VLAN Hopping

Unanswered Question
Apr 19th, 2008

Hi all,

I have been trying to implement a scenario in which VLAN hopping is performed.

From a packet generator I created a packet with the added 802.1Q tags. The inner tag was the native VLAN, and the outer was the destination VLAN.

The problem is that the switch seems not to be interpreting the double (or single) tagged frame received on an access link. I had tried to send a single tagged frame also but that did not work either.

I use Ethereal to capture the frames sent out on the access port and the tag appears properly on the frame.

Any help appreciated.

Regards

onurcoskun Sat, 04/19/2008 - 06:45

Also, is there a means to enable 802.1Q double tagging on an access link?

cisconoobie Sun, 04/20/2008 - 19:15

If the port is set up with switchport mode access it will not allow VLAN tagging.

Don't hardcode the port with anything, leave it default or use dynamic desirable.

Use your PC and fake a trunk and inject the frames.

onurcoskun Mon, 04/21/2008 - 01:00

I think the IOS on the 3750 does not allow double tagged frames on an access port.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_se/configuration/guide/swint.html#wp1107751

Below is what the link says about tagged frames on access ports:

If an access port receives a tagged packet (Inter-Switch Link [ISL] or 802.1Q tagged), the packet is dropped, and the source address is not learned.
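As an added example (not written by any poster in this thread): a small Python parser that reads the 802.1Q tag stack from a captured frame, which is the check the original poster did by eye in Ethereal, and then applies the access-port rule quoted above from the 3750 guide. The sample frames, VLAN IDs 10 and 20, MAC addresses and function names are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def vlan_tags(frame: bytes) -> list:
    """Return the VLAN IDs of stacked 802.1Q tags, outermost first."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, offset = [], 12  # skip destination and source MAC
    while True:
        if offset + 2 > len(frame):
            raise ValueError("frame ends before the final EtherType")
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype != TPID_8021Q:
            return tags
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VLAN ID
        offset += 4


def classify(frame: bytes, port_mode: str) -> str:
    """Label a frame seen on ingress; port_mode is 'access' or 'trunk'."""
    tags = vlan_tags(frame)
    if not tags:
        return "untagged"
    if port_mode == "access":
        # Behaviour quoted from the 3750 guide: tagged frame on an
        # access port is dropped and the source address is not learned.
        return "dropped-on-access-port"
    return "double-tagged" if len(tags) >= 2 else "single-tagged"


def build_frame(vids: list) -> bytes:
    """Constructed sample frame: broadcast dst, local src, IPv4 payload."""
    header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v) for v in vids)
    return header + tags + struct.pack("!H", 0x0800) + b"\x00" * 46


UNTAGGED = build_frame([])
SINGLE = build_frame([20])
DOUBLE = build_frame([10, 20])  # constructed VLAN IDs, outer tag first

if __name__ == "__main__":
    for name, f in (("untagged", UNTAGGED), ("single", SINGLE), ("double", DOUBLE)):
        print(name, vlan_tags(f), classify(f, "access"), classify(f, "trunk"))
```

Running the same check on frames captured at the switch's ingress port shows whether the tags were present when the frame arrived.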
