Port vlan tagged/untagged and Ingress filter (disabled and enabled)

I have been asked an interesting question by our SAP team and I thought it was a simple answer, but on reflection I realized that there are nuances which I don't know the answer to.
Can someone assist please?

Is my reasoning sound or what part of the puzzle am I missing?
Scenarios 1 and 2 are with ingress-filter disabled
Scenarios 3 and 4 are the same but with ingress-filter enabled
Port discard is set to none on all ports in all cases

I need clarity on the following:
Scenarios 1, 3 and 4, especially the incoming untagged packet
Scenario 2, the incoming frame tagged with VLAN 1000

This is applicable to A/B/C/N/S series switches of which we have plenty.

==========

Scenario 1:
switch with port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting
ingress-filter disabled

The config:
  set vlan create 1000
  set port vlan fe.1.1 1 modify-egress
  set vlan egress 1000 fe.1.1 tagged
  clear vlan egress 1 fe.1.1
  set port ingress-filter fe.1.1 disable

Results: Please confirm if these assumptions are correct
  outgoing untagged packets [vlan 1] = dropped
  outgoing packets tagged with vlan 1000 =  transmitted out port with no change to header
  packets tagged with vlan other than 1000 =  doesn't even come close to the port.

  incoming untagged packet = (?) [But since ingress-filter is disabled, does the packet not get placed into the vlan 1000 broadcast domain?]
                                  Of course the return packet will be dropped as vlan 1  packets are forbidden from egressing this port.
  incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
  incoming packet tagged with vlan other than 1000 = dropped

==========

Scenario 2:
switch port VLAN 1000 untagged and vlan 1000 tagged
ingress filter disabled

The config:
  set vlan create 1000
  set port vlan fe.1.1 1000 modify-egress
  set vlan egress 1000 fe.1.1 tagged
  set port ingress-filter fe.1.1 disable

Results: Please confirm if these assumptions are correct
  outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere are transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
  outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 =  transmitted out port with no change to header
  packets tagged with vlan other than 1000 =  doesn't even come close to the port.

  incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port
  incoming frame tagged with VLAN 2000 = dropped
  incoming frame tagged with VLAN 1000 = ?  [My initial response was it will be dropped. But as ingress-filtering is disabled and the port is set to vlan 1000 natively, is this assumption correct?]

==========

Scenario 3: [variation on 1]
switch with the port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting:
ingress-filter enabled

The config:
  set vlan create 1000
  set port vlan fe.1.1 1 modify-egress
  set vlan egress 1000 fe.1.1 tagged
  clear vlan egress 1 fe.1.1
  set port ingress-filter fe.1.1 enable
 
Results: Please confirm if these assumptions are correct
  outgoing untagged packets [vlan 1] = dropped since vlan 1 is forbidden from egressing fe.1.1
  outgoing packets tagged with vlan 1000 = transmitted out port with no change to header
  packets tagged with vlan other than 1 or 1000 =  doesn't even come close to the port.

  incoming untagged packet = dropped (?) [I base this on the fact that the native (untagged vlan 1) is forbidden from egressing fe.1.1 and with ingress-filter enabled, this will drop all incoming untagged packets?]
  incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
  incoming packet tagged with vlan other than 1000 = dropped

==========

Scenario 4: [variation on 2]
switch with the port vlan 1000 untagged plus vlan 1000 tagged (cisco = access port / native vlan AND also trunk enabled)
ingress filter enabled

The config:
  set vlan create 1000
  set port vlan fe.1.1 1000 modify-egress
  set vlan egress 1000 fe.1.1 tagged
  set port ingress-filter fe.1.1 enable

Results: Please confirm if these assumptions are correct
  outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere are transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
  outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 are transmitted out port with no change to header
  packets tagged with vlan other than 1000 =  doesn't even come close to the port.

  incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port [but is this so since ingress filtering is enabled?]
  incoming frame tagged with VLAN 2000 = dropped
  incoming frame tagged with VLAN 1000 = transmitted ok [the tag on the packet is the same as the egress port, so the packet is transmitted]

==========

From documentation (C5 example)
show port ingress-filter
Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port’s VLAN egress list, then that frame is dropped and not forwarded.

6.3.3.5 set port ingress filter
Use this command to discard all frames received with a VLAN ID that don’t match the port’s VLAN egress list. When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port’s egress list. If the received VLAN ID does not match a VLAN ID on the port’s egress list, then the frame is dropped.
Ingress filtering is implemented according to the IEEE 802.1Q standard.
Eugene van Heerden

Posted 3 years ago

Paul Poyant, Employee
First; it's worth stating for general understanding that Ingress = Incoming/Entering/Receiving; Egress = Outgoing/Exiting/Transmitting.

Second; here we are optionally using an Ingress Filter, and are not using Forbidden Egress at all. When speaking of VLANs it is best to avoid using the word "forbidden" unless we really mean the "Forbidden Egress" feature. Less confusion will ensue.
  • Enabling the ingress-filter ['set port ingress-filter  <port_string>  enable'] prevents a packet from being accepted for port ingress if the packet's assigned VLAN would not be permitted to egress the same port.
  • Forbidden egress ['set vlan forbidden  <VLAN_id>  <port_string>'] (1) prevents the port from egressing packets of the specified VLAN and (2) ensures that any Dynamic requests (via for example GVRP or Dynamic VLAN Egress) for the port to join the VLAN will be ignored.
Scenario 1 [PVID 1, Tagged VLAN 1000 egress] Results:
  • outgoing descriptions are functionally correct
  • incoming untagged packet = VLAN 1, packet will exit another VLAN 1 port
  • incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port
  • incoming packet tagged with VLAN 2000, packet will exit another VLAN 2000 port
Scenario 2 [PVID 1000, Tagged VLAN 1000 egress] Results:
  • outgoing descriptions are functionally correct
  • incoming packet untagged = VLAN 1000, packet will exit another VLAN 1000 port
  • incoming packet tagged with VLAN 2000, packet will exit another VLAN 2000 port
  • incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port
Scenario 3 [PVID 1, Tagged VLAN 1000 egress, ingress filter enabled] Results:
  • outgoing descriptions are functionally correct
  • incoming untagged packet = VLAN 1, dropped due to ingress filter
  • incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port
  • incoming packet tagged with VLAN 2000, dropped due to ingress filter
Scenario 4 [PVID 1000, Tagged VLAN 1000 egress, ingress filter enabled] Results:
  • outgoing descriptions are functionally correct
  • incoming packet untagged = VLAN 1000, packet will exit another VLAN 1000 port
  • incoming packet tagged with VLAN 2000, dropped due to ingress filter
  • incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port
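A small model of the rules Paul describes (PVID assignment on ingress, the port's egress list, and the ingress-filter check), as an added example that is not part of this thread. It parses only the `set`/`clear` commands used in the four scenarios; the default port state (PVID 1, untagged in VLAN 1) and the `modify-egress` behaviour (untagged egress moves from the old PVID to the new one) are assumptions.

```python
"""Added example (not from the thread): one-port model of the EOS commands in the four
scenarios and the 802.1Q ingress/egress decisions. Assumes PVID 1 / VLAN 1 untagged defaults, no GVRP."""

class Port:
    def __init__(self):
        self.pvid = 1                    # untagged frames are assigned this VID on ingress
        self.egress = {1: "untagged"}    # VID -> "tagged" | "untagged" (the egress list)
        self.ingress_filter = False

def apply_config(lines):
    """Apply the scenario's set/clear commands to a fresh port ('set vlan create' is a no-op here)."""
    p = Port()
    for line in lines:
        w = line.split()
        if w[:3] == ["set", "port", "vlan"]:              # set port vlan <port> <vid> [modify-egress]
            old, p.pvid = p.pvid, int(w[4])
            if "modify-egress" in w:                       # assumed: untagged egress moves old PVID -> new
                p.egress.pop(old, None)
                p.egress[p.pvid] = "untagged"
        elif w[:3] == ["set", "vlan", "egress"]:           # set vlan egress <vid> <port> tagged|untagged
            p.egress[int(w[3])] = w[5]
        elif w[:3] == ["clear", "vlan", "egress"]:         # clear vlan egress <vid> <port>
            p.egress.pop(int(w[3]), None)
        elif w[:3] == ["set", "port", "ingress-filter"]:   # set port ingress-filter <port> enable|disable
            p.ingress_filter = (w[4] == "enable")
    return p

def ingress_vlan(p, tag):
    """VID a received frame is assigned to, or None if discarded; tag=None means untagged (takes PVID)."""
    vid = p.pvid if tag is None else tag
    if p.ingress_filter and vid not in p.egress:
        return None                                        # 802.1Q ingress filter: VID not on egress list
    return vid

def scenario(pvid, filt, clear_vlan1=False):
    """Config lines in the same pattern as the thread's four scenarios."""
    return (["set vlan create 1000", f"set port vlan fe.1.1 {pvid} modify-egress",
             "set vlan egress 1000 fe.1.1 tagged"]
            + (["clear vlan egress 1 fe.1.1"] if clear_vlan1 else [])
            + [f"set port ingress-filter fe.1.1 {filt}"])

SCENARIOS = {1: scenario(1, "disable", True), 2: scenario(1000, "disable"),
             3: scenario(1, "enable", True), 4: scenario(1000, "enable")}

def results(n):
    """Ingress VID for untagged/1000/2000 frames, plus how VLANs 1 and 1000 would egress the port."""
    p = apply_config(SCENARIOS[n])
    return {"untagged": ingress_vlan(p, None), "tag1000": ingress_vlan(p, 1000),
            "tag2000": ingress_vlan(p, 2000), "out1": p.egress.get(1), "out1000": p.egress.get(1000)}
```

Running `results(n)` for n in 1..4 reproduces the answer above: with the filter disabled every tagged frame is accepted in its own VLAN and an untagged frame takes the PVID, while with it enabled anything whose VID is not on the egress list (including the untagged frame in scenario 3) is dropped.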
Eugene van Heerden
Hi Paul, thank you very much for the comprehensive explanation.

I have drawn up Visio diagrams to explain each scenario as per your explanation to my colleagues.

This will go a long way in helping our understanding of the various filters which can be applied.

Thank you also for the added information about the differences between forbidden egress [outgoing] and ingress-filter [incoming]. Another arrow to add to my knowledge base.
jeronimo
Is this possible with Summit/ExtremeStack switches?
Jeremy, Embassador
I believe ingress filter is enabled by default on EXOS.
Erik Auerswald, Embassador
Yes, the default behavior of EXOS is equivalent to EOS with ingress-filter enabled.