Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
22536
Views
55
Helpful
13
Replies

802.1q tag on access switchport

Go to solution
MATTHIAS SCHAERER
Level 3
Level 3

‎06-21-2011 05:55 AM - edited ‎03-07-2019 12:54 AM

What does a switch (2960 to 6500) do when it receives frame with an 802.1q header (all bits set to 0) on an interface configured with switchport mode access?

Any hint is welcome. Regards mat

Labels:
0 Helpful
6 Accepted Solutions

Accepted Solutions

Go to solution
milan.kulik
Level 10
Level 10

‎06-21-2011 06:10 AM

Hi,

if it's tagged for a VLAN to which the interface is assigned to, it should accept it.

In other cases it should drop it.

HTH,

Milan

View solution in original post

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to milan.kulik

‎06-21-2011 06:38 AM

Hi Milan,

If it is an access port it should not receive a tagged frame, isn't it? except for the voice vlan but then this is technically a trunk port even it is configured as an access.

Can you confirm/infirm my reasoning?

Regards.

Alain.

Don't forget to rate helpful posts.

View solution in original post

0 Helpful

Go to solution
CSCO11832637
Level 1
Level 1
In response to milan.kulik

‎06-21-2011 07:13 AM

Hi,

from cisco Doc:

"If an access port receives a packet with an 802.1Q tag in the header other than the access VLAN value,

that port drops the packet without learning its MAC source address."

I think you should go for a  trunk link as alain proposed.

Regards,

Guillaume

View solution in original post

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to CSCO11832637

‎06-21-2011 12:40 PM

Gentlemen,

To my knowledge, an access port also accepts tagged frames if they conform to one of the following criteria:

  • Either the VLAN ID in the tag is set to 0 which means that this is a priority-tagged frame (802.1p)
  • Or the VLAN ID in the tag is equal to the access VLAN of the port

I had this confirmed on 2950 Catalyst switches, and I presume it was also true for 3550. I am not sure about higher Catalysts, though.

The newer 2960 Catalysts actually introduce another prerequisite: a switchport must be configured with a voice VLAN to accept any tagged frames whatsoever. If there is no voice VLAN configured on an access port, all tagged frames, including those whose VID is 0 or the port's access VLAN, will be dropped unconditionally. This is probably a security feature to disallow injection of tagged frames into the network on ports where no tagging is expected at all.

Best regards,

Peter

View solution in original post

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Peter Paluch

‎06-21-2011 02:46 PM

Hello Peter,

>> This is probably a security feature to disallow injection of tagged frames into the network on ports where no tagging is expected at all.

yes a countermeasure to dual vlan hopping attack where the external vlan tag is equal to the access vlan id on the port.

I would add that older switches like a C5500 CATOS accept tagged frames with any vlan-id defined on the switch allowing for single vlan hopping attack.

an 802.1Q haeder with all zeroes would mean vlan-id = 0 802.1P bits =0 and canonical format indicator = 0 => ethernet so yes it would be a good match for voice-vlan 802.1p command on the switchport

I was used to the behaviour you have described in first two bullets.

Hope to help

Giuseppe

View solution in original post

Go to solution
rsimoni
Cisco Employee
Cisco Employee
In response to Peter Paluch

‎06-21-2011 02:53 PM

Hi all,

Peter is perfectly right, however there is still something to add on the topic.

How a switchport should behave is defined in "IEEE Standards for Local and

Metropolitan Area Networks: Virtual Bridged Local Area Networks" Std 802.1Q-1998 which in Annex D defines Trunk, Access and Hybrid links.

To summarize in 2 lines (even though the interpretation of the standard might be controversial) according to the standards if the port is an access link only untagged frames should be accepted while ANY type of tagged frame should be dropped, including the ones matching the vlan ID.

The only case where tagged frames (matching VLAN IDs) are accepted is when the port is a hybrid link, which is a link that can receive both tagged and untagged traffic. An access port with voice vlan configured is a hybrid link as it can receive both untagged traffic (from PC) and tagged traffic from phones.

That leads that one between the Cat2950 and the Cat2960 is not behaving correctly as they show different behaviors. The answer is that the correct behavior is the Cat2960 as on access ports all tagged frames should be dropped no matter what. The reason is that the dropping/forwarding decision is taken at port ASIC level and the one on old Cat2950 was not able to drop frames with tag matching the allowed vlans.

New port ASICs have this capability and the same behavior is seen on other Catalysts switches (personally tested on 3560,4500) even though other behavior can still be seen (again it depends on port ASIC, so some model can have ASICs not able to do so).

To conclude this long story since what the standard defines for hybrid links can be somehow considered a security breach (personally I cannot figure out why) as allowing tagged frames matching vlan ID can be perceived as a potential issue Cisco is working on an enhancement feature by which an interface k n o b  (this word gets censored for some reason) will be available to expressely decide the port behavior regarding tagged frames whether drop or allow them. However before that will be available port ASIC behaviour must be consistent across all platforms, and this is what Cisco is doing right now.

regards,

Riccardo

View solution in original post

13 Replies 13

Go to solution
milan.kulik
Level 10
Level 10

‎06-21-2011 06:10 AM

Hi,

if it's tagged for a VLAN to which the interface is assigned to, it should accept it.

In other cases it should drop it.

HTH,

Milan

Go to solution
cadet alain
VIP Alumni
VIP Alumni
In response to milan.kulik

‎06-21-2011 06:38 AM

Hi Milan,

If it is an access port it should not receive a tagged frame, isn't it? except for the voice vlan but then this is technically a trunk port even it is configured as an access.

Can you confirm/infirm my reasoning?

Regards.

Alain.

Don't forget to rate helpful posts.
0 Helpful

Go to solution
CSCO11832637
Level 1
Level 1
In response to milan.kulik

‎06-21-2011 07:13 AM

Hi,

from cisco Doc:

"If an access port receives a packet with an 802.1Q tag in the header other than the access VLAN value,

that port drops the packet without learning its MAC source address."

I think you should go for a  trunk link as alain proposed.

Regards,

Guillaume

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to CSCO11832637

‎06-21-2011 12:40 PM

Gentlemen,

To my knowledge, an access port also accepts tagged frames if they conform to one of the following criteria:

  • Either the VLAN ID in the tag is set to 0 which means that this is a priority-tagged frame (802.1p)
  • Or the VLAN ID in the tag is equal to the access VLAN of the port

I had this confirmed on 2950 Catalyst switches, and I presume it was also true for 3550. I am not sure about higher Catalysts, though.

The newer 2960 Catalysts actually introduce another prerequisite: a switchport must be configured with a voice VLAN to accept any tagged frames whatsoever. If there is no voice VLAN configured on an access port, all tagged frames, including those whose VID is 0 or the port's access VLAN, will be dropped unconditionally. This is probably a security feature to disallow injection of tagged frames into the network on ports where no tagging is expected at all.

Best regards,

Peter

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Peter Paluch

‎06-21-2011 02:46 PM

Hello Peter,

>> This is probably a security feature to disallow injection of tagged frames into the network on ports where no tagging is expected at all.

yes a countermeasure to dual vlan hopping attack where the external vlan tag is equal to the access vlan id on the port.

I would add that older switches like a C5500 CATOS accept tagged frames with any vlan-id defined on the switch allowing for single vlan hopping attack.

an 802.1Q haeder with all zeroes would mean vlan-id = 0 802.1P bits =0 and canonical format indicator = 0 => ethernet so yes it would be a good match for voice-vlan 802.1p command on the switchport

I was used to the behaviour you have described in first two bullets.

Hope to help

Giuseppe

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to Giuseppe Larosa

‎06-22-2011 05:59 AM

Giuseppe,

Thank you very much for sharing that knowledge. I did not know about the Cat5500 CATOS switches. A pretty dull attack, actually

Best regards,

Peter

0 Helpful

Go to solution
rsimoni
Cisco Employee
Cisco Employee
In response to Peter Paluch

‎06-21-2011 02:53 PM

Hi all,

Peter is perfectly right, however there is still something to add on the topic.

How a switchport should behave is defined in "IEEE Standards for Local and

Metropolitan Area Networks: Virtual Bridged Local Area Networks" Std 802.1Q-1998 which in Annex D defines Trunk, Access and Hybrid links.

To summarize in 2 lines (even though the interpretation of the standard might be controversial) according to the standards if the port is an access link only untagged frames should be accepted while ANY type of tagged frame should be dropped, including the ones matching the vlan ID.

The only case where tagged frames (matching VLAN IDs) are accepted is when the port is a hybrid link, which is a link that can receive both tagged and untagged traffic. An access port with voice vlan configured is a hybrid link as it can receive both untagged traffic (from PC) and tagged traffic from phones.

That leads that one between the Cat2950 and the Cat2960 is not behaving correctly as they show different behaviors. The answer is that the correct behavior is the Cat2960 as on access ports all tagged frames should be dropped no matter what. The reason is that the dropping/forwarding decision is taken at port ASIC level and the one on old Cat2950 was not able to drop frames with tag matching the allowed vlans.

New port ASICs have this capability and the same behavior is seen on other Catalysts switches (personally tested on 3560,4500) even though other behavior can still be seen (again it depends on port ASIC, so some model can have ASICs not able to do so).

To conclude this long story since what the standard defines for hybrid links can be somehow considered a security breach (personally I cannot figure out why) as allowing tagged frames matching vlan ID can be perceived as a potential issue Cisco is working on an enhancement feature by which an interface k n o b  (this word gets censored for some reason) will be available to expressely decide the port behavior regarding tagged frames whether drop or allow them. However before that will be available port ASIC behaviour must be consistent across all platforms, and this is what Cisco is doing right now.

regards,

Riccardo

Go to solution
MATTHIAS SCHAERER
Level 3
Level 3
In response to rsimoni

‎06-22-2011 01:32 AM

Thanks to everybody for this overwhelming number of enlightening answers. They all match my observations and explain the behavior as well as the reasons for the intentions in the implementation.

The situation where I observed the behavior was in an industrial network containing Siemens PLC communicating to a Simatic Manager. I assume that the PLC intended to use 802.1p without having any knowledge about the VLAN topology. A hint in the internet brought up the voice vlan idea which sounded a bit weird firstly but with all your explanations above it makes very much sense now.

I could imagine other situations with Windows XP and higher using QoS on an Ethernet V2 NIC.

Thanks again, hopefully other people can use this post as well.

Mat

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to rsimoni

‎06-22-2011 05:57 AM

Riccardo,

Thanks for that wonderful answer and explanation. Rated as deserved.

Best regards,

Peter

0 Helpful

Go to solution
rsimoni
Cisco Employee
Cisco Employee
In response to Peter Paluch

‎06-23-2011 01:21 AM

Peter,

I am glad you appreciated 

Riccardo

0 Helpful

Go to solution
sivam siva
Level 3
Level 3
In response to Peter Paluch

‎08-21-2019 01:31 PM

@Peter Paluch  @rsimoni  @Giuseppe Larosa

 

Can anyone explain my below doubt?

 

If I have configured trunk with native VLAN 2, what if trunk port receives a frame that is tagged with VLAN 2

(Normally that port should expect to receive VLAN 2 frame as untagged), so my doubt is will it accept and process that frame in vlan2?.

 

Thanks 

Siva

0 Helpful

Go to solution
yan.rai@gmail.com
Level 1
Level 1
In response to CSCO11832637

‎08-15-2018 10:58 PM

Yep

0 Helpful

Go to solution
Arad
Level 1
Level 1
In response to milan.kulik

‎01-30-2019 11:51 PM


agreed with Milan,
As Cisco document if a non-802.1q enabled device or an access port receives an 802.1q farme, the tag is ignored and the packet is switched at L2 as a standard Ethernet frame. this allows for the placement of the unmanaged switches and so on. but if the tagged packet is received on access port other than the current access VLAN value so the packet is dropped.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card