Encapsulation dot1q X native

interface f0/0.1
encapsulation dot1q X native
X can be any number, right?
The actual number has no effect because the packet is native and thus has no tag!

It is best to use some kind of scheme for your addressing, though. Say the subnet is 192.168.85.0: it would be a lot easier to remember and troubleshoot if you made the VLAN number something like VLAN 85. It just makes it easier if there is some kind of commonality between the VLAN number and the subnet number. If you are only dealing with a few VLANs then it probably doesn't matter.

Similar Messages

  • 3750-x and vlan dot1q tag native command

    Hello,
    I have a 3750-X stack with the following HW & SW revisions:
    Cisco-3750-x-stack>show version
    Cisco IOS Software, C3750E Software (C3750E-UNIVERSALK9NPE-M), Version 15.0(2)SE4, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2013 by Cisco Systems, Inc.
    Compiled Wed 26-Jun-13 01:47 by prod_rel_team
    ROM: Bootstrap program is C3750E boot loader
    BOOTLDR: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
    Cisco-3750-x-stack uptime is 1 day, 6 hours, 56 minutes
    System returned to ROM by power-on
    System restarted at 20:27:32 UTC Tue Mar 29 2011
    System image file is "flash:/c3750e-universalk9npe-mz.150-2.SE4/c3750e-universalk9npe-mz.150-2.SE4.bin"
    License Level: lanbase
    License Type: Permanent
    Next reload license Level: lanbase
    cisco WS-C3750X-48P (PowerPC405) processor (revision A0) with 262144K bytes of memory.
    Processor board ID FDO1524K1J2
    Last reset from power-on
    2 Virtual Ethernet interfaces
    1 FastEthernet interface
    104 Gigabit Ethernet interfaces
    4 Ten Gigabit Ethernet interfaces
    The password-recovery mechanism is enabled.
    512K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address       :
    Motherboard assembly number     : 73-12553-05
    Motherboard serial number       : 
    Model revision number           : A0
    Motherboard revision number     : C0
    Model number                    : WS-C3750X-48P-L
    Daughterboard assembly number   : 800-32727-01
    Daughterboard serial number     : 
    System serial number            : 
    Top Assembly Part Number        : 800-31324-02
    Top Assembly Revision Number    : C0
    Version ID                      : V02
    CLEI Code Number                : 
    Hardware Board Revision Number  : 0x03
    Switch Ports Model              SW Version            SW Image
    *    1 54    WS-C3750X-48P      15.0(2)SE4            C3750E-UNIVERSALK9NPE-M
         2 54    WS-C3750X-48P      15.0(2)SE4            C3750E-UNIVERSALK9NPE-M
    Switch 02
    Switch Uptime                   : 1 day, 6 hours, 56 minutes
    Base ethernet MAC Address       : 
    Motherboard assembly number     : 73-12553-06
    Motherboard serial number       : 
    Model revision number           : A0
    Motherboard revision number     : A0
    Model number                    : WS-C3750X-48P-L
    Daughterboard assembly number   : 800-32727-03
    Daughterboard serial number     : 
    System serial number            : 
    Top assembly part number        : 800-31324-03
    Top assembly revision number    : B0
    Version ID                      : V03
    CLEI Code Number                : 
    License Level                   : lanbase
    License Type                    : Permanent
    Next reboot licensing Level     : lanbase
    Configuration register is 0xF
    I am trying to set up native VLAN tagging using the command "vlan dot1q tag native". I am entering this when I am in privileged exec mode, and then config mode. When I enter vlan ? it does not show dot1q as an option. Any thoughts on what I might be missing? What I am trying to achieve is all ingress untagged traffic (from my Meru controller) will be tagged with VLAN tag 101 as it progresses through my network, and any tagged traffic on VLAN 101 which is destined for the port where my Meru controller is located will be delivered to the Meru controller untagged. I can set this up in this manner on a SG300 Cisco switch, and I believe this is what "vlan dot1q tag native" will achieve if I am understanding correctly.
    I welcome suggestions on both why the "vlan dot1q tag native" won't work, and on what I am trying to accomplish.
    Thx
    Bryan

    Hi Aaron,
    Thank you for the quick reply.  
    The Meru controller uses untagged traffic to talk between the controller and the APs. It also uses tagged traffic to talk between the controller and the VLANs which I have associated with each of the SSIDs. I am trying to find a way to do what is normally done with an access port, but do that with an LACP group (802.1Q trunk). Where the untagged traffic entering the network from the controller gets tagged as VLAN 101 as it transits the network, and then traffic which is delivered to that 802.1Q trunk on VLAN 101 has the tag removed, but all other traffic entering that port will be appropriately tagged, and the tagged traffic along with the tags will egress from that port to the Meru controller. I have done this before on a Cisco SG300 switch, but not on the 3750-X core in my home. If I can't make this work I can front end the Meru controller with an SG300 but now I will be introducing another potential point of failure.
    Also, do you have any idea why the "vlan dot1q tag native" would not be accepted by the IOS version on this switch stack?
    Thx
    Bryan

  • "vlan dot1q tag native" end-to-end QoS switched network

    Guys,
    Can I use this in my switched network design, (without using 802.1q tunneling as documentation always seems to mention this vlan in a vlan scenario???)
    I have native vlans and I want to act upon the 802.1p CoS field from end-to-end in my switched network. If the packet happens to be in a native vlan, I cannot do this.
    ie
    pc------accessswitch--------distswitch/rtr
    between access and distribution, there is a dot1q trunk, and the native vlan is the vlan what the pc is in
    Choices.
    run this command: vlan dot1q tag native
    don't have a native vlan, ie have vlan 1 (default as native) on the dot1q up to the dist
    or act only upon L3 dscp
    Can anyone help?
    Many thx,
    Ken

    Hi there,
    Many thx for that. This I understand and the question was really, if I wanted to use a dot1p tag in the dot1q header, but the vlan that the PC was on was the same vlan as the native vlan on the dot1q trunk, what is the best option to ensure I can action qos.
    Just trust dscp on the trunks always
    tag the native,
    or just don't run a native vlan
    I hope this makes sense. Sorry if I was a little confusing b4.
    Thx
    Ken
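
Added example, not part of either thread above: the first thread's point that the native number never appears on the wire, and Ken's point that an untagged native frame has nowhere to carry an 802.1p CoS value, shown by building and parsing frames in Python. The MAC addresses, payload and function names are constructed for this example; the priority-tag case (VLAN ID 0) follows 802.1Q and goes one step beyond what the posts discuss.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

# Constructed sample values (locally administered MACs, dummy payload).
DST = bytes.fromhex("020000000002")
SRC = bytes.fromhex("020000000001")
PAYLOAD = b"constructed sample payload"


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0):
    """Build an Ethernet II frame. vlan=None sends it untagged, which is
    how a trunk sends its native VLAN unless native tagging is enabled."""
    header = dst + src
    if vlan is not None:
        # Tag Control Information: 3-bit PCP (802.1p CoS), 1-bit DEI, 12-bit VLAN ID
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return what the frame itself says about VLAN and CoS."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        # No tag: there is no VLAN ID field and no PCP field to read.
        return {"tagged": False, "vlan": None, "pcp": None, "ethertype": tpid}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"tagged": True, "vlan": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": ethertype}


def classify(frame, native_vlan):
    """Model of a receiving trunk port: a tagged frame goes to the VLAN in
    its tag; an untagged frame (or a priority tag with VLAN ID 0) goes to
    the native VLAN configured on the receiving port."""
    info = parse_frame(frame)
    if info["tagged"] and info["vlan"] != 0:
        return info["vlan"], info["pcp"]
    return native_vlan, info["pcp"]


def demo():
    untagged = build_frame(DST, SRC, 0x0800, PAYLOAD)
    tagged = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan=101, pcp=5)
    priority_only = build_frame(DST, SRC, 0x0800, PAYLOAD, vlan=0, pcp=5)
    return {
        # Same untagged bytes, two receivers with different native settings:
        "untagged_rx_native_85": classify(untagged, 85),
        "untagged_rx_native_1": classify(untagged, 1),
        # A tagged frame ignores the receiver's native setting and keeps its CoS.
        "tagged_rx_native_85": classify(tagged, 85),
        # Priority tag: CoS survives, VLAN still comes from the native setting.
        "priority_rx_native_85": classify(priority_only, 85),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: vlan={result[0]} cos={result[1]}")
```

The same untagged bytes land in whichever VLAN the receiving port calls native, so the number only has to agree between the two ends of a link.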

  • VLAN DOT1Q, SWITCHPORT TRUNK NATIVE VLAN, and VLAN1

    Hi All,
    L2 security documents suggest to avoid using vlan1 and tagging all frames with vlan IDs using the global configuration of vlan dot1q. Other Cisco non-security documents suggest using the switchport trunk native vlan # which removes any vlan tagging. It seems to me that the global vlan dot1q command and the interface switchport trunk native vlan # are contradictory; therefore, both should not be used. Furthermore, my understanding is to avoid using vlan 1 to tighten L2 security. When vlan 1 is removed from all trunked uplinks, user access ports are other than vlan 1, and no spanning-tree vlan 1 operations exist, what is the native vlan 1 actually used for? The output of show interface gi0/1 trunk shows the native vlan as 1.
    Thanks,
    HC

    Hi HC,
    the command "switchport trunk native vlan" is used to define the native (untagged vlan) on a dot1q link. The default is 1, but you can change it to anything you like. But it does only change the native vlan, all the other vlans on the trunk are of course tagged (and it only applies to dot1q, as ISL "tags/encapsulates" all the vlans). The command "vlan dot1q tag native" is mostly used in dot1qindot1q tunnels, where you tunnel a dot1q trunk within a dot1q trunk. That's something mostly service providers offer to their customers. There it is important that there is no untagged traffic, as that would not work with dot1qindot1q. This command tags the native vlan traffic, and drops all traffic which is not tagged.
    What is the native VLAN for? Switches send control PDUs such as STP, CDP or VTP over the native VLAN.
    If you don't happen to be a service provider for L2 metropolitan Ethernet, you won't need the "vlan dot1q tag native" command. For my part I'm trying not to use vlan 1 everywhere in my campus, because it gives a huge spanning-tree topology and if you ever get a switch to blow a heavy load of traffic into it, you have your whole campus network degraded. I try to keep VLANs as small as possible and to have as much L3 separation as possible, that's good for the stability!
    Simon
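
Added example, not part of the thread above: a small Python audit that reads IOS-style configuration text, works out the native VLAN of each trunk or subinterface parent (defaulting to 1 when `switchport trunk native vlan` is absent, as Simon notes), reports whether the global `vlan dot1q tag native` is present, and compares the two ends of a link. The sample configurations and all function names are constructed for this example.

```python
import re

# Constructed sample configurations, using only commands quoted on this page.
SWITCH_CFG = """\
hostname SW1
!
interface FastEthernet1/0/10
 switchport trunk native vlan 100
 switchport mode trunk
!
interface FastEthernet1/0/11
 switchport mode trunk
!
interface FastEthernet1/0/12
 switchport access vlan 3
!
"""

AP_CFG = """\
hostname AP1
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet0.2
 encapsulation dot1Q 2
!
interface GigabitEthernet0.100
 encapsulation dot1Q 100 native
!
"""


def stanzas(config):
    """Split a config into (global_lines, {interface_name: [stripped lines]})."""
    global_lines, ifaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        m = re.match(r"interface\s+(\S+)$", line, re.I)
        if m:
            current = ifaces.setdefault(m.group(1), [])
        elif current is not None and raw[:1].isspace():
            current.append(line)          # indented line inside the stanza
        else:
            current = None
            global_lines.append(line)
    return global_lines, ifaces


def native_vlans(config):
    """Map each trunking physical interface to its native VLAN.
    None means subinterfaces exist but none is marked native."""
    _, ifaces = stanzas(config)
    result = {}
    for name, lines in ifaces.items():
        text = "\n".join(lines)
        if re.search(r"^switchport mode trunk$", text, re.M | re.I):
            m = re.search(r"^switchport trunk native vlan (\d+)$", text, re.M | re.I)
            result[name] = int(m.group(1)) if m else 1   # default native VLAN
        m = re.search(r"^encapsulation dot1q (\d+)( native)?$", text, re.M | re.I)
        if m and "." in name:
            parent = name.split(".")[0]
            result.setdefault(parent, None)
            if m.group(2):
                result[parent] = int(m.group(1))
    return result


def audit(config):
    """Report the global native-tagging setting and trunks left on VLAN 1."""
    global_lines, _ = stanzas(config)
    tag_native = any(l.lower() == "vlan dot1q tag native" for l in global_lines)
    on_vlan1 = sorted(i for i, v in native_vlans(config).items() if v == 1)
    return {"tag_native": tag_native, "native_is_vlan1": on_vlan1}


def compare_link(cfg_a, if_a, cfg_b, if_b):
    """Return (native_a, native_b, match) for the two ends of one link."""
    a = native_vlans(cfg_a)[if_a]
    b = native_vlans(cfg_b)[if_b]
    return a, b, a == b


if __name__ == "__main__":
    print(audit(SWITCH_CFG))
    print(compare_link(SWITCH_CFG, "FastEthernet1/0/10", AP_CFG, "GigabitEthernet0"))
    print(compare_link(SWITCH_CFG, "FastEthernet1/0/11", AP_CFG, "GigabitEthernet0"))
```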

  • The difference between IEEE802.1Q Native VLAN sub-interface and Physical interface?

    Hello
    I think the following topologies are supported for Cisco Routers
    And the physical interface can also be used as the native VLAN interface, right?
    Topology 1.
     R1 Gi0.1 ------ IEEE802.1Q Tunneling  L2SW ------ Gi0 R2
    R1 - configuration
    interface GigabitEthernet0.1
     encapsulation dot1Q 1 native
     ip address 10.0.0.1 255.255.255.0
    Topology 2.
    R1 Gi0 ------ IEEE802.1Q Tunneling L2SW ------ Gi0 R2
    interface GigabitEthernet0
    ip address 10.0.0.1 255.255.255.0
     And is it ok to use the physical interface and sub-interface with dynamic routing such as EIGRP or OSPF etc?
    R1 Gi 0 ---- Point to Multipoint EIGRP or OSPF ---- Gi0 R2 / R3 
          Gi 0.20--- Point to Point EIGRP or OSPF --- Gi0.10 R4  (same VLAN-ID) 
    R1 - configuration
    interface GigabitEthernet0
     ip address 10.0.0.1 255.255.255.0
    interface GigabitEthernet8.20
     encapsulation dot1Q 20
     ip address 20.0.0.1 255.255.255.0
    Any information is much appreciated, but if there is any CCO document please let me know.
    Thank you very much and regards,
    Masanobu Hiyoshi

    Hello,
    The diagram is helpful.
    If I am getting you correctly, you have three routers interconnected by a switch, and you want them to operate in a hub-and-spoke fashion even though the switch is capable of allowing direct communication between any of these routers.
    Your first scenario is concerned with all three routers being in the same VLAN, and by using neighbor commands, you force these routers to establish targeted EIGRP adjacencies R1-R2 and R1-R3, with R1 being the hub.
    Your second scenario is concerned with creating one VLAN per spoke, having subinterfaces for each spoke VLAN created on R1 as the router, and putting each spoke just in its own VLAN.
    Your scenarios are not really concerned with the concept of native VLAN or the way it is configured, to be honest. Whether you use a native VLAN in either of your scenarios, or whether you configure the native VLAN on a subinterface or on the physical interface makes no difference. There is simply no difference to using or not using a native VLAN in any of your scenarios, and there is no difference to the native VLAN configuration being placed on a physical interface or a subinterface. It's as plain as that. Both your scenarios will work.
    My personal opinion, though, is that forcing routers on a broadcast multi-access segment such as Ethernet to operate in a hub-and-spoke fashion is somewhat artificial. Why would you want to do this? Both scenarios have drawbacks: in the first scenario, you need to add a neighbor statement for each spoke to the hub, limiting the scalability. In the second scenario, you waste VLANs and IP subnets if there are many spokes. The primary question is, though: why would you want an Ethernet segment to operate as a hub-and-spoke network? Sure, these things are done but they are motivated by specific needs so I would like to know if you have any.
    Even if you needed your network to operate in a hub-and-spoke mode, there are more efficient means of achieving that: Cisco switches support so-called protected ports that are prevented from talking to each other. By configuring the switch ports to spokes as protected, you will prevent the spokes from seeing each other. You would not need, then, to configure static neighbors in EIGRP, or to waste VLANs for individual spokes. What you would need to do would be deactivating the split horizon on R1's interface, and using the ip next-hop-self eigrp command on R1 to tweak the next hop information to point to R1 so that the spokes do not attempt to route packets to each other directly but rather route them over R1.
    I do not believe I have seen any special CCO documents regarding the use of physical interfaces or subinterfaces for native VLAN or for your scenarios.
    Best regards,
    Peter

  • QoS / Native VLAN Issue - Please HELP! :)

    I've purchased 10 Cisco Aironet 2600 AP’s (AIR-SAP2602I-E-K9 standalone rather than controller based).
     I’ve configured the WAP’s (or the first WAP I’m going to configure and then pull the configuration from and push to the others) with 2 SSID’s. One providing access to our DATA VLAN (1000 – which I’ve set as native on the WAP) and one providing access to guest VLAN (1234). I’ve configured the connecting DELL switchport as a trunk and set the native VLAN to 1000 (DATA) and allowed trunk traffic for VLAN’s 1000 and 1234. Everything works fine, when connecting to the DATA SSID you get a DATA IP and when you connect to the GUEST SSID you lease a GUEST IP.
    The problem starts when I create a QoS policy on the WAP (for Lync traffic DSCP 40 / CS5) and try to attach it to my VLAN’s. It won’t let me attach the policy to VLAN 1000 as it’s the native VLAN. If I change VLAN 1000 on the WAP to NOT be the native VLAN I can attach the policies however wireless clients can no longer attach to either SSID properly as they fail to lease an IP address and instead get a 169.x.x.x address.
    I'm sure I'm missing something basic here so please forgive my ignorance.
    This is driving me insane!
    Thanks to anyone that provides assistance. Running config below and example of the error...
    User Access Verification
    Username: admin
    Password:
    LATHQWAP01#show run
    Building configuration...
    Current configuration : 3621 bytes
    ! Last configuration change at 02:37:59 UTC Mon Mar 1 1993 by admin
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname LATHQWAP01
    logging rate-limit console 9
    aaa new-model
    aaa authentication login default local
    aaa authorization exec default local
    aaa session-id common
    no ip routing
    dot11 syslog
    dot11 vlan-name Data vlan 1000
    dot11 vlan-name Guest vlan 1234
    dot11 ssid LatitudeCorp
       vlan 1000
       authentication open
       authentication key-management wpa version 2
       wpa-psk ascii
    dot11 ssid LatitudeGuest
       vlan 1234
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii
    crypto pki token default removal timeout 0
    username admin privilege 15 password!
    class-map match-all _class_Lync0
    match ip dscp cs5
    policy-map Lync
    class _class_Lync0
      set cos 6
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption vlan 1234 mode ciphers aes-ccm
    encryption vlan 1000 mode ciphers aes-ccm
    ssid LatitudeCorp
    ssid LatitudeGuest
    antenna gain 0
    stbc
    station-role root
    interface Dot11Radio0.1000
    encapsulation dot1Q 1000 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio0.1234
    encapsulation dot1Q 1234
    no ip route-cache
    bridge-group 255
    bridge-group 255 subscriber-loop-control
    bridge-group 255 spanning-disabled
    bridge-group 255 block-unknown-source
    no bridge-group 255 source-learning
    no bridge-group 255 unicast-flooding
    service-policy input Lync
    service-policy output Lync
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption vlan 1234 mode ciphers aes-ccm
    encryption vlan 1000 mode ciphers aes-ccm
    ssid LatitudeCorp
    ssid LatitudeGuest
    antenna gain 0
    no dfs band block
    stbc
    channel dfs
    station-role root
    interface Dot11Radio1.1000
    encapsulation dot1Q 1000 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio1.1234
    encapsulation dot1Q 1234
    no ip route-cache
    bridge-group 255
    bridge-group 255 subscriber-loop-control
    bridge-group 255 spanning-disabled
    bridge-group 255 block-unknown-source
    no bridge-group 255 source-learning
    no bridge-group 255 unicast-flooding
    service-policy input Lync
    service-policy output Lync
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    interface GigabitEthernet0.1000
    encapsulation dot1Q 1000 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface GigabitEthernet0.1234
    encapsulation dot1Q 1234
    no ip route-cache
    bridge-group 255
    bridge-group 255 spanning-disabled
    no bridge-group 255 source-learning
    service-policy input Lync
    service-policy output Lync
    interface BVI1
    ip address 10.10.1.190 255.255.254.0
    no ip route-cache
    ip default-gateway 10.10.1.202
    ip http server
    ip http authentication aaa
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    transport input all
    end
    LATHQWAP01#conf
    Configuring from terminal, memory, or network [terminal]? t
    Enter configuration commands, one per line.  End with CNTL/Z.
    LATHQWAP01(config)#int dot11radio1.1000
    LATHQWAP01(config-subif)#ser
    LATHQWAP01(config-subif)#service-policy in
    LATHQWAP01(config-subif)#service-policy input Lync
    set cos is not supported on native vlan interface
    LATHQWAP01(config-subif)#

    Hey Scott,
    Thank you (again) for your assistance.
    So I've done as instructed and reconfigured the WAP. I've added an additional VLAN (1200 our VOIP VLAN) and made this the native VLAN - so 1000 and 1234 are now tagged. I've configured the BVI interface with a VOIP IP address for management and can connect quite happily. I've configured the connecting Dell switchport as a trunk and to allow trunk VLANs 1000 (my DATA SSID), 1200 (native) and 1234 (my GUEST SSID). I'm now back to the issue where when a wireless client attempts to connect to either of my SSIDs (Guest or DATA) they are not getting an IP address / cannot connect.
    Any ideas guys? Forgive my ignorance - this is a learning curve and one I'm enjoying.
    LATHQWAP01#show run
    Building configuration...
    Current configuration : 4426 bytes
    ! Last configuration change at 20:33:19 UTC Mon Mar 1 1993 by Cisco
    version 15.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname LATHQWAP01
    logging rate-limit console 9
    enable secret 5
    no aaa new-model
    no ip source-route
    no ip cef
    dot11 syslog
    dot11 vlan-name DATA vlan 1000
    dot11 vlan-name GUEST vlan 1234
    dot11 vlan-name VOICE vlan 1200
    dot11 ssid LatitudeCorp
       vlan 1000
       authentication open
       authentication key-management wpa version 2
       mobility network-id 1000
       wpa-psk ascii
    dot11 ssid LatitudeGuest
       vlan 1234
       authentication open
       authentication key-management wpa version 2
       mbssid guest-mode
       mobility network-id 1234
       wpa-psk ascii
       no ids mfp client
    dot11 phone
    username CISCO password
    class-map match-all _class_Lync0
     match ip dscp cs5
    policy-map Lync
     class _class_Lync0
      set cos 6
    bridge irb
    interface Dot11Radio0
     no ip address
     encryption vlan 1000 mode ciphers aes-ccm
     encryption vlan 1234 mode ciphers aes-ccm
     ssid LatitudeCorp
     ssid LatitudeGuest
     antenna gain 0
     stbc
     mbssid
     station-role root
    interface Dot11Radio0.1000
     encapsulation dot1Q 1000
     bridge-group 255
     bridge-group 255 subscriber-loop-control
     bridge-group 255 spanning-disabled
     bridge-group 255 block-unknown-source
     no bridge-group 255 source-learning
     no bridge-group 255 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface Dot11Radio0.1200
     encapsulation dot1Q 1200 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio0.1234
     encapsulation dot1Q 1234
     bridge-group 254
     bridge-group 254 subscriber-loop-control
     bridge-group 254 spanning-disabled
     bridge-group 254 block-unknown-source
     no bridge-group 254 source-learning
     no bridge-group 254 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface Dot11Radio1
     no ip address
     encryption vlan 1000 mode ciphers aes-ccm
     encryption vlan 1234 mode ciphers aes-ccm
     ssid LatitudeCorp
     ssid LatitudeGuest
     antenna gain 0
     peakdetect
     no dfs band block
     stbc
     mbssid
     channel dfs
     station-role root
    interface Dot11Radio1.1000
     encapsulation dot1Q 1000
     bridge-group 255
     bridge-group 255 subscriber-loop-control
     bridge-group 255 spanning-disabled
     bridge-group 255 block-unknown-source
     no bridge-group 255 source-learning
     no bridge-group 255 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface Dot11Radio1.1200
     encapsulation dot1Q 1200 native
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Dot11Radio1.1234
     encapsulation dot1Q 1234
     bridge-group 254
     bridge-group 254 subscriber-loop-control
     bridge-group 254 spanning-disabled
     bridge-group 254 block-unknown-source
     no bridge-group 254 source-learning
     no bridge-group 254 unicast-flooding
     service-policy input Lync
     service-policy output Lync
    interface GigabitEthernet0
     no ip address
     duplex full
     speed auto
    interface GigabitEthernet0.1000
     encapsulation dot1Q 1000
     bridge-group 255
     bridge-group 255 spanning-disabled
     no bridge-group 255 source-learning
     service-policy input Lync
     service-policy output Lync
    interface GigabitEthernet0.1200
     encapsulation dot1Q 1200 native
     bridge-group 1
     bridge-group 1 spanning-disabled
     no bridge-group 1 source-learning
    interface GigabitEthernet0.1234
     encapsulation dot1Q 1234
     bridge-group 254
     bridge-group 254 spanning-disabled
     no bridge-group 254 source-learning
     service-policy input Lync
     service-policy output Lync
    interface BVI1
     mac-address 881d.fc46.c865
     ip address 10.10. 255.255.254.0
    ip default-gateway 10.10.
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
     login local
     transport input all
    sntp server ntp2c.mcc.ac.uk
    sntp broadcast client
    end
    LATHQWAP01#

  • Wireless AP native vlan and switch trunk

    Hi,
    I am unable to ping my AP. I think it is due to the multiple VLAN issues. Can you provide some advice? My config for the AP and switch is as below.
    AP Config
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname hostname
    logging rate-limit console 9
    enable secret 5 $1$ZxN/$eYOf/ngj7vVixlj.wjG2G0
    no aaa new-model
    ip cef
    dot11 syslog
    dot11 ssid Personal
       vlan 2
       authentication open
       authentication key-management wpa version 2
       guest-mode
       wpa-psk ascii 7 070E26451F5A17113741595D
    crypto pki token default removal timeout 0
    username Cisco password 7 1531021F0725
    bridge irb
    interface Dot11Radio0
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    stbc
    beamform ofdm
    station-role root
    no dot11 extension aironet
    interface Dot11Radio0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Dot11Radio1
    no ip address
    encryption vlan 2 mode ciphers aes-ccm tkip
    ssid Personal
    antenna gain 0
    no dfs band block
    stbc
    beamform ofdm
    channel dfs
    station-role root
    interface Dot11Radio1.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 subscriber-loop-control
    bridge-group 2 spanning-disabled
    bridge-group 2 block-unknown-source
    no bridge-group 2 source-learning
    no bridge-group 2 unicast-flooding
    interface Dot11Radio1.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    interface GigabitEthernet0.2
    encapsulation dot1Q 2
    bridge-group 2
    bridge-group 2 spanning-disabled
    no bridge-group 2 source-learning
    interface GigabitEthernet0.100
    encapsulation dot1Q 100 native
    bridge-group 1
    bridge-group 1 spanning-disabled
    no bridge-group 1 source-learning
    interface BVI1
    ip address 192.168.1.100 255.255.255.0
    ip default-gateway 192.168.1.1
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    bridge 1 route ip
    line con 0
    line vty 0 4
    password 7 01181101521F
    login
    transport input all
    end
    Switch Port config
    interface FastEthernet1/0/10
    switchport trunk native vlan 100
    switchport mode trunk

    I will re-check the routing again but could it be some bridging issues?
    interface GigabitEthernet0
    no ip address
    duplex auto
    speed auto
    **** unable to put up this command on the giga port
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    I try to put this command on the gigaethernet port but it does not allow me, could this be the bridging issue?

  • WISM Native Vlan tagged

    Hello, we have a 6513 core switch and WISM. If I ping from the access points subnet to the WISM IP address there are so many request timeouts, and the number of access points registered is going up and down.
    In the core switch we are tagging the native VLAN as you can see below
    CORE-SWITCH2#sh run | i tag
    vlan dot1q tag native
    and we don't have the command wism module 9 controller 1 native-vlan X because the native VLAN is tagged.
    Could this be the reason? That it's mandatory that the native VLAN is not tagged for the Cisco WISM configuration?
    Your reply and feedback is highly appreciated.
    Many thanks

    Cisco recommends to TAG the management interface. Cisco used to state to configure the management vlan as native. It makes it easier for QoS as well when all vlans are TAGGED.
    What is key is all your WISMs' management interfaces need to be TAGGED or UNTAGGED. You can't have a mix.
    How are yours set up?

  • Dot1q-tunnel rejection

    Hello,
    I am trying to set up a dot1q-tunnel on a Catalyst 6506 running IOS 12.2 and am running into trouble. I have followed everything in the manual and from others' examples, but I continually get the error:
    Command rejected: Gi1/1 doesn't support 802.1q tunneling.
    To get there I have done:
    Router(config)#vlan dot1q tag native
    Router(config)#interface range gig 1/1-48
    Router(config-if-range)#spanning-tree bpdufilter enable
    Router(config-if-range)#spanning-tree portfast
    Router(config-if-range)#switchport mode dot1q-tunnel
    and it says command rejected for all 48 ports.
    If anyone has any insight it would be greatly appreciated. Thank you for your time

    If you can't make a tunnel with dot1q, check the capability of the module using the following command.
    [example]
    Swith#show interfaces gigabitEthernet 0/1 capabilities
    GigabitEthernet0/1
    Model: WS-C3550-24
    Type: unknown
    Speed: 1000
    Duplex: full
    Trunk encap. type: 802.1Q,ISL <<<--- capability
    Trunk mode: on,off,desirable,nonegotiate
    Channel: yes
    Broadcast suppression: percentage(0-100)
    Flowcontrol: rx-(off,on,desired),tx-(off,on,desired)
    Fast Start: yes
    QOS scheduling: rx-(1q0t),tx-(4q2t),tx-(1p3q2t)
    CoS rewrite: yes
    ToS rewrite: yes
    UDLD: yes
    Inline power: no
    SPAN: source/destination
    PortSecure: yes
    Dot1x: yes

  • Changing the Native VLAN command?

    Can someone please refresh me as to what the command is to change the Native VLAN for the entire switch? (IE: not just on the trunk, I mean the default native for the entire switch). Thanks

    Hi
    While on this topic. I have been trying to trunk to 2960 switches and can't seem to get a proper connection. I am using Packet Tracer. The 1st switch already has a trunk port going to a router, and the router port is trunked and has sub ints for each of vlans 2 and 3, and each sub trunk has its respective native encap vlan configured. My management vlan is vlan 3. And I don't have an int vlan1, only int vlan 3. The router and the 1st switch work fine. But now I am trying to get another trunk port with the second switch. I configured both ints for trunking using native vlan 1. Now the links are in up state but both ends do not show green LEDs; one is orange. And I have only int vlan 3 as with the other switch, and an IP in the same subnet as the management IP, but cannot ping. Strange thing: VTP info can pass but there is no connection to the other switch vlans and router etc, only local connectivity. Please help, below are the configs of the router and two switches. It is switch 1 that is giving me beans to connect to the rest.
    Router0
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    hostname RouterA
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    username admin secret 5 $1$mERr$vPOtdREpWgzFVVY37SB2h/
    ip name-server 0.0.0.0
    interface Loopback0
    description management
    ip address 192.168.1.1 255.255.255.0
    interface Loopback1
    ip address 192.168.2.1 255.255.255.224
    interface FastEthernet0/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet0/0.1
    encapsulation dot1Q 1 native
    ip address 192.168.3.1 255.255.255.0
    interface FastEthernet0/0.2
    encapsulation dot1Q 2
    ip address 10.5.0.1 255.255.255.0
    interface FastEthernet0/0.3
    encapsulation dot1Q 3
    ip address 192.168.4.1 255.255.255.0
    interface FastEthernet0/1
    description management
    no ip address
    duplex auto
    speed auto
    interface Serial0/0
    ip address 172.16.1.1 255.255.255.252
    interface Serial0/1
    no ip address
    interface FastEthernet1/0
    no ip address
    duplex auto
    speed auto
    interface FastEthernet1/1
    no ip address
    duplex auto
    speed auto
    router rip
    version 2
    network 172.16.0.0
    network 192.168.1.0
    network 192.168.2.0
    no auto-summary
    ip classless
    access-list 1 permit 192.168.4.0 0.0.0.255
    access-list 1 permit host 192.168.4.2
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 08316C5D1A2E5505165A
    login
    end
    Switch 0 (connected to Router 0)
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    service password-encryption
    hostname SwitchA
    no logging console
    enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
    ip name-server 0.0.0.0
    username admin password 7 08651D0A043C3705561E0B54322E2B3C2B063137324232064274
    spanning-tree portfast default
    interface FastEthernet0/1
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    switchport access vlan 3
    interface FastEthernet0/6
    switchport access vlan 3
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    switchport access vlan 2
    interface FastEthernet0/14
    switchport access vlan 2
    interface FastEthernet0/15
    switchport access vlan 2
    interface FastEthernet0/16
    switchport access vlan 2
    interface FastEthernet0/17
    switchport access vlan 2
    interface FastEthernet0/18
    switchport mode trunk
    interface FastEthernet0/19
    switchport access vlan 2
    switchport mode access
    interface FastEthernet0/20
    switchport access vlan 2
    interface FastEthernet0/21
    switchport access vlan 2
    interface FastEthernet0/22
    switchport mode access
    interface FastEthernet0/23
    switchport access vlan 2
    interface FastEthernet0/24
    switchport mode trunk
    interface GigabitEthernet1/1
    interface GigabitEthernet1/2
    interface Vlan1
    no ip address
    interface Vlan3
    ip address 192.168.4.10 255.255.255.0
    ip default-gateway 192.168.4.1
    access-list 1 permit 192.168.4.0 0.0.0.255
    access-list 1 permit host 192.168.4.1
    line con 0
    line vty 0 4
    access-class 1 in
    password 7 08316C5D1A2E5505165A
    login
    line vty 5 15
    login
    end
    Switch 1 (connected to Switch0) (This is the second switch which I cannot get connected to rest of network properly)
    version 12.2
    no service timestamps log datetime msec
    no service timestamps debug datetime msec
    no service password-encryption
    hostname Switch
    interface FastEthernet0/1
    interface FastEthernet0/2
    interface FastEthernet0/3
    interface FastEthernet0/4
    interface FastEthernet0/5
    switchport access vlan 3
    interface FastEthernet0/6
    switchport access vlan 3
    interface FastEthernet0/7
    interface FastEthernet0/8
    interface FastEthernet0/9
    interface FastEthernet0/10
    interface FastEthernet0/11
    interface FastEthernet0/12
    interface FastEthernet0/13
    interface FastEthernet0/14
    interface FastEthernet0/15
    interface FastEthernet0/16
    interface FastEthernet0/17
    interface FastEthernet0/18
    switchport mode trunk
    interface FastEthernet0/19
    interface FastEthernet0/20
    interface FastEthernet0/21
    interface FastEthernet0/22
    interface FastEthernet0/23
    interface FastEthernet0/24
    interface GigabitEthernet1/1
    interface GigabitEthernet1/2
    interface Vlan1
    no ip address
    interface Vlan3
    ip address 192.168.4.20 255.255.255.0
    ip default-gateway 192.168.4.1
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    end

  • Management and native Vlan in different subnet??

    Can I have a management IP and native VLAN in different subnets on an AIR-1242 and 2960 switch?
    Native on Switch = 1.
    Interface vlan 100 = 10.10.1.25X /24
    BVI ip in vlan 100 = 10.10.1.25X /24
    -HM-

    Hi,
    Thanks for the update..
    Ok in short YES this can be done.. here is the AP configuration..
    Step 1>> Configure the SSID and map it with respective Vlans..
    Step 2>> Create the subinterfaces int dot11 0.5 / int fa 0.5 (encapsulation dot1q 5 , bridge-group 5) and int dot11 0.6 / int fa 0.6 (encapsulation dot1q 6 , bridge-group 6)
    Step 3>> Create the subinterface 0.100 for both Radio and Fa and under this (encapsulation dot1q 100 native , bridge-group 1)
    Step 4>> Make sure all the interfaces are up and running and try to ping the VLAN 100 interface IP address from the AP to verify.
    Let me know if this answered your question..
    Regards
    Surendra
    ====
    Please don't forget to rate the posts which answered your question and mark it as answered or helpful

  • AP point native vlan issue

    Hi Guys
    A little help is appreciated as I am very new to wireless... We got an AP that I configured, and the problem is: on the switch side I have native vlan 12, which is the management vlan, and BVI1 has an IP from vlan 12... I have vlan 112 with an SSID for it, and 103 with an SSID which is for staff... When I make radio 103 native and physical interface fa 0.1 native, then staff can access the internet and everything, but when I make vlan 12, the management one, native, it can't access anything... Shouldn't the native vlan have to be the same?... Also vlan 112 hosts cannot connect at all... The vlan 103 radius server is 10.201.9.92 and configured correctly, but staff in vlan 103 connect only when I make its radio interface native, not physical fa 0, and the strange thing is that once I make vlan 103 native it works but the IP address is assigned from vlan 12, which is native on the switch end... vlan 112 users are not getting an IP address; when I do debug dhcp detail I can see users from 112 try but they don't get an IP address... Please see my configs. Pure switching environment so I don't need an ip helper address. Many thanks

    Hi Mohammad,
    Try modifying the configuration as below.
    interface Dot11Radio0.12
    encapsulation dot1Q 12 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio0.103
    encapsulation dot1Q 103
    no ip route-cache
    bridge-group 103
    interface Dot11Radio0.112
    encapsulation dot1Q 112
    no ip route-cache
    bridge-group 112
    interface Dot11Radio0.204
    encapsulation dot1Q 204
    no ip route-cache
    bridge-group 204
    interface Dot11Radio1.12
    encapsulation dot1Q 12 native
    no ip route-cache
    bridge-group 1
    interface Dot11Radio1.103
    encapsulation dot1Q 103
    no ip route-cache
    bridge-group 103
    interface Dot11Radio1.112
    encapsulation dot1Q 112
    no ip route-cache
    bridge-group 112
    interface Dot11Radio1.204
    encapsulation dot1Q 204
    no ip route-cache
    bridge-group 204
    interface FastEthernet0.12
    encapsulation dot1Q 12 native
    bridge-group 1
    interface FastEthernet0.103
    encapsulation dot1Q 103
    bridge-group 103
    interface FastEthernet0.112
    encapsulation dot1Q 112
    bridge-group 112
    interface FastEthernet0.204
    encapsulation dot1Q 204
    bridge-group 204
    Regards
    Najaf
    Please rate when applicable or helpful !!!
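
The AP configurations in this thread and the previous one both depend on the radio and Ethernet subinterfaces agreeing on which VLAN carries `native`. The following is an added example, not part of either post: a small Python audit of a flattened IOS config for that consistency. The function names and sample config are constructed, and the rule that the native subinterface sits in bridge-group 1 is taken from the configs quoted on this page.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): radio and Ethernet disagree on the native VLAN.
SAMPLE = """\
interface Dot11Radio0.12
encapsulation dot1Q 12 native
bridge-group 1
interface Dot11Radio0.103
encapsulation dot1Q 103
bridge-group 103
interface FastEthernet0.12
encapsulation dot1Q 12
bridge-group 12
interface FastEthernet0.103
encapsulation dot1Q 103 native
bridge-group 1
"""

SUBIF = re.compile(r"^interface\s+(\S+)\.(\d+)$", re.I)
ENCAP = re.compile(r"^encapsulation\s+dot1q\s+(\d+)(\s+native)?$", re.I)
BGRP = re.compile(r"^bridge-group\s+(\d+)$", re.I)

def parse_subinterfaces(text):
    """Map each parent interface to the settings of its dot1Q subinterfaces."""
    parents, cur = defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("interface "):
            m = SUBIF.match(line)
            cur = {"vlan": None, "native": False, "bg": None} if m else None
            if m:
                parents[m.group(1)].append(cur)
        elif cur is not None:
            if (m := ENCAP.match(line)):
                cur["vlan"], cur["native"] = int(m.group(1)), bool(m.group(2))
            elif (m := BGRP.match(line)):
                cur["bg"] = int(m.group(1))
    return dict(parents)

def audit_native_vlan(text):
    """Return findings about native-VLAN consistency on one device."""
    findings, native_by_parent = [], {}
    for parent, subs in parse_subinterfaces(text).items():
        natives = [s for s in subs if s["native"]]
        if len(natives) != 1:
            findings.append(f"{parent}: {len(natives)} native subinterfaces, expected 1")
            continue
        native_by_parent[parent] = natives[0]["vlan"]
        # Assumption from the configs on this page: the native subinterface uses bridge-group 1.
        if natives[0]["bg"] != 1:
            findings.append(f"{parent}: native VLAN {natives[0]['vlan']} not in bridge-group 1")
    if len(set(native_by_parent.values())) > 1:
        findings.append(f"native VLAN differs across interfaces: {native_by_parent}")
    return findings
```

Calling `audit_native_vlan(SAMPLE)` reports the radio/Ethernet disagreement; the native VLAN found this way can then be compared by hand against `switchport trunk native vlan` on the attached switch port.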

  • Native Vlan Effect on the Overall Network Performance

    Dear Experts,
    I would like to know whether the native VLAN affects the overall network performance and can make the whole network slow and cause all network devices to fail or disconnect. I am facing this issue on the network: after applying "vlan dot1q tag native" in global config, the users disconnect from the network and also the devices.
    Kindly assist on this issue with the practical scenario and result oriented conclusion.
    Further I have following Devices in the Network Catalyst 4500, Nexus 5548, FIC 6248, UCS 5018 and Catalyst 3750.
    The issue is that VLAN 50, which is for UCS, is not accessible from the LAN network even though we added VLAN 50 on all the switches and it propagated to the whole network, so we made VLAN 50 native and added "switchport trunk native vlan 50" on the trunk ports from the Nexus 5548 to the Fabric Interconnect and to the core switch 4500. After adding VLAN 50 as the native VLAN we can access the UCS from the LAN.
    But after adding native vlan 50 on all trunks, the network administrator is complaining that the network is slow and a few servers are disconnecting.
    For information, the server VLAN is 1.
    Waiting for the answer.
    Thanks,
    JH

    Hello.
    1. Could you please draw interconnectivity diagram of all the devices?
    2. Could you choose any LAN device (on the same switch as UCS) and post here the running config of the device that interconnects them?

  • WS-C3750X-48T-L and tag native vlan

    Hi guys,
    I have recently bought a new cisco switch : WS-C3750X-48T-L
    Switch Ports Model              SW Version            SW Image                 
    *    1 54    WS-C3750X-48       12.2(55)SE5           C3750E-UNIVERSALK9-M
    with this licence :
    Index 1 Feature: ipservices     
        Period left: 8  weeks 4  days
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Priority: None
        License Count: Non-Counted
    Index 2 Feature: ipbase         
        Period left: 0  minute  0  second  
    Index 3 Feature: lanbase        
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted
    I want to tag all native vlan traffic from this switch with the command:
    vlan dot1q tag native
    I can't see this command on the command line interface. How can I reach this option?
    Do I have to pay something?
    Thanks for your answers.

    Probably is a license limitation: "Each Cisco Catalyst 3750-E/3560-E or 3750-X/3560-X system is loaded with a universal Cisco IOS® Software image. Universal Cisco IOS Software images contain all Cisco IOS Software features. The level of Cisco IOS Software functionality available is determined by the combination of one (or more) licenses installed on the device."
    More info here: http://www.cisco.com/c/en/us/products/collateral/switches/catalyst-3560-x-series-switches/white_paper_c11-579326.html
    You have a lan base license active and in use:
    Index 3 Feature: lanbase        
        Period left: Life time
        License Type: Permanent
        License State: Active, In Use
        License Priority: Medium
        License Count: Non-Counted
    You have an ip service test license but is not active:
    Index 1 Feature: ipservices     
        Period left: 8  weeks 4  days
        License Type: Evaluation
        License State: Active, Not in Use, EULA not accepted
        License Priority: None
        License Count: Non-Counted
    For more information about how to activate a licence, use this link:
    https://supportforums.cisco.com/document/69361/licensing-290035003700
    Regards.

  • Changing native VLAN on non-root bridges

    I have quite a few 1310 Bridges set up in a point-to-multipoint configuration with a root bridge with a sector antenna at the campus network and remote sites connecting in. I have multiple VLANs trunked onto one SSID; this allows for having multiple vlans in use at the remote site. The problem is I want to configure some remote site bridges with a different native vlan than the standard, allowing me to plug the client directly into the injector and eliminate the need for a vlan aware switch. I have tried to configure the "encapsulation dot1q VLAN# native" but this swaps the bridge group on the subinterface to a bridge-group 1.
    ! Last configuration change at 01:23:08 UTC Tue Sep 15 2009 by Cisco
    ! NVRAM config last updated at 01:23:09 UTC Tue Sep 15 2009 by Cisco
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    no aaa new-model
    dot11 ssid Cisco-24
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    infrastructure-ssid optional
    wpa-psk ascii test
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm tkip
    encryption vlan 1 mode ciphers aes-ccm tkip
    encryption vlan 901 mode ciphers aes-ccm tkip
    encryption vlan 902 mode ciphers aes-ccm tkip
    encryption vlan 904 mode ciphers aes-ccm tkip
    ssid Cisco-24
    speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0
    station-role non-root bridge
    interface Dot11Radio0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface Dot11Radio0.901
    encapsulation dot1Q 901
    no ip route-cache
    bridge-group 255
    bridge-group 255 spanning-disabled
    interface Dot11Radio0.902
    encapsulation dot1Q 902
    no ip route-cache
    bridge-group 254
    bridge-group 254 spanning-disabled
    interface Dot11Radio0.904
    encapsulation dot1Q 904
    no ip route-cache
    bridge-group 253
    bridge-group 253 spanning-disabled
    interface FastEthernet0
    no ip address
    no ip route-cache
    hold-queue 80 in
    interface FastEthernet0.1
    encapsulation dot1Q 1 native
    no ip route-cache
    bridge-group 1
    bridge-group 1 spanning-disabled
    interface FastEthernet0.901
    encapsulation dot1Q 901
    no ip route-cache
    bridge-group 255
    bridge-group 255 spanning-disabled
    interface FastEthernet0.902
    encapsulation dot1Q 902
    no ip route-cache
    bridge-group 254
    bridge-group 254 spanning-disabled
    interface FastEthernet0.904
    encapsulation dot1Q 904
    no ip route-cache
    bridge-group 253
    bridge-group 253 spanning-disabled
    interface BVI1
    ip address 10.0.0.100 255.255.255.0
    no ip route-cache
    ip default-gateway 10.0.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    snmp-server community misdept RO
    bridge 1 route ip
    line con 0
    line vty 0 4
    login local
    end

    Correct. As soon as you change it to 100, you will lose access to the devices since vlan 1 is used for management. To shorten the down time, you can create vlan 100 and all the SVIs on all switches ahead of time and then change it from 1 to 100 in a maintenance window.
    HTH
