VLAN ingress filtering

In the VLAN port config of the Procurve 1700-24 (but also in other models, it seems to be a more generic question) I find an "ingress filtering" option that can be enabled for each port. The help says:

Ingress Filtering Enabled - If enabled, incoming frames for VLANs which do not include this ingress port as a member will be discarded. (Default: Disabled)

This would suggest that, with option disabled, these frames are accepted.

But I did some tests and it does not seem to happen.

I configured ports 1-10 belonging only to VLAN A, and 11-20 belonging only to VLAN B, and left ingress filtering disabled. Then I connected a PC to port 5, setting its Ethernet card to the VLAN B ID.

The result is that I cannot reach VLAN B. This is fair to me, by itself: if I set port 5 not belonging to VLAN B it means that I don't want it in VLAN B. But I cannot see the point of "ingress filtering"; I'm not able to create a scenario in which results are different with filtering on or off.

A condition where with filtering on I cannot reach something that I can reach with filtering off.

Somewhere I read (it's not my first research on this matter) that this filter acts at ingress, and that frames are filtered on egress anyway.

In this case, I cannot see the point of leaving a frame "go in" and then blocking it. Why should I give hope to that frame and then soon delude it?

If we change point of view, I cannot find a positive scenario for "filtering off" either: some condition in which filtering on disrupts something legitimate.
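
Added example, not part of the original post and not HP code: a small Python model of generic IEEE 802.1Q ingress and egress membership checks, applied to the port layout described in the post. It shows why a two-way reachability test gives the same result with the option on or off, while one-way frame delivery into VLAN B differs. The VLAN IDs 10 and 20, the host on port 15 and the flood-to-all-members forwarding are assumptions, and the model has not been verified against the 1700-24.

```python
# Toy model of 802.1Q ingress/egress checks (added example, not ProCurve firmware).
# Assumptions: VLAN IDs 10 ("A") and 20 ("B") are constructed; frames are flooded
# to all member ports; MAC learning and PVID handling of untagged frames are omitted.

VLAN_A, VLAN_B = 10, 20
MEMBERS = {
    VLAN_A: set(range(1, 11)),   # ports 1-10, as in the post
    VLAN_B: set(range(11, 21)),  # ports 11-20, as in the post
}

def forward(in_port, vid, ingress_filtering):
    """Return the set of ports a tagged frame is sent out of."""
    members = MEMBERS.get(vid, set())
    # Ingress check: only applied when the option is enabled.
    if ingress_filtering and in_port not in members:
        return set()
    # Egress check: always applied, a frame only leaves via member ports.
    return members - {in_port}

def ping_succeeds(client_port, server_port, vid, ingress_filtering):
    """A ping needs the request AND the reply to be delivered."""
    request_ok = server_port in forward(client_port, vid, ingress_filtering)
    reply_ok = client_port in forward(server_port, vid, ingress_filtering)
    return request_ok and reply_ok

def scenario(ingress_filtering):
    """PC on port 5 tagging its frames with VLAN B, host on port 15."""
    return {
        "request_reaches_vlan_b": 15 in forward(5, VLAN_B, ingress_filtering),
        "reply_reaches_port_5": 5 in forward(15, VLAN_B, ingress_filtering),
        "ping_works": ping_succeeds(5, 15, VLAN_B, ingress_filtering),
    }

if __name__ == "__main__":
    for setting in (False, True):
        print("ingress filtering", "on " if setting else "off", scenario(setting))
```

In this model the ping fails in both cases because the reply is never sent out of port 5, but with the option off the request itself is still delivered to the VLAN B member ports. With the option on, the frame is dropped at port 5 before it reaches any of them.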