[c-nsp] 3560g switch - tagged vlans and untagged frames

Beck, Andre cisco-nsp at ibh.net
Wed Apr 10 15:50:40 EDT 2013


On Tue, Apr 09, 2013 at 12:30:52AM -0400, Jeff Kell wrote:
> On 4/9/2013 12:16 AM, Mike wrote:
> > If it helps, I do also have dot1q native vlan tagging enabled. I just
> > can't see inside of the switch and understand where my frames are
> > going. If I put it into switchport mode access, and switchport access
> > vlan 6, it all works fine and I see mac addresses in the table.
> 
> If you enable native vlan tagging, it will drop any untagged frames.

ISTR that this has actually changed some time ago. Initially, tag native
would have tagged the native VLAN on egress (as the name implies) and
would have accepted the native VLAN tagged on ingress, but still also
accepted untagged frames as valid and associated them with the native
VLAN. Later (something in my spotty memory says it was somewhere around
12.2(4x)SE on the 3k range) this was changed, as tag native was pushed
as a security feature against VLAN hopping attacks. Some users were in
for a surprise when that changed. Then again, I may well remember that
wrong, it all played out in 2007 or so...

HTH,
Andre.
-- 
                    Cool .signatures are so 90s...

-> Andre Beck    +++ ABP-RIPE +++      IBH IT-Service GmbH, Dresden <-
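
An added example, not part of the original message or thread: a small Python audit that reads an IOS running-config and reports, per switchport, what happens to untagged ingress frames. It assumes the later behaviour described above (with the global `vlan dot1q tag native` command present, trunks drop untagged frames); the sample config and the helper name are constructed.

```python
import re

# Constructed sample running-config (not from the thread).
SAMPLE_CONFIG = """\
vlan dot1q tag native
!
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 6
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport access vlan 6
 switchport mode access
!
interface GigabitEthernet0/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
"""

def audit_untagged_ingress(config):
    """Return {interface: fate of untagged ingress frames} (hypothetical helper)."""
    tag_native, ports, cur = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "vlan dot1q tag native":
            tag_native = True
        elif raw.startswith("interface "):
            cur = ports.setdefault(raw.split()[1], {"mode": None, "native": 1, "access": 1})
        elif not raw.startswith(" "):
            cur = None  # "!" or another top-level command ends the interface block
        elif cur is not None:
            if m := re.fullmatch(r"switchport mode (\S+)", line):
                cur["mode"] = m[1]
            elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
                cur["native"] = int(m[1])
            elif m := re.fullmatch(r"switchport access vlan (\d+)", line):
                cur["access"] = int(m[1])
    fate = {}
    for name, p in ports.items():
        # Assumption: the later behaviour from the thread, tag native drops untagged frames.
        trunk = "dropped" if tag_native else f"vlan {p['native']}"
        fate[name] = {"trunk": trunk, "access": f"vlan {p['access']}"}.get(
            p["mode"], "mode not set statically")
    return fate

if __name__ == "__main__":
    for port, result in audit_untagged_ingress(SAMPLE_CONFIG).items():
        print(f"{port}: untagged ingress -> {result}")
```

Under the earlier behaviour recalled in the message, the trunk rows would instead read as the native VLAN even with tag native enabled, so confirm against the running software release before relying on the "dropped" verdict.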

