VRF traffic tagged with VLAN

Hi Experts,

I have a config on a switch which looks like this:

interface Port-channel1.12
 encapsulation dot1Q 12
 ip vrf forwarding AB_eth12
 ip address

I am unable to understand how VRF comes into the picture with VLAN here. In what case would someone have such a config?
Does that mean that traffic which is part of VRF ‘AB_eth12’ and going from interface 1.12 is tagged with VLAN 12?

I believe any interface within that VRF tagged with 12 can communicate with it.

Thanks. A follow-up question: can a VLAN carry VRF routing? I think yes, but how? What can be a use case?

Hello Abhishek

First of all, @ashokmax2002 is correct. Essentially, this command associates the AB_eth12 VRF with the Port-channel1.12 interface, which is an L3 interface.

Not sure what you mean here exactly. Do you mean if a VLAN interface can function as a VRF forwarding interface? If so, then yes. Do you mean if a VLAN can transport VRF information? Again, yes. Any VRF forwarding association occurs at an L3 interface. Routing according to that VRF directs traffic over any VLAN necessary.

I hope this has been helpful!


Hi Laz,

The current setup is like this. We need to bring the EIGRP neighborship up between both L3 switches, but there are some switches in between… which are just functioning as L2.


**config on L3sw1**

interface tengig4.511
 encapsulation dot1Q 511
 ip vrf forwarding abc-dev
 ip address
 ip authentication mode eigrp 999 md5
 ip authentication key-chain eigrp 999 EIGRP

**config on L2sw1**

interface Port-channelZ
 switchport trunk allowed vlan 511
 switchport mode trunk

Can I read this setup and config as below?

A packet that comes to interface tengig4.511 will get tagged with VLAN 511, and when it reaches the other side, VLAN 511 is allowed, so it will be able to travel through the L2 switches.

Hello Abhishek

Yes, that would work as long as the 511 VLAN is clear right across to the L3sw2 device.

I hope this has been helpful!


I want to mention the reason why anyone would use dot1q encapsulation for VRF.

For example, you have a core router which connects to a Metro Ethernet service using a 10 gig interface.

The metro ISP will form layer 2 connectivity between your core PE router and tons of customers.
Now, each customer shouldn’t be able to communicate with another one through the same L2 service, so each customer has its own VLAN as the service access point (SAP) to the L2 metro ISP.

Usually the customers will be connected via E-PIPE, AKA VPWS, or VPLS, depending on your network redundancy, so the metro ISP would look invisible to your PE router and your customer (L2 VPN).

So you will assign different VLANs on that 10 gig port for each customer, and some of them might want to have some L3 separation using VRF with some far office on the other side of the world, while they are also separated in the L2 metro, which you as an ISP shouldn’t care about because it is a different service to accomplish the same achievement.

In that case you should have a VRF instance toward the 10 gig interface that encapsulates only the VLAN data of that particular customer, while other customers wouldn’t have to bother you with VRF, and so you will configure them with just the regular dot1q encapsulation.
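
As an added example (not part of the thread or any poster's own config), this Python sketch audits the two points discussed above: which VRF each dot1Q subinterface is placed in, and whether an intermediate L2 trunk with a restricted allowed list actually carries that tag. The sample configs are constructed from the snippets in the thread; `tengig4.600` and VLAN 600 are made up for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample configs modelled on the thread; tengig4.600 / VLAN 600 are made up.
L3_CONFIG = """\
interface tengig4.511
 encapsulation dot1Q 511
 ip vrf forwarding abc-dev
interface tengig4.600
 encapsulation dot1Q 600
"""
L2_CONFIG = "interface Port-channelZ\n switchport trunk allowed vlan 511\n switchport mode trunk\n"

def interface_blocks(config):
    """Return {interface name: [stripped sub-commands]} for each stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
    return blocks

def subinterface_map(config):
    """Map each dot1Q subinterface to (vlan, vrf); vrf None means global table."""
    result = {}
    for name, body in interface_blocks(config).items():
        vlan = re.search(r"^encapsulation dot1Q (\d+)", "\n".join(body), re.M)
        vrf = re.search(r"^ip vrf forwarding (\S+)", "\n".join(body), re.M)
        if vlan:
            result[name] = (int(vlan.group(1)), vrf.group(1) if vrf else None)
    return result

def trunk_allowed_vlans(config):
    """Expand 'switchport trunk allowed vlan' lists such as '10,20-22'."""
    allowed = {}
    for name, body in interface_blocks(config).items():
        for cmd in body:
            m = re.match(r"switchport trunk allowed vlan (?:add )?([\d,-]+)$", cmd)
            for part in (m.group(1).split(",") if m else []):
                lo, _, hi = part.partition("-")
                allowed.setdefault(name, set()).update(range(int(lo), int(hi or lo) + 1))
    return allowed

def blocked_vlans(l3_config, l2_config):
    """(subinterface, vlan, trunk) where a restricted trunk does not carry the tag."""
    trunks = trunk_allowed_vlans(l2_config)
    return [(sub, vlan, trunk)
            for sub, (vlan, _) in subinterface_map(l3_config).items()
            for trunk, vlans in trunks.items() if vlan not in vlans]
```

A subinterface that maps to `None` sits in the global routing table rather than a VRF, and any triple returned by `blocked_vlans` is a tag that would be dropped at that trunk, so a routing adjacency across it would not form.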