Filtering Egress Traffic based on Frame Characteristics

Article ID: 5888 

Products
DFE

Protocols/Features
Policy
SVL
UPN

Cause
It is sometimes desirable to filter certain traffic on egress, based on frame characteristics such as source/destination MAC address, IP address, or TCP/UDP destination port. The traffic should be allowed to egress most ports within its VLAN but be blocked from one or two specific physical ports.

Achieving this is difficult because Policy can only take a filtering or forwarding action on ingress traffic, at which point the egress port(s) that will receive the frame have not yet been determined.

Solution
The following design should work well in a switching environment on devices such as the DFE that support both Policy and SVL (4918):
  1. Instead of using only VLAN x, use two VLANs, x and x2.
  2. Configure Shared VLAN Learning (5397) for these two VLANs, giving them a common FID. With a shared filtering database, a MAC address learned from a frame in VLAN x is also known when forwarding a frame in VLAN x2, so reassigned frames are still unicast to the correct port rather than flooded.
  3. Configure the non-constrained ports with PVID x and untagged egress for both VLANs x and x2.
  4. Configure the constrained ports with PVID x and untagged egress for VLAN x only.
  5. Use Policy to reassign the targeted (to-be-constrained) frames from VLAN x to VLAN x2 at ingress.
  6. Because the constrained ports are not in the egress list of VLAN x2, the targeted frames can egress only the non-constrained ports. All other switching is unaffected, and since x2 egresses untagged on the same ports as x, end stations see no difference.
Even where it is supported, the SecureStack "Protected Port" feature would not help here, because the decision requires more granularity than the source port / destination port combination alone.
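The following model walks the six steps above through a software switch to show why the design holds: classification, Policy VLAN reassignment at ingress, FDB lookup keyed by FID, and 802.1Q egress-list filtering. It is an added example and not Extreme/Enterasys code; the VLAN numbers (10 for x, 12 for x2), port names, MAC addresses and the "UDP destination port 514" Policy match are all assumptions chosen for illustration. It also shows what changes when step 2 (SVL) is omitted: the constrained port still never receives a targeted frame, but the frame is flooded to every non-constrained port instead of being unicast.

```python
"""Model of the SVL + Policy egress-filtering design (added example, not vendor code).

Assumptions: VLAN x = 10, VLAN x2 = 12; ge.1.1-ge.1.3 are non-constrained,
ge.1.4 is the constrained port; the Policy rule targets UDP destination port 514.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    tag: Optional[int] = None           # 802.1Q VID if tagged, None if untagged
    udp_dst_port: Optional[int] = None  # None when the frame carries no UDP


@dataclass
class Port:
    pvid: int                 # VLAN assigned to untagged ingress frames
    egress: dict[int, str]    # VID -> "untagged" | "tagged" (egress list)


class Switch:
    def __init__(self) -> None:
        self.ports: dict[str, Port] = {}
        self.fid_of: dict[int, int] = {}            # VID -> filtering database ID
        self.fdb: dict[tuple[int, str], str] = {}   # (FID, MAC) -> learned port
        self.policy: list[tuple[Callable[[Frame], bool], int]] = []

    def add_port(self, name: str, pvid: int, egress: dict[int, str]) -> None:
        self.ports[name] = Port(pvid, egress)
        for vid in set(egress) | {pvid}:
            self.fid_of.setdefault(vid, vid)  # default IVL: one FID per VLAN

    def share_learning(self, vids: tuple[int, ...], fid: int) -> None:
        """Step 2: Shared VLAN Learning, several VIDs mapped to one FID."""
        for vid in vids:
            self.fid_of[vid] = fid

    def add_policy_rule(self, match: Callable[[Frame], bool], vlan: int) -> None:
        """Step 5: Policy rule that reassigns matching ingress frames to a VLAN."""
        self.policy.append((match, vlan))

    def forward(self, ingress: str, frame: Frame) -> dict[str, int]:
        """Return {egress_port: vid} for one frame; an empty dict means filtered."""
        vid = frame.tag if frame.tag is not None else self.ports[ingress].pvid
        for match, new_vid in self.policy:        # Policy acts only at ingress
            if match(frame):
                vid = new_vid
                break
        fid = self.fid_of[vid]
        self.fdb[(fid, frame.src_mac)] = ingress   # source learning in the FID
        out = self.fdb.get((fid, frame.dst_mac))
        if out is not None and frame.dst_mac != BROADCAST:
            # Known destination: egress filtering discards the frame if the
            # learned port is not a member of the (possibly reassigned) VLAN.
            if out != ingress and vid in self.ports[out].egress:
                return {out: vid}
            return {}
        # Unknown unicast / broadcast: flood to every member of the VLAN.
        return {n: vid for n, p in self.ports.items() if n != ingress and vid in p.egress}


X, X2 = 10, 12
SERVER, HOST_A, HOST_B, CONSTRAINED = "ge.1.1", "ge.1.2", "ge.1.3", "ge.1.4"
MAC = {SERVER: "00:00:00:00:00:01", HOST_A: "00:00:00:00:00:02",
       HOST_B: "00:00:00:00:00:03", CONSTRAINED: "00:00:00:00:00:04"}


def build_switch(svl: bool) -> Switch:
    sw = Switch()
    for p in (SERVER, HOST_A, HOST_B):                       # step 3
        sw.add_port(p, pvid=X, egress={X: "untagged", X2: "untagged"})
    sw.add_port(CONSTRAINED, pvid=X, egress={X: "untagged"})  # step 4
    if svl:
        sw.share_learning((X, X2), fid=X)                    # step 2
    sw.add_policy_rule(lambda f: f.udp_dst_port == 514, X2)  # step 5
    for p, mac in MAC.items():  # every station speaks once (e.g. ARP) to be learned
        sw.forward(p, Frame(mac, BROADCAST))
    return sw


def run_scenarios(svl: bool) -> dict[str, dict[str, int]]:
    sw = build_switch(svl)
    return {
        "plain_to_constrained": sw.forward(SERVER, Frame(MAC[SERVER], MAC[CONSTRAINED])),
        "targeted_to_constrained": sw.forward(SERVER, Frame(MAC[SERVER], MAC[CONSTRAINED], udp_dst_port=514)),
        "targeted_to_host_a": sw.forward(SERVER, Frame(MAC[SERVER], MAC[HOST_A], udp_dst_port=514)),
        "targeted_broadcast": sw.forward(SERVER, Frame(MAC[SERVER], BROADCAST, udp_dst_port=514)),
    }


if __name__ == "__main__":
    for svl in (True, False):
        print(f"SVL {'enabled' if svl else 'disabled'}:")
        for name, result in run_scenarios(svl).items():
            print(f"  {name:26s} -> {result or 'filtered'}")
```

With SVL enabled, a plain frame to the constrained host still reaches ge.1.4 in VLAN 10, a targeted frame to the same host is discarded (its learned port is not in VLAN 12's egress list), and a targeted frame to a non-constrained host is unicast to that one port. With SVL disabled the constrained port is still protected, but the destination is unknown in VLAN 12's own FID and every targeted frame is flooded to all non-constrained ports, which is the behaviour step 2 avoids.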

Contact the GTAC for further assistance, as necessary.
FAQ User, Official Rep
Posted 4 years ago