802.1Q tunneling native VLAN question

lap
Level 2

Hi all,

I have a question regarding the behavior of 802.1Q tunneling on a Cisco 3560 when the customer switch is using an access port towards the ISP PE instead of a trunk port. Please see the diagram below:

[Diagram: QinQ.jpg]

So when the server with IP 10.10.10.10 is pinging the other server 10.10.10.20, how will SW1 process this traffic, as this traffic is sent untagged from SW3 to SW1 and the native VLAN is 1 everywhere?

Will the frame sent from SW1 to SW2 look like this: |MAC-DA | MAC-SA |Etype |TAG VLAN 1000 | Etype | VLAN 1 | Len/Etype | DATA | FCS | ?

The question is: will this traffic be double tagged when using the native VLAN as illustrated in the diagram?

Thanks for taking the time to explain ;-)

Regards,

Laurent


fabrice75
Level 1

Bonjour Laurent,

Your question is a bit weird to me, as I don't understand why the client is not in trunk mode; I would be curious to know why you would do a setup like this.

Unless you use the "vlan dot1q tag native" command on the switches, the native VLANs are sent untagged over a trunk, so I really doubt that you will have a double tagged frame in your case.

Rgds,

Fab

Hi Fabrice,

I know that this setup is not best practice ;-)

But even if running a trunk between the ISP and the customer, what will happen to the untagged traffic sent by the customer?

I did lab this setup and I can ping between the 2 hosts shown in the diagram. So if the traffic wasn't double tagged, I wouldn't be able to ping, right?

Regards,

Laurent

Hi Laurent,

I will assume that the untagged frame received by the provider switch will be treated as native VLAN ==> VLAN 1 (since untagged). Since you didn't configure tag native, VLAN 1 will still flow untagged through the network.

I still can't see how you would get double tagging on this setup; only the tag for VLAN 1000 should be present in your ISP network.

Since you have set this up in a lab, I would suggest that you configure a SPAN session and use Wireshark to see what's happening.

  • Make sure that you use the replicate option if configuring a SPAN session on a lower-end switch (3700 etc.) and/or that the port is configured as a trunk for other device types (6500 etc.)
  • Make sure that the driver on your Wireshark PC doesn't strip off VLAN tags

You didn't mention anything about MTU size; I assume that you have it under control.

Cheers,

Fab

Hi Laurent,

The traffic is not getting double tagged. Put it this way: the port on SW1 (dot1q tunnel port) is an access port, i.e. it has an access VLAN, which in your case is 1000. So your untagged traffic from SW3 will go into VLAN 1000, which will be transported across the ISP as a single tagged packet, and it gets stripped off at the other end on SW2. Now SW2 will send that untagged traffic out to SW4, and then SW4 puts it in the right VLAN 48 and then it goes down to location 2.

So in the ISP it's just a single tagged VLAN between SW1 and SW2. The native VLAN concept comes into play only on trunk ports and not access ports.

HTH

Kishore
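To make Kishore's explanation concrete, here is an added example (not code from the thread or from Cisco) that models the thread's topology: SW1's dot1q tunnel port pushes metro tag 1000 on whatever SW3 sends, the ISP trunk applies the native-VLAN rule Fabrice mentioned, and SW2's tunnel port pops the metro tag. The helper names, MAC addresses and the `tag_native` switch are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple
# Constructed model of the thread's topology (hypothetical helper names, not Cisco code):
# SW3 -> SW1 tunnel port (access VLAN 1000) -> ISP trunk (native 1) -> SW2 tunnel port -> SW4.

@dataclass
class Frame:
    dst: str
    src: str
    tags: List[int] = field(default_factory=list)  # 802.1Q VLAN IDs, outermost tag first
    payload: str = "ICMP echo"

    def layout(self) -> str:
        """Render the header order the way the thread writes it."""
        parts = ["MAC-DA", "MAC-SA"]
        for vid in self.tags:
            parts += ["Etype", f"TAG VLAN {vid}"]
        return " | ".join(parts + ["Len/Etype", "DATA", "FCS"])

def tunnel_port_ingress(frame: Frame, s_vlan: int) -> Frame:
    """SW1 tunnel port is an access port: it pushes the metro tag on every frame,
    whether the customer frame arrived untagged or already carried a C-tag."""
    return Frame(frame.dst, frame.src, [s_vlan] + frame.tags, frame.payload)

def trunk_egress(frame: Frame, native_vlan: int, tag_native: bool) -> Frame:
    """ISP trunk SW1 -> SW2: frames in the trunk's native VLAN leave untagged
    unless 'vlan dot1q tag native' is configured (Fabrice's point above)."""
    if frame.tags and frame.tags[0] == native_vlan and not tag_native:
        return Frame(frame.dst, frame.src, frame.tags[1:], frame.payload)
    return frame

def tunnel_port_egress(frame: Frame, s_vlan: int) -> Frame:
    """SW2 tunnel port: pop the metro tag; what remains is exactly what SW3 sent."""
    if frame.tags and frame.tags[0] == s_vlan:
        return Frame(frame.dst, frame.src, frame.tags[1:], frame.payload)
    return frame  # nothing to pop: the trunk already sent it untagged

def isp_transit(frame: Frame, s_vlan: int = 1000, isp_native: int = 1,
                tag_native: bool = False) -> Tuple[Frame, Frame]:
    """Return (frame as seen on the ISP trunk, frame delivered to SW4)."""
    on_trunk = trunk_egress(tunnel_port_ingress(frame, s_vlan), isp_native, tag_native)
    return on_trunk, tunnel_port_egress(on_trunk, s_vlan)

if __name__ == "__main__":
    # 10.10.10.10 pinging 10.10.10.20 leaves SW3 untagged (customer native VLAN 1)
    core, delivered = isp_transit(Frame("aa:aa:aa:aa:aa:20", "aa:aa:aa:aa:aa:10"))
    print("ISP core:", core.layout())       # one tag (1000); no inner 'VLAN 1' tag exists
    print("to SW4:  ", delivered.layout())  # untagged again, as SW3 sent it
    core, _ = isp_transit(Frame("aa:aa:aa:aa:aa:20", "aa:aa:aa:aa:aa:10", [48]))
    print("C-tagged:", core.layout())       # only a tagged customer frame yields two tags
```

Running it shows the single-tag frame on the ISP trunk for the untagged ping, and that the two-tag layout from the first post only appears when the customer frame itself carries a C-tag.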

Hi Kishore and Fabrice,

Now I got it! It was also stupid what I wrote in my first post regarding the frame format:

|MAC-DA | MAC-SA |Etype |TAG VLAN 1000 | Etype | VLAN 1 | Len/Etype | DATA

That is wrong, as VLAN 1 is untagged.

What will happen if the ISP wants to provide some Internet service to the customer? How will you do that with 802.1Q tunneling?

Regards,

Laurent

Hi Laurent,

dot1q tunneling is very helpful in that customers can use the same VLAN numbers and still be able to get services like Internet, IP VPN, etc., because the ISP VLANs encapsulate these and pass them around.

Now in regards to your question about Internet, it depends. If you are already sending a tagged frame (C-TAG) into the ISP into VLAN 1000, for example, then that 1000 (S-TAG) will terminate on an aggregate switch where it will strip off the outer VLAN, and then your VLAN is sent into a subinterface or something on an edge router which will have VRFs configured, etc. Or it might end up on a customer GW router, whereby the customer GW router directly talks to the border router in the ISP, which then talks to upstream routers in the public space.

Does this help?

HTH

Kishore

Please rate helpful posts

Hi Kishore,

Thanks a lot for your explanation! Now I am not confused anymore.

A last question. I guess that tagging all VLANs in my example (with "vlan dot1q tag native") would have double tagged the customer traffic in the ISP core when the customer sends traffic untagged. Is that correct?

Regards,

Laurent

> What will happen if the ISP wants to provide some Internet service to the customer? How will you do that with 802.1Q tunneling?

Laurent, you might find this blog post I wrote helpful regarding Internet access with 802.1Q tunnels: http://kemot-net.com/blog/intenet-access-with-dot1q-tunnel/

Basically, any untagged traffic can be routed by the provider's switch, as long as you have the correct VLAN interfaces. Please read the post for an example and more details.

Thanks

Tom Kacprzynski
