Another topic that I want to show you on VLAN is ingress filtering. This you can see in 2 places. The 1st place you see is inside the port which is inside the bridge as following:

Also, you see the bridge interface itself on the VLAN tab as you can see in the picture below:

Let’s see first its function on the physical port (so the 1^st picture). The concept is very easy. If we are setting a security measure,  in case an access port sends us a frame with a tag then we don’t accept it at the port. In fact, an end device should not send us a frame with a tag, right? You can also assign it to a trunk port in which if a frame comes to the trunk port having a VLAN tag different than what it is on the port itself, then it is dropped. This is the whole function of the ingress-filtering on the port-based. How to apply it? Have a look here:

So now any traffic coming on the Ether2 interface from an end device with a VLAN tag on, it will be rejected.

Let’s see now on the bridge level. On that level, once you enable the Ingress Filtering, then once the frame is received with a VLAN that doesn’t exist in the VLAN table then it will be dropped before the bridge sends it out to the egress.

Where is the VLAN table? Here it is:

Now, how can we enable ingress filtering on the bridge? It is just straight forward:

To mention that ingress filtering on both cases does not work if you don’t have VLAN Filtering enabled.