https://community.extremenetworks.com/t5/faqs/filtering-egress-traffic-based-on-frame-characteristics/m-p/41559#M59 Article ID: 5888 <BR /> <BR /> <B>Products</B><BR /> DFE<BR /> <BR /> <B>Protocols/Features</B><BR /> Policy<BR /> SVL<BR /> UPN<BR /> <BR /> <B>Cause</B><BR /> It may sometimes be desired to filter certain traffic upon <I>egress</I>, based on frame characteristics such as MAC Address, IP Address, TCP/UDP Destination Port, etc. This traffic would be allowed to egress most ports within its VLAN except one or two physical ports.<BR /> <BR /> Achieving this goal can be difficult because Policy can only take filtering/forwarding action against <I>ingress</I> traffic, at which time it has not yet been determined which egress port(s) will receive that traffic.<BR /> <BR /> <B>Solution</B><BR /> The following design should work well in a switching environment on devices such as the DFE that support both Policy and SVL (<A href="http://bit.ly/1iwHISK" target="_blank" rel="nofollow noreferrer noopener">4918</A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><OL> <LI>Instead of using only VLAN x, use VLANs x and x2. </LI><LI>Configure Shared VLAN Learning (<A href="http://bit.ly/1avSTRA" target="_blank" rel="nofollow noreferrer noopener">5397</A>) for these two VLANs, giving them a common FID. </LI><LI>Configure the non-constrained ports as VLAN x PVID, with untagged egress for VLANs x and x2. </LI><LI>Configure the constrained ports as VLAN x PVID, with untagged egress for VLAN x. </LI><LI>Use Policy to reassign any targeted to-be-constrained frames from VLAN x to VLAN x2. </LI><LI>Targeted frames egress only non-constrained ports, leaving all other switching unimpacted.</LI></OL>Even if supported, the use of the SecureStacks' "Protected Port" feature would not help here because the decision process requires more granularity than merely the Source Port / Destination Port combination.<BR /> <BR /> <A href="http://www.enterasys.com/support/contact-support.aspx" target="_blank" rel="nofollow noreferrer noopener">Contact the GTAC</A> for further assistance, as necessary. Fri, 07 Feb 2014 20:31:00 GMT FAQ_User 2014-02-07T20:31:00Z https://community.extremenetworks.com/t5/faqs/filtering-egress-traffic-based-on-frame-characteristics/m-p/41559#M59 Article ID: 5888 <BR /> <BR /> <B>Products</B><BR /> DFE<BR /> <BR /> <B>Protocols/Features</B><BR /> Policy<BR /> SVL<BR /> UPN<BR /> <BR /> <B>Cause</B><BR /> It may sometimes be desired to filter certain traffic upon <I>egress</I>, based on frame characteristics such as MAC Address, IP Address, TCP/UDP Destination Port, etc. This traffic would be allowed to egress most ports within its VLAN except one or two physical ports.<BR /> <BR /> Achieving this goal can be difficult because Policy can only take filtering/forwarding action against <I>ingress</I> traffic, at which time it has not yet been determined which egress port(s) will receive that traffic.<BR /> <BR /> <B>Solution</B><BR /> The following design should work well in a switching environment on devices such as the DFE that support both Policy and SVL (<A href="http://bit.ly/1iwHISK" target="_blank" rel="nofollow noreferrer noopener">4918</A><span class="lia-unicode-emoji" title=":disappointed_face:">😞</span><OL> <LI>Instead of using only VLAN x, use VLANs x and x2. </LI><LI>Configure Shared VLAN Learning (<A href="http://bit.ly/1avSTRA" target="_blank" rel="nofollow noreferrer noopener">5397</A>) for these two VLANs, giving them a common FID. </LI><LI>Configure the non-constrained ports as VLAN x PVID, with untagged egress for VLANs x and x2. </LI><LI>Configure the constrained ports as VLAN x PVID, with untagged egress for VLAN x. </LI><LI>Use Policy to reassign any targeted to-be-constrained frames from VLAN x to VLAN x2. </LI><LI>Targeted frames egress only non-constrained ports, leaving all other switching unimpacted.</LI></OL>Even if supported, the use of the SecureStacks' "Protected Port" feature would not help here because the decision process requires more granularity than merely the Source Port / Destination Port combination.<BR /> <BR /> <A href="http://www.enterasys.com/support/contact-support.aspx" target="_blank" rel="nofollow noreferrer noopener">Contact the GTAC</A> for further assistance, as necessary. Fri, 07 Feb 2014 20:31:00 GMT https://community.extremenetworks.com/t5/faqs/filtering-egress-traffic-based-on-frame-characteristics/m-p/41559#M59 FAQ_User 2014-02-07T20:31:00Z