I've read that frames are tagged only when going over a trunk port and that access ports do not tag frames passing through them. But don't access ports actually tag frames? When I configure a particular port to be in a particular VLAN (for example VLAN 5), when traffic comes into the access port from a PC, isn't that frame then being tagged with the respective VLAN configured for that port? If the frame is not tagged by the switch's access port (assuming that the access port is not configured with a native VLAN, but another VLAN, for example VLAN 5), then how would a trunk know what tag (VLAN 5) to put on that frame as it sends it across the trunk? If I'm able to configure a switch's access port to belong to a particular VLAN, then why wouldn't the switch tag the frame as it enters the switch access port? Isn't this the point of configuring an access port with a certain (non-native) VLAN – to tag the frame to delimit where the frame can travel? Also, wouldn't the frame need to be tagged when entering the switch access port from the PC, so then the switch would know (if it was a broadcast) where the broadcast should be delimited to (only ports within that VLAN)?
Vlan – Aren’t Switch Access ports tagged
Related Solutions
Please check this -
The double tagging VLAN hopping attack takes advantage of the 802.1Q tagging and tag removal process of many types of switches. Many switches remove only one 802.1Q tag. In a double tagging attack, an attacker changes the original frame to add two VLAN tags: an outer tag, which is of his own VLAN, and an inner hidden tag of the victim's VLAN. Here the attacker's PC must belong to the native VLAN of the trunk link.
When the double tagged frame reaches the switch, the switch can only see the outer tag of the VLAN that the interface really belongs to.
The switch OmniSecuSW1 will now remove the outer VLAN tag and will forward the frame to all the ports belonging to the native VLAN (in this example, VLAN 1). One copy of that frame is forwarded to the trunk link to reach the next switch, OmniSecuSW2.
When the frame reaches OmniSecuSW2, it will open the frame to see the second tag. OmniSecuSW2 will now assume that the frame belongs to VLAN 100 and it is forwarded to VLAN 100.
For further reference -
If I were to configure the native VLAN to 2, can VLAN 1 traffic still travel from switch to switch?
Yes, now VLAN 1 is tagged. VLAN 2 is untagged.
After I configure the native VLAN, do I need to allow it in the trunk? Like switchport trunk allowed vlan 2?
By default, all VLANs are allowed on the trunk. If it was allowed before, it still is.
Does that mean all untagged traffic like VLAN 1 connected PCs will go to VLAN 2 under native VLAN in the trunk? Do I need to configure VLAN 2 access mode?
VLAN 1 is now tagged on the trunk port. The access ports work the same.
Does it happen like this: In the first switch, all untagged frames like VLAN 1 will go under native VLAN 2 in the trunk. Then they will travel across the trunk. After reaching switch 2, these untagged frames belong to VLAN 2. These frames can talk to those untagged VLAN 2 (VLAN 2 access port). Am I right?
No, you're a little confused here. Frames are only tagged on trunk ports. Since you have set the native VLAN to 2, all other VLANs will be tagged. VLAN 1 is still VLAN 1, whether it's tagged or not.
I think you're confused by the term 'default.' All that means is that VLAN 1 exists on the switch(es) without you having to explicitly create it.
Best Answer
I think you're confusing what goes on internally on the switch. How it keeps track of which ports are in which VLAN is up to the manufacturer.
It's important to remember that 802.1q frames are a different format than "standard" Ethernet (802.3). Standard Ethernet frames do not have VLAN IDs. A PC or other device transmits and receives Ethernet frames (802.3) when it sends/receives them to/from an access port of a switch.
When a switch transmits frames on a trunk, it uses 802.1q framing, which includes a VLAN tag. If the switch is transmitting frames with tags, then that port is a trunk port. Most hosts do not understand 802.1q frames, so they ignore them. That is why you can have tagged and untagged frames on the same port. But it's still a trunk port.
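As an added example (not part of the original answers), the Python sketch below parses the untagged and 802.1Q frame formats described in the best answer and, as a monitoring-side check, flags the stacked tags from the double tagging explanation above. The function names, the policy of rejecting tagged frames on access ports, and the sample frames are assumptions constructed for illustration; real switch behaviour varies by vendor.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an 802.1Q tag

def build_frame(tags, payload=b"\x00" * 46):
    """Constructed sample frame: broadcast dst, made-up src, optional tag stack."""
    hdr = bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
    for vid in tags:
        hdr += struct.pack("!HH", TPID_8021Q, vid)
    return hdr + struct.pack("!H", 0x0800) + payload

def vlan_tags(frame):
    """Return the VLAN IDs of all stacked 802.1Q tags, outermost first."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    tags, offset = [], 12  # tags start after destination and source MAC
    while offset + 4 <= len(frame):
        tpid, tci = struct.unpack_from("!HH", frame, offset)
        if tpid != TPID_8021Q:
            break
        tags.append(tci & 0x0FFF)  # low 12 bits of the TCI hold the VLAN ID
        offset += 4
    return tags

def classify(frame, mode, access_vlan=1, native_vlan=1):
    """Return (vlan, alert) for a frame arriving on an access or trunk port."""
    tags = vlan_tags(frame)
    if len(tags) >= 2:
        alert = "double-tagged: outer=%d inner=%d" % (tags[0], tags[1])
        if tags[0] == native_vlan:
            alert += " (outer tag equals native VLAN)"
        return None, alert
    if mode == "access":
        if tags:  # assumed policy: hosts on access ports send untagged 802.3
            return None, "tagged frame (VLAN %d) on access port" % tags[0]
        return access_vlan, None  # VLAN comes from port config, not the frame
    return (tags[0] if tags else native_vlan), None  # trunk: untagged = native

if __name__ == "__main__":
    print(classify(build_frame([]), "access", access_vlan=5))
    print(classify(build_frame([5]), "trunk"))
    print(classify(build_frame([]), "trunk", native_vlan=2))
    print(classify(build_frame([1, 100]), "access", access_vlan=1, native_vlan=1))
```

The first call shows the point of the best answer: the untagged frame carries no VLAN ID, and VLAN 5 is assigned from the port configuration alone.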