Thanks for interest!

1.
l3 agent mode on controllers
agent_mode = dvr_snat
on compute hosts
agent_mode = dvr

2. tenant network type = vxlan

3. external network type = vlan

4. not sure that i understand question
but i have physical NIC 'itrunk' which connected to br-ex in OVS
this NIC configured to pass any VLAN traffic like trunk port
--
    Bridge br-ex
        Controller "tcp:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        datapath_type: system
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
        Port itrunk
            Interface itrunk
--


My configs:

l3_agent.ini (for comp node, on controller only diff agent_mode is dvr_snat) --
[DEFAULT]
agent_mode = dvr
ha_vrrp_health_check_interval = 5

[agent]

[ovs]
ovsdb_connection = tcp:127.0.0.1:6640
--


ml2_conf.ini (same on comp an control nodes) --
[ml2]
type_drivers = vxlan,vlan,flat
tenant_network_types = vxlan,vlan,flat
mechanism_drivers = openvswitch,l2population
extension_drivers = qos,port_security,dns

[ml2_type_vlan]
network_vlan_ranges = vlans1:156:158,vlans1:163:165

[ml2_type_flat]
flat_networks = public1

[ml2_type_vxlan]
vni_ranges = 1:1000

[securitygroup]
firewall_driver = openvswitch

[agent]
tunnel_types = vxlan
l2_population = true
arp_responder = true
enable_distributed_routing = True
extensions = qos

[ovs]
bridge_mappings = public1:br-pub,vlans1:br-ex
datapath_type = system
ovsdb_connection = tcp:127.0.0.1:6640
local_ip = [...]
of_connect_timeout = 300
of_request_timeout = 300
of_inactivity_probe = 60
--

neutron.conf --
[DEFAULT]
debug = False
log_dir = /var/log/kolla/neutron
use_stderr = False
bind_host = [...]
bind_port = 9696
api_paste_config = /usr/share/neutron/api-paste.ini
endpoint_type = internalURL
api_workers = 5
metadata_workers = 5
rpc_workers = 3
rpc_state_report_workers = 3
metadata_proxy_socket = /var/lib/neutron/kolla/metadata_proxy
interface_driver = openvswitch
allow_overlapping_ips = true
core_plugin = ml2
service_plugins = qos,router
dhcp_agents_per_network = 2
l3_ha = true
max_l3_agents_per_router = 3
transport_url = rabbit://[...]
router_distributed = True
dns_domain = os.loc.
external_dns_driver = designate
ipam_driver = internal
rpc_response_timeout = 180

[nova]
auth_url = http://[...]:35357
auth_type = password
project_domain_id = default
user_domain_id = default
region_name = RegionOne
project_name = service
username = nova
password = [...]
endpoint_type = internal

[oslo_middleware]
enable_proxy_headers_parsing = True

[oslo_concurrency]
lock_path = /var/lib/neutron/tmp

[agent]
root_helper = sudo neutron-rootwrap /etc/neutron/rootwrap.conf

[database]
connection = mysql+pymysql://[...]/neutron
max_retries = -1

[keystone_authtoken]
www_authenticate_uri = http://[...]:5000
auth_url = http://[...]:35357
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = neutron
password = [...]
memcache_security_strategy = ENCRYPT
memcache_secret_key = [...]
memcached_servers = [...]

[oslo_messaging_notifications]
transport_url = rabbit://[...]
driver = messagingv2
topics = notifications,notifications_designate

[octavia]
base_url = http://[...]:9876

[designate]
url = http://[...]:9001/v2
auth_uri = http://[...]:5000
auth_url = http://[...]:35357
auth_type = password
project_domain_id = default
user_domain_id = default
project_name = service
username = designate
password = [...]
allow_reverse_dns_lookup = True
ipv4_ptr_zone_prefix_size = 24
ipv6_ptr_zone_prefix_size = 116

[placement]
auth_type = password
auth_url = http://[...]:35357
username = placement
password = [...]
user_domain_name = Default
project_name = service
project_domain_name = Default
os_region_name = RegionOne
os_interface = internal

[privsep]
helper_command = sudo neutron-rootwrap /etc/neutron/rootwrap.conf privsep-helper
--

hope this helps