Cisco Support Community
Community Member

VLANs, sub-interfaces, and Dot1Q tagging...

The scenario is this:

Two sites are connected via a point-to-point T1 using 1721 routers. Both sites have Cisco 3560 switches and the ports are configured to support two VLANs (1 and 20), with VLAN1 being native (untagged).

I want the VLAN1 traffic to remain separate from the VLAN 20 traffic. On a given port on one of the 3560 switches, I have two devices: one device tags its traffic with VLAN 20 while the other device does not tag its traffic, so it gets tagged on ingress to the 3560 with VLAN1. Now, leaving the 3560 at site A, I exit the switch on port 48, which does not have a native VLAN defined (just a standard 802.1q trunk port), and enter the router. The router (running IOS 12.1(27b)) is configured with two sub-interfaces, 0/0.1 and 0/0.20, with IP addresses, and respectively, with dot1q encapsulation. If the remote network is configured similarly, when the packet arrives at the remote site and exits the router, I assume that traffic from destined for network (site B) will exit the router on sub-interface 0/0.20.

Now for the question...when the packet exits the router, will it be tagged with a VLAN20 ID so that the switch will place it in VLAN 20 when it receives it over the 802.1q trunk port that is connected to the router? If not, how is the switch to determine which VLAN the packet should be in?

Also, on ingress to the router, as long as all packets have a vlan tag, will they enter the associated sub-interface? What if a packet arrives without a tag?

I hope that is clear. Please ask questions if something needs to be clarified.


Re: VLANs, sub-interfaces, and Dot1Q tagging...

First off, the switch does not tag the packets at the ingress port, but only tags them with the VLAN assigned on the ingress port when the packet exits the trunk port. A trunk will carry all VLANs by default, and by default VLAN 1 is the native VLAN of a dot1q trunk, unless you configure it otherwise.

Coming back to your question, yes, when the packet exits the router at the remote end, it will be tagged with a VLAN20 ID (remember? it's a trunk, connecting to your switch). So the switch at the remote end will know that it is destined for VLAN20.

Bringing you back a step earlier, when the local-end router receives the tagged packet on its subinterface, it checks the destination MAC and VLAN ID of the frame (which is destined to the local-end router's subinterface MAC and VLAN ID). If it is valid (destined to its sub-if), it then further strips the L2 frame and checks the L3 packet for the destination IP, then checks the routing table for a valid entry. Finding a valid entry, it will then check which interface it should be sent out of to reach the remote end, thus encapsulating it with the L2 frame type of the outgoing interface.

Therefore, please bear in mind, the local-end VLAN 20 and remote-end VLAN 20 have no relation at all. They're totally independent; they're separated by L3. The local end knowing how to get to the remote-end subnet is done by routing on your router. So assuming both your routers already have routes to each other's subnets. Both are totally different broadcast domains, though sharing the same VLAN ID, but in this case, the VLAN ID is only locally significant.

Also, on ingress to the router, as long as all packets have a vlan tag, will they enter the associated sub-interface? What if a packet arrives without a tag?

Again, a packet without a tag is assumed to be from the native vlan, and on the router's subinterface for this vlan, add in the command "native".
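
The tag handling discussed in this thread, as an added example that is not part of either post: a small Python model of how a dot1q trunk port maps frames to sub-interfaces on ingress and applies tags on egress. The sub-interface names and VLAN 1/20 roles follow the thread; the MAC addresses, payload, VLAN 99 frame and the "drop when no sub-interface matches" behaviour are assumptions made for the illustration.

```python
import struct

TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Assumed mapping, mirroring the thread: VLAN 1 is native, VLAN 20 is tagged.
SUBINTERFACES = {1: "0/0.1", 20: "0/0.20"}
NATIVE_VLAN = 1


def classify(frame: bytes):
    """Return (vlan_id, subinterface) for an ingress frame; subinterface is None if dropped."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_DOT1Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, 14)
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN ID
    else:
        vlan_id = NATIVE_VLAN   # untagged frames are treated as native VLAN
    return vlan_id, SUBINTERFACES.get(vlan_id)


def egress(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan_id: int) -> bytes:
    """Build the frame sent out a sub-interface: tagged unless it is the native VLAN."""
    header = dst + src
    if vlan_id != NATIVE_VLAN:
        header += struct.pack("!HH", TPID_DOT1Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ethertype) + payload


# Constructed sample frames (MAC addresses and payload are made up).
SWITCH = bytes.fromhex("020000000001")
ROUTER = bytes.fromhex("020000000002")
IPV4 = 0x0800
tagged_20 = egress(SWITCH, ROUTER, IPV4, b"payload", 20)  # leaves 0/0.20 with a VLAN 20 tag
untagged = egress(SWITCH, ROUTER, IPV4, b"payload", 1)    # leaves 0/0.1 without a tag
tagged_99 = ROUTER + SWITCH + struct.pack("!HHH", TPID_DOT1Q, 99, IPV4) + b"payload"

if __name__ == "__main__":
    for name, frame in [("tagged_20", tagged_20), ("untagged", untagged), ("tagged_99", tagged_99)]:
        print(name, classify(frame))
```
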

