Article ID: 5888
Products
DFE
Protocols/Features
Policy
SVL
UPN
Cause
It may sometimes be desirable to filter certain traffic on egress, based on frame characteristics such as MAC address, IP address, TCP/UDP destination port, etc. Such traffic should be allowed to egress most ports within its VLAN, but not one or two specific physical ports.
This is difficult to achieve directly, because Policy can only take filtering or forwarding action on ingress traffic, at which point it has not yet been determined which egress port(s) will receive the frame.
Solution
The following design should work well in a switching environment on devices such as the DFE that support both Policy and SVL (4918):
- Instead of using only VLAN x, use two VLANs, x and x2.
- Configure Shared VLAN Learning (5397) for these two VLANs, giving them a common FID.
- Configure the non-constrained ports with a PVID of VLAN x and untagged egress for both VLANs x and x2.
- Configure the constrained ports with a PVID of VLAN x and untagged egress for VLAN x only; they must not be egress members of VLAN x2.
- Use Policy to reassign the targeted, to-be-constrained frames from VLAN x to VLAN x2 at ingress.
- Because the constrained ports are not in VLAN x2's egress list, targeted frames egress only the non-constrained ports. The common FID means addresses learned via VLAN x remain usable for frames reassigned to VLAN x2, so all other switching is unaffected.
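The forwarding model below is an added example, not configuration from this article or code from the DFE firmware. It is a simplified simulator of the design above, so that the effect of each step can be checked: untagged ingress frames are classified to the port PVID, Policy may reassign the VLAN at ingress, learning is keyed by FID (so a shared FID means one MAC table for both VLANs), a known destination is forwarded only if the learned port is an egress member of the frame's final VLAN, and unknown destinations flood to that VLAN's egress members. The VLAN IDs (100 and 101 standing in for x and x2), the six-port layout with ports 5 and 6 constrained, and the "TCP destination port 23" classification rule are all hypothetical choices for the example. The model also runs the same scenarios with separate FIDs to show what SVL changes: without a common FID the reassigned frames still never reach a constrained port, but they are flooded to every non-constrained port instead of being unicast.

```python
"""Forwarding model of the two-VLAN / shared-FID egress-constraint design.

Added example, not from the article or the DFE. Assumptions (labelled as
such): untagged ingress is classified to the port PVID; Policy runs at
ingress only and may reassign the VLAN; MAC learning is keyed by FID;
known destinations are forwarded only to an egress member of the frame's
final VLAN; unknown destinations flood to that VLAN's egress members.
"""
from dataclasses import dataclass

VLAN_X, VLAN_X2 = 100, 101        # hypothetical IDs for VLAN "x" and VLAN "x2"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str
    dst_port: int
    vlan: int = 0                 # 0 = arrived untagged


class Switch:
    def __init__(self, pvid, egress, fid_of, policy):
        self.pvid = pvid          # port -> PVID
        self.egress = egress      # vlan -> set of egress member ports
        self.fid_of = fid_of      # vlan -> FID (equal for both VLANs under SVL)
        self.policy = policy      # callable(frame) -> VLAN to assign, or None
        self.mac_table = {}       # (fid, mac) -> port

    def forward(self, in_port, frame):
        """Return the sorted list of ports the frame egresses."""
        vlan = frame.vlan or self.pvid[in_port]
        # Policy acts at ingress: it can change the VLAN but knows no egress port.
        reassigned = self.policy(frame)
        if reassigned is not None:
            vlan = reassigned
        fid = self.fid_of[vlan]
        # Learning is per FID, so VLANs sharing a FID share their MAC entries.
        self.mac_table[(fid, frame.src_mac)] = in_port
        learned = self.mac_table.get((fid, frame.dst_mac))
        if learned is None:
            # Unknown destination: flood within the (possibly reassigned) VLAN.
            return sorted(p for p in self.egress[vlan] if p != in_port)
        # Known destination: the egress check is against the final VLAN's members.
        if learned in self.egress[vlan] and learned != in_port:
            return [learned]
        return []                 # learned port is not an egress member: dropped


def constrain_telnet(frame):
    """Hypothetical Policy rule: TCP destination port 23 is the traffic to constrain."""
    return VLAN_X2 if frame.dst_port == 23 else None


def make_switch(shared_fid, policy=constrain_telnet):
    pvid = {p: VLAN_X for p in range(1, 7)}            # every port: PVID = VLAN x
    egress = {VLAN_X: {1, 2, 3, 4, 5, 6},              # all ports carry x untagged
              VLAN_X2: {1, 2, 3, 4}}                   # only non-constrained ports carry x2
    fid_of = {VLAN_X: 1, VLAN_X2: 1 if shared_fid else 2}
    return Switch(pvid, egress, fid_of, policy)


def run_scenarios(shared_fid=True):
    """Constructed traffic: host b on constrained port 5, host a on port 1."""
    sw = make_switch(shared_fid)
    results = {}
    # b announces itself (unknown/broadcast-like destination): learned on port 5.
    results["b_flood"] = sw.forward(5, Frame("b", "ff:ff", "10.0.0.255", 0))
    # a -> b on port 23: reassigned to x2, and port 5 is not an x2 member.
    results["targeted_to_b"] = sw.forward(1, Frame("a", "b", "10.0.0.5", 23))
    # a -> b on port 80: stays in x, unicast to port 5 as usual.
    results["plain_to_b"] = sw.forward(1, Frame("a", "b", "10.0.0.5", 80))
    # a -> unknown host on port 23: floods, but only to non-constrained ports.
    results["targeted_unknown"] = sw.forward(1, Frame("a", "c", "10.0.0.9", 23))
    return results


if __name__ == "__main__":
    for shared in (True, False):
        print("shared FID" if shared else "separate FIDs", run_scenarios(shared))
```

With the common FID, the targeted frame to host b is dropped outright, because b's address is already known on port 5 and port 5 is not an egress member of VLAN x2; with separate FIDs the same frame is unknown in x2 and floods to ports 2, 3 and 4. Either way nothing reaches a constrained port, and the non-targeted frame to b is unaffected.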
Even where it is supported, the SecureStack "Protected Port" feature would not help here, because the decision requires more granularity than the source port / destination port combination on which that feature operates.
Contact the GTAC for further assistance, as necessary.