Administration Guide

Packet processing

Ingress processing ensures that the port accepts only packets with allowed VLAN values (untagged packets are assigned the native VLAN, which is implicitly allowed). After ingress processing, every packet is tagged with a valid VLAN.

The packet is sent to each egress port that can send the packet (because the packet tag value matches the native VLAN or an Allowed VLAN on the port).

Ingress port

Untagged packet

  • packet is tagged with the native VLAN and allowed to proceed
  • the Allowed VLAN list is ignored

Tagged packet

  • tag VLAN value must match an Allowed VLAN or the native VLAN
  • packet retains the VLAN tag and is allowed to proceed

To control what types of frames are accepted by the port, use the following commands:

config switch interface
    edit <interface>
        set discard-mode <all-tagged | all-untagged | none>
end

Variable        Description
all-tagged      Tagged frames are discarded, and untagged frames can enter the switch.
all-untagged    Untagged frames are discarded, and tagged frames can enter the switch.
none            By default, all frames can enter the switch, and no frames are discarded.

Egress port

All packets that arrive at an egress port are tagged packets.

If the packet tag value is on the Allowed VLAN list, the packet is sent out with the existing tag.

If the packet tag value is the native VLAN or on the Untagged VLAN list, the tag is stripped, and then the packet is sent out.

Otherwise, the packet is dropped.
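
The ingress and egress rules above, modeled in Python as an added example (not Fortinet code). The Port class, the function names, and the three-port topology are hypothetical; the model assumes discard-mode is checked before VLAN membership, that the egress rules are tested in the order listed, and that a frame is offered to every other port.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Port:
    name: str
    native_vlan: int
    allowed_vlans: Set[int] = field(default_factory=set)
    untagged_vlans: Set[int] = field(default_factory=set)
    discard_mode: str = "none"  # all-tagged | all-untagged | none

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN the frame carries inside the switch, or None if dropped."""
    # Assumption: discard-mode is evaluated before the VLAN membership check.
    if tag is None:                      # untagged: Allowed VLAN list is ignored
        return None if port.discard_mode == "all-untagged" else port.native_vlan
    if port.discard_mode == "all-tagged":
        return None
    if tag == port.native_vlan or tag in port.allowed_vlans:
        return tag                       # frame keeps its tag
    return None

def egress(port: Port, vlan: int) -> Optional[str]:
    """Return 'tagged', 'untagged', or None when the port drops the frame."""
    # Assumption: rules are tested in the order the page lists them.
    if vlan in port.allowed_vlans:
        return "tagged"
    if vlan == port.native_vlan or vlan in port.untagged_vlans:
        return "untagged"
    return None

def forward(src: Port, tag: Optional[int], ports: List[Port]) -> Dict[str, str]:
    """Map each egress port that sends the frame to how the frame leaves it."""
    vlan = ingress(src, tag)
    if vlan is None:
        return {}
    results = {p.name: egress(p, vlan) for p in ports if p is not src}
    return {name: how for name, how in results.items() if how is not None}

# Constructed sample topology (not from the page).
access = Port("port1", native_vlan=10)
trunk = Port("port2", native_vlan=1, allowed_vlans={10, 20})
server = Port("port3", native_vlan=20)

if __name__ == "__main__":
    ports = [access, trunk, server]
    print(forward(access, 10, ports))    # discard-mode none on port1
    access.discard_mode = "all-tagged"
    print(forward(access, 10, ports))    # same frame, all-tagged on port1
```

With discard-mode none, port1 accepts a frame tagged with its own native VLAN 10 and port2 sends it out tagged; with all-tagged on port1, the same frame is discarded at ingress while untagged frames still enter.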
