vlan hopping

EdTheLad Member Posts: 2,111
I was watching a vod describing VLAN hopping, and it was explaining how, if a double-tagged frame arrives on an access port with the outer tag having the same VLAN as the access port's native VLAN, the outer tag is stripped and VLAN hopping occurs.
This doesn't seem correct to me. As far as I'm aware, if an access port receives a dot1q-tagged frame on ingress, the frame will be discarded; the access port will only process untagged frames on ingress.
The only way I see VLAN hopping occurring is if the malicious user was connected to a trunk port or a QinQ port.
I don't really want to test this, but will if I have to. Can anyone confirm my thoughts?
Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
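The mechanism the question describes, the outer tag matching a trunk's native VLAN, is something a defender can check for in captured traffic. The following is an added example, not code from this thread: it parses stacked 802.1Q tags out of raw Ethernet frame bytes and flags a double-tagged frame whose outer VID equals the trunk's native VLAN (the value `trunk_native_vlan` and the `build_frame` helper that constructs sample frames are assumptions for the demonstration).

```python
import struct

# 802.1Q tag protocol identifiers: the customer tag and the service tag used by QinQ.
TPID_8021Q = 0x8100
TPID_QINQ = 0x88A8


def parse_vlan_tags(frame: bytes):
    """Walk the Ethernet header and return (vlan_ids_outer_to_inner, payload_ethertype).

    Stacked tags are collected until a non-tag EtherType is reached."""
    offset = 12  # skip destination and source MAC addresses
    vids = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated Ethernet header")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (TPID_8021Q, TPID_QINQ):
            return vids, ethertype
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vids.append(tci & 0x0FFF)  # the low 12 bits of the TCI carry the VLAN ID
        offset += 4


def classify_frame(frame: bytes, trunk_native_vlan: int) -> str:
    """Classify a frame seen on a trunk whose native VLAN is trunk_native_vlan.

    'double-tag-hop' means the outer VID equals the native VLAN: a switch that
    strips the native tag on egress would expose the inner tag to the next hop."""
    vids, _ = parse_vlan_tags(frame)
    if not vids:
        return "untagged"
    if len(vids) == 1:
        return "single-tagged"
    if vids[0] == trunk_native_vlan:
        return "double-tag-hop"
    return "double-tagged"


def build_frame(vids, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed sample frame for testing only: stacked 802.1Q tags in the given order."""
    header = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01"  # broadcast dst, locally administered src
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return header + tags + struct.pack("!H", 0x0800) + payload  # IPv4 payload EtherType


if __name__ == "__main__":
    for vids in ([], [10], [1, 20], [30, 20]):
        print(vids, classify_frame(build_frame(vids), trunk_native_vlan=1))
```

The usual countermeasure is to keep the trunk's native VLAN on an unused VLAN ID and to tag native-VLAN traffic, so the outer tag never matches what the switch strips.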

Comments

  • _maurice Member Posts: 142
    Hi Ed.

    I asked the same question recently. Check this- http://www.techexams.net/forums/ccnp/37997-vlan-security.html

    VLAN hopping can only occur in one of two ways: 1. via a trunk port, using DTP to simulate a switch; 2. if a trunk port on the switch has a native VLAN that is the same VLAN as the access port you are plugged into. By the way, access ports do not have native VLANs; only trunk ports have native VLANs.
  • APA Member Posts: 959
    EdTheLad wrote: »
    The only way I see VLAN hopping occurring is if the malicious user was connected to a trunk port or a QinQ port.

    You said it :)

    Hence the importance of trunk security if you must configure an end-user port as a trunk port.

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP