Understanding Egress Firewall Filters with PVLANs
If you apply firewall filters to private VLANs in the output direction, the behavior of the filters might be unexpected. This topic explains how egress filters behave when applied to private VLANs.
If you apply a firewall filter in the output direction to a primary VLAN, the filter also applies to the secondary VLANs that are members of the primary VLAN when the traffic egresses with the primary VLAN tag or isolated VLAN tag, as listed below:
Traffic forwarded from a secondary VLAN trunk port to a promiscuous port (trunk or access)
Traffic forwarded from a secondary VLAN trunk port to a PVLAN trunk port.
Traffic forwarded from a promiscuous port (trunk or access) to a secondary VLAN trunk port
Traffic forwarded from a PVLAN trunk port. to a secondary VLAN trunk port
Traffic forwarded from a community port to a promiscuous port (trunk or access)
If you apply a firewall filter in the output direction to a primary VLAN, the filter does not apply to traffic that egresses with a community VLAN tag, as listed below:
Traffic forwarded from a community trunk port to a PVLAN trunk port
Traffic forwarded from a promiscuous port (trunk or access) to a community trunk port
Traffic forwarded from a PVLAN trunk port. to a community trunk port
If you apply a firewall filter in the output direction to a community VLAN, the following behaviors apply:
The filter is applied to traffic forwarded from a promiscuous port (trunk or access) to a community trunk port (because the traffic egresses with the community VLAN tag).
The filter is applied to traffic forwarded from a community port to a PVLAN trunk port (because the traffic egresses with the community VLAN tag).
The filter is not applied to traffic forwarded from a community port to a promiscuous port (because the traffic egresses with the primary VLAN tag or untagged).