Port vlan tagged/untagged and Ingress filter (disabled and enabled)


Eugene_van_Heer
New Contributor
I have been asked an interesting question by our SAP team and I thought it was a simple answer, but on reflection I realized that there are nuances which I don't know the answer to.
Can someone assist please?

Is my reasoning sound or what part of the puzzle am I missing?
Scenarios 1 and 2 are with ingress-filter disabled
Scenarios 3 and 4 are the same but with ingress-filter enabled
Port discard is set to none on all ports in all cases

I need clarity on the following:
Scenario 1, 3 and 4 especially the incoming untagged packet
Scenario 2, the incoming frame tagged with VLAN 1000

This is applicable to A/B/C/N/S series switches of which we have plenty.

==========

Scenario 1:
switch with port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting
ingress-filter disabled

The config:
set vlan create 1000
set port vlan fe.1.1 1 modify-egress
set vlan egress 1000 fe.1.1 tagged
clear vlan egress 1 fe.1.1
set port ingress-filter fe.1.1 disable

Results: Please confirm if these assumptions are correct
outgoing untagged packets [vlan 1] = dropped
outgoing packets tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.

incoming untagged packet = (?) [But since ingress-filter is disabled, does the packet not get placed into the vlan 1000 broadcast domain?]
Of course the return packet will be dropped as vlan 1 packets are forbidden from egressing this port.
incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
incoming packet tagged with vlan other than 1000 = dropped

==========

Scenario 2:
switch port VLAN 1000 untagged and vlan 1000 tagged
ingress filter disabled

The config:
set vlan create 1000
set port vlan fe.1.1 1000 modify-egress
set vlan egress 1000 fe.1.1 tagged
set port ingress-filter fe.1.1 disable

Results: Please confirm if these assumptions are correct
outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere are transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.

incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port
incoming frame tagged with VLAN 2000 = dropped
incoming frame tagged with VLAN 1000 = ? [My initial response was it will be dropped. But as ingress-filtering is disabled and the port is set to vlan 1000 natively, is this assumption correct?]

==========

Scenario 3: [variation on 1]
switch with the port vlan 1 untagged and vlan 1000 tagged BUT with the native vlan forbidden from exiting:
ingress-filter enabled

The config:
set vlan create 1000
set port vlan fe.1.1 1 modify-egress
set vlan egress 1000 fe.1.1 tagged
clear vlan egress 1 fe.1.1
set port ingress-filter fe.1.1 enable

Results: Please confirm if these assumptions are correct
outgoing untagged packets [vlan 1] = dropped since vlan 1 is forbidden from egressing fe.1.1
outgoing packets tagged with vlan 1000 = transmitted out port with no change to header
packets tagged with vlan other than 1 or 1000 = doesn't even come close to the port.

incoming untagged packet = dropped (?) [I base this on the fact that the native (untagged vlan 1) is forbidden from egressing fe.1.1 and with ingress-filter enabled, this will drop all incoming untagged packets?]
incoming packet tagged with vlan 1000 = transmitted onto destination (which is also part of vlan 1000 broadcast domain)
incoming packet tagged with vlan other than 1000 = dropped

==========

Scenario 4: [variation on 2]
switch with the port vlan 1000 untagged plus vlan 1000 tagged (cisco = access port / native vlan AND also trunk enabled)
ingress filter enabled

The config:
set vlan create 1000
set port vlan fe.1.1 1000 modify-egress
set vlan egress 1000 fe.1.1 tagged
set port ingress-filter fe.1.1 enable

Results: Please confirm if these assumptions are correct
outgoing packets [vlan 1000] = packets which originally entered the switch untagged elsewhere are transmitted out this port with the vlan tag for 1000 added [no untagged packets exiting]
outgoing packets [vlan 1000] = packets which originally entered the switch tagged with vlan 1000 are transmitted out port with no change to header
packets tagged with vlan other than 1000 = doesn't even come close to the port.

incoming frame untagged = frame is part of vlan 1000 and will exit at another vlan 1000 port [but is this so since ingress filtering is enabled?]
incoming frame tagged with VLAN 2000 = dropped
incoming frame tagged with VLAN 1000 = transmitted ok [the tag on the packet is the same as the egress port, so the packet is transmitted]

==========

From documentation (C5 example)
show port ingress-filter
Use this command to show all ports that are enabled for port ingress filtering, which limits incoming VLAN ID frames according to a port VLAN egress list. If the VLAN ID specified in the received frame is not on the port’s VLAN egress list, then that frame is dropped and not forwarded.

6.3.3.5 set port ingress filter
Use this command to discard all frames received with a VLAN ID that don’t match the port’s VLAN egress list. When ingress filtering is enabled on a port, the VLAN IDs of incoming frames are compared to the port’s egress list. If the received VLAN ID does not match a VLAN ID on the port’s egress list, then the frame is dropped.
Ingress filtering is implemented according to the IEEE 802.1Q standard.
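
The ingress-filter rule quoted from the documentation above, applied to the four scenarios as a small model. This is an added example, not part of the original post and not vendor code. It assumes standard IEEE 802.1Q classification (an untagged frame is assigned the port's PVID before the check), that port discard is none, and that after the commands shown fe.1.1's egress list holds only VLAN 1000; the names Port, classify, passes_ingress, may_egress and evaluate are hypothetical.

```python
# Added example: a model of the documented ingress-filter rule, not switch code.
from typing import NamedTuple, Optional

class Port(NamedTuple):
    pvid: int              # VLAN given to untagged frames ("set port vlan")
    egress: frozenset      # VLAN IDs on the port's egress list ("set vlan egress")
    ingress_filter: bool   # "set port ingress-filter enable|disable"

def classify(port: Port, tag: Optional[int]) -> int:
    """802.1Q classification: tagged frames keep their VID, untagged get the PVID."""
    return port.pvid if tag is None else tag

def passes_ingress(port: Port, tag: Optional[int]) -> bool:
    """True if the ingress-filter check does not drop the frame.
    Passing is not delivery: forwarding still needs the VLAN to exist on the
    switch and another port to carry it on its egress list."""
    vid = classify(port, tag)
    return (not port.ingress_filter) or (vid in port.egress)

def may_egress(port: Port, vid: int) -> bool:
    """A frame leaves a port only if its VLAN is on that port's egress list."""
    return vid in port.egress

# Constructed from the four configs in the post (assumption: egress list
# of fe.1.1 is {1000} in every scenario once the commands have run).
SCENARIOS = {
    1: Port(pvid=1,    egress=frozenset({1000}), ingress_filter=False),
    2: Port(pvid=1000, egress=frozenset({1000}), ingress_filter=False),
    3: Port(pvid=1,    egress=frozenset({1000}), ingress_filter=True),
    4: Port(pvid=1000, egress=frozenset({1000}), ingress_filter=True),
}

def evaluate():
    """Map (scenario, received tag) -> (classified VID, passes ingress check)."""
    out = {}
    for n, port in SCENARIOS.items():
        for tag in (None, 1000, 2000):   # untagged, VLAN 1000, VLAN 2000
            out[(n, tag)] = (classify(port, tag), passes_ingress(port, tag))
    return out

if __name__ == "__main__":
    for (n, tag), (vid, ok) in evaluate().items():
        label = "untagged" if tag is None else f"tag {tag}"
        print(f"scenario {n}: {label:9} -> VLAN {vid:4} "
              f"{'passes ingress check' if ok else 'dropped by ingress filter'}")
```

In this model the untagged frame in Scenario 1 is classified into VLAN 1, not VLAN 1000, and only the return path is blocked by the cleared egress entry; enabling the filter (Scenario 3) drops it on receipt instead.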

6 REPLIES 6

jeronimo
Contributor III
Is this possible with Summit/ExtremeStack switches?

Yes, the default behavior of EXOS is equivalent to EOS with ingress-filter enabled.

I believe ingress filter is enabled by default on EXOS.

Paul_Poyant
New Contributor III