Showing results for 
Search instead for 
Did you mean: 
Popup Hotspot Using ISR 1000 with WiFi/LTE for Teleworkers and Micro Branchesr

802.1q tag on access switchport


How a switchport should behave is defined in "IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks" Std 802.1Q-1998 which in Annex D defines Trunk, Access and Hybrid links.

To summarize in 2 lines (even though the interpretation of the standard might be controversial) according to the standards if the port is an access link only untagged frames should be accepted while ANY type of tagged frame should be dropped, including the ones matching the vlan ID.

The only case where tagged frames (matching VLAN IDs) are accepted is when the port is a hybrid link, which is a link that can receive both tagged and untagged traffic. An access port with voice vlan configured is a hybrid link as it can receive both untagged traffic (from PC) and tagged traffic from phones.

That leads that one between the Cat2950 and the Cat2960 is not behaving correctly as they show different behaviors. The answer is that the correct behavior is the Cat2960 as on access ports all tagged frames should be dropped no matter what. The reason is that the dropping/forwarding decision is taken at port ASIC level and the one on old Cat2950 was not able to drop frames with tag matching the allowed vlans.

New port ASICs have this capability and the same behavior is seen on other Catalysts switches (personally tested on 3560,4500) even though other behavior can still be seen (again it depends on port ASIC, so some model can have ASICs not able to do so).

To conclude this long story since what the standard defines for hybrid links can be somehow considered a security breach (personally I cannot figure out why) as allowing tagged frames matching vlan ID can be perceived as a potential issue Cisco is working on an enhancement feature by which an interface k n o b  (this word gets censored for some reason) will be available to expressely decide the port behavior regarding tagged frames whether drop or allow them. However before that will be available port ASIC behaviour must be consistent across all platforms, and this is what Cisco is doing right now.

This document was generated from the following discussion: 802.1q tag on access switchport