Native VLANs and untagged frames

Switchport access

Switchport trunk


When an untagged frame enters a [trunk](/switchport-trunk) port, that frame is placed on the configured [native VLAN](/native-vlans-and-untagged-frames).  By definition, an [access](/switchport-access) port is assigned a single [VLAN](/vlan) and it is expecting to receive only untagged frames.  

But what happens if a tagged frame arrives on an access port?  How does the switch handle such a situation?

On [Nexus](/nexus) devices, if an access port receives a packet with a VLAN tag in the header other than the access VLAN value, that port drops the packet without learning its MAC source address.

On older IOS devices such as the 2950 and 3550, the same behavior is observed.

On newer devices, starting with the 2960 for example, a switchport will not accept any tagged frames.  All tagged frames, even those on the actual assigned VLAN, are dropped unconditionally.

The only exceptions to this rule are:

* The use of [voice VLAN](/voip-configuring-a-switch-port-for-use-with-an-ip-phone) 
* The configuration of [Q-in-Q tunneling](/vlans-802.1q-tunneling-(qinq))

Ultimately, the behavior of an access port in such a situation may be slightly different on different platforms, IOS/NX-OS version, and also on different vendors' equipment.


Links:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/layer2/b_Cisco_Nexus_5000_Series_NX-OS_/Cisco_Nexus_5000_Series_NX-OS__chapter6.html#con_1206599

https://community.cisco.com/t5/switching/802-1q-tag-on-access-switchport/td-p/1686159

VLANs - when a tagged frame arrives on an access port

AAA - configuring a fallback method

ACI - Bridge Groups

ACL - IPv6 implicit statements

ACL - operators

ACL - time-based access list on IOS-XR

ACL Logging

ACL editor

ACL log update threshold

ACL logging matched packets

ACL wildcard mask

ACLs Filtering Locally Generated Traffic

ARP - determining the next hop MAC address

ARP - promiscuous mode

ARP - what is Proxy ARP

ARP table default timeout

ARP table

ASA - ASDM Cipher security levels

ASA - ASDM

ASA - AnyConnect Management VPN Tunnel

ASA - Crypto key size for Version 9.16

ASA - IKE proposal parameters

ASA - VTI VPN and MSS

ASA - crypto hardware processing

ASA - emulating an ASA device

ASA - multiple AnyConnect packages

ASA - multiple VPNs between the same endpoints

ASA - number of crypto maps per interface

ASA - object group protocol vs service

ASA - using FQDN in an ACL

ASA CTM ipsec poll ctl DU_IOCTL_RESUME_POLL ioctl failed error

ASA Contexts operate as separate virtual devices

ASA DDoS protection

ASA DMZ

ASA ECMP static routing

ASA Manual NAT and Auto NAT

ASA NAT control

ASA NAT port forwarding multiple ports to same IP

ASA NAT with DHCP assigned IP address on the  outside interface

ASA NAT with multiple inside subnets

ASA Site-to-Site IKEv1 IPSec VPN recv errors

ASA Static one to one NAT on a range of addresses

ASA Troubleshoot HTTP and ASDM access

ASA VPN with overlapping IP address spaces

ASA active-standby failover preemption

ASA and Firepower reimaging

ASA crypto map and tunnel group preshared keys

ASA group policies

ASA implicit rule

ASA limit CLI and ASDM access to specific users

ASA packet processing algorithm

ASA prerequisites for high availability

ASA redirect IP SLA messages to log buffer

ASA redundant interface

ASA security levels

ASA syslog logging in multiple context mode

ASA to Firepower migration

ASA troubleshooting IPSec

ASA tunnel-group

ASA understanding version numbers

ASA what triggers an active-standby failover

ASA won't respond to pings from different subnet

Anycast

Automation - Ansible connection plugins

BFD - intervals and timers

BFD - with multiple routing protocols

BFD echo mode and operation details

BFD how an administrative change differs from a failure

BFD one-arm echo

BGP - AFI and SAFI

BGP - AS_Path filtering use cases

BGP - Accumulated IGP metric

BGP - Atomic Aggregate Attribute

BGP - Autonomous System Number

BGP - ECMP for specific prefixes

BGP - End-of-RIB marker

BGP - Flowspec

BGP - Graceful Restart Mechanism

BGP - Labeled Unicast

BGP - Large BGP communities

BGP - MED vs AS Prepending

BGP - Network Layer Reachability Information (NLRI)

BGP - Outbound Route Filtering

BGP - RRs vs confederations

BGP - Why is MED non-transitive

BGP - aggregate-address default route

BGP - attributes and path selection

BGP - auto-summary best practices

BGP - auto-summary feature

BGP - definition of External BGP (eBGP)

BGP - definition of Internal BGP (iBGP)

BGP - eBGP loop prevention mechanism same AS number

BGP - eBGP next hop optimization

BGP - eBGP third party next hop

BGP - iBGP full-mesh peering

BGP - iBGP split horizon rule

BGP - multicast routing

VLANs - when a tagged frame arrives on an access port

Links to this page: