Another topic that I want to show you on VLAN is ingress filtering. This you can see in 2 places. The 1st place you see is inside the port which is inside the bridge as following:
Also, you see the bridge interface itself on the VLAN tab as you can see in the picture below:
Let’s see first its function on the physical port (so the 1st picture). The concept is very easy. If we are setting a security measure, in case an access port sends us a frame with a tag then we don’t accept it at the port. In fact, an end device should not send us a frame with a tag, right? You can also assign it to a trunk port in which if a frame comes to the trunk port having a VLAN tag different than what it is on the port itself, then it is dropped. This is the whole function of the ingress-filtering on the port-based. How to apply it? Have a look here:
So now any traffic coming on the Ether2 interface from an end device with a VLAN tag on, it will be rejected.
Let’s see now on the bridge level. On that level, once you enable the Ingress Filtering, then once the frame is received with a VLAN that doesn’t exist in the VLAN table then it will be dropped before the bridge sends it out to the egress.
Where is the VLAN table? Here it is:
Now, how can we enable ingress filtering on the bridge? It is just straight forward:
To mention that ingress filtering on both cases does not work if you don’t have VLAN Filtering enabled.
0 Comments