3550 and Native Vlan configuration

Hello everybody!

Here is my setup:

2 x 3550 with c3550-ipservicesk9-mz.122-44.SE6.bin

SW1:

interface FastEthernet0/1
description Connected to notebook
switchport trunk encapsulation dot1q
switchport mode trunk

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport mode trunk
no cdp enable

interface Vlan5
ip address 5.5.5.1 255.255.255.0

interface Vlan6
ip address 6.6.6.1 255.255.255.0

monitor session 1 source interface Gi0/1
monitor session 1 destination interface Fa0/1 encapsulation dot1q

SW2:

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport mode trunk
no cdp enable

interface Vlan5
ip address 5.5.5.2 255.255.255.0

interface Vlan6
ip address 6.6.6.2 255.255.255.0

When I start wireshark on the notebook I get this:

Frame 794 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: Cisco_8b:b4:80 (00:16:c8:8b:b4:80), Dst: Cisco_f1:cc:00 (00:15:63:f1:cc:00)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 6
Internet Protocol, Src: 6.6.6.2 (6.6.6.2), Dst: 6.6.6.1 (6.6.6.1)
Internet Control Message Protocol

Frame 795 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: Cisco_f1:cc:00 (00:15:63:f1:cc:00), Dst: Cisco_8b:b4:80 (00:16:c8:8b:b4:80)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 6
Internet Protocol, Src: 6.6.6.1 (6.6.6.1), Dst: 6.6.6.2 (6.6.6.2)
Internet Control Message Protocol

Frame 796 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: Cisco_8b:b4:80 (00:16:c8:8b:b4:80), Dst: Cisco_f1:cc:00 (00:15:63:f1:cc:00)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 6
Internet Protocol, Src: 6.6.6.2 (6.6.6.2), Dst: 6.6.6.1 (6.6.6.1)
Internet Control Message Protocol

Frame 797 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: Cisco_f1:cc:00 (00:15:63:f1:cc:00), Dst: Cisco_8b:b4:80 (00:16:c8:8b:b4:80)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 6
Internet Protocol, Src: 6.6.6.1 (6.6.6.1), Dst: 6.6.6.2 (6.6.6.2)
Internet Control Message Protocol

So I wonder why I see an 802.1q tag for vlan 6 if I configured native vlan 6 and the "show vlan dot1q tag native" command says that dot1q native vlan tagging is disabled.


Nagaraja Thanthry
Cisco Employee

Hello,

The reason you are seeing the tag is due to the configuration you made with the monitor session. When you configure "encap dot1q", the switch will preserve the tag. This is to ensure that at the monitoring system, you can identify traffic belonging to different vlans easily. Also, if you notice, the port where you have connected to notebook, you have configured it as trunk port with native vlan of 1. So, when you are sending data over that trunk, VLAN 6 packets need to be tagged.

Regards,

NT

Nagaraja Thanthry, thanks for the reply, but I tested your answer immediately and got no good news.

Here are the new configs:

SW1:

monitor session 1 source interface Gi0/1
monitor session 1 destination interface Fa0/1

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 6
switchport mode trunk

(I thought the configuration of the monitor destination port has no impact on the actual result.)

g0/1 and SW2 configurations are unchanged.

Now in wireshark I have no tags at all (neither vlan 5 nor vlan 6).

Still got no good news.

I changed the configs to the following:

SW1:

interface FastEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
no cdp enable

monitor session 1 source interface Gi0/1
monitor session 1 destination interface Fa0/1 encapsulation dot1Q

SW2:

interface GigabitEthernet0/1
switchport trunk encapsulation dot1q
switchport trunk native vlan 5
switchport mode trunk
no cdp enable

Now, when I try to sniff packets with vlan dot1q tag native option enabled or disabled, I have the same result:

Frame 13451 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:0d:65:33:f7:80 (00:0d:65:33:f7:80), Dst: 00:13:60:50:50:40 (00:13:60:50:50:40)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 6
Internet Protocol, Src: 6.6.6.2 (6.6.6.2), Dst: 6.6.6.1 (6.6.6.1)
Internet Control Message Protocol

Frame 13452 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: 00:13:60:50:50:40 (00:13:60:50:50:40), Dst: 00:0d:65:33:f7:80 (00:0d:65:33:f7:80)
802.1Q Virtual LAN, PRI: 0, CFI: 0, ID: 6
Internet Protocol, Src: 6.6.6.1 (6.6.6.1), Dst: 6.6.6.2 (6.6.6.2)
Internet Control Message Protocol

Frame 13491 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: 00:0d:65:33:f7:80 (00:0d:65:33:f7:80), Dst: 00:13:60:50:50:40 (00:13:60:50:50:40)
Internet Protocol, Src: 5.5.5.2 (5.5.5.2), Dst: 5.5.5.1 (5.5.5.1)
Internet Control Message Protocol

Frame 13492 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: 00:13:60:50:50:40 (00:13:60:50:50:40), Dst: 00:0d:65:33:f7:80 (00:0d:65:33:f7:80)
Internet Protocol, Src: 5.5.5.1 (5.5.5.1), Dst: 5.5.5.2 (5.5.5.2)
Internet Control Message Protocol

Why are vlan 5 packets untagged?

Can you try configuring native vlan 6 on the port connected to PC because "If a packet has a VLAN ID that is the same as the outgoing port native VLAN ID, the packet is sent untagged; otherwise, the switch sends the packet with a tag".

If I do "switchport trunk native vlan 6" on the interface connected to PC now I can see tags for vlan 5, but don't see tags for vlan 6. It's ok, but I must see tags for all vlans with "dot1q native vlan tagging is enabled".

Dot1q native VLAN tagging is a whole new concept; it enables service providers to use a single VLAN to support customers who have multiple VLANs, while preserving customer VLAN IDs and keeping traffic in different customer VLANs segregated. I am not sure why you are using dot1q native vlan tagging to span traffic. Can you explain your requirement a little?

No specific requirements. Just doing some research for myself and turned span on to correlate what is written in the books with actual packet flows in hardware. Started with basics - trunk and flowing pings and stp bpdus through it. Then I tried to add "dot1q native vlan tagging" to see that all my packets are flowing with the tags, but no success.

So are you saying that "dot1q native vlan tagging" is only related to QinQ tunneling?

greg.cowell
Level 1

I have observed the exact same issue when monitoring 802.1q trunk ports. It seems that the native VLAN of the destination port affects the 802.1q tags that you see. Packets on the source port that are from the same VLAN as the native VLAN of the destination port appear as untagged on the destination monitor port. Packets from all other VLANs are tagged with the corresponding 802.1q tags. The traffic you observe on the destination port does not appear to be a true representation of what is being tagged.

I found that if I set the native VLAN on the destination port to be a VLAN that is not used on the source port, then all the destination port packets get 802.1q tags - even the native VLAN of the source port. Setting the native VLAN to be tagged globally (vlan dot1q tag native) seems to have no effect on SPAN port behaviour. I assume that the native VLAN on the source port really is being tagged as it should. However it appears to be impossible to confirm this using a SPAN port. Perhaps someone else knows a workaround for this.

An ethernet tap or similar on the trunk may be the best way to physically observe the effect of the "vlan dot1q tag native" command.

Looks like this issue applies to the Catalyst 3550 but not the Catalyst 3560.

On a 3560 you can use:

      monitor session 1 destination interface Fa0/1 encapsulation replicate

instead of:

      monitor session 1 destination interface Fa0/1 encapsulation dot1q

There doesn't seem to be a workaround for the 3550.
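The 118-byte and 114-byte frames in the captures above differ by exactly the 4-byte 802.1Q tag. As an added example (not part of the original thread), this Python sketch reads the tag straight from raw frame bytes so a capture taken on a SPAN port or a tap can be checked frame by frame. The helper names and the zero-filled payload are assumptions made for illustration; the MAC addresses are the ones shown in the thread.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def parse_vlan(frame: bytes):
    """Return (vid, pcp, dei, inner_ethertype); vid is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    # TCI layout: 3 bits priority (PRI), 1 bit CFI/DEI, 12 bits VLAN ID
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, (tci >> 12) & 1, inner

def mac(text: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst: str, src: str, payload: bytes, vid=None) -> bytes:
    """Constructed sample frame: IPv4 EtherType, optional tag with PRI 0, CFI 0."""
    tag = struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) if vid is not None else b""
    return mac(dst) + mac(src) + tag + struct.pack("!H", 0x0800) + payload

def summarize(frames):
    """Map each frame to ('vlan N' or 'untagged', on-wire length)."""
    out = []
    for f in frames:
        vid, _, _, _ = parse_vlan(f)
        out.append(("untagged" if vid is None else f"vlan {vid}", len(f)))
    return out

# Constructed input: 100 zero bytes stand in for the IP + ICMP data, so the
# frame sizes match the 118/114 bytes reported by Wireshark in the thread.
PAYLOAD = bytes(100)
SAMPLE = [
    build_frame("00:13:60:50:50:40", "00:0d:65:33:f7:80", PAYLOAD, vid=6),
    build_frame("00:13:60:50:50:40", "00:0d:65:33:f7:80", PAYLOAD),
]

if __name__ == "__main__":
    for label, size in summarize(SAMPLE):
        print(f"{label:9s} {size} bytes")
```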
