Vlan hopping issue btw 2950 (Access) & Cat 6K (Distribution)

rmysored · ‎08-28-2014

Cat 6K is the Distribution Switch & 2950 is the Access Switch

Cat 6K int Gig 8/16 --- 2950 Fa 0/1

Cat 6K's Gig 8/16 is configured as Access port for Vlan 212 (10.106.167.0/24)

2950 has all its ports in Vlan 1. So, all frames from 2950 is sent untagged to Cat 6K which then tags them as Vlan 212. [Don't ask me why, but this is how they do it in our labs]

The problem here is, hosts configured in one other Vlan i.e. Vlan 244 (10.106.238.0/24) when connected to the 2950 Access Switch, can ping its Gateway 10.106.238.1.

Can someone explain why/how this is happening?

Leo Laohoo · ‎08-28-2014

Maybe Dynamic Trunking Protocol is enabled?

Martin Moran · ‎09-01-2014

Hi @rmysored,

The fact that all frames from 2950 are sent untagged to Cat 6K and then Cat 6K tags them as VLAN 212 is because the port Gi8/16 is an access port. Take the following example (Please, see the attached figure first):

- I have Sw1, Sw2 and PC1

- Sw1 and Sw2 are connected via a trunk port (passing all the VLANs by default)

- Sw2 is connecting PC1 via an access port in VLAN 10

When PC1 is sending frames to Sw2 it sends it untagged because PCs don't recognize tags and tipically they don't know in what VLAN they are
But when Sw2 is sending those frames (from PC1) to Sw1, Sw2 tags those frames as part of VLAN 10 because Sw2 is passing more VLANs to Sw1 via the trunk link and it has to recognize where the frames belongs to when they return back

In your case, Cat 6K is tagging the frames coming from the 2950 as part of VLAN 212 because its port facing the 2950 (an access port) is configured as part of that VLAN.

In the other hand, can you share the configurations of the Cat6K and 2950 for deeper investigations?

Hope to see your answers.

Rgrds,

Martin, IT Specialist