I have a question regarding the behavior of 802.1Q tunneling on Cisco 3560 when the customer switch is using an access port towards the ISP PE instead of a trunk port. Please see the diagram below:
So when the server with IP 10.10.10.10 is pinging the other server 10.10.10.20, how will SW1 process this traffic, as this traffic is sent untagged from SW3 to SW1 and the native VLAN is 1 everywhere?
Will the frame sent from SW1 to SW2 look like this: |MAC-DA | MAC-SA |Etype |TAG VLAN 1000 | Etype | VLAN 1 | Len/Etype | DATA | FCS | ?
The question is: will this traffic be double tagged when using the native VLAN as illustrated in the diagram?
Thanks for taking time to explain;-)
Your question is a bit weird to me as I don't understand why the client is not in trunk mode, I would be curious to know why you would do a setup like this?
Unless you use the "vlan dot1q tag native" command on switches the native VLANs are sent untagged over a trunk so I really doubt that you will have a double tagged frame in your case.
I know that this setup is not best practice ;-)
But even if running a trunk between the ISP and the customer what will happen to the untagged traffic sent by the customer?
I did lab this setup and I can ping between the 2 hosts shown in the diagram. So if the traffic wasn't double tagged I wouldn't be able to ping, right?
I will assume that the untagged frame received by the provider switch will be treated as native VLAN ==> VLAN1 (since untagged). Since you didn't configure tag native, VLAN1 will still flow untagged through the network.
I still can't see how you would get double tagging on this setup, only tag for VLAN1000 should be present in your ISP network.
Since you have set this up in a lab I would suggest that you configure a SPAN session and use Wireshark to see what's happening.
You didn't mention anything about MTU size; I assume that you have it under control.
The traffic is not getting double tagged. Put it this way. The port on SW1 (dot1q tunnel port) is an access port, i.e. it has an access vlan, which in your case is 1000. So your untagged traffic from SW3 will go into vlan 1000, which will be transported across the ISP as a single tagged packet, and it gets stripped off at the other end on SW2. Now SW2 will send that untagged traffic out to SW4, and then SW4 puts it in the right vlan 48 and then it goes down to location 2.
So in the ISP it's just a single tagged vlan between SW1 and SW2. Native vlan concept comes only on trunk ports and not access ports.
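The tag handling described in the answer above, as an added Python example that is not part of the thread: the tunnel port pushes its access VLAN (1000) as the outer tag onto whatever the customer sends, so an untagged frame carries one tag in the ISP core and a customer-tagged frame carries two. Assumptions: both tags use EtherType 0x8100, and the MAC addresses and the C-TAG 48 frame are constructed sample values.

```python
import struct

TPID = 0x8100   # assumption: C-TAG and S-TAG both use EtherType 0x8100
S_VLAN = 1000   # access VLAN of the dot1q tunnel port on SW1/SW2 (from the thread)
MACS = bytes.fromhex("00005e005314") + bytes.fromhex("00005e00530a")  # constructed DA + SA

def customer_frame(c_vlan=None, payload=b"ping"):
    """Frame as the customer switch sends it: untagged, or with one C-TAG. FCS omitted."""
    tag = b"" if c_vlan is None else struct.pack("!HH", TPID, c_vlan)
    return MACS + tag + struct.pack("!H", 0x0800) + payload

def tunnel_ingress(frame, s_vlan=S_VLAN):
    """Tunnel port, receive side: insert the S-TAG after the MACs without inspecting the rest."""
    return frame[:12] + struct.pack("!HH", TPID, s_vlan) + frame[12:]

def tunnel_egress(frame, s_vlan=S_VLAN):
    """Tunnel port, transmit side: remove the outer tag, restoring the customer's frame."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID or (tci & 0x0FFF) != s_vlan:
        raise ValueError("outer tag is not the expected S-TAG")
    return frame[:12] + frame[16:]

def vlan_stack(frame):
    """Return ([VLAN IDs, outermost first], EtherType found after the last tag)."""
    vlans, off = [], 12
    while True:
        if len(frame) < off + 2:
            raise ValueError("truncated frame")
        (etype,) = struct.unpack("!H", frame[off:off + 2])
        if etype != TPID:
            return vlans, etype
        if len(frame) < off + 4:
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        vlans.append(tci & 0x0FFF)
        off += 4

if __name__ == "__main__":
    for label, c_vlan in (("untagged", None), ("C-TAG 48", 48)):
        core = tunnel_ingress(customer_frame(c_vlan))
        print(label, "-> tags in ISP core:", vlan_stack(core)[0])
```

Each pushed tag adds 4 bytes to the frame, which is why the MTU on the provider side matters for tunneled traffic.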
Hi Kishore and Fabrice
Now I got it! Was also stupid what I wrote in my first post regarding the frame format:
|MAC-DA | MAC-SA |Etype |TAG VLAN 1000 | Etype | VLAN 1 | Len/Etype | DATA
That is wrong, as VLAN 1 is untagged.
What will happen if the ISP wants to provide some Internet service to the customer? How will you do that with 802.1Q tunneling?
dot1q tunneling is very helpful in a way that customers can use the same vlan numbers and still they will be able to get the services like internet, IPVPN etc., because the ISP vlans encapsulate these and pass them around.
Now in regards to your question for internet, it depends. If you already are sending a tagged frame (C-TAG) into the ISP into vlan 1000, for example, then that 1000 (S-TAG) will terminate on an aggregate switch where it will strip off the outer vlan, and then your vlan is sent into a subinterface or something on an edge router which will have VRFs configured etc., or it might end up on a customer GW router whereby the customer GW router directly talks to the border router in the ISP, which then talks to upstream routers in the public space.
Does this help?
Please rate helpful posts
Thanks a lot for your explanation! Now I am not confused anymore.
A last question. I guess that tagging all VLANs in my example (with "vlan dot1q tag native") would have double tagged the customer traffic in the ISP core when sending traffic from the customer as untagged. Is it correct?
> What will happen if the ISP want to provide some Internet service to the customer? How will you do that with 802.1Q tunneling?
Laurent, you might find this blog post I wrote helpful regarding internet access with 802.1Q tunnels: http://kemot-net.com/blog/intenet-access-with-dot1q-tunnel/
Basically any untagged traffic can be routed by the provider's switch, as long as you have the correct vlan interfaces. Please read the post for an example and better details.