Thank you for the response Cmartyn BUT your describing the attack to me and thats not my question

My Question is why does an access port accept a TAGGED packet in the first place? i say that because VLAN is a Switch function and the host doesnt even know about it....

Why does a Switch accept Tagged packets from a host??? Thats the question

as I was told

if port configured as

switchport mode access

switchport access vlan 100

so this port is access port and it will not accept a TAGGED packet

if port configured as

switchport access vlan 100

so this port is access port and can be switched to trunk mode by dtp and it will  accept a TAGGED packet

This will mitigate 'VLAN hopping', not 'double tagging'.

Like I say, it works by exploiting the native VLAN, when the attackers specially crafted packet is sent, the first tag is removed when leaving the first switch, then, when the packet arrives at the second switch it will forward it to the specified VLAN. Essentially the packet is received as if it had legitimately been sent.

Martin

Make sure you specifiy the port as switchport mode access then you would see the difference.

Any port by default will be in dynamic desirable mode or dynamic auto based on the different hardware models.

In any case it would try to become a trunk if the other end desires to become a trunk.

In your case you have not specified that your port will be access. 

To make the port an access port you need to give the command “switch port mode access”

So two things here:

1. Switchport mode access---- makes the switcport to behave like an access port.

2. Switchport access vlan X---- makes the switch port part of vlan X

The first command is very important. The second command is not required. Even if there is no command it will default to default vlan 1.

Example;

Sw1----F0/1-----F0/1---SW2

!
interface FastEthernet0/1
!

Switch#sh int trunk
>.No output as the ports doesnt have any config.
Switch#

2)
Sw1----F0/1-----F0/1---SW2
I will configure the trunk port only on Sw1 ports.

SW1:
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk allowed vlan 1,6,100
!

SW2:
!
interface FastEthernet0/1>>>> no config on this port.
!

Result:
========

Switch2

#sh int tr
Port        Mode         Encapsulation  Status        Native vlan
Fa0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Fa0/1       1-1005

Port        Vlans allowed and active in management domain
Fa0/1       1

Port        Vlans in spanning tree forwarding state and not pruned
Fa0/1       1

2)

Now only native vlan information would be flowed across the links.

3) Lets take an example now:

I will configure the port to be part of access vlan 6 but I will not mentioned the cmd "switchport mode access"

SW2:-

interface f0/1
 switchport
 switchport access vlan 6 >>>>

In this setup, vlan6 of SW2 will be connected to vlan 1 of SW1

 When SW2 will forward traffic of vlan 6 on access port, it will be untagged traffic and SW1 will consider this traffic coming on native vlan which is by default vlan1. similarly reverse way. Now SW1 can forward traffic for vlan 1,6, and 100 but for vlan 6 and 100 traffic will be tagged and sw2 will not accept. But for vlan1 , sw1 will pass untagged traffic even on trunk port since this is native vlan for trunk port and sw2 will forward it further on vlan 6.

Sometime this would end up in vlan leaking as well.

HTH

Inayath

Hi

Thank you for all the responses 

The answer is that THEORETICALLY this attack is implemented on ACCESS ports and SOME switches do accept tagged packets on ACCESS PORTS! Yes i do mean ACCESS PORTS .. NOT Trunk Ports!   and they just go ahead and remove the tag and forward the packet on! wow! but the recent CISCO switches DROP these kind of packets but some earlier switches do used to pass them....its hard to tell which one does them with so many vendors around..This attack can be crafted using a tool called Scapy.

So to be on the safe side use a tagged native vlan option and always put unused ports in the native VLAN.....

We need to be sure of configuring the Trunk ports to make sure which vlans are to be allowed over it.

By default on the Switch all ports would belong to native vlan which is vlan 1.

And while configuring the Native vlan make sure to have the same vlans in Native at both the ends to avoid vlan leaking.

HTH

Regards

Inayath

***please do not forget to rate all usefull psts.

You mean to manually allow specific VLANS

That's always a very Positive & essential approach to manually allow VLANS

and to avoid these attacks we do have to change the specific NATIVE vlan to a vlan other than vlan 1

and also put unsued ports in that native vlan...

Yes that is what I meant.

NOTE: Native vlans which ever you have configured needs to be same at the other end to avoid any vlan leaking.

HTH