Switchport access or trunk?

MrTone123
Level 1

Hi:

I've recently taken over the management of a group of switches, and have a question about a configuration.

One interface has the following setup:

interface GigabitEthernet1/0/40
description Trunk to HPCore
switchport access vlan 10
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,30
switchport mode access
spanning-tree portfast disable

This looks like it's an access port on VLAN 10, but it is also set up for trunking?

Do the frames to/from this port have dot1q tags on vlan 30, but not on vlan 10?

I've just never seen access and trunk combined on one interface.

This interface does connect to an HP switch, which by the config seems to be set up for tagged frames on VLAN 30, but untagged on the default VLAN.

Thanks,

Tony

9 Replies

Karel Vins
Level 1

Hi,

Port mode is set to access, so trunk-related config is "ignored".

Regards,

Karel Vins

Ven Taylor
Level 4

Yeah. You can delete those trunk-based entries without causing trouble. Keeping your interface configs clean will save time when scrubbing through configs later.

interface GigabitEthernet1/0/40
no switchport trunk encapsulation dot1q
no switchport trunk allowed vlan 10,30

Ven Taylor

OK, thanks for the info. I figured it was only an access port, but since the HP switch on the other end was set up for both VLANs, I just wanted to be sure.

So what happens when this switchport receives a dot1q tagged frame? Does it ignore it?

Tony

If an access port receives a tagged frame then yes it will just ignore that frame.

HTH

Rick

[edit] It looks like my response was incorrect. If an access port receives a tagged frame it ignores the tag and forwards the frame at layer 2.

+5 to Ven whose post pointed this out.

HTH

Rick

Not necessarily, but there are circumstances that would allow the frame to "hop" to another vlan.

Give this a read if you have time:

https://learningnetwork.cisco.com/thread/25898

It refers to a possible vulnerability, but it wouldn't be something I'd be concerned with personally.

Ven

Ven Taylor

This is true, which is why it is best practice to use non-default (non-vlan 1) native vlans on all trunk ports.

Thanks for the link to that great discussion.

But there appears to be a few different opinions:

I read:

"According to the command description and security recommendations/best practices the command "switchport mode access" will prevent processing of dot1q tagged frames."

and

"If a non-802.1Q-enabled device or an access port receives an 802.1Q frame, the tag data is ignored and the packet is switched at Layer 2 as a standard Ethernet frame."

Which is correct?

Thanks,

Tony

Both, in a sense. If the native VLAN of the trunk doesn't match the access VLAN of the access port, then yes, the frame is ignored. However, if the native VLAN of the trunk connected to the access port matches the access VLAN of that port, then you run into the VLAN hopping possibility, which prompts the use of non-default native VLAN configurations. The likelihood of you running into this issue is slim either way, but to the security conscious, an ounce of prevention is worth a ton of repair.

If an access port receives a tagged packet (Inter-Switch Link [ISL] or IEEE 802.1Q tagged), the packet is dropped, and the source address is not learned.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_58_se/configuration/guide/swint.html#wp1107751

KV
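The two points the thread settles on, leftover trunk commands on an access port being ignored clutter, and trunks left on the default native VLAN 1, are easy to audit across a whole running-config. The following is an added example, not code from the thread or from Cisco; it parses IOS-style interface blocks (the sample config is constructed from the interface in the question plus two hypothetical trunk ports) and reports both conditions.

```python
from collections import defaultdict

# Constructed sample: the port from the question plus two hypothetical trunks.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/40
 description Trunk to HPCore
 switchport access vlan 10
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,30
 switchport mode access
 spanning-tree portfast disable
!
interface GigabitEthernet1/0/41
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/42
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
!
"""

def parse_interfaces(config):
    """Group the indented lines of each 'interface X' block under its name."""
    blocks = defaultdict(list)
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
    return blocks

def audit(config):
    """Return {interface: [findings]} for the two points raised in the thread."""
    findings = defaultdict(list)
    for name, lines in parse_interfaces(config).items():
        modes = [l.split()[-1] for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1] if modes else None
        trunk_cmds = [l for l in lines if l.startswith("switchport trunk ")]
        if mode == "access" and trunk_cmds:
            # Trunk settings are ignored on an access port; they only mislead the next admin.
            findings[name].append("ignored trunk config on access port: " + "; ".join(trunk_cmds))
        if mode == "trunk":
            native = [l.split()[-1] for l in lines
                      if l.startswith("switchport trunk native vlan ")]
            if not native or native[-1] == "1":
                # Native VLAN defaults to 1; use a dedicated unused VLAN so it never matches an access VLAN.
                findings[name].append("trunk uses default native VLAN 1")
    return dict(findings)
```

Run `audit(open("running-config.txt").read())` against a saved `show running-config` to get the same report for a real switch.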