802.1Q-Tagged Frames Through Unmanaged Switch – Forwarded or Dropped?

As a follow-up to the post yesterday on native VLANs, there was a question on what would happen to 802.1Q-tagged frames traversing an unmanaged switch. Unmanaged in this case being a switch that does not support VLANs. While this might be more of a theoretical question today, it’s still interesting to dive into it to better understand how a 802.1Q-tagged frame is different from an untagged frame.

Before we can answer the question on what a VLAN-unaware switch should do, let’s refresh our memory on the Ethernet header. The Ethernet frame consists of Destination MAC, Source MAC, Ethertype, and FCS. 802.1Q adds an additional four bytes consisting of Tag Protocol Identifier (TPID) and Tag Control Information (TCI). This is shown below:

Note how the TPID in the tagged frame is in the place of EtherType for untagged frames. It’s also a 2-byte field and the TPID is set to 0x8100 for tagged frames. The EtherType field is still there and would be for example 0x0800 for IPv4 payload.

To demonstrate what this looks like on the wire, I’ve setup two routers with the following configuration:

hostname R1
!
vrf definition ETHERNET
 !
 address-family ipv4
 exit-address-family
!
interface GigabitEthernet1.100
 encapsulation dot1Q 100 native
 ip address 10.0.0.1 255.255.255.252
!
interface GigabitEthernet1.200
 encapsulation dot1Q 200
 vrf forwarding ETHERNET
 ip address 10.0.0.1 255.255.255.252

The other side is identical, except for the IP of 10.0.0.2. I added a VRF to be able to use the same IP addresses on both interfaces. Note that one subinterface uses untagged frames and the other tagged frames. I then initiated a ping from 10.0.0.2 to 10.0.0.1. For VLAN 100, the untagged frame is shown below:

Frame 11: 114 bytes on wire (912 bits), 114 bytes captured (912 bits)
Ethernet II, Src: 52:54:00:0e:3a:34, Dst: 52:54:00:0a:78:a2
    Destination: 52:54:00:0a:78:a2
    Source: 52:54:00:0e:3a:34
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.2, Dst: 10.0.0.1
Internet Control Message Protocol

Now let’s compare this to the tagged frame:

Frame 21: 118 bytes on wire (944 bits), 118 bytes captured (944 bits)
Ethernet II, Src: 52:54:00:0e:3a:34, Dst: 52:54:00:0a:78:a2
    Destination: 52:54:00:0a:78:a2
    Source: 52:54:00:0e:3a:34
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1100 1000 = ID: 200
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.2, Dst: 10.0.0.1
Internet Control Message Protocol

It’s a little confusing how Wireshark is displaying this, but the TPID is set to 0x8100 and the EtherType is set to 0x0800. If we look at an ARP frame we’ll see that the EtherType is set to 0x0806:

Frame 2: 64 bytes on wire (512 bits), 64 bytes captured (512 bits)
Ethernet II, Src: 52:54:00:0a:78:a2, Dst: ff:ff:ff:ff:ff:ff
    Destination: ff:ff:ff:ff:ff:ff
    Source: 52:54:00:0a:78:a2
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 200
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1100 1000 = ID: 200
    Type: ARP (0x0806)
    Padding: 0000000000000000000000000000
    Trailer: 00000000
Address Resolution Protocol (reply/gratuitous ARP)

Now we understand that from a switch perspective, operating at L2, the only thing that is different with a tagged frame vs untagged frame is the value of 0x8100 vs for example 0x0800 and that the frame will be four bytes larger.

What should then an unmanaged switch (device that doesn’t do 802.1Q) do with a 802.1Q-tagged frame? It should forward it! Without modifying the frame! Even for a device that doesn’t understand 802.1Q, this is a perfectly valid frame. The frame just has an value in the EtherType field (TPID but the switch wouldn’t know this) that it doesn’t recognize. That does not warrant dropping the frame, or even worse, modifying it.

Let’s take another example. What if you implemented IPv6 and had an EtherType of 0x86DD. Should a switch drop frames with this EtherType just because it doesn’t support IPv6? That would be absurd! A switch should not concern itself with the payload of the frame. It should just bridge the frame based on the MAC address table.

Now we understand that the reasonable thing to do for a VLAN-unaware switch is to forward the frame. The only acceptable exception is dropping a full-sized frame that is now 1522 bytes instead of 1518 bytes as the frame would exceed the MTU of the interface.

Note that things could still break if you have a VLAN-unaware switch. For example, what if you have the same MAC address in two different VLANs? The VLAN-unaware switch can’t handle this properly as it’s not VLAN-aware.

While we understand that the reasonable thing to do is to forward the frame, this is not always how things go in real life. Some VLAN-unaware switches will forward the frame intact, some will drop the frame, or some may even remove the 802.1Q header! All bets are off!

In this post we learned how 802.1Q was able to introduce VLAN tagging “transparently” by having the TPID field be the same format as EtherType. Switches should bridge frames based on destination MAC address and not be concerned with what the payload is. VLAN-unaware switches should in theory be transparent to 802.1Q-tagged frames, but not all devices operate like this.