This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EOS)
- RE: Port vlan tagged/untagged and Ingress filter (...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Port vlan tagged/untagged and Ingress filter (disabled and enabled)
Port vlan tagged/untagged and Ingress filter (disabled and enabled)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-05-2015 07:57 AM
I have been asked an interesting question by our SAP team and I thought it was a simple answer, but on reflection I realized that there are nuances which I don't know the answer to.
Can someone assist please?
Is my reasoning sound or what part of the puzzle am I missing?
Scenario 1 and 2 is with ingress-filter disabled
Scenario 3 and 4 is the same but with ingress-filter enabled
Port discard is set to none on all ports in all cases
I need clarity on the following:
Scenario 1, 3 and 4 especially the incoming untagged packet
Scenario 2, the incoming frame tagged with VLAN 1000
This is applicable to A/B/C/N/S series switches of which we have plenty.
==========
Scenario 1:
switch with port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting
ingress-filter disabled
The config:
set vlan create 1000
set port vlan fe.1.1 1 modify-egress
set vlan egress 1000 fe.1.1 tagged
clear vlan egress 1 fe.1.1
set port ingress-filter fe.1.1 disable
Results: Please confirm if these assumptions are correct
outgoing untagged packets [vlan 1] = dropped
outgoing packets tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.
incoming untagged packet = (?) [But since ingress-filter is disabled, does the packet not get placed into the vlan 1000 broadcast domain?]
Of course the return packet will be dropped as vlan 1 packets are forbidden from egressing this port.
incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
incoming packet tagged with vlan other than 1000 = dropped
==========
Scenario 2:
switch port VLAN 1000 untagged and vlan 1000 tagged
ingress filter disabled
The config:
set vlan create 1000
set port vlan fe.1.1 1000 modify-egress
set vlan egress 1000 fe.1.1 tagged
set port ingress-filter fe.1.1 disable
Results: Please confirm if these assumptions are correct
outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere, is transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.
incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port
incoming frame tagged with VLAN 2000 = dropped
incoming frame tagged with VLAN 1000 = ? [My initial response was it will be dropped. But as ingress-filtering is disabled and the port is set to vlan 1000 nativly, is this assumption correct?]
==========
Scenario 3: [variation on 1]
switch with the port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting:
ingress-filter enabled
The config:
set vlan create 1000
set port vlan fe.1.1 1 modify-egress
set vlan egress 1000 fe.1.1 tagged
clear vlan egress 1 fe.1.1
set port ingress-filter fe.1.1 enable
Results: Please confirm if these assumptions are correct
outgoing untagged packets [vlan 1] = dropped since vlan 1 is forbidden from egressing fe.1.1
outgoing packets tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1 or 1000 = doesn't even come close to the port.
incoming untagged packet = dropped (?) [I base this on the fact that the native (untagged vlan 1) is forbidden from egressing fe.1.1 and with ingress-filter enabled, this will drop all incoming untagged packets?]
incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
incoming packet tagged with vlan other than 1000 = dropped
==========
Scenario 4: [variation on 2]
switch with the port vlan 1000 untagged plus vlan 1000 tagged (cisco = access port / native vlan AND also trunk enabled)
ingress filter enabled
The config:
set vlan create 1000
set port vlan fe.1.1 1000 modify-egress
set vlan egress 1000 fe.1.1 tagged
set port ingress-filter fe.1.1 enabled
Results: Please confirm if these assumptions are correct
outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere, is transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 is transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.
incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port [but is this so since ingress filtering is enabled?]
incoming frame tagged with VLAN 2000 = dropped
incoming frame tagged with VLAN 1000 = transmitted ok [the tag on the packet is the same as the egress port, so the packets is transmitted]
==========
From documentation (C5 example)
show port ingress-filter
Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port’s VLAN egress list, then that frame is dropped and not forwarded.
6.3.3.5 set port ingress filter
Use this command to discard all frames received with a VLAN ID that don’t match the port’s VLAN egress list. When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port’s egress list. If the received VLAN ID does not match a VLAN ID on the port’s egress list, then the frame is dropped.
Ingress filtering is implemented according to the IEEE 802.1Q standard.
Can someone assist please?
Is my reasoning sound or what part of the puzzle am I missing?
Scenario 1 and 2 is with ingress-filter disabled
Scenario 3 and 4 is the same but with ingress-filter enabled
Port discard is set to none on all ports in all cases
I need clarity on the following:
Scenario 1, 3 and 4 especially the incoming untagged packet
Scenario 2, the incoming frame tagged with VLAN 1000
This is applicable to A/B/C/N/S series switches of which we have plenty.
==========
Scenario 1:
switch with port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting
ingress-filter disabled
The config:
set vlan create 1000
set port vlan fe.1.1 1 modify-egress
set vlan egress 1000 fe.1.1 tagged
clear vlan egress 1 fe.1.1
set port ingress-filter fe.1.1 disable
Results: Please confirm if these assumptions are correct
outgoing untagged packets [vlan 1] = dropped
outgoing packets tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.
incoming untagged packet = (?) [But since ingress-filter is disabled, does the packet not get placed into the vlan 1000 broadcast domain?]
Of course the return packet will be dropped as vlan 1 packets are forbidden from egressing this port.
incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
incoming packet tagged with vlan other than 1000 = dropped
==========
Scenario 2:
switch port VLAN 1000 untagged and vlan 1000 tagged
ingress filter disabled
The config:
set vlan create 1000
set port vlan fe.1.1 1000 modify-egress
set vlan egress 1000 fe.1.1 tagged
set port ingress-filter fe.1.1 disable
Results: Please confirm if these assumptions are correct
outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere, is transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.
incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port
incoming frame tagged with VLAN 2000 = dropped
incoming frame tagged with VLAN 1000 = ? [My initial response was it will be dropped. But as ingress-filtering is disabled and the port is set to vlan 1000 nativly, is this assumption correct?]
==========
Scenario 3: [variation on 1]
switch with the port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting:
ingress-filter enabled
The config:
set vlan create 1000
set port vlan fe.1.1 1 modify-egress
set vlan egress 1000 fe.1.1 tagged
clear vlan egress 1 fe.1.1
set port ingress-filter fe.1.1 enable
Results: Please confirm if these assumptions are correct
outgoing untagged packets [vlan 1] = dropped since vlan 1 is forbidden from egressing fe.1.1
outgoing packets tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1 or 1000 = doesn't even come close to the port.
incoming untagged packet = dropped (?) [I base this on the fact that the native (untagged vlan 1) is forbidden from egressing fe.1.1 and with ingress-filter enabled, this will drop all incoming untagged packets?]
incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
incoming packet tagged with vlan other than 1000 = dropped
==========
Scenario 4: [variation on 2]
switch with the port vlan 1000 untagged plus vlan 1000 tagged (cisco = access port / native vlan AND also trunk enabled)
ingress filter enabled
The config:
set vlan create 1000
set port vlan fe.1.1 1000 modify-egress
set vlan egress 1000 fe.1.1 tagged
set port ingress-filter fe.1.1 enabled
Results: Please confirm if these assumptions are correct
outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere, is transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 is transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.
incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port [but is this so since ingress filtering is enabled?]
incoming frame tagged with VLAN 2000 = dropped
incoming frame tagged with VLAN 1000 = transmitted ok [the tag on the packet is the same as the egress port, so the packets is transmitted]
==========
From documentation (C5 example)
show port ingress-filter
Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port’s VLAN egress list, then that frame is dropped and not forwarded.
6.3.3.5 set port ingress filter
Use this command to discard all frames received with a VLAN ID that don’t match the port’s VLAN egress list. When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port’s egress list. If the received VLAN ID does not match a VLAN ID on the port’s egress list, then the frame is dropped.
Ingress filtering is implemented according to the IEEE 802.1Q standard.
6 REPLIES 6
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-08-2015 06:03 AM
Hi Paul, thank you very much for the comprehensive explanation.
I have drawn up Visio diagrams to explain each scenario as per your explanation to my colleagues.
This will go a long way in helping our understanding of the various filters which can be applied.
Thank you also for the added information about the differences between forbidden egress [outgoing] and ingress-filter [incoming]. Another arrow to add to my knowlegebase.
I have drawn up Visio diagrams to explain each scenario as per your explanation to my colleagues.
This will go a long way in helping our understanding of the various filters which can be applied.
Thank you also for the added information about the differences between forbidden egress [outgoing] and ingress-filter [incoming]. Another arrow to add to my knowlegebase.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
10-05-2015 05:08 PM
First; it's worth stating for general understanding that Ingress = Incoming/Entering/Receiving; Egress = Outgoing/Exiting/Transmitting.
Second; here we are optionally using an Ingress Filter, and are not using Forbidden Egress at all. When speaking of VLANs it is best to avoid using the word "forbidden" unless we really mean the "Forbidden Egress" feature. Less confusion will ensue.
Second; here we are optionally using an Ingress Filter, and are not using Forbidden Egress at all. When speaking of VLANs it is best to avoid using the word "forbidden" unless we really mean the "Forbidden Egress" feature. Less confusion will ensue.
- Enabling the ingress-filter ['
set port ingress-filter
<port_string
>enable
'] prevents a packet from being accepted for port ingress if the packet's assigned VLAN would not be permitted to egress the same port. Forbidden egress ['set vlan forbidden
<VLAN_id
> <port_string
>'] (1) prevents the port from egressing packets of the specified VLAN and (2) ensures that any Dynamic requests (via for example GVRP or Dynamic VLAN Egress) for the port to join the VLAN will be ignored.
- outgoing descriptions are functionally correct incoming untagged packet = VLAN 1, packet will exit another VLAN 1 port incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port incoming packet tagged with VLAN 2000, packet will exit another VLAN 2000 port
- outgoing descriptions are functionally correct incoming packet untagged = VLAN 1000, packet will exit another VLAN 1000 port incoming packet tagged with VLAN 2000, packet will exit another VLAN 2000 port incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port
- outgoing descriptions are functionally correct incoming untagged packet = VLAN 1, dropped due to ingress filter incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port incoming packet tagged with VLAN 2000, dropped due to ingress filter
- outgoing descriptions are functionally correct incoming packet untagged = VLAN 1000, packet will exit another VLAN 1000 port incoming packet tagged with VLAN 2000, dropped due to ingress filter incoming packet tagged with VLAN 1000, packet will exit another VLAN 1000 port
