How a switchport should behave is defined in "IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks", Std 802.1Q-1998, which in Annex D defines Trunk, Access and Hybrid links.
To summarize in 2 lines (even though the interpretation of the standard might be controversial): according to the standard, if the port is an access link, only untagged frames should be accepted, while ANY type of tagged frame should be dropped, including the ones matching the VLAN ID.
The only case where tagged frames (matching VLAN IDs) are accepted is when the port is a hybrid link, which is a link that can receive both tagged and untagged traffic. An access port with a voice VLAN configured is a hybrid link, as it can receive both untagged traffic (from the PC) and tagged traffic from phones.
This means that one of the Cat2950 and the Cat2960 is not behaving correctly, as they show different behaviors. The answer is that the correct behavior is that of the Cat2960, as on access ports all tagged frames should be dropped no matter what. The reason is that the dropping/forwarding decision is taken at the port ASIC level, and the one on the old Cat2950 was not able to drop frames with a tag matching the allowed VLANs.
New port ASICs have this capability and the same behavior is seen on other Catalyst switches (personally tested on 3560, 4500), even though other behavior can still be seen (again, it depends on the port ASIC, so some models can have ASICs not able to do so).
To conclude this long story: since what the standard defines for hybrid links can somehow be considered a security breach (personally I cannot figure out why), as allowing tagged frames matching the VLAN ID can be perceived as a potential issue, Cisco is working on an enhancement feature by which an interface k n o b (this word gets censored for some reason) will be available to expressly decide the port behavior regarding tagged frames, whether to drop or allow them. However, before that becomes available, port ASIC behaviour must be consistent across all platforms, and this is what Cisco is doing right now.
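
The ingress decisions described in the post above, modelled as an added example that is not part of the original post and is not Cisco code. The mode names, function names and VLAN numbers are assumptions made for illustration, and the sample frames are constructed.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag


def build_frame(vid=None):
    """Constructed sample frame: broadcast dst, made-up src, IPv4 EtherType."""
    tag = b"" if vid is None else struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)
    return (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
            + tag + struct.pack("!H", 0x0800) + bytes(46))


def vlan_tag(frame):
    """Return the VLAN ID carried in an 802.1Q tag, or None if untagged."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF  # low 12 bits of the TCI


def ingress(frame, mode, access_vlan, tagged_vlans=frozenset()):
    """Return ('forward', vlan) or ('drop', reason) for one received frame.

    mode 'access'        : every tagged frame is dropped (2960 as described)
    mode 'access-legacy' : a tag equal to the access VLAN gets through
                           (assumed model of the 2950 as described)
    mode 'hybrid'        : tags listed in tagged_vlans are accepted
    """
    vid = vlan_tag(frame)
    if vid is None:
        return ("forward", access_vlan)  # untagged: classify into access VLAN
    if mode == "access":
        return ("drop", "tagged frame on access link")
    if mode == "access-legacy" and vid == access_vlan:
        return ("forward", vid)
    if mode == "hybrid" and vid in tagged_vlans:
        return ("forward", vid)
    return ("drop", "VLAN %d not accepted on this port" % vid)


if __name__ == "__main__":
    for mode in ("access", "access-legacy", "hybrid"):
        for vid in (None, 10, 20):
            print(mode, vid, ingress(build_frame(vid), mode, 10, {20}))
```
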