Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

native VLAN, VLAN 1, and loop issue between CPE and switches


we use to install 2 CPE on customer sites :

- CPE1 is attached to the primary WAN link (SDSL in most of our sites)

- CPE2 is attached to a backup WAN link (ADSL).

- Between CPE1 and CPE2 we use a back to back ethernet link (fe/0/0 to fe0/0, those ports are L3 "routed" ports).

Let say CPE1 and CPE2 are ISR with a additionnal HWIC-4ESW (4 FE switching module).

I've got questions regarding the LAN interface we provide to the customers, on sites where we have 2 different customers, each one with its own LAN switch, each one wanting a 802.1q connexion between its switch and the 2 CPE.


Customer A connect its switch - Switch A- to CPE1 fe1/2 and CPE2 fe1/2 (fe1/2 belongs to the HWIC-4ESW on the CPE) using one 802.1q trunk toward each CPE.

On switch A : VLAN 2,3,4 are tagged on this trunk, VLAN 1 is default native VLAN.

Customer B connect its switch - Switch B- to CPE1 fe1/3 and CPE2 fe1/3 (HWIC-4ESW again) using one 802.1q trunk toward each CPE.

On switch B : VLAN 5,6,7 are tagged on the trunk, VLAN 1 is default native VLAN.

There's no customer traffic on VLAN 1, but the VLAN is there "by default" and management traffic (that we don't use) may be sent on those VLANs (CDP, VTP, ...).


The problem :

If the trunks on the CPE are also configured with native VLAN = VLAN 1 on both trunks, a loop will be created in VLAN 1 (SW1->CPE1->SW2->CPE2->SW1...).

We do not want to use SPT on this connexions.



I planned to use different native VLAN on the CPE :

- in front of Switch A, use native VLAN=666 (switch A will still use native=1), and tagged VLAN = 2,3,4, on each CPE(fe1/2).

- in front of Switch B, use native VLAN=667, (switch B will still use native =1) and tagged VLAN=5,6,7, on each CPE(fe1/3).


I thought it should solve the loop issue but I was said that, on Cisco CPE, some management traffic (VTP, CDP, etc...) would still be considered as VLAN 1 traffic even if VLAN 1 wasn't configured anymore on the CPE interfaces, and that this traffic would still be forwarded through the native VLANs (666/667) by the CPE, even if those VLAN were configured with different VLANID per customers.  Thus the loop would still be there.

Is this exact ???? (seems weird to me).


Solution 2/

Another solution would be to drop any non tagged frame received by the CPE on the trunks. Again, VLAN 1 traffic is junk traffic we have no use for.

Is there a way to do that :

- specific command ?

- disabling native VLAN ( but if we disable native VLAN on these trunks, maybe the Cisco VTP/CDP/... messages will be accepted and forwarded anyway, with the loop issue still there ?) ?

- Is there a way to configure the HWIC-4ESW so that some ports behave as routed L3 ports, and not switched L2 ports?


- Solution 3/

Buy HWIC-2FE with L3 interfaces instead of HWIC4-ESW... last resort solution...(less interfaces :x).



- Any other solution ? (apart from spanning tree... that we don't want to use for simplicity reasons).



Thanks for any advices you could give me :)












How are you separating the

How are you separating the Customer 1 Traffic from Customer 2? Access Lists Presumably?

Are you using HSRP between the Routers?

It might be worth looking into VRF-lite to separate your customers into seperate virtual routing instances.

New Member

I didn't mention it, but we

I didn't mention it, but we are a large company with more than 10000 sites throughout the country.

Customer are different branches of our company that have their own LAN solutions, and are installed in the same building.

Let say that in the same building we have branch A with its own LAN solution, branch B with its own LAN infrastructure and so on...

We manage the WAN where all trafic share the same routing plan / address space. We don't use per branch VPN, and don't plan to define different VRF on CPE (except for very specific needs, but not in this case).

So, no, VRF-lite is not an option there.

Got your point anyway, my "customer" definition wasn't clear enough.


About HSRP : yes, we use HSRP, one of the CPE is the default gateway on each VLAN, the other one being in stand by mode.



CreatePlease to create content