What I'm seeing is that I have a machine connected to ether3 and to ether1. Both machines can be configured to use VLANs. The machine connected to ether1 has vlans 200,300 configured with 192.168.72.16/24 and 192.168.73.16/24, respectively.
The machine on ether3 started out having 192.168.73.15/24 assigned to the interface directly. I then pinged 192.168.73.16 (the ether1 machine's tagged interface) and it worked as it should: the untagged packet came in on ether3, was tagged to VLAN300, and exited the switch on ether1 with VLAN tag 300. That is as I would expect.
Then I set up VLAN300 on the ether3 machine. I put the address 192.168.73.15/24 on the VLAN300 interface and tried pinging 192.168.73.16. The packet would come in on the switch port ether3 tagged and exit on ether1 as being tagged with VLAN300. How do I block this? I want anything tagged coming in on an "access" port like this dropped. (Otherwise, if a possibly hostile machine on an "access" port can tag it's outgoing traffic, it can send traffic anywhere it wants!)
I tried removing ether3 from VLAN 300 and that didn't even cause the incoming tagged VLAN300 traffic to be dropped. I have also tried setting
Code: Select all
/interface ethernet switch set drop-if-invalid-or-src-port-not-member-of-vlan-on-ports=ether3