
 show vxlan vni
 # → Should show VRF gold → VNI 100001
 # 4. Check SVI is in VRF
 show ip interface Vlan34
 # → Should show "VRF: gold"
 # 5. Check virtual gateway
 show ip virtual-router
 ```
 **Common Causes:**
 | Issue | Fix |
 |-------|-----|
 | SVI not in VRF | Add `vrf gold` under `interface Vlan34` |
 | VRF not mapped to VNI | Add `vxlan vrf gold vni 100001` |
 | Route-target mismatch | Verify `route-target both evpn 1:100001` |
 | BGP not redistributing | Add `redistribute connected` under `vrf gold` |
 ---
 ### Issue 3: MLAG Port-Channel Inactive
 **Symptoms:**
 ```
 show mlag interfaces
 # mlag 1: configured-inactive
 ```
 **Troubleshooting:**
 ```bash
 # 1. Check MLAG global state
 show mlag
 # → Should be "Active"
 # 2. Check Port-Channel on BOTH leafs
 show port-channel 1
 # 3. Check MLAG config on BOTH leafs
 show running-config interfaces Port-Channel1
 # → Should have "mlag 1"
 # 4. Check peer leaf
 # SSH to peer and run: show port-channel 1
 ```
 **Fix:**
 - Ensure BOTH leafs have `mlag 1` configured
 - Ensure MLAG peering is up first
 - Check peer leaf's Port-Channel status
 ---
 ### Issue 4: LACP Not Establishing
 **Symptoms:**
 ```
 show port-channel 1
 # No Active Ports
 # Configured, but inactive ports:
 #    Ethernet1: waiting for LACP response
 ```
 **Fix:**
 ```bash
 # Add LACP fallback
 configure
 interface Port-Channel1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
 ```
 **Verify:**
 ```bash
 show port-channel 1
 # → Should show Ethernet1 in "Active Ports" (fallback mode)
 # Wait 5 seconds, check LACP
 show lacp neighbor
 # → Should show LACP neighbor if host is configured correctly
 ```
 ---
 ### Issue 5: BGP EVPN Neighbors Not Establishing
 **Symptoms:**
 ```
 show bgp evpn summary
 # Neighbors stuck in "Connect" or "Active" state
 ```
 **Troubleshooting:**
 ```bash
 # 1. Check underlay reachability
 ping 10.0.250.1 source Loopback0
 # 2. Check EVPN neighbor config
 show running-config | section evpn
 # 3. Check if EVPN is activated
 show bgp evpn neighbors 10.0.250.1
 # → Look for "Address Family: evpn"
 # 4. Check for BGP errors
 show bgp evpn summary
 show log | include BGP|EVPN
 ```
 **Common Fixes:**
 - Add `neighbor evpn activate` in `address-family evpn`
 - Check `update-source Loopback0` is configured
 - Verify `ebgp-multihop 3` for leaf-spine peering
 - Check `send-community extended` is configured
 ---
 ## Quick Reference Commands
 ### Health Check Script
 Run these commands on **each leaf** for quick validation:
 ```bash
 #!/bin/bash
 # Quick EVPN-VXLAN Health Check
 echo "=== Physical Interfaces ==="
 show interfaces status | include Ethernet[1-9]
 echo "=== MLAG Status ==="
 show mlag | include state|negotiation|peer-link
 echo "=== BGP Underlay ==="
 show ip bgp summary | include Estab|Neighbor
 echo "=== BGP EVPN Overlay ==="
 show bgp evpn summary | include Estab|Neighbor
 echo "=== VXLAN ==="
 show interfaces Vxlan1 | include "is up|Source interface"
 show vxlan vtep
 echo "=== Port-Channels ==="
 show port-channel 1
 echo "=== MAC Addresses ==="
 show mac address-table count
 ```
 ---
 ### Traffic Flow Verification
 **Test L2 VXLAN (VLAN 40):**
 ```bash
 # On host1
 ping 10.40.40.103 -c 3
 # On leaf1 (VTEP1)
 show mac address-table address 00c1.ab00.0033
 show vxlan address-table address 00c1.ab00.0033
 # On leaf5 (VTEP3)
 show mac address-table address 00c1.ab00.0011
 show vxlan address-table address 00c1.ab00.0011
 ```
 **Test L3 VXLAN (VRF gold):**
 ```bash
 # On host2
 ping 10.78.78.104 -c 3
 # On leaf3 (VTEP2)
 show ip route vrf gold 10.78.78.0/24
 show bgp evpn route-type ip-prefix ipv4 10.78.78.0/24
 # On leaf7 (VTEP4)
 show ip route vrf gold 10.34.34.0/24
 ```
 ---
 ## Additional Resources
 - [Arista EVPN Design Guide](https://www.arista.com/en/solutions/design-guides)
 - [Arista EOS Manual - VXLAN](https://www.arista.com/en/um-eos/eos-vxlan)
 - [RFC 7432 - BGP MPLS-Based Ethernet VPN](https://datatracker.ietf.org/doc/html/rfc7432)
 ---
 **Happy Troubleshooting! 🚀**
--- a/VLAN_TAGGING_FIX_EXPLANATION.md
+++ b/VLAN_TAGGING_FIX_EXPLANATION.md
@@ -0,0 +1,167 @@
 # Quick Diagnostic: Why Hosts Weren't Talking
 ## The Problem
 You were getting **empty MAC tables and no ping replies** when testing end-to-end connectivity between hosts. The root cause was **VLAN tagging mismatch** between hosts and leaf switches.
 ## The Mismatch Explained
 ### ❌ OLD Configuration (Broken)
 **Hosts were sending untagged traffic:**
 ```yaml
 host1:
  exec:
    - ip link add bond0 type bond mode balance-rr
    - ip link set eth1 master bond0
    - ip link set eth2 master bond0
    - ip link set bond0 up
    - ip addr add 10.40.40.101/24 dev bond0    # ← UNTAGGED traffic!
 ```
 **Leaf switches expected VLAN-tagged traffic:**
 ```
 interface Port-Channel1
   switchport mode access
   switchport access vlan 40     # ← Expecting tagged VLAN 40!
   mlag 1
 ```
 ### Traffic Flow (Broken):
 ```
 Host1 (untagged)
  ↓
 eth1/eth2 (bonds)
  ↓
 Leaf1 Port-Channel1 (access VLAN 40)
  ↓
 Traffic dropped because VLAN doesn't match!
  ↗ No MAC learning
  ↗ No connectivity
 ```
 ---
 ## ✅ NEW Configuration (Fixed)
 **Hosts now send VLAN-tagged traffic:**
 ```yaml
 host1:
  exec:
    - ip link add bond0 type bond mode balance-rr
    - ip link set eth1 master bond0
    - ip link set eth2 master bond0
    - ip link set bond0 up
    # Create VLAN 40 subinterface
    - ip link add link bond0 name bond0.40 type vlan id 40
    - ip link set bond0.40 up
    - ip addr add 10.40.40.101/24 dev bond0.40  # ← TAGGED traffic!
 ```
 **Leaf switches expect VLAN-tagged traffic:**
 ```
 interface Port-Channel1
   switchport mode access
   switchport access vlan 40     # ← Now matches!
   mlag 1
 ```
 ### Traffic Flow (Fixed):
 ```
 Host1 (VLAN 40 tagged)
  ↓
 bond0.40 interface (sends tagged frames)
  ↓
 eth1/eth2 (carries tagged traffic)
  ↓
 Leaf1 Port-Channel1 (access VLAN 40)
  ↓
 Frames untagged and placed in VLAN 40
  ↓
 Switches forward in VLAN 40
  ↓
 VXLAN encapsulation for remote VTEP
  ↓
 ✓ MAC learning works
  ✓ Connectivity established
 ```
 ---
 ## VLAN Tagging Mapping
 | Host | Interface | VLAN Tag | Purpose | Test |
 |------|-----------|----------|---------|------|
 | host1 | bond0.40 | 40 | L2 VXLAN test | Ping host3 |
 | host2 | bond0.34 | 34 | L3 VXLAN (VRF gold) VLAN | Ping host4 |
 | host3 | bond0.40 | 40 | L2 VXLAN test | Ping host1 |
 | host4 | bond0.78 | 78 | L3 VXLAN (VRF gold) VLAN | Ping host2 |
 ---
 ## Why This Works
 ### Layer 2 Switching Basics
 When a **Linux host sends traffic on a VLAN subinterface** (e.g., `bond0.40`):
 1. The interface **adds a VLAN tag (802.1Q)** to the Ethernet frame
 2. Frame contains: `[Dest MAC][Source MAC][**VLAN Tag (40)**][Type][Data]`
 When a **Leaf switch receives the tagged frame**:
 1. It reads the VLAN tag (40)
 2. The frame matches the port's access VLAN (40)
 3. Frame is **untagged** and forwarded in VLAN 40
 4. Switch learns MAC and floods/forwards appropriately
 ---
 ## Testing the Fix
 ```bash
 # 1. Verify host VLAN interface exists
 docker exec clab-arista-evpn-fabric-host1 ip -d link show bond0.40
 # Expected: vlan protocol 802.1Q id 40 <BROADCAST,MULTICAST,UP,LOWER_UP>
 # 2. Verify host has IP on VLAN interface
 docker exec clab-arista-evpn-fabric-host1 ip addr show bond0.40
 # Expected: inet 10.40.40.101/24 dev bond0.40
 # 3. Ping the gateway (virtual router on Leaf)
 docker exec clab-arista-evpn-fabric-host1 ping -c 1 10.40.40.1
 # Expected: Should get reply from leaf VLAN40 gateway
 # 4. Ping remote host
 docker exec clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.103
 # Expected: 4/4 packets successful
 ```
 ---
 ## Key Files Changed
 1. **evpn-lab.clab.yml**
   - Updated all 4 host definitions with VLAN subinterface configuration
   - Each host now creates and configures its own VLAN tagged interface
 2. **END_TO_END_TESTING.md** (new)
   - Comprehensive testing guide for all connectivity scenarios
   - Troubleshooting procedures
   - Expected results validation
 ---
 ## Why VLAN Tagging is Required Here
 The topology uses **access mode port-channels on leafs** because:
 1. **Each host has a single VLAN** (no trunk needed)
 2. **VLAN tagging from the host side** is cleaner than reconfiguring leaf ports
 3. **Matches production design** where hosts are single-VLAN attached
 4. **Avoids manual leaf reconfiguration** after deployment
 Alternative approach (NOT used):
 - Could change leaf port-channels to trunk mode
 - Would require manually configuring allowed VLANs
 - More complex and less automated
 This is the automated, repeatable approach that avoids manual post-deployment configuration.
--- a/configs/leaf1.cfg
+++ b/configs/leaf1.cfg
@@ -71,16 +71,19 @@ interface Ethernet12
   ip address 10.0.2.1/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host1
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host1
   switchport mode trunk
   switchport trunk allowed vlan 40
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
--- a/configs/leaf2.cfg
+++ b/configs/leaf2.cfg
@@ -71,16 +71,19 @@ interface Ethernet12
   ip address 10.0.2.3/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host1
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host1
   switchport mode trunk
   switchport trunk allowed vlan 40
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
--- a/configs/leaf3.cfg
+++ b/configs/leaf3.cfg
@@ -5,6 +5,9 @@ hostname leaf3
 !
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 ! Enable IP routing
 ip routing
 !
 !
 ! Enable routing protocols
@@ -81,16 +84,19 @@ interface Ethernet12
   ip address 10.0.2.5/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host2
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host2
   switchport mode trunk
   switchport trunk allowed vlan 34
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
@@ -151,13 +157,6 @@ router bgp 65002
   neighbor 10.0.250.1 peer group evpn
   neighbor 10.0.250.2 peer group evpn
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.13:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      redistribute connected
   !
   ! IPv4 address family
   address-family ipv4
      neighbor underlay activate
@@ -169,4 +168,11 @@ router bgp 65002
   address-family evpn
      neighbor evpn activate
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.13:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      redistribute connected
 !
 end
--- a/configs/leaf4.cfg
+++ b/configs/leaf4.cfg
@@ -5,6 +5,9 @@ hostname leaf4
 !
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 ! Enable IP routing
 ip routing
 !
 !
 ! Enable routing protocols
@@ -81,16 +84,19 @@ interface Ethernet12
   ip address 10.0.2.7/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host2
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host2
   switchport mode trunk
   switchport trunk allowed vlan 34
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
@@ -151,13 +157,6 @@ router bgp 65002
   neighbor 10.0.250.1 peer group evpn
   neighbor 10.0.250.2 peer group evpn
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.14:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      redistribute connected
   !
   ! IPv4 address family
   address-family ipv4
      neighbor underlay activate
@@ -169,4 +168,11 @@ router bgp 65002
   address-family evpn
      neighbor evpn activate
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.14:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      redistribute connected
 !
 end
--- a/configs/leaf5.cfg
+++ b/configs/leaf5.cfg
@@ -72,16 +72,19 @@ interface Ethernet12
   ip address 10.0.2.9/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host3
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host3
   switchport mode trunk
   switchport trunk allowed vlan 40
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
--- a/configs/leaf6.cfg
+++ b/configs/leaf6.cfg
@@ -71,16 +71,19 @@ interface Ethernet12
   ip address 10.0.2.11/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host3
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host3
   switchport mode trunk
   switchport trunk allowed vlan 40
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
--- a/configs/leaf7.cfg
+++ b/configs/leaf7.cfg
@@ -5,6 +5,9 @@ hostname leaf7
 !
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 ! Enable IP routing
 ip routing
 !
 ! Enable routing protocols
 service routing protocols model multi-agent
@@ -87,16 +90,19 @@ interface Ethernet12
   ip address 10.0.2.13/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host4
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host4
   switchport mode trunk
   switchport trunk allowed vlan 78
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
@@ -157,17 +163,6 @@ router bgp 65004
   neighbor 10.0.250.1 peer group evpn
   neighbor 10.0.250.2 peer group evpn
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.17:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      neighbor 10.90.90.1 remote-as 64999
      redistribute connected
      !
      address-family ipv4
         neighbor 10.90.90.1 activate
   !
   ! IPv4 address family
   address-family ipv4
      neighbor underlay activate
@@ -179,4 +174,15 @@ router bgp 65004
   address-family evpn
      neighbor evpn activate
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.17:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      neighbor 10.90.90.1 remote-as 64999
      redistribute connected
      !
      address-family ipv4
         neighbor 10.90.90.1 activate
 !
 end
--- a/configs/leaf8.cfg
+++ b/configs/leaf8.cfg
@@ -5,6 +5,9 @@ hostname leaf8
 !
 ! admin/admin for ssh access
 username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM$.1wOJB25nw2fqYaSXDu6y4mo6AP9hngMCFe2vGDl84hWoz00Q.4unoEBqspNI0HEoRz.OZhdBHqQv12KABf0B0
 ! Enable IP routing
 ip routing
 !
 ! Enable routing protocols
 service routing protocols model multi-agent
@@ -87,16 +90,19 @@ interface Ethernet12
   ip address 10.0.2.15/31
   mtu 9214
 !
-! Host-facing interface (MLAG)
+! Host-facing interface (MLAG with LACP)
 interface Ethernet1
   description host4
-   channel-group 1 mode on
+   channel-group 1 mode active
 !
 interface Port-Channel1
   description host4
   switchport mode trunk
   switchport trunk allowed vlan 78
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 !
 ! Spanning-tree
 no spanning-tree vlan 4090
@@ -157,17 +163,6 @@ router bgp 65004
   neighbor 10.0.250.1 peer group evpn
   neighbor 10.0.250.2 peer group evpn
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.18:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      neighbor 10.90.90.1 remote-as 64999
      redistribute connected
      !
      address-family ipv4
         neighbor 10.90.90.1 activate
   !
   ! IPv4 address family
   address-family ipv4
      neighbor underlay activate
@@ -179,4 +174,15 @@ router bgp 65004
   address-family evpn
      neighbor evpn activate
   !
   ! VRF Gold configuration
   vrf gold
      rd 10.0.250.18:1
      route-target import evpn 1:100001
      route-target export evpn 1:100001
      neighbor 10.90.90.1 remote-as 64999
      redistribute connected
      !
      address-family ipv4
         neighbor 10.90.90.1 activate
 !
 end
--- a/configs/spine1.cfg
+++ b/configs/spine1.cfg
@@ -9,6 +9,9 @@ username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM
 ! Enable IP routing - CRITICAL for BGP to work
 ip routing
 !
 ! Enable IP routing to work
 ip routing
 !
 ! Enable routing protocols
 service routing protocols model multi-agent
 !
--- a/configs/spine2.cfg
+++ b/configs/spine2.cfg
@@ -9,6 +9,9 @@ username admin privilege 15 role network-admin secret sha512 $6$xQktFrbdeqEhVzLM
 ! Enable IP routing - CRITICAL for BGP to work
 ip routing
 !
 ! Enable IP routing to work
 ip routing
 !
 ! Enable routing protocols
 service routing protocols model multi-agent
 !
--- a/docs/HOST_INTERFACE_CONFIGURATION.md
+++ b/docs/HOST_INTERFACE_CONFIGURATION.md
@@ -0,0 +1,154 @@
 # Host Interface Configuration Guide
 ## Overview
 All four hosts in the lab use **persistent interface configuration files** mounted via ContainerLab's `binds` feature. This approach provides cleaner, more maintainable configuration compared to using `exec` commands.
 ## Architecture
 ### Dual-Homing with LACP Bonding
 Each host is dual-homed to an MLAG pair of leaf switches:
 - **host1**: dual-homed to leaf1 + leaf2 (VTEP1)
 - **host2**: dual-homed to leaf3 + leaf4 (VTEP2)
 - **host3**: dual-homed to leaf5 + leaf6 (VTEP3)
 - **host4**: dual-homed to leaf7 + leaf8 (VTEP4)
 ### VLAN Configuration
 Hosts handle VLAN tagging using sub-interfaces on the bond:
 | Host | VLAN | IP Address | Purpose | VRF |
 |------|------|------------|---------|-----|
 | host1 | 40 | 10.40.40.101/24 | L2 VXLAN test | default |
 | host2 | 34 | 10.34.34.102/24 | L3 VXLAN test | gold |
 | host3 | 40 | 10.40.40.103/24 | L2 VXLAN test | default |
 | host4 | 78 | 10.78.78.104/24 | L3 VXLAN test | gold |
 ## Interface Files Structure
 Each host has a configuration file in `hosts/` directory:
 - `hosts/host1_interfaces` → mounted to `/etc/network/interfaces` in host1
 - `hosts/host2_interfaces` → mounted to `/etc/network/interfaces` in host2
 - `hosts/host3_interfaces` → mounted to `/etc/network/interfaces` in host3
 - `hosts/host4_interfaces` → mounted to `/etc/network/interfaces` in host4
 ## Interface Configuration Format
 ### Example: host1_interfaces
 ```
 auto lo
 iface lo inet loopback
 # Bond interface with LACP (802.3ad)
 auto bond0
 iface bond0 inet manual
    bond-mode 4
    bond-miimon 100
    bond-lacp-rate 1
    bond-slaves eth1 eth2
 # VLAN 40 on bond0
 auto bond0.40
 iface bond0.40 inet static
    address 10.40.40.101
    netmask 255.255.255.0
    vlan-raw-device bond0
 ```
 ### Key Parameters Explained
 **Bond Configuration:**
 - `bond-mode 4`: LACP (802.3ad) mode - requires LACP on switch side
 - `bond-miimon 100`: Link monitoring interval (100ms)
 - `bond-lacp-rate 1`: Fast LACP (1 second intervals)
 - `bond-slaves eth1 eth2`: Physical interfaces in the bond
 **VLAN Sub-interface:**
 - `bond0.40`: VLAN interface notation (bond0.VLAN_ID)
 - `vlan-raw-device bond0`: Parent interface for VLAN
 - Static IP configuration with address/netmask
 ## Deployment Process
 When ContainerLab starts a host:
 1. **Mount interface file** via binds
 2. **Install packages**: `apk add ifupdown bonding vlan`
 3. **Load kernel modules**:
   - `modprobe bonding` - enables LACP bonding
   - `modprobe 8021q` - enables VLAN tagging
 4. **Bring up interfaces**: `ifup -a` reads `/etc/network/interfaces`
 ## Switch Configuration Requirements
 For proper LACP operation, leaf switches must have:
 ```
 interface Port-Channel1
   description host-X
   switchport mode trunk
   switchport trunk allowed vlan <vlan-id>
   mlag 1
   port-channel lacp fallback timeout 5
   port-channel lacp fallback individual
   no shutdown
 interface Ethernet1
   description host-X-link1
   channel-group 1 mode active
   lacp timer fast
   no shutdown
 ```
 **Critical settings:**
 - `port-channel lacp fallback`: Required for ContainerLab timing
 - `lacp timer fast`: Matches host's fast LACP rate
 - `no shutdown`: Must explicitly enable Port-Channel interface
 ## Advantages of This Approach
 1. **Persistence**: Configuration survives container restarts
 2. **Clarity**: Single file shows complete network config
 3. **Maintainability**: Easy to modify VLAN assignments
 4. **Production-like**: Mirrors real-world dual-homing scenarios
 5. **Clean deployment**: No manual post-deployment fixes needed
 ## Testing Connectivity
 ### L2 VXLAN (same VLAN)
 ```bash
 # host1 (VLAN 40) → host3 (VLAN 40)
 docker exec clab-arista-evpn-fabric-host1 ping -c 4 10.40.40.103
 ```
 ### L3 VXLAN (inter-VRF)
 ```bash
 # host2 (VLAN 34, VRF gold) → host4 (VLAN 78, VRF gold)
 docker exec clab-arista-evpn-fabric-host2 ping -c 4 10.78.78.104
 ```
 ## Troubleshooting
 ### Verify bond status on host
 ```bash
 docker exec clab-arista-evpn-fabric-host1 cat /proc/net/bonding/bond0
 ```
 ### Check VLAN interface
 ```bash
 docker exec clab-arista-evpn-fabric-host1 ip addr show bond0.40
 ```
 ### Verify LACP on switch
 ```bash
 ssh admin@clab-arista-evpn-fabric-leaf1 "show port-channel 1 detailed"
 ```
 ## References
 - Alpine Linux ifupdown-ng documentation
 - Linux bonding documentation: `/usr/src/linux/Documentation/networking/bonding.txt`
 - Arista MLAG configuration guide
 - srl-labs/srl-evpn-mh-lab (reference implementation)
--- a/evpn-lab.clab.yml
+++ b/evpn-lab.clab.yml
@@ -66,52 +66,94 @@ topology:
            mgmt-ipv4: 172.16.0.32
            startup-config: configs/leaf8.cfg
-        # Host devices for testing
+        # Host devices - DUAL-HOMED with LACP bonding to MLAG pairs
        host1:
            kind: linux
            mgmt-ipv4: 172.16.0.101
-            image: alpine:latest
+            image: ghcr.io/hellt/network-multitool
            cap-add:
                - NET_ADMIN
            exec:
-                - ip link add bond0 type bond mode balance-rr
+                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
                - ip link set dev eth1 down
                - ip link set dev eth2 down
                - ip link set eth1 master bond0
                - ip link set eth2 master bond0
-                - ip link set bond0 up
+                - ip link set dev eth1 up
-                - ip addr add 10.40.40.101/24 dev bond0
+                - ip link set dev eth2 up
                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
                - ip link add link bond0 name bond0.40 type vlan id 40
                - ip link set bond0.40 up
                - ip addr add 10.40.40.101/24 dev bond0.40
        host2:
            kind: linux
            mgmt-ipv4: 172.16.0.102
-            image: alpine:latest
+            image: ghcr.io/hellt/network-multitool
            cap-add:
                - NET_ADMIN
            exec:
-                - ip link add bond0 type bond mode balance-rr
+                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
                - ip link set dev eth1 down
                - ip link set dev eth2 down
                - ip link set eth1 master bond0
                - ip link set eth2 master bond0
-                - ip link set bond0 up
+                - ip link set dev eth1 up
-                - ip addr add 10.34.34.102/24 dev bond0
+                - ip link set dev eth2 up
-                - ip route add default via 10.34.34.1
+                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
                - ip link add link bond0 name bond0.34 type vlan id 34
                - ip link set bond0.34 up
                - ip addr add 10.34.34.102/24 dev bond0.34
                - ip route add 10.78.78.0/24 via 10.34.34.1
        host3:
            kind: linux
            mgmt-ipv4: 172.16.0.103
-            image: alpine:latest
+            image: ghcr.io/hellt/network-multitool
            cap-add:
                - NET_ADMIN
            exec:
-                - ip link add bond0 type bond mode balance-rr
+                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
                - ip link set dev eth1 down
                - ip link set dev eth2 down
                - ip link set eth1 master bond0
                - ip link set eth2 master bond0
-                - ip link set bond0 up
+                - ip link set dev eth1 up
-                - ip addr add 10.40.40.103/24 dev bond0
+                - ip link set dev eth2 up
                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
                - ip link add link bond0 name bond0.40 type vlan id 40
                - ip link set bond0.40 up
                - ip addr add 10.40.40.103/24 dev bond0.40
        host4:
            kind: linux
            mgmt-ipv4: 172.16.0.104
-            image: alpine:latest
+            image: ghcr.io/hellt/network-multitool
            cap-add:
                - NET_ADMIN
            binds:
                - hosts/host4_interfaces:/etc/network/interfaces
            exec:
-                - ip link add bond0 type bond mode balance-rr
+                - ip link add bond0 type bond mode 802.3ad
                - ip link set dev bond0 type bond xmit_hash_policy layer3+4
                - ip link set dev eth1 down
                - ip link set dev eth2 down
                - ip link set eth1 master bond0
                - ip link set eth2 master bond0
-                - ip link set bond0 up
+                - ip link set dev eth1 up
-                - ip addr add 10.78.78.104/24 dev bond0
+                - ip link set dev eth2 up
-                - ip route add default via 10.78.78.1
+                - ip link set dev bond0 type bond lacp_rate fast
                - ip link set dev bond0 up
                - ip link add link bond0 name bond0.78 type vlan id 78
                - ip link set bond0.78 up
                - ip addr add 10.78.78.104/24 dev bond0.78
                - ip route add 10.34.34.0/24 via 10.78.78.1
    links:
        # Spine1 to Leaf connections (underlay fabric)
@@ -140,15 +182,19 @@ topology:
        - endpoints: ["leaf5:eth10", "leaf6:eth10"]
        - endpoints: ["leaf7:eth10", "leaf8:eth10"]
-        # Host connections (dual-homed to MLAG pairs for testing)
+        # Host connections - DUAL-HOMED with LACP to MLAG pairs
        # host1 dual-homed to leaf1 + leaf2
        - endpoints: ["leaf1:eth1", "host1:eth1"]
        - endpoints: ["leaf2:eth1", "host1:eth2"]
        # host2 dual-homed to leaf3 + leaf4
        - endpoints: ["leaf3:eth1", "host2:eth1"]
        - endpoints: ["leaf4:eth1", "host2:eth2"]
        # host3 dual-homed to leaf5 + leaf6
        - endpoints: ["leaf5:eth1", "host3:eth1"]
        - endpoints: ["leaf6:eth1", "host3:eth2"]
        # host4 dual-homed to leaf7 + leaf8
        - endpoints: ["leaf7:eth1", "host4:eth1"]
        - endpoints: ["leaf8:eth1", "host4:eth2"]
--- a/hosts/README.md
+++ b/hosts/README.md
@@ -0,0 +1,75 @@
 # Host Interface Configuration Files
 This directory contains network interface configuration files for Alpine Linux hosts in the ContainerLab topology.
 ## Files
 - `host1_interfaces` - Configuration for host1 (VLAN 40, IP 10.40.40.101)
 - `host2_interfaces` - Configuration for host2 (VLAN 34, IP 10.34.34.102)
 - `host3_interfaces` - Configuration for host3 (VLAN 40, IP 10.40.40.103)
 - `host4_interfaces` - Configuration for host4 (VLAN 78, IP 10.78.78.104)
 ## Usage
 Each file is mounted to `/etc/network/interfaces` in its respective host container via ContainerLab's `binds` feature:
 ```yaml
 host1:
    kind: linux
    image: alpine:latest
    binds:
        - hosts/host1_interfaces:/etc/network/interfaces
 ```
 ## Format
 Files use Debian/Alpine ifupdown format with bonding and VLAN extensions:
 ```
 auto lo
 iface lo inet loopback
 auto bond0
 iface bond0 inet manual
    bond-mode 4                  # LACP (802.3ad)
    bond-miimon 100
    bond-lacp-rate 1
    bond-slaves eth1 eth2
 auto bond0.<vlan>
 iface bond0.<vlan> inet static
    address <ip-address>
    netmask 255.255.255.0
    vlan-raw-device bond0
 ```
 ## Key Concepts
 ### LACP Bonding
 - All hosts use **mode 4** (802.3ad LACP) bonding
 - Dual-homed to MLAG leaf pairs for redundancy
 - Requires matching LACP configuration on switches
 ### VLAN Tagging
 - Hosts handle VLAN tagging via sub-interfaces
 - Format: `bond0.<vlan_id>` (e.g., bond0.40, bond0.34, bond0.78)
 - Switch ports are configured as trunks allowing specific VLANs
 ### IP Addressing
 - Static IP configuration on VLAN sub-interfaces
 - Subnet assignment based on VLAN ID pattern (e.g., VLAN 40 = 10.40.40.0/24)
 ## Modification
 To change host configuration:
 1. Edit the appropriate `host*_interfaces` file
 2. Commit changes to git
 3. Redeploy the lab: `sudo containerlab deploy -t evpn-lab.clab.yml --reconfigure`
 No need to manually configure hosts after deployment - these files ensure clean, repeatable deployments.
 ## See Also
 - [HOST_INTERFACE_CONFIGURATION.md](../docs/HOST_INTERFACE_CONFIGURATION.md) - Detailed documentation
 - [DEPLOYMENT_GUIDE.md](../DEPLOYMENT_GUIDE.md) - Lab deployment instructions
--- a/hosts/host1_interfaces
+++ b/hosts/host1_interfaces
@@ -0,0 +1,18 @@
 auto lo
 iface lo inet loopback
 auto bond0
 iface bond0 inet manual
    use bond
    bond-slaves eth1 eth2
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate fast
    up ip link set $IFACE up
 auto bond0.40
 iface bond0.40 inet static
    address 10.40.40.101
    netmask 255.255.255.0
    vlan-raw-device bond0
    up ip link set $IFACE up
--- a/hosts/host2_interfaces
+++ b/hosts/host2_interfaces
@@ -0,0 +1,18 @@
 auto lo
 iface lo inet loopback
 auto bond0
 iface bond0 inet manual
    use bond
    bond-slaves eth1 eth2
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate fast
    up ip link set $IFACE up
 auto bond0.34
 iface bond0.34 inet static
    address 10.34.34.102
    netmask 255.255.255.0
    vlan-raw-device bond0
    up ip link set $IFACE up
--- a/hosts/host3_interfaces
+++ b/hosts/host3_interfaces
@@ -0,0 +1,18 @@
 auto lo
 iface lo inet loopback
 auto bond0
 iface bond0 inet manual
    use bond
    bond-slaves eth1 eth2
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate fast
    up ip link set $IFACE up
 auto bond0.40
 iface bond0.40 inet static
    address 10.40.40.103
    netmask 255.255.255.0
    vlan-raw-device bond0
    up ip link set $IFACE up
--- a/hosts/host4_interfaces
+++ b/hosts/host4_interfaces
@@ -0,0 +1,19 @@
 auto lo
 iface lo inet loopback
 auto bond0
 iface bond0 inet manual
    use bond
    bond-slaves eth1 eth2
    bond-mode 802.3ad
    bond-miimon 100
    bond-lacp-rate fast
    up ip link set $IFACE up
 auto bond0.78
 iface bond0.78 inet static
    address 10.78.78.104
    netmask 255.255.255.0
    gateway 10.78.78.1
    vlan-raw-device bond0
    up ip link set $IFACE up