Cisco Support Community

New Member

Port Access mode allow tagged frames ?

Hello,

From my understanding, a Cisco Catalyst switch port in access mode only allows untagged frames to be received and processed. Tagged frames received on an access-mode port should be discarded.

But I have found the following phrase in the BCMSN course Student Guide:

If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored, and the packet is switched at Layer 2 as a standard Ethernet frame.

Is the term "access" in this case related to non-Cisco equipment? Or are there some Cisco Catalyst HW/SW combinations in which an access-mode port also accepts tagged frames?

With Best Regards

Tomas

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Port Access mode allow tagged frames ?

Hello Tomas,

802.1Q tagged frames with a VLAN ID equal to the access VLAN of the port are accepted on Cisco Catalysts.

For sure, it was in 2004-2005 when I did L2 security tests and read about the following:

This is the basis for one of the L2 security attacks that is called VLAN hopping:

If you send a frame with two 802.1Q tags and:

a) the external tag VLAN ID = port access VLAN

b) the same VLAN is used as native VLAN on an inter-switch trunk

the attacker can send a frame from VLAN X to VLAN Y, bypassing L3 security and routing devices.

The recommendation is to use as native VLAN a dedicated VLAN for all trunks that is never used on access ports.

Hope to help

Giuseppe
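As an added example that is not part of Giuseppe's reply and is not a Cisco tool, here is a small Python audit of an IOS-style switch configuration that flags exactly the precondition he describes: a trunk whose native VLAN is also the access VLAN of some access port on the same switch. The two configurations embedded in the script are constructed for the example. The defaults it assumes (VLAN 1 for an access port with no `switchport access vlan`, and VLAN 1 for a trunk with no `switchport trunk native vlan`) match Catalyst behaviour; the global `vlan dot1q tag native` command, which makes the switch tag native-VLAN frames on trunks, is a real IOS command on platforms that support it, but it is not mentioned on this page and the check only reports whether it is present.

```python
"""Audit an IOS-style configuration for the double-tagging precondition:
a trunk native VLAN that is also used as the access VLAN of an access port."""
import re
from collections import defaultdict

# Constructed sample configurations (not taken from the page).
# Weak: Gi0/2 is an access port in the default VLAN 1 and the uplink
# trunk Gi0/24 also uses VLAN 1 as its native VLAN.
WEAK_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 1
!
"""

# Fixed: every access port has an explicit VLAN, the trunk uses a dedicated
# native VLAN (999) that no access port uses, and the native VLAN is tagged.
FIXED_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet0/24
 switchport mode trunk
 switchport trunk native vlan 999
!
"""

DEFAULT_VLAN = 1  # assumed Catalyst default for access VLAN and trunk native VLAN


def parse_interfaces(config):
    """Return {interface: {"mode", "access_vlan", "native_vlan"}} from the config text."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):  # global-level command
            m = re.match(r"interface\s+(\S+)", line)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = {"mode": None,
                                       "access_vlan": DEFAULT_VLAN,
                                       "native_vlan": DEFAULT_VLAN}
            continue
        if current is None:
            continue
        cmd = line.strip()
        entry = interfaces[current]
        if cmd == "switchport mode access":
            entry["mode"] = "access"
        elif cmd == "switchport mode trunk":
            entry["mode"] = "trunk"
        elif m := re.match(r"switchport access vlan (\d+)$", cmd):
            entry["access_vlan"] = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", cmd):
            entry["native_vlan"] = int(m.group(1))
    return interfaces


def audit(config):
    """List every trunk whose native VLAN is also an access VLAN on this switch."""
    tag_native = any(l.strip() == "vlan dot1q tag native" for l in config.splitlines())
    ifaces = parse_interfaces(config)
    access_ports_by_vlan = defaultdict(list)
    for name, e in ifaces.items():
        if e["mode"] == "access":
            access_ports_by_vlan[e["access_vlan"]].append(name)
    findings = []
    for name, e in ifaces.items():
        if e["mode"] == "trunk" and e["native_vlan"] in access_ports_by_vlan:
            findings.append({"trunk": name,
                             "native_vlan": e["native_vlan"],
                             "access_ports": access_ports_by_vlan[e["native_vlan"]],
                             "native_tagged": tag_native})
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, audit(cfg) or "no native/access VLAN overlap")
```

Run it on a saved `show running-config`; an empty result means no trunk shares its native VLAN with an access port, which is the condition Giuseppe's recommendation is meant to guarantee.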

2 REPLIES
New Member

Re: Port Access mode allow tagged frames ?

Hello Giuseppe,

Thank you for the clear explanation.

Tomas
