dot1q-tunneling and native frames (untagged)

Hi all, I have the following setup:

Tunnel Port:

interface GigabitEthernet1/0/2
 switchport access vlan 784
 switchport mode dot1q-tunnel
 switchport nonegotiate
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree portfast

Trunk Port - Into Carrier Network

interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4094
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 speed nonegotiate
 spanning-tree bpdufilter enable

The Native Port on the tunnel interface = 1 and native VLAN tagging is enabled on the switch.

What happens to untagged frames that hit the tunnel port from the customer? Imagine that they don't have their port as a trunk and are instead emitting untagged frames.

Are these dropped, or do they simply have a single Q-tag pushed and are then tunnelled through the carrier network?

I have followed the recommendation of making the trunk port have a native VLAN that is not the native VLAN of any of the tunnel ports.


didyap Tue, 02/12/2008 - 14:24

You cannot get the switch port UP if the other end of the link is not compatible with the config for this port. So, if one side is a trunk and the other is not, then the port will not come UP. On a trunk line only the frames of the native VLAN are sent without any tagging, and all other VLAN frames are tagged according to their VLAN numbers.

Pavel Bykov Thu, 05/29/2008 - 06:04

Normally double-tag traffic is seen as NON-IP traffic by metro devices, since they cannot see beyond the first tag.

Untagged customer traffic will behave like IP traffic in the metro network, since it will have only one tag.

You can use a trick - create an IP access list on the trunk port with "deny ip any any" - basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Of course that will disable your management - so you need to plan this.

If more than one customer is using the same S-VLAN, and one customer has e.g. VLAN 3 untagged, and the other one has VLAN 5 untagged, their VLANs will be interconnected.

Pavel Bykov Thu, 05/29/2008 - 06:05

The trunk port should have a non-default native VLAN on the customer side.
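
The tag handling discussed in this thread, modelled as an added Python example (not code from any poster and not Cisco's implementation). It assumes a dot1q-tunnel port pushes the S-tag on every ingress frame and that TPID 0x8100 is used for both tags; the function names and sample frames are constructed for illustration.

```python
import struct

TPID = 0x8100  # 802.1Q tag type; assumed for both the customer tag and the S-tag

def frame(dst, src, payload, vlans=()):
    """Build an Ethernet frame; `vlans` lists 802.1Q tags, outermost first."""
    tags = b"".join(struct.pack("!HH", TPID, v & 0x0FFF) for v in vlans)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload

def tag_stack(raw):
    """Return the VLAN IDs found after the MAC addresses, outermost first."""
    vlans, off = [], 12
    while struct.unpack_from("!H", raw, off)[0] == TPID:
        vlans.append(struct.unpack_from("!H", raw, off + 2)[0] & 0x0FFF)
        off += 4
    return vlans

def tunnel_ingress(raw, s_vlan):
    """dot1q-tunnel port: push the S-tag on every frame, tagged or not."""
    return raw[:12] + struct.pack("!HH", TPID, s_vlan) + raw[12:]

def tunnel_egress(raw, s_vlan):
    """Far-end tunnel port: deliver only frames in this S-VLAN, outer tag removed."""
    if tag_stack(raw)[:1] != [s_vlan]:
        return None
    return raw[:12] + raw[16:]

def customer_classify(raw, native_vlan):
    """Customer trunk: an untagged frame lands in that site's native VLAN."""
    stack = tag_stack(raw)
    return stack[0] if stack else native_vlan

def across_tunnel(raw, s_vlan, far_native):
    """VLAN the far customer site assigns after one trip through the tunnel."""
    delivered = tunnel_egress(tunnel_ingress(raw, s_vlan), s_vlan)
    return customer_classify(delivered, far_native)

# Constructed sample frames (MAC addresses and payload are made up).
DST, SRC = bytes.fromhex("ffffffffffff"), bytes.fromhex("020000000001")
untagged = frame(DST, SRC, b"hello")
tagged10 = frame(DST, SRC, b"hello", vlans=[10])

if __name__ == "__main__":
    print(tag_stack(tunnel_ingress(untagged, 784)))    # S-tag only
    print(tag_stack(tunnel_ingress(tagged10, 784)))    # S-tag over C-tag
    print(across_tunnel(untagged, 784, far_native=5))  # sender's native VLAN is not carried
    print(across_tunnel(tagged10, 784, far_native=5))  # C-tag survives the tunnel
```

An untagged frame carries no record of the sender's native VLAN, so the far site files it under whatever its own native VLAN is; a customer-tagged frame keeps its C-tag end to end.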

