Does port access mode allow tagged frames?

Answered Question
Nov 8th, 2008

Hello,


From my understanding, a Cisco Catalyst switch port in access mode only allows untagged frames to be received and processed. Tagged frames received on an access-mode port should be discarded.


But I have found the following phrase in the BCMSN course Student Guide:


If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame.


Is the term "access" in this case related to non-Cisco equipment? Or are there some Cisco Catalyst HW/SW combinations in which an access-mode port also accepts tagged frames?


With Best Regards


Tomas




Correct Answer by Giuseppe Larosa, Sat, 11/08/2008 - 11:26

Hello Tomas,

802.1Q tagged frames with a VLAN ID equal to the access VLAN of the port are accepted on Cisco Catalysts.

For sure it was in 2004-2005 when I did L2 security tests and read about the following:


This is the basis for one of the L2 security attacks, the one called VLAN hopping:

if you send a frame with two 802.1Q tags and:

a) the external tag VLAN ID = port access VLAN

b) the same VLAN is used as native VLAN on an inter-switch trunk

the attacker can send a frame from VLAN X to VLAN Y, bypassing L3 security and routing devices.

The recommendation is to use as native VLAN a dedicated VLAN for all trunks that is never used on access ports.


Hope to help

Giuseppe
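
The double-tagging attack and the mitigation described in the answer above, as an added example that is not part of the original thread. It is a small Python model of the two ports involved: an access port that accepts a tagged frame only when the outer VLAN ID equals its access VLAN (the behaviour the answer states), and an 802.1Q trunk that sends native-VLAN frames untagged. The model is deliberately simplified (no MAC learning, no priority bits, no 802.1Q tunnelling); MAC addresses, VLAN numbers and payload are constructed for the illustration.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Constructed sample addresses (not real hosts)
BROADCAST = b"\xff" * 6
ATTACKER_MAC = b"\x00\x11\x22\x33\x44\x55"


def build_frame(dst, src, vlan_tags, ethertype=ETHERTYPE_IPV4, payload=b""):
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    hdr = dst + src
    for vid in vlan_tags:
        tci = vid & 0x0FFF                       # PCP=0, DEI=0, 12-bit VID
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tags(frame):
    """Return (VLAN IDs outermost first, inner ethertype, payload)."""
    tags, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID_8021Q:
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append(tci & 0x0FFF)
        off += 4
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return tags, ethertype, frame[off + 2:]


def access_port_ingress(frame, access_vlan):
    """Access port model: untagged frames belong to the access VLAN; a frame
    whose outermost tag equals the access VLAN is accepted with that tag
    removed (as the answer describes); any other tagged frame is dropped.
    Returns (vlan, frame as carried inside the switch) or None if dropped."""
    tags, _, _ = parse_tags(frame)
    if not tags:
        return access_vlan, frame
    if tags[0] == access_vlan:
        return access_vlan, frame[:12] + frame[16:]   # strip outer 4-byte tag
    return None


def trunk_port_egress(vlan, frame, native_vlan):
    """Trunk egress: native-VLAN frames leave untagged, others get one tag."""
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_port_ingress(frame, native_vlan):
    """Receiving switch classifies by the outermost tag, or native if untagged."""
    tags, _, _ = parse_tags(frame)
    return tags[0] if tags else native_vlan


def simulate_hop(attacker_vlan, target_vlan, native_vlan):
    """Attacker on an access port in attacker_vlan sends a frame tagged
    [attacker_vlan][target_vlan] across an inter-switch trunk.
    Returns the VLAN the second switch delivers the frame into, or None."""
    frame = build_frame(BROADCAST, ATTACKER_MAC,
                        [attacker_vlan, target_vlan], payload=b"hop")
    accepted = access_port_ingress(frame, attacker_vlan)
    if accepted is None:
        return None
    vlan, inner = accepted
    on_wire = trunk_port_egress(vlan, inner, native_vlan)
    return trunk_port_ingress(on_wire, native_vlan)


if __name__ == "__main__":
    # Weak design: trunk native VLAN 10 is also the access VLAN of the attacker.
    # The outer tag is stripped at ingress, the frame leaves the trunk untagged
    # because it is in the native VLAN, and the inner tag 20 is now the only
    # tag the next switch sees.
    print("native = access VLAN 10  ->", simulate_hop(10, 20, 10))   # 20

    # Mitigation from the answer: a dedicated native VLAN never used on access
    # ports (IOS: 'switchport trunk native vlan 999' on every trunk). The frame
    # now leaves the trunk tagged with VLAN 10 and stays in VLAN 10.
    print("dedicated native VLAN 999 ->", simulate_hop(10, 20, 999))  # 10

    # A tag that does not match the access VLAN is dropped at ingress.
    print("tag 30 on access VLAN 10  ->",
          access_port_ingress(build_frame(BROADCAST, ATTACKER_MAC, [30]), 10))
```

Note that the attack is one-way: the attacker can inject into VLAN 20 but replies are switched normally and never come back through the double-tag path, which is why the classic advice is to treat the inter-switch native VLAN as an unused, dedicated VLAN rather than to rely on the attacker's inability to see responses.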
