Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Tagged-frame processing on an access port

Hi all,

I am creating an analysis of double-tagging VLAN hopping attack. What I am not sure is how Catalyst exactly processes a tagged frame if it is received on an access port.

When I used old Catalyst 2950 with IOS 12.1(22) and sent a tagged frame with VLAN ID corresponding to access VLAN of the port, the switch stripped the tag and forwarded the frame. When I do the same on Catalyst 2960 (IOS 12.2(35)) or 3560 (IOS 12.2(25)), forwarding of the fails. What makes me mad is that I can't find any note about this behavior nor number of errors on that interface increase.

Are new Catalysts (or IOSes) automatically protected against VLAN hopping and drop tagged traffic by default?

Thx a lot.

CreatePlease login to create content