From my understanding, a Cisco Catalyst switch port in access mode only allows untagged frames to be received and processed. Tagged frames received on an access mode port should be discarded.
But I have found the following phrase in the BCMSN course Student Guide:
"If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame."
In this case, is the term access related to non-Cisco equipment? Or are there some Cisco Catalyst HW/SW combinations in which an access mode port also accepts tagged frames?
With Best Regards
802.1Q tagged frames with a vlan-id = access VLAN of the port are accepted on Cisco Catalysts.
For sure this was the case in 2004-2005, when I did L2 security tests and read about the following:
This is the basis for one of the L2 security attacks, which is called VLAN hopping:
if you send a frame with two 802.1Q tags and:
a) the external tag vlan-id = port access VLAN
b) the same VLAN is used as native VLAN in an inter-switch trunk
the attacker can send a frame from VLAN X to VLAN Y, bypassing L3 security and routing devices.
The recommendation is to use as native VLAN a dedicated VLAN for all trunks that is never used on access ports.
Hope to help
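The recommendation in the answer above (a dedicated native VLAN on all trunks that is never used on access ports) can be checked against a switch configuration. The Python audit below is an added example, not part of the original thread: the sample configuration is constructed, the function names are hypothetical, and it assumes that only ports with an explicit "switchport mode" line are evaluated.

```python
import re

# Constructed sample IOS-style configuration (not from a real device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet0/2
 switchport mode access
interface GigabitEthernet0/23
 switchport mode trunk
 switchport trunk native vlan 10
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
interface GigabitEthernet0/25
 switchport mode trunk
"""

DEFAULT_VLAN = 1  # IOS default access VLAN and default trunk native VLAN
PATTERNS = {"mode": r"switchport mode (access|trunk)",
            "access_vlan": r"switchport access vlan (\d+)",
            "native_vlan": r"switchport trunk native vlan (\d+)"}

def parse_interfaces(config):
    """Return {interface: {"mode", "access_vlan", "native_vlan"}} with defaults applied."""
    ports, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ports.setdefault(m.group(1), {
                "mode": None, "access_vlan": DEFAULT_VLAN, "native_vlan": DEFAULT_VLAN})
        elif not line.startswith(" "):
            current = None  # any other unindented line ends the interface block
        elif current is not None:
            for key, pat in PATTERNS.items():
                if m := re.fullmatch(pat, line.strip()):
                    current[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return ports

def audit_native_vlans(config):
    """List (trunk, native_vlan, access_ports) where a trunk's native VLAN is an access VLAN."""
    ports, access = parse_interfaces(config), {}
    for name, p in ports.items():
        if p["mode"] == "access":  # ports without an explicit mode are skipped (assumption)
            access.setdefault(p["access_vlan"], []).append(name)
    return [(name, p["native_vlan"], access[p["native_vlan"]])
            for name, p in ports.items()
            if p["mode"] == "trunk" and p["native_vlan"] in access]
```

On the sample, Gi0/23 is flagged for the explicit overlap on VLAN 10, and Gi0/25 is flagged because both it and the access port Gi0/2 fall back to the default VLAN 1.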