Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

How to q-in-q and span on 3560?


I need to simulate traffic with double tagged vlan on internal LAN. For better describe attaching picture.

I have 2 phones, which make internal call between them. Both are connected to different switches. I need to duplicate traffic between phones, but in addition before duplicating I need to double tag vlan with q-in-q and then send double tagged traffic to server which is monitoring that traffic. I need to simulate this to have same result as customer which don't want provide configurations and we need to fix our product based on that.

Is q-in-q supported on 3560? documentation didn't tell me a much.

Could somebody help me with some sample configuration?



Cisco Employee

How to q-in-q and span on 3560?

Hello Tibor,

The Catalyst 3560 does indeed support Q-in-Q. Regarding the configuration, ports between the Cat3560 switches will be configured as normal trunks using the switchport mode trunk command. Ports towards "clients" that send tagged frames themselves will be configured using the following commands:

switchport mode dot1q-tunnel

switchport access vlan S-VLAN

where the S-VLAN is the VLAN inside the service provider network used to encapsulate and carry all traffic of this customer.

It is also suggested to use the vlan dot1q tag native global configuration command to prevent Cat3560 from untagging any frames, possibly leading to VLAN leaking that can sometimes occur in Metro Ethernet environments under specific circumstances.

You may read more about the feature here:

Performing a local SPAN session on trunk ports carrying double-tagged traffic is no different from doing any other SPAN session, however, remember to use the encapsulation replicate command when configuring the SPAN session, i.e.:

monitor session 1 source interface Fa0/23 ! suppose that Fa0/23 is the trunk port

monitor session 1 destination interface Fa0/24 encapsulation replicate ! Fa0/24 is the monitoring port

Also, it has been my observation that Windows have troubles showing any VLAN tags in received frames - this is caused by the NIC drivers. Linux usually has no problems with this.

Of course, you are welcome to ask further!

Best regards,


New Member

How to q-in-q and span on 3560?

Thanks Peter,

i'm little bit confused from documentation - on every place is talking about service provider network. so if I understand correctly...?

Switch 1 with phone connected:

- phone port mode access with some vlan

- some port as mode trun and encapsulation dot1q

Swtich 2 with second phone connected:

- same as switch 1

Switch 3 - distribution:

- port for switch 1 mode dot1q-tunnel

- port for switch 2 mode dot1q-tunnel

but how to span... in between 3560 switches on 3750? span trunk ports as source?

how to double tag on dot1q-tunnel?

is for tagging enough just "mode dot1q-tunnel" and "switchport access vlan XY"?

Cisco Employee

How to q-in-q and span on 3560?

Hi Tibor,

Each your 3560 has two specific ports: one towards an IP phone, the other towards the 3750 distribution switch. I assume you want to see the voice traffic to be actually double-tagged on trunks between the 3560 and 3750. Am I correct here?

If yes then the port towards an IP phone shall be configured as follows:

switchport mode dot1q-tunnel

switchport voice vlan 7 ! the voice VLAN

switchport access vlan 77 ! the S-VLAN

cdp enable ! we need CDP for the voice VLAN autodiscovery

VLAN 77 here will be the S-VLAN.

Ports between the 3560 and 3750 switches shall be configured simply as:

switchport trunk encapsulation dot1q

switchport mode trunk

Monitoring will be performed using the monitor session commands I have indicated in my previous reply. You can monitor any trunk port, either on the 3560 or on the 3750. In any case, the monitoring PC must be connected to the switch where you perform the monitoring.

I do not understand, though, why do you need to perform the double tagging in the first place. What are you trying to accomplish here?

Best regards,


CreatePlease to create content