Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
303
Views
1
Helpful
6
Replies

Using "vlan dot1q tag native" and Meraki gateways

danielddddddddd
Level 1
Level 1

‎07-14-2025 01:39 PM

Hi,

I have a client who is using the command "vlan dot1q tag native" on their Catalyst switches (causing all packets even on the default VLAN to be tagged and require tags), and Meraki MX105 firewalls.

Packets leaving the MX105s are tagged on all VLANs except the default VLAN 1. When packets hit the C9300s they are discarded, as per the command's request.

I've changed the Meraki ports to drop untagged traffic like so:

danielddddddddd_0-1752525187210.png

This has not fixed the problem.

If I change the Meraki configuration so that a dummy VLAN (not required on that port) is the native port and the rest is tagged, that works but is inelegant.

Is there a correct Catalyst solution here please? Can I permit non-tagged traffic on just the trunk ports I need to? I don't see an interface-level command for this.

Thanks all

Labels:
0 Helpful
6 Replies 6

MHM Cisco World
VIP
VIP

‎07-14-2025 01:42 PM

vlan dot1q tag native <<- this command per interface' remove it and hence SW will untag traffic of native vlan 

MHM

0 Helpful

danielddddddddd
Level 1
Level 1
In response to MHM Cisco World

‎07-14-2025 01:44 PM

Reconfiguring my entire network is not possible.

0 Helpful

MHM Cisco World
VIP
VIP
In response to danielddddddddd

‎07-14-2025 01:48 PM - edited ‎07-14-2025 01:52 PM

That why I mention this command per interface

Only make SW untag native vlan in trunk toward FW

Note:- not all SW support command per interface but in global mode 

MHM

0 Helpful

danielddddddddd
Level 1
Level 1
In response to MHM Cisco World

‎07-14-2025 01:56 PM

Thank you for your suggestion - my original post was asking how to do this, not what to do. I realise that permitting and sending untagged traffic on just these trunk ports is what is required, but I don't know how to do this.

The C9300 with software v17.16.01 does not have a 'vlan' or 'dot1q' at interface level and I do not know if there is another command I should issue.

paul driver
VIP
VIP

‎07-15-2025 01:26 AM - edited ‎07-15-2025 01:26 AM

Hello
as the native vlan is not per switch but per interface - I would say using an unused vlan as the native and pruning it off all trunks is the most viable option - infact it recommended as a best practice  - as removing the native vlan as being tagged is also recommended but you state this cannot be done.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

MHM Cisco World
VIP
VIP

‎07-15-2025 01:32 AM

I check yesterday 

C9k not support per interface native vlan untag command so you can disbale it 

Meraki FW not support native vlan tag 

So you workaround is only way to solve issue.

Thanks 

MHM

0 Helpful
Customers Also Viewed These Support Documents