Policy issues: Port PVID on CLI does not reflect "contain to VLAN" / what is default traffic action when containing to vlan?

  • Updated 4 years ago
Hi,
Currently experimenting on C3 06.61.12.0005

First

Using this policy and applying it to a port:

*********************************************
->show policy profile 3
Profile Index            : 3
Profile Name             : Test
Row Status               : active
Port VID Status          : Enable
Port VID Override        : 110
CoS                      : 0
CoS Status               : Disable
Egress Vlans             : none
Forbidden Vlans          : none
Untagged Vlans           : 110
Rule Precedence          : 1-31
                         :MACSource(1),MACDest(2),IPSource(12),
                         :IPDest(13),UDPSrcPort(15),UDPDestPort(16),
                         :TCPSrcPort(17),TCPDestPort(18),ICMPType(19),
                         :IPTOS(21),IPProto(22),Ether(25),
                         :VLANTag(27)
Admin Profile Usage      : none
Oper Profile Usage       : none
Dynamic Profile Usage    : ge.1.17
*********************************************

Looking at the port, the ingress VLAN still seems to be 1; however, it really must be 110 because the traffic is flowing alright. Why doesn't the CLI show the reality?

*********************************************
->show vlan portinfo port ge.1.17
 Port           VLAN      Ingress   Egress
                          Filter     Vlan
-----------------------------------------------------------------
ge.1.17        1          Y          untagged: 1,110
*********************************************

Other question:

When setting a "contain to vlan" policy, it seems that the default traffic type will then be "allow". However, I want to contain to vlan and be able to make classifications... In any case, I don't find an easy "drop all" rule to put there manually. Where am I thinking wrong?

Thanks for any advice.

jeronimo


Posted 4 years ago


Paul Poyant, Employee

The Port VID Override (=110) will, as applicable, override the Port VLAN (=1).  So if I understand your question correctly, the CLI is indeed showing the reality.  It's just that it is necessary to look in more than one place in order to develop an understanding of how traffic will behave in a variety of circumstances.  Note that the Port VLAN value may well apply to a certain amount of traffic, because that traffic for whatever reason does not invoke Policy Profile 3.

As to your second question, I believe it would be helpful to see the Profile and underlying Rules that have been set up for the "contain to vlan" role you are discussing.  Policy is very flexible and there are typically multiple ways to accomplish any given effect.

Thank you.
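The answer above says the two outputs have to be read together. As an added example (not code from this thread or from the vendor), the Python sketch below cross-references them for an audit: it parses constructed sample text abbreviated from the two CLI outputs in the question and reports which VLAN applies to traffic that invokes the profile and which applies to traffic that does not. It assumes the "Usage" fields list ports as comma-separated names.

```python
import re

# Constructed sample input, abbreviated from the two CLI outputs in the question.
PROFILE_OUTPUT = """\
Profile Index            : 3
Profile Name             : Test
Port VID Status          : Enable
Port VID Override        : 110
Untagged Vlans           : 110
Rule Precedence          : 1-31
                         :MACSource(1),MACDest(2),IPSource(12),
Dynamic Profile Usage    : ge.1.17
"""
PORTINFO_OUTPUT = "ge.1.17        1          Y          untagged: 1,110\n"
USAGE_KEYS = ("Admin Profile Usage", "Oper Profile Usage", "Dynamic Profile Usage")

def parse_profile(text):
    """Parse the 'Key : value' lines of 'show policy profile' into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():  # continuation lines have an empty key
            fields[key.strip()] = value.strip()
    return fields

def parse_portinfo(text):
    """Map port -> (port VLAN, untagged egress VLANs) from 'show vlan portinfo'."""
    row = re.compile(r"^(\S+\.\d+\.\d+)\s+(\d+)\s+[YN]\s+untagged:\s*([\d,]+)", re.M)
    return {m.group(1): (int(m.group(2)), [int(v) for v in m.group(3).split(",")])
            for m in row.finditer(text)}

def ingress_vlans(port, profile, ports):
    """VLAN for traffic that invokes the profile vs. traffic that does not."""
    port_vlan, untagged = ports[port]
    # Assumption: each usage field is "none" or a comma-separated port list.
    applied = any(port in [p.strip() for p in profile.get(k, "").split(",")]
                  for k in USAGE_KEYS)
    override_on = profile.get("Port VID Status") == "Enable"
    with_policy = int(profile["Port VID Override"]) if applied and override_on else port_vlan
    return {"with_policy": with_policy,
            "without_policy": port_vlan,
            # Return traffic only leaves untagged if the port egresses that VLAN.
            "egress_untagged_ok": with_policy in untagged}

if __name__ == "__main__":
    print(ingress_vlans("ge.1.17", parse_profile(PROFILE_OUTPUT),
                        parse_portinfo(PORTINFO_OUTPUT)))
```
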