Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member


Hi. When switch does switching, it operates only mac addresses, or it also checks vlan number? For example: Switch receive packet from one vlan and this packet somehow has destination mac belonging to host in another vlan, will switch forward this packet despite the number of vlan?

Everyone's tags (1)
Cisco Employee

S3#show mac address-table

S3#show mac address-table dynamic
          Mac Address Table

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0000.0c3e.1063    DYNAMIC     Fa0/2
   3    0019.555d.9c95    DYNAMIC     Fa0/19
   5    0019.555d.9c95    DYNAMIC     Fa0/19
  10    0019.aa80.1112    DYNAMIC     Fa0/13
  37    0019.555d.9c95    DYNAMIC     Fa0/19


Notice the first column of the MAC address table lists the VLAN.  The switch verifies the VLAN and will only forward frames out ports in that VLAN and trunks.  In order to move move packets between VLANs, you need a layer 3 device.

New Member

Thank you. I think so, too.

Thank you. I think so, too. But vlan hopping attack explanation says that first switch send a packet sourced from one vlan to another vlan. For example, first switch receive a double tagged packet from attacker, then strip off first tag (which supposed to be native vlan tag), and send it through trunk to another switch. But the fact that this double tagged packet in the destination mac field should contain mac address from another vlan, but despite this first switch forward this packet. It sounds strange to me.

CreatePlease login to create content