HPE Community
Web and Unmanaged
1823726 Members
3639 Online
109664 Solutions
New Discussion

VLAN ingress filtering

 
ecorec
Occasional Contributor

‎11-07-2021 09:44 AM - edited ‎11-07-2021 09:50 AM

‎11-07-2021 09:44 AM - edited ‎11-07-2021 09:50 AM

VLAN ingress filtering

In VLAN port config of Procurve 1700-24 (but also in other models, it seems to be a more generic question) I find an "ingress filtering" option that can be enabled for each port. Help says::

Ingress Filtering Enabled - If enabled, incoming frames for VLANs which do not include this ingress port as a member will be discarded. (Default: Disabled)

This would suggest that, with option disabled, these frames are accepted.

But I did some test and it seems not to happen.

I  configured ports 1-10 belonging only to VLAN A, and 11-20 belonging only to VLAN B, and leave ingress filtering disabled. Then I connected to port 5 a PC, setting its ethernet card with VLAN B id.

The result is that I cannot reach VLAN B. This is fair to me, by itself: if I set port 5 not belonging to VLAN B it means that I don't want it in VLAN B. But I cannot see the point of "ingress filtering", I'm not able to create a scenario in which results are different with filtering on or  off.

A condition where with filtering on I cannot reach something that I can reach with filtering off.

Somewhere I read (it's not my first research on this matter) that this filter acts at ingress, and that frames are filtered on egress anyway.

In this case, I cannot see the point of leaving a frame "go in" and then blocking it. Why should I give hope to that frame and then soon delude it?

If we change point of view, I cannot neither find a positive scenario for "filtering off".  Some condition in which filtering on disrupts something legitimate.

0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.