Dot1q-tunnel rejection
Hello,
I am trying to set up a dot1q-tunnel on a Catalyst 6506 running IOS 12.2 and am running into trouble. I have followed everything in the manual and from others' examples, but I continually get the error:
Command rejected: Gi1/1 doesn't support 802.1q tunneling.
To get there I have done:
Router(config)#vlan dot1q tag native
Router(config)#interface range gig 1/1-48
Router(config-if-range)#spanning-tree bpdufilter enable
Router(config-if-range)#spanning-tree portfast
Router(config-if-range)#switchport mode dot1q-tunnel
and it says command rejected for all 48 ports.
If anyone has any insight it would be greatly appreciated. Thank you for your time.
If you can't make a tunnel with dot1q, check the capability of the module using the following command:
[example]
Switch#show interfaces gigabitEthernet 0/1 capabilities
GigabitEthernet0/1
Model: WS-C3550-24
Type: unknown
Speed: 1000
Duplex: full
Trunk encap. type: 802.1Q,ISL <<<--- capability
Trunk mode: on,off,desirable,nonegotiate
Channel: yes
Broadcast suppression: percentage(0-100)
Flowcontrol: rx-(off,on,desired),tx-(off,on,desired)
Fast Start: yes
QOS scheduling: rx-(1q0t),tx-(4q2t),tx-(1p3q2t)
CoS rewrite: yes
ToS rewrite: yes
UDLD: yes
Inline power: no
SPAN: source/destination
PortSecure: yes
Dot1x: yes
Similar Messages
-
Hello Guys,
I am configuring a dot1q tunnel VPLS since it suited our need for the client's requirements. To my surprise the 48 port tx we are using on our 7600 doesn't support this:
7609-PPE1(config-if)#switchport mode dot1q-tunnel
Command rejected: Gi2/4 doesn't support 802.1q tunneling.
IOS is s72033-pk9sv-mz.122-18.SXD5.bin
Hardware is 48 SFM-capable 48 port 10/100/1000mb RJ45 WS-X6548-GE-TX
For me to establish a good VPLS in dot1q (dot1q in dot1q) multipoint connection, what hardware with port density is available for this one?
I didn't have any problem with OSM modules, but we have to be practical with the port density.
Your insights will be greatly appreciated.
Thanks.
For VPLS to work the core-facing module should be an OSM module. Configure IP routing in the core so that the PE routers can reach each other via IP. Configure MPLS in the core so that a label switched path (LSP) exists between the PE routers. For more info refer to
http://www.cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a00801e5c06.html#wp1338115. -
Hi,
I don't understand how to improve the security of dot1q tunneling. If the client makes some errors, for example by disabling spanning-tree on a VLAN, and creates a loop between different sites (L2VPN), what are the safety standards for Q-in-Q to protect the provider?
Thank you for your help.
Regards.
David
It depends upon which switch you are using. If you are using an L3-capable switch, routing can be done on the switch itself, or if it's a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers. Use these links for more details.
http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html -
Dot1q-tunneling and native frames ( untagged )
Hi all, I have the following setup:
tunnel Port:
interface GigabitEthernet1/0/2
switchport access vlan 784
switchport mode dot1q-tunnel
switchport nonegotiate
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
spanning-tree portfast
Trunk Port - Into Carrier Network
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
switchport nonegotiate
load-interval 30
speed nonegotiate
spanning-tree bpdufilter enable
The native VLAN on the tunnel interface = 1 and native VLAN tagging is enabled on the switch.
What happens to untagged frames that hit the tunnel port from the customer? Imagine that they don't have their port as a trunk and are instead emitting untagged frames.
Are these dropped, or do they simply have a single Q-tag pushed and are then tunnelled through the carrier network?
I have followed the recommendation of making the trunk port have a native vlan that is not the native vlan of any of the tunnel ports.
Thanks
Normally double-tagged traffic is seen as non-IP traffic by metro devices, since they cannot see beyond the first tag.
Untagged customer traffic will behave like IP traffic in the metro network, since it will have only one tag.
You can use a trick: create an IP access list on the trunk port with "deny ip any any", basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Of course that will disable your management, so you need to plan this.
If more than one customer is using the same S-VLAN, and one customer has e.g. VLAN 3 untagged, and the other one has VLAN 5 untagged, their VLANs will be interconnected. -
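The behaviour discussed in this thread, as an added example that is not part of any post on this page and not Cisco code: a small Python model of a dot1q-tunnel port feeding a provider trunk. It assumes (these are assumptions, not stated above) that the tunnel port pushes the S-tag as a new outer tag, that a trunk sends its native VLAN untagged unless `vlan dot1q tag native` is on, and that a receiving trunk classifies an untagged frame into its native VLAN. It shows two things: untagged frames from two customers in the same S-VLAN become indistinguishable after the push, and a customer's tagged frame lands in a provider VLAN if the trunk's native VLAN equals the S-VLAN and native tagging is off, which is why the poster keeps the trunk native VLAN distinct from every tunnel port's VLAN.

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    """Only the 802.1Q tag stack matters for this model.
    tags holds VLAN IDs, outermost first; [] means untagged."""
    origin: str
    tags: list = field(default_factory=list)


def tunnel_port_ingress(frame, s_vlan):
    """switchport mode dot1q-tunnel: push the port's access VLAN as a new
    outer tag. An untagged customer frame ends up with one tag, a tagged
    one with two; nothing is dropped (modelled behaviour)."""
    return Frame(frame.origin, [s_vlan] + frame.tags)


def trunk_egress(frame, native_vlan, tag_native):
    """Provider trunk, sending side. Without 'vlan dot1q tag native' a frame
    whose outer VLAN is the trunk's native VLAN leaves with that tag removed."""
    if frame.tags and frame.tags[0] == native_vlan and not tag_native:
        return Frame(frame.origin, frame.tags[1:])
    return frame


def trunk_ingress(frame, native_vlan):
    """Far-end trunk, receiving side: an untagged frame is assigned to the
    native VLAN; a tagged frame is classified by its outermost tag."""
    if not frame.tags:
        return Frame(frame.origin, [native_vlan])
    return frame


def provider_vlan_seen(frame, s_vlan, trunk_native, tag_native):
    """Carry one customer frame tunnel port -> trunk -> far-end trunk and
    return the provider VLAN the far end classifies it into."""
    f = tunnel_port_ingress(frame, s_vlan)
    f = trunk_egress(f, trunk_native, tag_native)
    f = trunk_ingress(f, trunk_native)
    return f.tags[0]


def untagged_frames_collide(s_vlan):
    """Two customers on one S-VLAN each send untagged (their own native
    VLANs 3 and 5). After the push both carry only [s_vlan], so the provider
    cannot keep them apart."""
    a = tunnel_port_ingress(Frame("customerA native 3"), s_vlan)
    b = tunnel_port_ingress(Frame("customerB native 5"), s_vlan)
    return a.tags == b.tags


if __name__ == "__main__":
    tagged = Frame("customer tagged VLAN 3", [3])
    # Bad: trunk native VLAN == S-VLAN and native tagging off: the S-tag is
    # stripped on egress and the far end reads the customer's tag 3 as its own VLAN 3.
    print(provider_vlan_seen(tagged, 784, 784, False))   # 3
    # Fixed either by 'vlan dot1q tag native' ...
    print(provider_vlan_seen(tagged, 784, 784, True))    # 784
    # ... or by a trunk native VLAN that no tunnel port uses (4094 in the post).
    print(provider_vlan_seen(tagged, 784, 4094, False))  # 784
    print(untagged_frames_collide(784))                  # True
```

The first call is the double-tagging hop: the customer never touched the provider's VLAN 3, but the provider trunk removed the only tag that said otherwise. Either fix closes it; doing both costs nothing.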
Hi,
I just configured a VPN for end users on a PIX 515E with IOS 8 and got stuck with "Tunnel Rejected: User (msveden) not member of group (VPN-shared), group-lock check failed.". Can someone please help me and tell me how I add a user to my VPN group?
Regards
Mikael
Maybe you are looking for this:
ASA1(config)# username msveden attributes
ASA1(config-username)# group-lock value mygroup
Thanks
Ajay -
I am in the process of designing a dot1q-tunnel-based service backbone. Basically client switches will uplink with tunnelled ports on the provider backbone.
Cl-SW1 |----|P-SW1|----|P-SW2|-----|Cl-SW2|
Assume that CL-SW1 is at the headquarters of the client and some traffic from the client should be sent off-premises (Internet for example) using the same link (Gig Ethernet).
What are my options?
P-SW1 and P-SW2 will not be able to see layer 3 information from the client switches since traffic is layer2-tunnelled. How can I route traffic off the backbone?
I thought about trunking a single port on P-SW1 and connecting it to a router. On the router sub-interfaces will do the job. But the problem is that trunked traffic will reach the router encapsulated with dot1q tunneling? Does a 7600 series router do the job, since it understands tunneling?
Any ideas will be appreciated.
It depends upon which switch you are using. If you are using an L3-capable switch, routing can be done on the switch itself, or if it's a pure L2 switch you may have to create VLANs and route using sub-interfaces in the routers. Use these links for more details.
http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html -
Is it possible to use MVR for delivering multicast to customers over dot1q-tunnel interface ?
Can QinQ and MVR work together?
I think multicast VLAN registration, MVR for short, is not supported on a dot1q tunnelling interface, because there is a criterion for configuring MVR: receiver ports cannot be trunk ports. Since dot1q is a trunking protocol, I believe MVR can't be transmitted over a trunk port, and hence over a dot1q tunnel interface. For detailed info on MVR,
refer to the configuration guidelines sections of mvr at:
http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8d9.html#xtocid14 -
Me3400 mep on dot1q-tunnel interface
Hi
Just wanted to get someone to give me some quick pointers on the following task:
I have an me3400 with fa0/1 as a UNI.
also I have Gig0/1 as NNI.
I have set the commands on the switch as
ethernet cfm ieee
ethernet cfm global
ethernet cfm domain testnet level 4
ethernet evc cust1
oam protocol cfm svlan 10 domain testnet
interface FastEthernet0/1
switchport access vlan 10
switchport mode dot1q-tunnel
speed 100
duplex full
l2protocol-tunnel cdp
l2protocol-tunnel lldp
l2protocol-tunnel stp
l2protocol-tunnel vtp
interface GigabitEthernet0/1
port-type nni
switchport mode trunk
ethernet cfm mip level 4 vlan 10
so this is the minimal functionality that I am after.
What else do I need to do to link the fa0/1 port to the EVC and enable an UP MEP and CC on it?
The end goal initially is to propagate link loss when the UNI is disconnected so that the remote ME3400 brings down its UNI.
Any help please.
It's difficult for Cisco Cat 6500. Why don't you consider products from other vendors?
-
Is it possible to map the cos from a tagged frame into the metro tag cos field when it enters a dot1q-tunnel port?
The only option I see to set cos on a dot1q-tunnel port is to statically configure a value using the <mls qos cos <value> > commmand, this is with the 3750.
Thanks
It all depends on the hardware.
For example the 3750 Metro supports copying the inner CoS value to the outer tag. It is also supported by 4500s with SUPV-10GE.
This functionality is also possible with ES20 cards in the 7600.
Overall there is not much hardware that supports it. The functionality you are looking for is called "Intelligent IEEE 802.1Q tunneling QoS":
http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_25_seg_seg1/configuration/guide/swtunnel.html#wp1010491 -
Hi guys.
I'm trying to set up a dot1q tunnel on a 3560X, but the option does not seem to be available.
SW02#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW02(config)#int gig 0/1
SW02(config-if)#sw mode ?
access Set trunking mode to ACCESS unconditionally
dynamic Set trunking mode to dynamically negotiate access or trunk mode
trunk Set trunking mode to TRUNK unconditionally
SW02(config-if)#sw mode
I'm sure I have seen this command visible previously so it could be configuration or VTP related, but obviously am now doubting myself.
For reference the IOS version is;
c3560e-universalk9-mz.122-55.SE5/c3560e-universalk9-mz.122-55.SE5.bin
It's not an advipservices feature, is it?
Thanks for your help.
Mike
Hi Mike,
according to the Configuration Guide, 802.1Q protocol tunneling is not supported on switches running the LAN base feature set.
Do you have at least an IP Base license activated (show license detail)?
Cisco Catalyst 3560-X Series Switches - Cisco IOS Software Packaging and Licensing White Paper
HTH
Rolf -
ASR 9010 switchport mode dot1q-tunnel QinQ Access
Is there an IOS-XR ASR equivalent for a QinQ edge access port? On IOS the interface config would be:
int fa 1/1
switchport
switchport mode dot1q-tunnel
switchport access vlan 100
Do you have ASR on both sides? If you do, VFI will work for you. Let's say:
CE------G1/1/1/1(1.1.1.1- PE1)---------------------(PE - 2.2.2.2) G2/2/2/2--------- CE
On PE1:
interface g1/1/1/1
l2transport
no shut
l2vpn
bridge group PE1
bridge-domain CE1
interface g1/1/1/1
vfi CE1
neighbor 2.2.2.2 pw-id 100
On PE2:
interface g2/2/2/2
l2transport
no shut
l2vpn
bridge group PE2
bridge-domain CE2
interface g2/2/2/2
vfi CE2
neighbor 1.1.1.1 pw-id 100 -
Native VLAN problem when using dot1q tunnel on ME3600
We have problems with a VPLS service for a Customer. The edge devices are Cat3560 and ME3600 (where the Customers sites are connected).
When the edge device is an ME3600 we have problems getting the traffic on the native VLAN from the Customer out into the VPLS cloud.
No problems using Cat3560
No problems using ME3600 and tagged VLAN
Config on ME3600
interface GigabitEthernet0/2
description VPLS_CustomerA
switchport access vlan 888
switchport trunk allowed vlan none
switchport mode trunk
mtu 9800
storm-control broadcast level 0.10 0.05
storm-control action trap
no cdp enable
spanning-tree bpdufilter enable
service instance 64 ethernet
encapsulation untagged , dot1q 1-4094
bridge-domain 64
Any ideas?
/Jorgen
Can you remove this line from your configuration: "switchport access vlan 888", since it is an invalid configuration for EVC.
Reconfigure the port after making the above change. What kind of traffic you are expecting on the native vlan?
L2 protocol tunneling is disabled by default, so STP, CDP and other control protocols will not work unless you enable L2PT forward or tunnel. -
"trust cos" on dot1q-tunnel interface
Hello,
we have a MAN based on Cat 6500 and Cat 3750, and we're using QinQ as one of our backbone technologies.
We need to implement "trust cos" on a QinQ port for one of our customers (= rewrite CoS bits from the internal 802.1q header (coming from the customer) to the external 802.1q header). Do you have some idea how to deal with it?
We've done several experiments, but we haven't found any solution except the CoS-to-CoS map, which is a "Cat 6500 only" and "per-group-of-ports" feature. We need to implement it per port (only for this customer).
We're looking for this because customer is using MPLS and we need to "trust QoS" as it is set by the customer. Customer is able to set
- DSCP in IP header
- MPLS exp. bits
- CoS in dot1q header.
Have you ever come across something like this?
Have you found any solution?
Thanks
Jan Klicka, SITMP
It's difficult for Cisco Cat 6500. Why don't you consider products from other vendors?
-
QoS (CoS) and Q-in-Q (dot1q-tunnel)
Hi,
I am looking for a document which describes the procedures and connections between QoS and Q-in-Q. Something like "NAT order of operation".
Points I am interested in are for example:
- Which CoS value is set in the outer VLAN tag?
- Which VLAN tag does 'mls qos trust cos' trust?
- Would the CoS value of the inner VLAN tag be inherited/passed to the outer VLAN tag?
I am mainly using Cat3560 and Cat3750 with IOS 12.2(25)SED1 IP-Base.
kind regards
Mark
The policing function determines whether the traffic level is within the specified profile (contract). It allows either dropping out-of-profile traffic or marking the traffic down to a different Differentiated Services Code Point (DSCP) value to enforce the contracted service level. DSCP is a measure of the Quality of Service (QoS) level of the packet. Along with DSCP, IP precedence and Class of Service (CoS) are also used to convey the QoS level of the packet.
http://www.cisco.com/warp/public/473/134.html -
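For the CoS questions on this page (the "trust cos" thread above and the three questions in this post), an added example that is none of the posters' code and not Cisco's: the 802.1Q tag control information encoded bit by bit, plus the two outer-CoS behaviours the threads contrast, a static value as with `mls qos cos` and copying the inner tag's CoS (the "Intelligent IEEE 802.1Q tunneling QoS" a reply above attributes to 3750 Metro, 4500 with SUPV-10GE and ES20 cards). Which policy a given switch applies is platform dependent and is a parameter here, not something the code looks up; the customer frame and the TPID used for both tags (0x8100) are assumptions. The TCI layout (PCP 3 bits, DEI 1 bit, VID 12 bits) is from IEEE 802.1Q.

```python
import struct

TPID_8100 = 0x8100  # assumed for both inner and outer tag in this model


def encode_tag(vid, pcp=0, dei=0):
    """Return the 4-byte 802.1Q tag: TPID, then TCI = PCP(3) | DEI(1) | VID(12)."""
    if not (0 <= vid <= 4095 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("TCI field out of range")
    return struct.pack("!HH", TPID_8100, (pcp << 13) | (dei << 12) | vid)


def decode_tags(frame):
    """Peel every 802.1Q tag after the 12-byte dst/src MAC header.
    Returns (list of (pcp, vid) outermost first, remaining bytes)."""
    off, tags = 12, []
    while frame[off:off + 2] == TPID_8100.to_bytes(2, "big"):
        (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
        tags.append((tci >> 13, tci & 0x0FFF))
        off += 4
    return tags, frame[off:]


def build_customer_frame(c_vid, c_pcp, payload=b"\x08\x00" + b"\x00" * 46):
    """Constructed customer frame: broadcast dst, a made-up src, one C-tag,
    then EtherType and payload (IPv4 EtherType, zeroed body)."""
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + encode_tag(c_vid, c_pcp) + payload


def tunnel_push(frame, s_vid, policy, static_cos=0):
    """Push the S-tag as a dot1q-tunnel port would.
    policy="static":     outer CoS is the port's configured value (mls qos cos N);
                         the inner CoS survives inside but the core never sees it.
    policy="copy-inner": outer CoS copied from the C-tag when there is one,
                         falling back to static_cos for untagged frames."""
    if policy not in ("static", "copy-inner"):
        raise ValueError("unknown policy")
    inner, _ = decode_tags(frame)
    outer_pcp = static_cos
    if policy == "copy-inner" and inner:
        outer_pcp = inner[0][0]
    return frame[:12] + encode_tag(s_vid, outer_pcp) + frame[12:]


def core_cos(frame):
    """CoS the provider core classifies on: PCP of the outermost tag only."""
    tags, _ = decode_tags(frame)
    return tags[0][0]


if __name__ == "__main__":
    customer = build_customer_frame(c_vid=100, c_pcp=5)
    plain = tunnel_push(customer, 784, "static", static_cos=0)
    smart = tunnel_push(customer, 784, "copy-inner")
    print(decode_tags(plain)[0], core_cos(plain))  # [(0, 784), (5, 100)] 0
    print(decode_tags(smart)[0], core_cos(smart))  # [(5, 784), (5, 100)] 5
```

So for the question "which VLAN tag does trust cos trust": a device that only sees the outermost tag trusts whatever PCP the tunnel port wrote there, and on a port that can only do the static policy that value is the port's, not the customer's, regardless of what the inner tag carries.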
IPSec LAN-to-LAN from PIX 501(6.3.5) to VPNC 3000 rejects tunnel.
I will post more data once back in the office, but this is the error my VPNC 3000 is showing when the IPSec tunnel tries to establish:
I've replaced the PIX 501 outside IP with 10.0.0.1, and the concentrator subnet with 10.1.0.0
18890 04/04/2007 15:09:33.190 SEV=6 IKE/201 RPT=2 10.0.0.2
Group [10.0.0.2]
Duplicate Phase 1 packet detected. Retransmitting last packet.
18892 04/04/2007 15:09:33.190 SEV=6 IKE/0 RPT=820 10.0.0.2
Group [10.0.0.2]
Responder resending last msg
18893 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45723 10.0.0.2
RECEIVED Message (msgid=b57613b7) with payloads :
HDR + HASH (8) + NOTIFY (11) + NONE (0)
total length : 76
18895 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45724 10.0.0.2
Group [10.0.0.2]
processing hash
18896 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45725 10.0.0.2
Group [10.0.0.2]
Processing Notify payload
18897 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=821
Received unexpected event EV_ACTIVATE_NEW_SA in state MM_ACTIVE
18898 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45726 10.0.0.2
RECEIVED Message (msgid=83ab1615) with payloads :
HDR + HASH (8) + SA (1) + NONCE (10) + ID (5) + ID (5) + NONE (0)
total length : 164
18901 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45727 10.0.0.2
Group [10.0.0.2]
processing hash
18902 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45728 10.0.0.2
Group [10.0.0.2]
processing SA payload
18903 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5364 10.0.0.2
Group [10.0.0.2]
processing nonce payload
18904 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5365 10.0.0.2
Group [10.0.0.2]
Processing ID
18905 04/04/2007 15:09:33.310 SEV=5 IKE/35 RPT=133 10.0.0.2
Group [10.0.0.2]
Received remote IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
18908 04/04/2007 15:09:33.310 SEV=9 IKEDBG/1 RPT=5366 10.0.0.2
Group [10.0.0.2]
Processing ID
18909 04/04/2007 15:09:33.310 SEV=5 IKE/34 RPT=233 10.0.0.2
Group [10.0.0.2]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.0.0, Mask 255.255.255.0, Protocol 0, Port 0
18912 04/04/2007 15:09:33.310 SEV=8 IKEDBG/0 RPT=45729
QM IsRekeyed old sa not found by addr
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
18915 04/04/2007 15:09:33.310 SEV=4 IKEDBG/0 RPT=45730
QM FSM error (P2 struct &0x1e75390, mess id 0x83ab1615)!
18916 04/04/2007 15:09:33.310 SEV=7 IKEDBG/65 RPT=730 10.0.0.2
Group [10.0.0.2]
IKE QM Responder FSM error history (struct &0x1e75390)
<state>, <event>:
QM_DONE, EV_ERROR
QM_BLD_MSG2, EV_NEGO_SA
QM_BLD_MSG2, EV_IS_REKEY
QM_BLD_MSG2, EV_CONFIRM_SA
18921 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45731
sending delete/delete with reason message
18922 04/04/2007 15:09:33.310 SEV=6 IKE/0 RPT=822 10.0.0.2
Group [10.0.0.2]
Removing peer from correlator table failed, no match!
18923 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45732 10.0.0.2
Group [10.0.0.2]
IKE SA MM:5b0e34cb rcv'd Terminate: state MM_ACTIVE
flags 0x0001c042, refcnt 1, tuncnt 0
18926 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45733 10.0.0.2
Group [10.0.0.2]
IKE SA MM:5b0e34cb terminating:
flags 0x0101c002, refcnt 0, tuncnt 0
18928 04/04/2007 15:09:33.310 SEV=9 IKEDBG/0 RPT=45734
sending delete/delete with reason message
18929 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45735 10.0.0.2
Group [10.0.0.2]
constructing blank hash
18930 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45736
constructing IKE delete payload
18931 04/04/2007 15:09:33.320 SEV=9 IKEDBG/0 RPT=45737 10.0.0.2
Group [10.0.0.2]
constructing qm hash
18932 04/04/2007 15:09:33.320 SEV=8 IKEDBG/0 RPT=45738 10.0.0.2
SENDING Message (msgid=1d5c1587) with payloads :
HDR + HASH (8) + DELETE (12)
total length : 76
18934 04/04/2007 15:09:33.320 SEV=4 AUTH/23 RPT=176 10.0.0.2
User [10.0.0.2], Group [10.0.0.2] disconnected: duration: 0:00:00
The error that sticks out to me is:
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
I do not know if this means policy on the Concentrator or the PIX, but I believe this is the cause. Below is my PIX 501 config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pix3
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
fixup protocol h323 1718-1719
names
access-list 102 permit ip 192.168.15.0 255.255.255.0 172.16.0.0 255.255.0.0
access-list 102 permit ip 192.168.15.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list 102 permit icmp 192.168.15.0 255.255.255.0 192.168.15.0 255.255.255.0
no pager
logging on
logging timestamp
logging monitor debugging
interface ethernet0 10baset
interface ethernet1 10full
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
ip address outside 10.0.0.2 255.255.255.240
ip address inside 192.168.15.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 102
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 10.0.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 192.168.15.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map newmap 10 ipsec-isakmp
crypto map newmap 10 match address 102
crypto map newmap 10 set peer 10.1.0.1
crypto map newmap 10 set transform-set myset
crypto map newmap interface outside
isakmp enable outside
isakmp key myPSK address 10.1.0.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
ssh 172.16.0.0 255.255.255.224 inside
ssh 192.168.0.0 255.255.0.0 inside
ssh timeout 60
dhcpd address 192.168.15.10-192.168.15.20 inside
dhcpd dns 172.16.1.27 172.16.1.19
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
terminal width 80
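An added example for this log, not code from the poster, from Cisco or from the concentrator: parse the Phase 2 proxy identities out of the IKE/35 and IKE/34 lines and check them against a responder policy table. The "Tunnel rejected: Policy not found" line is written by the concentrator inside its own Quick Mode responder state machine (the IKE QM Responder FSM entries that follow it), so the lookup that failed is the concentrator's, against the selectors the PIX proposed: remote 0.0.0.0/0 and local 10.1.0.0/24. The log lines below are copied from the post, with the addresses the poster had already substituted; the POLICIES table is hypothetical and only illustrates the exact-match (mirror-image) rule for IKEv1 selectors.

```python
import ipaddress
import re

# Copied from the post above (addresses already rewritten by the poster).
LOG = """\
18905 04/04/2007 15:09:33.310 SEV=5 IKE/35 RPT=133 10.0.0.2
Group [10.0.0.2]
Received remote IP Proxy Subnet data in ID Payload:
Address 0.0.0.0, Mask 0.0.0.0, Protocol 0, Port 0
18909 04/04/2007 15:09:33.310 SEV=5 IKE/34 RPT=233 10.0.0.2
Group [10.0.0.2]
Received local IP Proxy Subnet data in ID Payload:
Address 10.1.0.0, Mask 255.255.255.0, Protocol 0, Port 0
18913 04/04/2007 15:09:33.310 SEV=4 IKE/61 RPT=2 10.0.0.2
Group [10.0.0.2]
Tunnel rejected: Policy not found for Src:0.0.0.0, Dst: 10.1.0.0!
"""

PROXY_RE = re.compile(
    r"Received (remote|local) IP Proxy Subnet data in ID Payload:\s*"
    r"Address (\S+), Mask (\S+), Protocol (\d+), Port (\d+)"
)
REJECT_RE = re.compile(r"Tunnel rejected: Policy not found for Src:(\S+), Dst: (\S+)!")

# Hypothetical concentrator policy: (our local network, peer's network) pairs,
# i.e. the mirror image of what the peer's crypto ACL should carry.
POLICIES = [("10.1.0.0/24", "192.168.15.0/24")]


def parse_proxy_ids(log):
    """Return {'remote': IPv4Network, 'local': IPv4Network} from the Quick
    Mode ID payloads. 'remote' is the peer's side, 'local' is ours."""
    ids = {}
    for side, addr, mask, _proto, _port in PROXY_RE.findall(log):
        ids[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return ids


def rejection(log):
    """(src, dst) from the rejection line, or None if the tunnel was not rejected."""
    m = REJECT_RE.search(log)
    return (m.group(1), m.group(2)) if m else None


def policy_matches(local, remote, policies=POLICIES):
    """Exact-match rule: both selectors must equal a configured pair. A
    0.0.0.0/0 proposal does not match a /24 entry even though it contains it."""
    local_n = ipaddress.ip_network(local, strict=False)
    remote_n = ipaddress.ip_network(remote, strict=False)
    return any(
        ipaddress.ip_network(pl) == local_n and ipaddress.ip_network(pr) == remote_n
        for pl, pr in policies
    )


def diagnose(log, policies=POLICIES):
    """One-line verdict for the Quick Mode exchange in the log."""
    ids = parse_proxy_ids(log)
    if "local" not in ids or "remote" not in ids:
        return "no Quick Mode ID payloads found"
    local, remote = str(ids["local"]), str(ids["remote"])
    if policy_matches(local, remote, policies):
        return f"accepted: local {local} <-> remote {remote}"
    return (f"rejected: no policy for local {local} <-> remote {remote}; "
            f"the peer must propose the exact mirror image of a configured pair")


if __name__ == "__main__":
    print(parse_proxy_ids(LOG))
    print(rejection(LOG))
    print(diagnose(LOG))
```

Run against the excerpt it reports the rejection for local 10.1.0.0/24 and remote 0.0.0.0/0, which is the same pair the IKE/61 line names as Src and Dst. Whatever the concentrator's real network lists are, they cannot contain a 0.0.0.0/0 peer selector paired with 10.1.0.0/24, so the thing to reconcile is what the PIX proposes against what the concentrator's LAN-to-LAN entry expects.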