Access Port:
- An access port can have only one VLAN configured on the interface; it can carry traffic for only one VLAN.
- Frames coming in on the interface are tagged internally with the access VLAN, and frames going out of the interface are untagged.
Trunk port:
- A trunk port can have two or more VLANs configured on the interface; it can carry traffic for several VLANs simultaneously. It accepts either all tagged frames or only the tagged frames of the VLANs allowed on that particular port.
- A switch port configured as a trunk port sends and receives IEEE 802.1Q VLAN-tagged Ethernet frames.
If a nontrunking port receives an 802.1Q frame, the source and destination MAC addresses are read, the tag field is ignored, and the frame is switched normally at Layer 2.
Native VLAN:
If a switch receives untagged Ethernet frames on its trunk port, they are forwarded to the VLAN configured on the switch as the native VLAN. Both sides of the trunk link must be configured with the same native VLAN.
- An 802.1Q trunk port can carry tagged and untagged frames because Ethernet is assumed to be a shared medium and there may be hosts on the medium that cannot handle tagged frames.
- Untagged frames must be placed into a VLAN by the receiving switch; the native VLAN is the VLAN used.
- When a switch receives an untagged frame on a tagged (trunk) interface, the frame is assumed to belong to the native VLAN.
- For 802.1Q tagged interfaces, Cisco uses untagged frames to carry various administrative protocols between the switches, e.g. CDP, DTP, LACP (?). Not all vendors implement a native VLAN.
- Configurable Native VLAN IDs are a response to the security vulnerability published by SANS in July 2000 that noted a possible VLAN hopping attack using the Native VLAN. Because VLAN1 on Cisco switches has special significance
- It is not mandatory for vendors to implement native VLANs, so vendor interoperability for protocols using the feature will be a specific configuration issue.
- For Cisco switches the native VLAN ID must match on both ends of the trunk.
- By default the Native VLAN is 1.
- My “Security Best Practice” is to configure the Native VLAN ID to VLAN 666 and to ensure that this VLAN is not used anywhere in the network. The number “666” helps people to remember this. An attacker who attempts to use the VLAN hopping attack will end up in a dead VLAN that has no hosts to leverage.
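The ingress and egress rules above, as an added Python model that is not part of the original post: it parses the 802.1Q tag, applies the access-port, trunk-port and native-VLAN rules, and checks whether a native VLAN is a "dead" VLAN with no access-port members. Port names, MAC addresses and VLAN numbers used with it are constructed for illustration.

```python
import struct
from dataclasses import dataclass

DOT1Q = 0x8100  # 802.1Q TPID that marks a tagged frame

@dataclass
class Port:
    name: str
    mode: str                        # "access" or "trunk"
    vlan: int = 1                    # access VLAN (access mode only)
    native: int = 1                  # native VLAN (trunk mode only); default is 1
    allowed: frozenset = frozenset(range(1, 4095))  # trunk allowed-VLAN list

def parse_frame(raw: bytes):
    """Split an Ethernet frame into (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src, etype = raw[:6], raw[6:12], struct.unpack("!H", raw[12:14])[0]
    if etype == DOT1Q:
        tci, inner = struct.unpack("!HH", raw[14:18])
        return dst, src, tci & 0x0FFF, inner, raw[18:]   # VID is the low 12 bits of the TCI
    return dst, src, None, etype, raw[14:]

def build_frame(dst, src, etype, payload, vlan=None):
    """Construct a frame, inserting an 802.1Q tag when a VLAN ID is given."""
    tag = struct.pack("!HH", DOT1Q, vlan) if vlan is not None else b""
    return dst + src + tag + struct.pack("!H", etype) + payload

def ingress_vlan(port, raw):
    """VLAN the receiving switch places the frame in, or None if it is dropped."""
    _, _, vid, _, _ = parse_frame(raw)
    if port.mode == "access":
        return port.vlan           # non-trunking port: the tag field is ignored
    if vid is None:
        return port.native         # untagged frame on a trunk: native VLAN
    return vid if vid in port.allowed else None

def egress_frame(port, vlan, raw):
    """Re-emit a frame on a port: tagged on a trunk unless it is the native VLAN."""
    dst, src, _, etype, payload = parse_frame(raw)
    tag = vlan if port.mode == "trunk" and vlan != port.native else None
    return build_frame(dst, src, etype, payload, tag)

def trunk_natives_match(a, b):
    """Both ends of a trunk must agree on the native VLAN."""
    return a.mode == b.mode == "trunk" and a.native == b.native

def vlan_has_members(ports, vlan):
    """True if any access port sits in the VLAN; False for a 'dead' native VLAN."""
    return any(p.mode == "access" and p.vlan == vlan for p in ports)
```

With the trunk's native VLAN set to 666 and no access port in that VLAN, an untagged frame arriving on the trunk is assigned VLAN 666 and has no host to reach.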