What is the Effect of an Ingress Filter when working with EOS-based VLANs?

Question
What is the effect of an Ingress Filter when working with EOS-based VLANs?
Environment
  • SecureStack
  • A2-Series, A4-Series
  • B2-Series, B3-Series, B5-Series
  • C2-Series, C3-Series, C5-Series
  • K-Series
  • N-Series
  • S-Series
  • 7100-Series
Answer
Enabling the ingress-filter ['set port ingress-filter <port_string> enable'] prevents a packet from being accepted for port ingress if the packet's assigned VLAN would not be permitted to egress the same port. ["How to configure ports for Ingress Filtering"]

Two scenarios follow, each with ingress filtering first disabled (this is the default) and then enabled.
Note1: Ingress = Incoming/Entering/Receiving; Egress = Outgoing/Exiting/Transmitting.
Note2: It is assumed that no overriding Policy ('set policy...') has been configured.

Scenario 1a: Port VLAN Identifier (PVID) is 2, and the port has Untagged VLAN 2 egress plus Tagged VLAN 3 egress.

  Configuration-
    set vlan create 2,3                     [create new VLANs 2 and 3 on this device]
    set port vlan fe.1.1 2 modify-egress    [set the port as PVID 2 with only Untagged VLAN 2 egress]
    set vlan egress 3 fe.1.1 tagged         [set the port with Tagged VLAN 3 egress also]
    set port ingress-filter fe.1.1 disable  [disable ingress filtering on this port - this is the default]

  Behavior-
    Packets (ingressed elsewhere and) assigned to VLAN 2 may egress this port, and when transmitted they are Untagged.
    Packets (ingressed elsewhere and) assigned to VLAN 3 may egress this port, and when transmitted they are Tagged as VLAN 3.
    Ingressed untagged packets are assigned to VLAN 2 (per the PVID), and are forwarded for egress from another VLAN 2 port.
    Ingressed VLAN-2-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 2 port.
    Ingressed VLAN-3-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 3 port.
    Ingressed VLAN-4-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 4 port.

Note3: You may ask how it is that VLAN 4 has not been created, yet this device appears to pass VLAN 4 traffic. It is possible that GVRP or some other dynamic means has created an egress for VLAN 4, on some other port of this device. If not, then VLAN 4 packets will ultimately be dropped rather than egressed.

Scenario 1b: Same as 1a except with ingress-filter enabled.

  Configuration-
    same as with 1a, plus...
    set port ingress-filter fe.1.1 enable   [enable ingress filtering on this port]

  Behavior-
    Packets (ingressed elsewhere and) assigned to VLAN 2 may egress this port, and when transmitted they are Untagged.
    Packets (ingressed elsewhere and) assigned to VLAN 3 may egress this port, and when transmitted they are Tagged as VLAN 3.
    Ingressed untagged packets are assigned to VLAN 2 (per the PVID), and are forwarded for egress from another VLAN 2 port.
    Ingressed VLAN-2-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 2 port.
    Ingressed VLAN-3-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 3 port.
    Ingressed VLAN-4-tagged packets retain that VLAN assignment, then are dropped due to the ingress filter.

Scenario 2a: Port VLAN Identifier (PVID) is 2, and the port has Tagged VLAN 3 egress plus Forbidden VLAN 4 egress.

Note4: Forbidden egress ['set vlan forbidden <VLAN_id> <port_string>'] (1) prevents the port from egressing packets of the specified VLAN and (2) ensures that any Dynamic requests (via for example GVRP or Dynamic VLAN Egress) for the port to join the VLAN will be ignored. This is most typically applied by NetSight Policy Manager to override a prior Static (=Manual) or Dynamic egress assignment. ["Understanding dynamic vlan egress"]

  Configuration-
    set vlan create 2,3,4                   [create new VLANs 2, 3, and 4 on this device]
    set port vlan fe.1.1 2 modify-egress    [set the port as PVID 2 with only Untagged VLAN 2 egress]
    clear vlan egress 2 fe.1.1              [clear the Untagged VLAN 2 egress from this port]
    set vlan egress 3 fe.1.1 tagged         [set the port with Tagged VLAN 3 egress]
    set vlan egress 4 fe.1.1 tagged         [set the port with Tagged VLAN 4 egress]
    set vlan forbidden 4 fe.1.1             [...but then override the Tagged VLAN 4 egress permission]
    set port ingress-filter fe.1.1 disable  [disable ingress filtering on this port - this is the default]

  Behavior-
    Only packets (ingressed elsewhere and) assigned to VLAN 3 may egress this port, and when transmitted they are VLAN-3-tagged.
    Ingressed untagged packets are assigned to VLAN 2 (per the PVID), and are forwarded for egress from another VLAN 2 port.
    Ingressed VLAN-2-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 2 port.
    Ingressed VLAN-3-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 3 port.
    Ingressed VLAN-4-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 4 port.

Note5: You may ask why one would configure VLAN 4 egress on a port and then forbid VLAN 4 egress on the same port. As implied in the prior Note, this is being done in a somewhat artificial environment for the purpose of demonstration. More typically, the Egress and Forbid actions would not be configured by the same means (Static/Dynamic/Policy).

Scenario 2b: Same as 2a except with ingress-filter enabled.

  Configuration-
    same as with 2a, plus...
    set port ingress-filter fe.1.1 enable   [enable ingress filtering on this port]

  Behavior-
    Only packets (ingressed elsewhere and) assigned to VLAN 3 may egress this port, and when transmitted they are VLAN-3-tagged.
    Ingressed untagged packets are assigned to VLAN 2 (per the PVID), then are dropped due to the ingress filter.
    Ingressed VLAN-2-tagged packets retain that VLAN assignment, then are dropped due to the ingress filter.
    Ingressed VLAN-3-tagged packets retain that VLAN assignment, and are forwarded for egress from another VLAN 3 port.
    Ingressed VLAN-4-tagged packets retain that VLAN assignment, then are dropped due to the ingress filter and the forbidden egress.
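
The four scenarios above all follow one rule: classify the frame (untagged to the PVID, tagged to its VID), then, if the ingress filter is enabled, accept it only when that VLAN is permitted to egress the same port, where a forbidden entry overrides any egress entry. The following Python model is an added example written for this article, not Extreme/Enterasys code; it is a simplified model of a single port (the Port class, its fields and the scenario helpers are all assumptions made here) that reproduces the Behavior lists of Scenarios 1a, 1b, 2a and 2b so the rule can be checked against each line. As in Note2, no overriding Policy is modeled, and as in Note3, forwarding only means the packet is handed to the VLAN's other egress ports.

```python
"""Model of the EOS ingress-filter decision described in the article.

Added example, not Extreme/Enterasys code. A Port holds a PVID, a static
egress map (VLAN -> 'tagged' or 'untagged'), a forbidden set, and the
ingress-filter flag; ingress() returns the VLAN the frame is assigned to
and what happens to it, egress() returns how the port would transmit it.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Port:
    pvid: int
    egress_map: Dict[int, str] = field(default_factory=dict)
    forbidden: Set[int] = field(default_factory=set)
    ingress_filter: bool = False          # 'set port ingress-filter ... disable' is the default

    def can_egress(self, vlan: int) -> bool:
        # A forbidden entry overrides any static or dynamic egress entry (Note4).
        return vlan in self.egress_map and vlan not in self.forbidden

    def egress(self, vlan: int) -> Optional[str]:
        # How a packet already assigned to `vlan` leaves this port, or None if it may not.
        return self.egress_map[vlan] if self.can_egress(vlan) else None

    def classify(self, tag: Optional[int]) -> int:
        # Untagged frames take the PVID; tagged frames keep their VID.
        return self.pvid if tag is None else tag

    def ingress(self, tag: Optional[int]) -> Tuple[int, str]:
        vlan = self.classify(tag)
        if self.ingress_filter and not self.can_egress(vlan):
            return vlan, "dropped by ingress filter"
        return vlan, "forwarded to VLAN %d egress ports" % vlan


def scenario1(ingress_filter: bool) -> Port:
    # Scenario 1a/1b: PVID 2, Untagged VLAN 2 egress, Tagged VLAN 3 egress.
    p = Port(pvid=2, ingress_filter=ingress_filter)
    p.egress_map[2] = "untagged"        # set port vlan fe.1.1 2 modify-egress
    p.egress_map[3] = "tagged"          # set vlan egress 3 fe.1.1 tagged
    return p


def scenario2(ingress_filter: bool) -> Port:
    # Scenario 2a/2b: PVID 2, no VLAN 2 egress, Tagged VLAN 3, VLAN 4 forbidden.
    p = Port(pvid=2, ingress_filter=ingress_filter)
    p.egress_map[2] = "untagged"        # set port vlan fe.1.1 2 modify-egress
    del p.egress_map[2]                 # clear vlan egress 2 fe.1.1
    p.egress_map[3] = "tagged"          # set vlan egress 3 fe.1.1 tagged
    p.egress_map[4] = "tagged"          # set vlan egress 4 fe.1.1 tagged
    p.forbidden.add(4)                  # set vlan forbidden 4 fe.1.1
    return p


def behavior(port: Port) -> Dict[str, str]:
    """Summarise one scenario: egress permission per VLAN and the fate of
    untagged and VLAN-2/3/4-tagged ingress frames (constructed inputs)."""
    out = {}
    for vlan in (2, 3, 4):
        out["egress vlan %d" % vlan] = port.egress(vlan) or "not permitted"
    for tag in (None, 2, 3, 4):
        vlan, fate = port.ingress(tag)
        name = "untagged" if tag is None else "VLAN-%d-tagged" % tag
        out["ingress %s" % name] = "assigned VLAN %d, %s" % (vlan, fate)
    return out


if __name__ == "__main__":
    for label, port in (("1a", scenario1(False)), ("1b", scenario1(True)),
                        ("2a", scenario2(False)), ("2b", scenario2(True))):
        print("Scenario %s" % label)
        for k, v in behavior(port).items():
            print("  %-22s %s" % (k + ":", v))
```

Running the block prints one table per scenario; the lines for 1b and 2b match the article's Behavior lists, including the 2b case where even untagged frames are dropped because the PVID VLAN has no egress on the port. The model treats forbidden as an override of the egress map rather than as a removal, which is why 2a still forwards VLAN-4-tagged frames on ingress while refusing to egress VLAN 4.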