From: James Matrisciano (jmatrisciano@kenttech.com)
Date: Tue Aug 09 2005 - 08:31:11 GMT-3
Was working on this just yesterday as well. Netmasters DoIT lab 4 has a
good write-up on this one. Simply explained, when the mode dot1q-tunnel
command is implemented on the Cat switch, it is trunking at that point.
Any VLAN information that comes in will be encapsulated twice, first for
the VLAN, secondly for the tunnel. To not have a VLAN encapsulated
twice, you would use the native command on the router subinterface.
Cat commands
interface FastEthernet0/1
 switchport access vlan 30
 switchport mode dot1q-tunnel
 spanning-tree bpduguard enable
Router
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
(if VLAN 30 is being used; this is not required if it is not)
interface FastEthernet0/0.30
 encapsulation dot1Q 30 native
 ip address 30.30.30.1 255.255.255.0
The 10 VLAN is encapsulated into the 30 VLAN. The only other VLAN 10s
that will be able to talk to this one have to have the tunnel command on
the associated Cat interface (or be routed). If you have just access
VLAN 10, it will never know it is there without being routed.
Basically, the way I think of it is, it's a VLAN (whatever number you
want) that resides within another VLAN; in this instance it is VLAN 10
residing inside VLAN 30. So, for the tunneled VLAN 10 to talk to other
VLAN 10 residents, it must have the tunnel command to be unencapsulated
(sort of like multiplexing on an interface) and come out through
VLAN 30 (access vlan 30 command).
Now, I may be wrong in my last line of thinking, and please, someone
correct me if I am.
Also, remember, when meshing this into routing protocols, that an
additional 4 bytes are added to the encapsulated VLAN (VLAN 10),
so this is going to cause havoc on the MTU size. Make sure to use the
MTU size command on the VLAN interface so it will be able to talk to
other networks that have not been tunneled.
show dot1q-tunnel
F0/1
This show command will show which interfaces are tunneling. You can
verify by placing the mode dot1q-tun command on an interface; if it is
not actually tunneling anything, it will not show up in the show
command.
jm
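The double encapsulation and the 4-bytes-per-tag growth described above can be seen directly on the wire. The following is an added example, not code from the post or from any Cisco documentation: it builds 802.1Q frames with Python's standard library and models what a port configured with "switchport mode dot1q-tunnel" and "switchport access vlan 30" does, namely push one outer tag (VLAN 30) in front of whatever the customer frame already carries. A frame the router sends on the VLAN 10 subinterface arrives with one tag and leaves with two; a frame from the "native" subinterface arrives untagged and leaves with only the outer tag, which is the effect the post attributes to the native keyword. MAC addresses, the 1500-byte IP payload and the function names are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100        # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800
MAX_UNTAGGED_FRAME = 1514  # 14-byte header + 1500-byte payload, FCS excluded


def build_frame(dst, src, ethertype, payload, vids=()):
    """Build an Ethernet frame; vids are 802.1Q VLAN IDs, outermost first."""
    hdr = bytes(dst) + bytes(src)
    for vid in vids:
        # TCI: PCP=0, DEI=0, 12-bit VID
        hdr += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + bytes(payload)


def parse_frame(frame):
    """Return (dst, src, [vids outermost first], ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    off, vids = 12, []
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid != TPID_8021Q:
            return dst, src, vids, tpid, frame[off + 2:]
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def tunnel_ingress(frame, access_vlan):
    """Model of a dot1q-tunnel port receiving a customer frame: one outer tag
    carrying the port's access VLAN is pushed in front of whatever tags
    (zero or more) the customer frame already has."""
    dst, src, vids, et, payload = parse_frame(frame)
    return build_frame(dst, src, et, payload, [access_vlan] + vids)


def tunnel_egress(frame, access_vlan):
    """Reverse direction: pop the outer tag when the frame leaves through the
    tunnel port. Returns None when the outer VLAN is not this port's access
    VLAN, i.e. the frame belongs to a different customer and is not delivered."""
    dst, src, vids, et, payload = parse_frame(frame)
    if not vids or vids[0] != access_vlan:
        return None
    return build_frame(dst, src, et, payload, vids[1:])


def tunnel_overhead(frame, access_vlan):
    """Bytes by which the tunneled frame exceeds the untagged 1514-byte maximum,
    which is the amount the system MTU has to grow to carry it."""
    return len(tunnel_ingress(frame, access_vlan)) - MAX_UNTAGGED_FRAME


if __name__ == "__main__":
    # Constructed sample: two router MACs and a 1500-byte placeholder IP packet.
    r1 = bytes.fromhex("0000aa000001")
    r2 = bytes.fromhex("0000bb000002")
    ip_packet = b"\x45" + b"\x00" * 1499
    vlan10 = build_frame(r2, r1, ETHERTYPE_IPV4, ip_packet, [10])  # sent on Fa0/0.10
    native = build_frame(r2, r1, ETHERTYPE_IPV4, ip_packet)        # sent on Fa0/0.30 native
    for name, f in (("vlan 10 subif", vlan10), ("native vlan 30 subif", native)):
        out = tunnel_ingress(f, 30)
        print(f"{name}: {len(f)} -> {len(out)} bytes, tags {parse_frame(out)[2]}")
```

Running it prints the tagged frame growing from 1518 to 1522 bytes with tags [30, 10] and the native frame from 1514 to 1518 bytes with tags [30]; tunnel_egress with access VLAN 30 restores the original customer frame byte for byte, and returns None for an outer VLAN that does not match.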
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
gladston@br.ibm.com
Sent: Monday, August 08, 2005 7:47 PM
To: ccielab@groupstudy.com
Subject: 802.1Q Tunnel
Hi,
Trying to test 802.1Q and L2 protocol tunneling using the example in the
book Practical Studies: Security by Dmitry Bokotey (Case Study 25-3),
but no success.
The book shows that the interface status on the CAT should be trunking, but when
I configure 'switchport mode dot1q-tunnel' it does not trunk.
Any help appreciated.
CDP goes through the tunnel between CAT1 and CAT2:
Rack2R5#sh cdp ne
Rack2R6          Fas 0/0.156       174        R           2621      Fas 0/1.105
But there is no IP connectivity:
Rack2R5#pi 148.5.205.6
.....
Monitor commands:
Rack2CAT1#sh int fa 0/4 trunk
Port      Mode         Encapsulation  Status        Native vlan
Fa0/4     off          802.1q         not-trunking  1
Rack2CAT1#sh l2protocol-tunnel
Port    Protocol Shutdown  Drop      Encapsulation Decapsulation Drop
                 Threshold Threshold Counter       Counter       Counter
------- -------- --------- --------- ------------- ------------- -------------
Fa0/4   cdp      ----      ----      138           272           0
        stp      ----      ----      0             0             0
        vtp      ----      ----      0             0             0
Config:
CAT1 and CAT2
interface FastEthernet0/4
switchport access vlan 20
switchport trunk encapsulation dot1q
switchport mode dot1q-tunnel
l2protocol-tunnel cdp
l2protocol-tunnel stp
l2protocol-tunnel vtp
R5
interface FastEthernet0/0.156
encapsulation dot1Q 156
ip address 148.5.205.5 255.255.255.0
R6
interface FastEthernet0/0.156
encapsulation dot1Q 156
ip address 148.5.205.6 255.255.255.0
More monitor commands:
Rack2CAT1#sh int fa 0/4 sw
Name: Fa0/4
Switchport: Enabled
Administrative Mode: tunnel
Operational Mode: tunnel
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 20 (VLAN20)
Trunking Native Mode VLAN: 1 (default)
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk private VLANs: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:01:18 GMT-3