Ingress processing ensures that the port accepts only packets with allowed VLAN values (untagged packets are assigned the native VLAN, which is implicitly allowed). After ingress processing, every packet is tagged with a valid VLAN.
The packet is sent to each egress port that can send the packet (because the packet tag value matches the native VLAN or an Allowed VLAN on the port).
When an untagged packet arrives at the ingress port:
- The packet is tagged with the native VLAN and allowed to proceed.
- The Allowed VLAN list is ignored.
When a tagged packet arrives at the ingress port:
- The tag VLAN value must match an Allowed VLAN or the native VLAN.
- The packet retains the VLAN tag and is allowed to proceed.
To control what types of frames are accepted by the port:
config switch interface
    edit <interface>
        set discard-mode <all-tagged | all-untagged | none>
end
- all-tagged: Tagged frames are discarded, and untagged frames can enter the switch.
- all-untagged: Untagged frames are discarded, and tagged frames can enter the switch.
- none: By default, all frames can enter the switch, and no frames are discarded.
All packets that arrive at an egress port are tagged packets.
If the packet tag value is on the Allowed VLAN list, the packet is sent out with the existing tag.
If the packet tag value is the native VLAN or on the Untagged VLAN list, the tag is stripped, and then the packet is sent out.
Otherwise, the packet is dropped.
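The ingress, discard-mode, and egress rules above can be modeled to check which ports a frame reaches and whether it leaves tagged, which is useful when auditing a trunk configuration for unintended VLAN exposure. This is an added example, not vendor code; the `Port` fields, function names, and sample ports are constructed, and it assumes that a VLAN on both the Allowed and Untagged lists is sent untagged, which the text does not specify.

```python
from dataclasses import dataclass
from typing import Dict, Optional

@dataclass
class Port:
    name: str
    native: int
    allowed: frozenset = frozenset()     # Allowed VLAN list
    untagged: frozenset = frozenset()    # Untagged VLAN list
    discard_mode: str = "none"           # all-tagged | all-untagged | none

def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """Return the VLAN the frame carries inside the switch, or None if dropped.
    tag=None means the frame arrived untagged."""
    if tag is None:
        if port.discard_mode == "all-untagged":
            return None
        return port.native               # Allowed VLAN list is ignored
    if port.discard_mode == "all-tagged":
        return None
    if tag == port.native or tag in port.allowed:
        return tag                       # frame keeps its tag
    return None

def egress(port: Port, vid: int) -> Optional[str]:
    """Return 'untagged', 'tagged', or None (dropped) for a frame leaving port."""
    # Assumption: the strip rule wins when a VLAN is on both lists.
    if vid == port.native or vid in port.untagged:
        return "untagged"
    if vid in port.allowed:
        return "tagged"
    return None

def forward(ports: Dict[str, Port], in_name: str, tag: Optional[int]) -> Dict[str, str]:
    """Map each egress port that would send the frame to how it is sent."""
    src = ports[in_name]
    vid = ingress(src, tag)
    if vid is None:
        return {}
    return {p.name: r for p in ports.values()
            if p is not src and (r := egress(p, vid))}

# Constructed sample configuration (not from any real switch).
PORTS = {p.name: p for p in [
    Port("port1", native=10, allowed=frozenset({20, 30})),
    Port("port2", native=20, allowed=frozenset({10})),
    Port("port3", native=99, allowed=frozenset({10, 30}),
         untagged=frozenset({30}), discard_mode="all-untagged"),
    Port("port4", native=1),
]}
```

Calling `forward(PORTS, "port1", None)` shows where an untagged frame entering port1 ends up; any port in the result that should not see that VLAN points to an Allowed VLAN list that is too broad.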