It is sometimes desirable to filter certain traffic on egress, based on frame characteristics such as MAC address, IP address, or TCP/UDP destination port. Such traffic would be allowed to egress most ports within its VLAN, but not one or two specific physical ports.
Achieving this goal can be difficult because Policy can only take filtering/forwarding action against ingress traffic, at which time it has not yet been determined which egress port(s) will receive that traffic.
The following design should work well in a switching environment on devices such as the DFE that support both Policy and SVL (4918):
- Instead of using only VLAN x, use VLANs x and x2.
- Configure Shared VLAN Learning (5397) for these two VLANs, giving them a common FID.
- Configure the non-constrained ports as VLAN x PVID, with untagged egress for VLANs x and x2.
- Configure the constrained ports as VLAN x PVID, with untagged egress for VLAN x.
- Use Policy to reassign any targeted to-be-constrained frames from VLAN x to VLAN x2.
- Targeted frames then egress only the non-constrained ports, leaving all other switching unaffected.
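The forwarding decision this design produces can be traced with a simplified 802.1Q model, added here as an example; it is not switch configuration or vendor code. The VLAN IDs, port and host names, and the Telnet (TCP port 23) rule are constructed assumptions, and the model covers only untagged ingress, source learning, and egress-list filtering.

```python
from dataclasses import dataclass, field
from typing import Callable

VLAN_X, VLAN_X2 = 10, 20          # constructed VLAN IDs for "x" and "x2"
PORTS = ["p1", "p2", "p3", "p4"]  # constructed port names
CONSTRAINED = {"p4"}              # port the targeted traffic must not leave

@dataclass
class Switch:
    pvid: dict        # port -> PVID applied to untagged ingress frames
    egress: dict      # VLAN -> ports on that VLAN's egress list
    fid_of: dict      # VLAN -> filtering database ID (FID)
    targeted: Callable[[dict], bool]          # the Policy rule's match
    fdb: dict = field(default_factory=dict)   # (FID, MAC) -> port

    def forward(self, in_port, frame):
        """Return the set of ports this frame egresses."""
        vlan = self.pvid[in_port]
        if vlan == VLAN_X and self.targeted(frame):
            vlan = VLAN_X2                        # Policy acts at ingress only
        fid = self.fid_of[vlan]
        self.fdb[(fid, frame["src"])] = in_port   # source learning per FID
        known = self.fdb.get((fid, frame["dst"]))
        candidates = {known} if known is not None else set(self.pvid)  # flood
        return {p for p in candidates if p != in_port and p in self.egress[vlan]}

def build(shared=True):  # shared=False models leaving out SVL
    sw = Switch(
        pvid={p: VLAN_X for p in PORTS},
        egress={VLAN_X: set(PORTS), VLAN_X2: set(PORTS) - CONSTRAINED},
        fid_of={VLAN_X: 1, VLAN_X2: 1 if shared else 2},
        targeted=lambda f: f.get("tcp_dport") == 23,  # assumed rule: Telnet
    )
    sw.forward("p2", {"src": "B", "dst": "A"})  # learn host B on p2
    sw.forward("p4", {"src": "C", "dst": "A"})  # learn host C on p4
    return sw

def demo():
    sw, ivl = build(), build(shared=False)
    frame = lambda dst, dport: {"src": "A", "dst": dst, "tcp_dport": dport}
    return {
        "telnet A->B": sw.forward("p1", frame("B", 23)),
        "telnet A->C": sw.forward("p1", frame("C", 23)),
        "http A->C": sw.forward("p1", frame("C", 80)),
        "telnet A->B, no SVL": ivl.forward("p1", frame("B", 23)),
    }

if __name__ == "__main__":
    print(demo())
```

In this model, with separate FIDs the reassigned Telnet frame to host B is flooded as unknown unicast on every VLAN x2 egress port, which is why the design gives the two VLANs a common FID.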
Contact the GTAC for further assistance, as necessary.