Score:0

802.1q multicast blocked by Cisco router

cn flag

We are using a Cisco Catalyst 1000 switch (C100-16P-2G-L to be precise) and are having trouble passing tagged multicast from one of its ports to another. We would like to pass it as it is (tagged); I assume it should be possible, but how do we configure it (we need to pass multicast traffic with VLAN id=257)? The default configuration definitely doesn't work.

Some additional details related to default configuration:

  • tagged (id=257) multicast is not passing through!
  • untagged multicast is passing through
  • tagged unicast is passing through

This type of switch has vlan=1 as default, so if I send multicast traffic tagged with vlan id=1, it goes out de-tagged - this is not what I need.

Also, I found that:

Switch#show topology
Topology                  Address Family   Associated VRF   State
base                      ipv4             default          UP
base                      ipv6             default          DOWN
base                      ipv4 multicast   default          DOWN
base                      ipv6 multicast   default          DOWN

Could it be related, and how do I change the topology?

These packets are sent from the host:

$ sudo mz v_eno1 -v -c 0 -d 1s -B 239.0.0.5 -t udp "dp=32000" -P "AAAA"
    
 IP:  ver=4, len=32, tos=0, id=0, frag=0, ttl=255, proto=17, sum=0, SA=198.19.4.250, DA=239.0.0.5,
      payload=[see next layer]
 UDP: sp=0, dp=32000, len=12, sum=0, 
      payload=41:41:41:41
        ....

Captured on host:

$ tcpdump -nn "udp port 32000 or (vlan and udp port 32000)" -e -i eno1 -Xvvv
16:20:02.364860 f6:e0:32:f0:7b:74 > 01:00:5e:00:00:05, ethertype 802.1Q (0x8100), length 50: vlan 257, p 0, ethertype IPv4, (tos 0x0, ttl 255, id 26302, offset 0, flags [none], proto UDP (17), length 32)
    198.19.4.250.0 > 239.0.0.5.32000: [udp sum ok] UDP, length 4
    0x0000:  4500 0020 66be 0000 ff11 9afb c613 04fa  E...f...........
    0x0010:  ef00 0005 0000 7d00 000c 4640 4141 4141  ......}...F@AAAA

UPDATE 1

Trying to set up a trunk on the incoming/outgoing ports, but:

Switch#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)#interface GigabitEthernet1/0/2
Switch(config-if)#switchport mode trunk
Switch(config-if)#vlan dot1q tag native
                   ^
% Invalid input detected at '^' marker.

Switch(config-if)#switchport trunk ?
  allowed  Set allowed VLAN characteristics when interface is in trunking mode
  native   Set trunking native characteristics when interface is in trunking
           mode
  pruning  Set pruning VLAN characteristics when interface is in trunking mode

Should I select trunk mode?

UPDATE 2

Current setting for one of the ports:

Switch#show interfaces GigabitEthernet1/0/4 switchport
Name: Gi1/0/4
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: dot1q
Negotiation of Trunking: On
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: disabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none

UPDATE 3

After trying to set up a trunk on 2 ports:

interface GigabitEthernet1/0/2
 switchport trunk allowed vlan 257
 switchport trunk native vlan 257
 switchport mode trunk

interface GigabitEthernet1/0/4
 switchport trunk allowed vlan 257
 switchport trunk native vlan 257
 switchport mode trunk

Still not passing through...

Ron Maupin
us flag
Which multicast group? Remember that the IEEE has set aside an OUI (`01-80-C2`) for link-only multicast that cannot be forwarded to a different interface. Also, both IPv4 (`224.0.0.0/24`) and IPv6 (`ffX2::/8`) have link-local multicast scopes that cannot be routed to a different network. VLAN 1 is the default native (untagged) VLAN. You can tag the "native" VLAN with a command to do that.
cn flag
@RonMaupin please check the updates. I am sending IPv4 traffic, and the MAC address 01:00:5e should be from the valid multicast range; however, I tested different ones with the same result.
Ron Maupin
us flag
Also, `224.224.224.245` is a group that is RESERVED. You cannot just make up such an address. You should use multicast groups in the `239.0.0.0/8` Organization-Local scope. "_This type of switch has vlan=1 as default, so if I send multicast traffic tagged with vlan id=1, it goes out de-tagged - this is not what I need._" Remember that tags are only valid on trunks, and anything leaving an access interface will not be tagged. You can use `vlan dot1q tag native` on a trunk interface to tag the native VLAN (the default native VLAN 1), but you cannot tag on access interfaces.
cn flag
@RonMaupin OK, I tried a different one, and I updated the question with the (correct?) one, 239.0.0.5. Regarding "vlan dot1q tag native": I don't have the command "vlan" on the switch console.
Ron Maupin
us flag
That is an interface command for interfaces you have configured as a trunk interface (`switchport mode trunk`). You cannot configure it globally.
cn flag
@RonMaupin I am not sure I am following; I am quite new to Cisco and VLAN configuration. Could you post a normal answer? (I updated the question as I understood it, but I can't find dot1q native.)
Ron Maupin
us flag
OK, for that switch, the documentation says, "_Native VLAN tagging is not supported, and the vlan dot1q tag native command is not available._" You could change the native VLAN to a different VLAN number and VLAN 1 would then be tagged on trunk interfaces, but understand that most end-devices do not understand VLAN tags. Trunk interfaces are generally switch-to-switch interfaces. Things like PCs or printers will normally drop tagged frames as damaged.
Score:1
us flag

That particular switch model does not allow tagging of the native VLAN, per the Cisco documentation:

General Restrictions

  • Native VLAN tagging is not supported, and the vlan dot1q tag native command is not available.

If you want VLAN 1 (the default native VLAN) to be tagged on trunk interfaces, you need to change the native VLAN to a different VLAN number with something like:

switchport trunk native vlan 12

Understand that most end-devices (PCs, printers, servers, etc.) do not normally understand tagged frames and drop them as damaged, so you must make sure the device connected to the trunk interface supports and is configured to understand tagged frames (trunk).


Also, a layer-2 security best practice is to never use VLAN 1 or trunk the native VLAN. Assign the access interfaces to a different VLAN number, and restrict the native VLAN on trunk interfaces with the switchport trunk allowed command.

The default VLAN and the native VLAN are two different concepts, although they are both VLAN 1 by default.

cn flag
Thank you! I am fully aware of the use case; the switch is just in the middle of the traffic path, and the end device "understands" tagged traffic (well, one of our competing solutions is to bypass the router altogether, but by default we have this router). Question: can I have several native VLANs? We need to pass through, say, VLANs with IDs 255-258?
cn flag
I updated with the ports' configuration; maybe I got it wrong? Not sure I understood your "assign the access interfaces to a different VLAN number ...".
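An added audit check (not from the question, the answer, or Cisco) that parses `show interfaces ... switchport` output and reports why a VLAN that must stay tagged would not leave a port tagged: it covers the answer's two points (a VLAN that equals the untaggable native VLAN egresses untagged, and native VLAN 1 should be moved) plus the allowed-list case. `BROKEN` is a constructed sample modelled on UPDATE 3, and the wording of the findings is my own.

```python
import re
# Constructed sample, modelled on the question's UPDATE 3 (the native VLAN set to
# the very VLAN that is supposed to stay tagged), trimmed to the relevant lines.
BROKEN = """\
Name: Gi1/0/2
Operational Mode: trunk
Trunking Native Mode VLAN: 257
Administrative Native VLAN tagging: disabled
Trunking VLANs Enabled: 257
"""

def parse_vlan_list(spec):
    """Expand '255-258,300' into a set of ints; 'ALL' returns None (every VLAN)."""
    spec = spec.strip().upper()
    if spec == "ALL":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_switchport(text):
    # 'Key: value' lines of 'show interfaces X switchport' into a dict
    fields = {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if sep:
            fields[key.strip()] = val.strip()
    return fields

def audit_trunk(text, must_stay_tagged):
    """Explain why each VLAN in must_stay_tagged would not leave this port tagged."""
    f = parse_switchport(text)
    if f.get("Operational Mode") != "trunk":
        return ["port is not trunking: every frame egresses untagged"]
    # '1 (default)' is how the switch prints the default native VLAN
    native = int(re.match(r"\d+", f["Trunking Native Mode VLAN"]).group())
    native_tagged = f.get("Administrative Native VLAN tagging") == "enabled"
    allowed = parse_vlan_list(f.get("Trunking VLANs Enabled", "ALL"))
    findings = []
    if native == 1:
        findings.append("native VLAN is 1: move it to an unused VLAN")
    for vid in must_stay_tagged:
        if allowed is not None and vid not in allowed:
            findings.append(f"VLAN {vid} is not in the allowed list: dropped")
        elif vid == native and not native_tagged:
            findings.append(f"VLAN {vid} is the native VLAN: frames egress untagged")
    return findings
```

A Catalyst trunk also only forwards VLANs that exist in the switch's VLAN database (`show vlan brief`), which this parse does not check.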