Does port access mode allow tagged frames?

1pipantom2
Level 1

Hello,

From my understanding, a Cisco Catalyst switch port in access mode only allows untagged frames to be received and processed. Tagged frames received on an access mode port should be discarded.

But I have found the following phrase in the BCMSN course Student Guide:

"If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame."

Is the term "access" in this case related to non-Cisco equipment? Or are there some Cisco Catalyst HW/SW combinations in which an access mode port also accepts tagged frames?

With Best Regards

Tomas


2 Replies

Giuseppe Larosa
Hall of Fame

Hello Tomas,

802.1Q tagged frames with a vlan-id equal to the access VLAN of the port are accepted on Cisco Catalysts.

For sure, it was in 2004-2005 when I did L2 security tests and read about the following:

This is the basis for one of the L2 security attacks, called VLAN hopping:

if you send a frame with two 802.1Q tags and:

a) the external tag vlan-id = port access VLAN

b) the same VLAN is used as the native VLAN on an inter-switch trunk

the attacker can send a frame from VLAN X to VLAN Y, bypassing L3 security and routing devices.

The recommendation is to use as native VLAN a dedicated VLAN for all trunks that is never used on access ports.

Hope to help

Giuseppe
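As an added illustration (not part of either post), the following Python parses the 802.1Q tag stack of an Ethernet frame and applies the two defender-side checks the reply implies: whether a frame arriving on an access port matches the double-tag pattern described above, and whether a trunk's native VLAN collides with any access VLAN. The frame bytes, VLAN numbers and port names are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100   # C-tag TPID
TPID_8021AD = 0x88A8  # S-tag TPID, also seen as the outer tag of double-tagged frames


def parse_vlan_stack(frame: bytes):
    """Return (VLAN IDs outermost to innermost, ethertype of the payload)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    offset = 12  # skip destination and source MAC
    vids = []
    while True:
        (ethertype,) = struct.unpack_from("!H", frame, offset)
        if ethertype not in (TPID_8021Q, TPID_8021AD):
            return vids, ethertype
        if len(frame) < offset + 6:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        vids.append(tci & 0x0FFF)  # low 12 bits of the TCI carry the VLAN ID
        offset += 4


def classify_access_port_frame(frame: bytes, access_vlan: int, trunk_native_vlan: int) -> str:
    """Model the access-port behaviour described in the thread and flag the hop condition."""
    vids, _ = parse_vlan_stack(frame)
    if not vids:
        return "untagged: forwarded in access VLAN"
    if vids[0] != access_vlan:
        return "tagged with foreign VLAN: dropped"
    if len(vids) >= 2 and access_vlan == trunk_native_vlan:
        return "double-tagged, outer tag = trunk native VLAN: hop risk"
    return "tagged with access VLAN: accepted"


def native_vlan_collisions(trunk_native_vlan: int, access_vlans: dict) -> list:
    """Mitigation check: list access ports whose VLAN equals the trunk native VLAN."""
    return sorted(port for port, vid in access_vlans.items() if vid == trunk_native_vlan)


def build_frame(vids, payload_type=0x0800) -> bytes:
    """Constructed test input: broadcast frame with the given 802.1Q tag stack."""
    dst = bytes.fromhex("ffffffffffff")
    src = bytes.fromhex("020000000001")  # locally administered, constructed
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid) for vid in vids)
    return dst + src + tags + struct.pack("!H", payload_type) + b"\x00" * 46


if __name__ == "__main__":
    ports = {"Gi1/0/1": 1, "Gi1/0/2": 10, "Gi1/0/3": 1}  # constructed access VLAN assignments
    print(classify_access_port_frame(build_frame([1, 20]), access_vlan=1, trunk_native_vlan=1))
    print("ports sharing the trunk native VLAN:", native_vlan_collisions(1, ports))
```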

Hello Giuseppe,

Thank you for the clear explanation.

Tomas
