Dot1q-tunneling and native frames (untagged)

Hi all, I have the following setup:
Tunnel port:
interface GigabitEthernet1/0/2
switchport access vlan 784
switchport mode dot1q-tunnel
switchport nonegotiate
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
no cdp enable
spanning-tree portfast
Trunk Port - Into Carrier Network
interface GigabitEthernet1/0/25
switchport trunk encapsulation dot1q
switchport trunk native vlan 4094
switchport mode trunk
switchport nonegotiate
load-interval 30
speed nonegotiate
spanning-tree bpdufilter enable
The native VLAN on the tunnel interface is 1, and native VLAN tagging is enabled on the switch.
What happens to untagged frames that hit the tunnel port from the customer? Imagine that they don't have their port as a trunk and are instead emitting untagged frames.
Are these dropped, or do they simply have a single Q-tag pushed and are then tunnelled through the carrier network?
I have followed the recommendation of giving the trunk port a native VLAN that is not the native VLAN of any of the tunnel ports.
Thanks

Normally double-tagged traffic is seen as non-IP traffic by metro devices, since they cannot see beyond the first tag.
Untagged customer traffic will behave like IP traffic in the metro network, since it will have only one tag.
You can use a trick: create an IP access list on the trunk port with "deny ip any any", basically denying all IP traffic. That should stop all traffic that was not tagged by the customer. Of course that will disable your management, so you need to plan for this.
If more than one customer is using the same S-VLAN, and one customer has e.g. VLAN 3 untagged and the other one has VLAN 5 untagged, their VLANs will be interconnected.
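A toy model of the tag handling described in this answer, added here as an example (it is not code from the thread): a dot1q-tunnel port pushes one S-tag on everything, so a customer frame that was already tagged becomes double-tagged and opaque to a single-tag metro switch, while an untagged customer frame ends up single-tagged, is parsed as plain IP, and shares one forwarding domain with every other customer's untagged traffic on the same S-VLAN. The tunnel VLAN 784 comes from the question; MAC addresses and payload are constructed.

```python
"""
Toy model of a Cisco dot1q-tunnel (Q-in-Q) port. Added example, not code
from the original thread. Frames are built inline from constructed MAC
addresses and a placeholder payload (no FCS).
"""
import struct

TPID_8021Q = 0x8100  # 802.1Q tag protocol identifier (used for C-tag and S-tag)
ETH_IPV4 = 0x0800    # ethertype of an IPv4 payload


def build_frame(dst, src, ethertype, vid=None, payload=b"constructed-payload"):
    """Customer-side Ethernet frame, optionally carrying one C-tag (vid)."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VIDs outermost first, ethertype that follows the last tag)."""
    off, vids = 12, []
    while off + 4 <= len(frame) and struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vids.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vids, struct.unpack("!H", frame[off:off + 2])[0]


def tunnel_ingress(frame, access_vlan):
    """dot1q-tunnel port: push an S-tag equal to the port's access VLAN on
    every frame, whether or not the customer already tagged it."""
    stag = struct.pack("!HH", TPID_8021Q, access_vlan & 0x0FFF)
    return frame[:12] + stag + frame[12:]


def carrier_view(frame):
    """What a metro switch that parses only one tag sees on the trunk."""
    svlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    next_type = struct.unpack("!H", frame[16:18])[0]
    return {"svlan": svlan,
            "looks_like_ip": next_type == ETH_IPV4,   # single-tagged IP frame
            "inner_tagged": next_type == TPID_8021Q}  # double-tagged: opaque


def domain_key(frame):
    """Forwarding domain as the carrier effectively creates it: all untagged
    customer frames on one S-VLAN collapse onto (S-VLAN, None)."""
    vids, _ = parse_tags(frame)
    return (vids[0], vids[1] if len(vids) > 1 else None)


def trunk_deny_ip_drops(frame):
    """The 'deny ip any any' trick from the answer: an IP ACL on the trunk
    matches only frames the switch can parse as IP, i.e. single-tagged ones."""
    return carrier_view(frame)["looks_like_ip"]


# Constructed sample: two customers behind tunnel ports in VLAN 784 (from the post).
BCAST = bytes.fromhex("ffffffffffff")
CUST_A = bytes.fromhex("02aa00000001")  # constructed, locally administered MACs
CUST_B = bytes.fromhex("02bb00000001")

A_TAGGED = tunnel_ingress(build_frame(BCAST, CUST_A, ETH_IPV4, vid=3), 784)
A_UNTAGGED = tunnel_ingress(build_frame(BCAST, CUST_A, ETH_IPV4), 784)
B_UNTAGGED = tunnel_ingress(build_frame(BCAST, CUST_B, ETH_IPV4), 784)

if __name__ == "__main__":
    for name, f in [("A tagged", A_TAGGED), ("A untagged", A_UNTAGGED), ("B untagged", B_UNTAGGED)]:
        verdict = "dropped by deny ip any any" if trunk_deny_ip_drops(f) else "passes trunk ACL"
        print(name, parse_tags(f), carrier_view(f), domain_key(f), verdict)
```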

Similar Messages

  • Dot1q tunneling and security

    Hi,
    I don't understand how to improve the security of dot1q tunneling. If the client makes some errors, for example by disabling spanning-tree on a VLAN, and he creates a loop between different sites (L2VPN), what are the safety standards for Q-in-Q to protect the provider?
    Thank you for your help.
    Regards.
    David


  • Dot1Q tunneling and routing

    I am in the process of designing a dot1q-tunnel-based service backbone. Basically client switches will uplink with tunnelled ports on the provider backbone.
    Cl-SW1 |----|P-SW1|----|P-SW2|-----|Cl-SW2|
    Assume that Cl-SW1 is at the headquarters of the client and some traffic from the client should be sent off-premises (to the Internet, for example) using the same link (Gigabit Ethernet).
    What are my options?
    P-SW1 and P-SW2 will not be able to see layer 3 information from the client switches since traffic is layer2-tunnelled. How can I route traffic off the backbone?
    I thought about trunking a single port on P-SW1 and connecting it to a router. On the router sub-interfaces will do the job. But the problem is that trunked traffic will reach the router encapsulated with dot1q tunneling? Does a 7600 series router do the job, since it understands tunneling?
    Any ideas will be appreciated.

    It depends upon which switch you are using. If you are using an L3-capable switch, routing can be done on the switch itself; if it is a pure L2 switch you may have to create VLANs and route using sub-interfaces on the routers. Use these links for more details.
    http://cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a00801cdf50.html#1008908
    http://cisco.com/en/US/products/hw/routers/ps368/products_configuration_guide_chapter09186a0080161137.html

  • WLSM, mGRE tunnels and Native VLAN

    I understand that to be able to use mGRE tunnels, all that is needed from the AP is to have IP connectivity. If the AP connects to a port on a switch, and that port is on VLAN 196, for instance, will the following setup allow me to connect to that VLAN over wireless, and at the same time allow other users (through the use of the other SSID) to connect to a network that's on a mobility group?
    I've tested it already and it works. I just want to know if there are any drawbacks, or if it's not recommended. etc...
    interface Dot11Radio0
    encryption mode wep mandatory
    ssid vlan196
    authentication open eap eap_methods
    authentication network-eap eap_methods
    ssid public
    authentication open eap eap_methods
    authentication network-eap eap_methods
    mobility network-id 100

    I had a look at your configuration and it looks good. I think this is the best way of doing this and it will work without any issues. You can go ahead and implement this setup.

  • Dot1q-tunnel rejection

    Hello,
    I am trying to set up a dot1q-tunnel on a Catalyst 6506 running IOS 12.2 and am running into trouble. I have followed everything in the manual and from others' examples, but I continually get the error:
    Command rejected: Gi1/1 doesn't support 802.1q tunneling.
    To get there I have done:
    Router(config)#vlan dot1q tag native
    Router(config)#interface range gig 1/1-48
    Router(config-if-range)#spanning-tree bpdufilter enable
    Router(config-if-range)#spanning-tree portfast
    Router(config-if-range)#switchport mode dot1q-tunnel
    and it says command rejected for all 48 ports.
    If anyone has any insight it would be greatly appreciated. Thank you for your time

    If you can't make a tunnel with dot1q, check the capability of the module using the following command.
    Example:
    Swith#show interfaces gigabitEthernet 0/1 capabilities
    GigabitEthernet0/1
    Model: WS-C3550-24
    Type: unknown
    Speed: 1000
    Duplex: full
    Trunk encap. type: 802.1Q,ISL <<<--- capability
    Trunk mode: on,off,desirable,nonegotiate
    Channel: yes
    Broadcast suppression: percentage(0-100)
    Flowcontrol: rx-(off,on,desired),tx-(off,on,desired)
    Fast Start: yes
    QOS scheduling: rx-(1q0t),tx-(4q2t),tx-(1p3q2t)
    CoS rewrite: yes
    ToS rewrite: yes
    UDLD: yes
    Inline power: no
    SPAN: source/destination
    PortSecure: yes
    Dot1x: yes

  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest avoiding VLAN 1 and tagging all frames with VLAN IDs using the global vlan dot1q configuration. Other Cisco non-security documents suggest using switchport trunk native vlan #, which removes any VLAN tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # command are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using VLAN 1 to tighten L2 security. When VLAN 1 is removed from all trunked uplinks, user access ports are in VLANs other than VLAN 1, and no spanning-tree VLAN 1 operations exist, what is the native VLAN 1 actually used for? The output of show interface gi0/1 trunk shows the native VLAN as 1.
    Thanks,
    HC

    Hi HC,
    The command "switchport trunk native vlan" is used to define the native (untagged) VLAN on a dot1q link. The default is 1, but you can change it to anything you like. It only changes the native VLAN; all the other VLANs on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the VLANs). The command "vlan dot1q tag native" is mostly used in dot1q-in-dot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1q-in-dot1q. This command tags the native VLAN traffic and drops all traffic which is not tagged.
    What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
    If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part I'm trying not to use VLAN 1 everywhere in my campus, because it gives a huge spanning-tree topology, and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible; that's good for stability!
    Simon

  • 6500 xconnect and QinQ frames

    Hi, I want to pass all VLANs from a client. I have a tunnel port on both 3560s, and then I have an MPLS xconnect between the 6500s. The 6500s are connected with a PVC with encapsulation aal5snap. This is the schema:
    3560 --Gb -- 6500 -- ATM PVC -- 6500 -- Gb 3560
    The problem is that the xconnect does not carry QinQ frames, it only sends the frames from the client that are untagged.
    How can I pass the QinQ frames between the 6500's?
    Thanks

    This is the current 6500 configuration. I have tried this configuration and another using subinterfaces, with the same result. The xconnect works, because I could see the untagged frames in both sites. Interface Gig1/9 on the 6500 is connected to interface Fa0/1 on the 3560.
    interface GigabitEthernet1/9
    switchport
    switchport trunk encapsulation dot1q
    switchport mode trunk
    mtu 9216
    no ip address
    interface Vlan3003
    description VLL_CLIENT1
    no ip address
    xconnect 10.0.0.3 3003 encapsulation mpls
    show modules:
    #sh mod
    Mod Ports Card Type                              Model              Serial No.
      1    9  Supervisor Engine 32 8GE (Active)      WS-SUP32-GE-3B     SAL12426MVE
      2    0  4-subslot SPA Interface Processor-200  7600-SIP-200       JAE1244Z5PF
    Mod MAC addresses                       Hw    Fw           Sw           Status
      1  0021.d89e.c846 to 0021.d89e.c851   4.6   12.2(18r)SX2 12.2(18)SXF1 Ok
      2  0021.a06d.fdc0 to 0021.a06d.fdff   2.303 12.2(18)SXF1 12.2(18)SXF1 Ok
    Mod  Sub-Module                  Model              Serial       Hw     Status
      1  Policy Feature Card 3       WS-F6K-PFC3B       SAL12405HZN  2.4    Ok
      1  Cat6k MSFC 2A daughterboard WS-F6K-MSFC2A      SAL12426HJD  4.0    Ok
    2/0 2xOC3 ATM SPA               SPA-2XOC3-ATM      JAE1244Z6G2  1.1    Ok
    Mod  Online Diag Status
      1  Pass
      2  Pass
    2/0 Not Applicable
    The 3560 configuration is this:
    interface FastEthernet0/1
    description 6500_Uplink
    switchport trunk encapsulation dot1q
    switchport mode trunk
    interface FastEthernet0/8
    description CLIENT1
    switchport access vlan 3003
    switchport mode dot1q-tunnel
    l2protocol-tunnel cdp
    l2protocol-tunnel lldp
    l2protocol-tunnel stp
    l2protocol-tunnel vtp
    no cdp enable
    Thanks in advance

  • MVR over DOT1Q-TUNNEL

    Is it possible to use MVR for delivering multicast to customers over dot1q-tunnel interface ?
    Can QinQ and MVR work together ?

    I think multicast VLAN registration, MVR for short, is not supported on a dot1q tunnelling interface. There is a criterion for configuring MVR: receiver ports cannot be trunk ports. Since dot1q is a trunking protocol, I believe MVR can't be transmitted over a trunk port, and hence not over a dot1q tunnel interface. For detailed info on MVR,
    refer to the configuration guidelines sections of mvr at:
    http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008007e8d9.html#xtocid14

  • Me3400 mep on dot1q-tunnel interface

    Hi
    Just wanted to get someone to give me some quick pointers on the following task:
    I have an me3400 with fa0/1 as a UNI.
    also I have Gig0/1 as NNI.
    I have set the commands on the switch as
    ethernet cfm ieee
    ethernet cfm global
    ethernet cfm domain testnet level 4
    ethernet evc cust1
       oam protocol cfm svlan 10 domain testnet
    interface FastEthernet0/1
      switchport access vlan 10
      switchport mode dot1q-tunnel
      speed 100
      duplex full
      l2protocol-tunnel cdp
      l2protocol-tunnel lldp
      l2protocol-tunnel stp
      l2protocol-tunnel vtp
    interface GigabitEthernet0/1
      port-type nni
      switchport mode trunk
      ethernet cfm mip level 4 vlan 10
    so this is the minimal functionality that I am after.
    What else do I need to do to link the fa0/1 port to the EVC and enable an UP MEP and CC on it?
    the end goal initially is to propagate link loss when the UNI is disconnected so that the remote me3400 brings down its UNI.
    any help please.

    It's difficult for the Cisco Cat 6500. Why don't you consider products from other vendors?

  • Dot1q-tunnel cos mapping

    Is it possible to map the cos from a tagged frame into the metro tag cos field when it enters a dot1q-tunnel port?
    The only option I see to set CoS on a dot1q-tunnel port is to statically configure a value using the mls qos cos <value> command; this is with the 3750.
    Thanks

    It all depends on the hardware.
    For example, the 3750 Metro supports copying the inner CoS value to the outer tag. It is also supported by 4500s with the SUPV-10GE.
    This functionality is also possible with ES20 cards in the 7600.
    Overall there is not much hardware that supports it. The functionality you are looking for is called "Intelligent IEEE 802.1Q tunneling QoS":
    http://www.cisco.com/en/US/docs/switches/metro/catalyst3750m/software/release/12.2_25_seg_seg1/configuration/guide/swtunnel.html#wp1010491

  • Dot1q tunnel

    Hi guys.
    I'm trying to setup a dot1q tunnel on a 3560X, but the option does not seem available.
    SW02#conf t
    Enter configuration commands, one per line.  End with CNTL/Z.
    SW02(config)#int gig 0/1
    SW02(config-if)#sw mode ?
      access   Set trunking mode to ACCESS unconditionally
      dynamic  Set trunking mode to dynamically negotiate access or trunk mode
      trunk    Set trunking mode to TRUNK unconditionally
    SW02(config-if)#sw mode
    I'm sure I have seen this command visible previously so it could be configuration or VTP related, but obviously am now doubting myself.
    For reference the IOS version is;
    c3560e-universalk9-mz.122-55.SE5/c3560e-universalk9-mz.122-55.SE5.bin
    It's not an advipservices feature, is it?
    Thanks for your help.
    Mike

    Hi Mike,
    According to the Configuration Guide, 802.1Q protocol tunneling is not supported on switches running the LAN Base feature set.
    Do you have at least an IP Base license activated (show license detail)?
    Cisco Catalyst 3560-X Series Switches - Cisco IOS Software Packaging and Licensing White Paper
    HTH
    Rolf

  • Management and native Vlan in different subnet??

    Can I have a management IP and the native VLAN in different subnets on an AIR-1242 and a 2960 switch?
    Native on Switch = 1.
    Interface vlan 100 = 10.10.1.25X /24
    BVI ip in vlan 100 = 10.10.1.25X /24
    -HM-

    Hi,
    Thanks for the update.
    OK, in short, YES this can be done. Here is the AP configuration:
    Step 1: Configure the SSIDs and map them to their respective VLANs.
    Step 2: Create the sub-interfaces int dot11 0.5 / int fa 0.5 (encapsulation dot1q 5, bridge-group 5) and int dot11 0.6 / int fa 0.6 (encapsulation dot1q 6, bridge-group 6).
    Step 3: Create the sub-interface 0.100 for both the Radio and Fa interfaces and under it configure (encapsulation dot1q 100 native, bridge-group 1).
    Step 4: Make sure all the interfaces are up and running, and try to ping the VLAN 100 interface IP address from the AP to verify.
    Let me know if this answered your question.
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful.

  • Eliminating duplicating and blended frames???

    A major problem with creating content for digital platforms is the old duplicating or blended frames, which are present on broadcast TV master tapes.
    NTSC to PAL conversions almost seem impossible to fix when a blended frame is present, or are they?
    Another ongoing headache is the fact that an NTSC master from a TV show shot on HD has duplicated frames...
    I did an inverse telecine to 24p, which did get rid of the dup frame; however, when a dissolve was used there would be field issues with one frame, no doubt a dissolve in another framerate from the native frame it was shot on... Is there any way to fix this?
    I truly dislike the fact that NTSC isn't a whole number of frames. I understand it was done to be backward compatible with black and white back in the day, but it is truly painful in this day and age...
    Example of dissolve.

    Automatically tracking the animation in the master layer would be accomplished by an expression. For example, to tie the Drop Shadow distance to the master delete the keyframes on the copy then add an expression to Drop Shadow Distance by simply dragging the pickwhip to the same effect parameter in the master. Adjusting the timing so that it's relative to the in-point is a little more difficult. I'll have to think about that for a while. I can't give you the answer without a little experimentation.
    The second part of your question is much easier. Manual adjustment of a range of keyframes is as simple as selecting the keyframes that you want to modify and holding down the Alt/Option (pc/mac) key while dragging the last keyframe.
    You could also use an expression. You will only set 2 or 3 keyframes for a property you want to repeat and then use loopOut expression. For 2 keyframes, say 20% opacity to 100% opacity use:  loopOut("pingpong"), for three keyframes, say 20% to 100% to 20% use loopOut("cycle"). You then adjust the timing by moving the keyframes.
    Hope this helps.

  • Reporting Services in both SharePoint 2013 connected and native mode?

    Is it possible to configure Reporting Services (SQL Server 2014) to support both SharePoint 2013 connected mode and a local Report Server in native mode on the same server using multiple instances of RS? The reason for this setup is to avoid having to purchase SharePoint Enterprise CALs for users other than analysts and still be able to publish standard reports to all employees.
    Management and analysts -> Custom reports published through SharePoint 2013 Enterprise (SP2013 ECALs and SQL Server 2014 core license). Data alerts and Power View enabled if possible.
    All employees -> Standard reports published through Native Mode Report Server (SQL Server 2014 core license). Possible subscriptions.
    I find the official documentation a bit lacking in this area but can't find anything stating against the above. It would be greatly appreciated if someone could confirm before planning the installs.
    What I'm aiming for is somewhat similar to the "2 Tier Topology" described at: Example License Topologies and Costs for SQL Server 2014 Self-Service Business Intelligence
    With the difference that there is a separate SQL Server 2014 server used both by SharePoint and as a standalone BI-server.
    SharePoint EE + SQL Server 2014 EE
    Excel Services
    SSRS Add-in (Reporting Services, Power View)
    SQL Server DB for SP Content, Configuration and Service Application DB:s
    SQL Server 2014 EE - SharePoint + Standalone for BI
    SSRS SharePoint Mode
    SSRS Native Mode
    SSAS (Not in SharePoint mode, skipping PowerPivot for now. Would Power View still work?)
    SQL Server DB for Data Warehouse
    = 1 x SharePoint EE Server Licence, 2 x SQL Server 2014 EE Server Licenses?
    Deployment
    Topologies for SQL Server BI Features in SharePoint - actually gives a good overview in the section "PowerPivot for SharePoint 2013 and Reporting Services Three Server Deployment". Just remove the PowerPivot Service from Server 1 and change the Analysis Services on Server 2 to regular native multidimensional mode. Server 2 would also be used for native Reporting Services.
    Fallback or even beneficial option to install SSRS in SharePoint mode on the SQL Server instance used for content and configuration?

    Hi Daniel Wikar,
    As per my understanding, you want to install two SQL Server instances on the same server and configure one of the Reporting Services instances in SharePoint integrated mode and the other in native mode.
    According to my knowledge, multiple instances of Reporting Services on the same computer, where one instance runs in SharePoint integrated mode and the other instance runs in native mode, is supported. But we must run all report server instances at the same level. For example, if we are using SQL Server 2014, all report server instances must be SQL Server 2014.
    Besides, Analysis Services and Reporting Services can be installed as standalone servers, in scale-out configurations, or as shared service applications in a SharePoint farm. Installing the services in a farm enables BI features that are only available in SharePoint, including PowerPivot for SharePoint and Power View.
    For more information about Feature Comparison of SharePoint and Native Mode and Supported and Unsupported Configurations, please refer to the following documents:
    http://msdn.microsoft.com/en-us/library/ms157231.aspx
    http://technet.microsoft.com/en-US/library/bb510781(v=SQL.105).aspx
    For detailed information regarding the license issue, please call 1-800-426-9400, Monday through Friday, 6:00 A.M. to 6:00 P.M. (Pacific Time) to speak directly to a Microsoft licensing specialist. For international customers, please use the Guide to Worldwide Microsoft Licensing Sites to find contact information in your location.
    You can also visit the following site for more information and support on licensing issues:
    http://www.microsoft.com/licensing/mla/default.aspx
    If you have any more questions, please feel free to ask.
    Thanks,
    Wendy Fu
    If you have any feedback on our support, please click here.

  • ASA 5505 site-to-site VPN tunnel and client VPN sessions

    Hello all
    I have several years of general networking experience, but I have not yet had to set up an ASA from the ground up, so please bear with me.
    I have a client who needs to establish a VPN tunnel from his satellite office (Site A) to his corporate office (Site Z).  His satellite office will have a single PC sitting behind the ASA.  In addition, he needs to be able to VPN from his home (Site H) to Site A to access his PC.
    The first question I have is about the ASA 5505 and the various licensing options.  I want to ensure that an ASA5505-BUN-K9 will be able to establish the site-to-site tunnel as well as allow him to use either the IPsec or SSL VPN client to connect from Site H to Site A.  Would someone please confirm or deny that for me?
    Secondly, I would like to verify that no special routing or configuration would need to take place in order to allow traffic not destined for Site Z (i.e., general web browsing or other traffic to any resource that is not part of the Site Z network) to go out his outside interface without specifically traversing the VPN tunnel (split tunneling?)
    Finally, if the client were to establish a VPN session from Site H to Site A, would that allow for him to connect directly into resources at Site Z without any special firewall security rules?  Since the VPN session would come in on the outside interface, and the tunnel back to Site Z goes out on the same interface, would this constitute a split horizon scenario that would call for a more complex config, or will the ASA handle that automatically without issue?
    I don't yet have the equipment in-hand, so I can't provide any sample configs for you to look over, but I will certainly do so once I've got it.
    Thanks in advance for any assistance provided!

    First question:
    Yes, 5505 will be able to establish site-to-site tunnel, and he can use IPSec vpn client, and SSL VPN (it comes with 2 default SSL VPN license).
    Second question:
    Yes, you are right. No special routing is required. All you need to configure is site-to-site VPN between Site A and Site Z LAN, and the internet traffic will be routed via Site A internet. Assuming you have all the NAT statement configured for that.
    Last question:
    This needs to be configured, it wouldn't automatically allow access to Site Z when he VPNs in to Site A.
    Here is what needs to be configured:
    1) Split tunnel ACL for VPN Client should include both Site Z and Site A LAN subnets.
    2) On Site A configure: same-security-traffic permit intra-interface
    3) Crypto ACL for the site-to-site tunnel between Site Z and Site A needs to include the VPN Client pool subnet as follows:
    On Site Z:
    access-list permit ip
    On Site A:
    access-list permit ip
    4) NAT exemption on site Z needs to include vpn client pool subnet as well.
    Hope that helps.
