Cisco Support Community

dot1q-tunneling and native frames ( untagged )

Hi all, I have the following setup:

Tunnel Port:

interface GigabitEthernet1/0/2
 switchport access vlan 784
 switchport mode dot1q-tunnel
 switchport nonegotiate
 l2protocol-tunnel cdp
 l2protocol-tunnel stp
 l2protocol-tunnel vtp
 no cdp enable
 spanning-tree portfast

Trunk Port - Into Carrier Network

interface GigabitEthernet1/0/25
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4094
 switchport mode trunk
 switchport nonegotiate
 load-interval 30
 speed nonegotiate
 spanning-tree bpdufilter enable

The Native Port on the tunnel interface = 1 and native VLAN tagging is enabled on the switch.

What happens to untagged frames that hit the tunnel port from the customer? Imagine that they don't have their port as a trunk and are instead emitting untagged frames.

Are these dropped, or do they simply have a single Q-tag pushed and are then tunnelled through the carrier network?

I have followed the recommendation of making the trunk port have a native VLAN that is not the native VLAN of any of the tunnel ports.



Re: dot1q-tunneling and native frames ( untagged )

You cannot get the switch port UP if the other end of the link is not compatible with the config for this port. So, if one side is a trunk and the other is not, then the port will not come UP. On a trunk line, only the frames of the native VLAN are sent without any tagging, and all other VLAN frames are tagged according to their VLAN numbers.


Re: dot1q-tunneling and native frames ( untagged )

Normally double-tag traffic is seen as NON-IP traffic by metro devices, since they cannot see beyond the first tag.

Untagged customer traffic will behave like IP traffic in the metro network, since it will have only one tag.

You can use a trick - create an IP access list on the trunk port with "deny ip any any" - basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Of course that will disable your management - so you need to plan this.

If more than one customer is using the same S-VLAN, and one customer has e.g. VLAN 3 untagged, and the other one has VLAN 5 untagged, their VLANs will be interconnected.
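
The frame layouts described in the reply above, as an added example that is not part of the original thread: it models the tunnel port pushing S-VLAN 784 onto whatever the customer sends, and a metro device that parses only the outer tag. The MAC addresses, payload and function names are constructed for illustration, and the ACL check is a model of the reply's description, not switch behaviour captured from a device.

```python
import struct

TPID_8021Q = 0x8100      # TPID used for both the S-tag and the C-tag in this setup
ETHERTYPE_IPV4 = 0x0800
S_VLAN = 784             # access VLAN of the tunnel port in the posted config

def vlan_tag(vid, pcp=0):
    """Build a 4-byte 802.1Q tag: TPID followed by PCP/DEI/VID."""
    return struct.pack("!HH", TPID_8021Q, (pcp << 13) | (vid & 0x0FFF))

def customer_frame(c_vid=None):
    """Constructed sample frame: MACs, optional C-tag, IPv4 ethertype, dummy payload."""
    dst = bytes.fromhex("020000000002")
    src = bytes.fromhex("020000000001")
    c_tag = vlan_tag(c_vid) if c_vid is not None else b""
    return dst + src + c_tag + struct.pack("!H", ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 45

def tunnel_ingress(frame, s_vid=S_VLAN):
    """Model of the tunnel port: push the S-tag after the MACs, tagged or not."""
    return frame[:12] + vlan_tag(s_vid) + frame[12:]

def metro_view(frame):
    """What a device that reads only the outer tag sees: (outer VID, next ethertype, class)."""
    tpid, tci, next_type = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        raise ValueError("frame carries no outer 802.1Q tag")
    kind = "ip" if next_type == ETHERTYPE_IPV4 else "non-ip"
    return tci & 0x0FFF, next_type, kind

def ip_acl_matches(frame):
    """True if a 'deny ip any any' on the trunk would match under this model."""
    return metro_view(frame)[2] == "ip"

if __name__ == "__main__":
    for label, c_vid in (("untagged customer frame", None), ("customer VLAN 3", 3)):
        carried = tunnel_ingress(customer_frame(c_vid))
        vid, next_type, kind = metro_view(carried)
        print(f"{label}: S-VLAN {vid}, next ethertype 0x{next_type:04x}, "
              f"seen as {kind}, ACL match={ip_acl_matches(carried)}")
```

The untagged frame leaves the tunnel port with only the S-tag and no customer VLAN information at all, which is why untagged traffic from two customers sharing one S-VLAN cannot be told apart inside the carrier network.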


Re: dot1q-tunneling and native frames ( untagged )

The trunk port should have a non-default native VLAN on the customer side.
