A simple analysis of secure/check/fallback/disable in 802.1Q

Original text from the chip manual
Security & Port Mapping
The 802.1Q Security features of the device support the discarding of ingressing frames that don’t meet the security requirements, and ensuring that those frames that do meet the requirements are sent to the allowed ports only. Three levels of security are supported and they can be set differently on each port. The security options are processed using the VID assigned to the frame (Section 2.2.2.7) as follows:
Secure – The VID must be contained in the VTU and the Ingress port must be a member of the VLAN else the frame is discarded. The frame is allowed to exit only those ports that are both:
• Members of the frame’s VLAN and
• Included in the source port’s port-based VLAN (both In-Chip and cross-chip, see Section 2.2.1)
Check – The VID must be contained in the VTU or the frame is discarded (the frame will not be discarded if the Ingress port is not a member of the VLAN). The frame is allowed to exit only those ports that are both:
• Members of the frame’s VLAN and
• Included in the source port’s port-based VLAN (both In-Chip and cross-chip, see Section 2.2.1)
Fallback – Frames are not discarded if their VID is not contained in the VTU.
• If the frame’s VID is contained in the VTU, the frame is allowed to exit only those ports that are both:
• Members of the frame’s VLAN and
• Included in the source port’s port-based VLAN (both In-Chip and cross-chip, see Section 2.2.1)
• If the frame’s VID is not contained in the VTU, the frame is allowed to exit only those ports that are:
• Included in the source port’s port-based VLAN (both In-Chip and cross-chip, see Section 2.2.1)
802.1Q Disabled – Frames are not discarded if their VID is not contained in the VTU. The frame is allowed to exit only those ports that are:
• Included in the source port’s VLAN (both In-Chip and cross-chip, see Section 2.2.1)
Secure, Check, Fallback, or 802.1Q Disabled modes for the port are controlled by the port’s 802.1QMode bits (Port offset 0x08).

Translation and analysis follow.
The device's 802.1Q security features support discarding ingress frames that do not meet the security requirements, and ensure that frames that do meet them are sent only to the permitted ports. Three security levels are supported and can be set differently on each port. The security options are processed using the VID assigned to the frame, as follows:
Secure mode – The VID must be present in the VTU (VID translate unit) and the ingress port must be a member of that VLAN, otherwise the frame is discarded. The frame is allowed to exit only ports that satisfy both of the following:
1. Members of the frame's VLAN
2. Included in the source port's port-based VLAN (both single-chip and cascaded switches)
Analysis: tagged ingress traffic is checked against the VLAN table, and all untagged traffic is discarded. Both the ingress and egress ports must be found in the VLAN table for the relevant VLAN ID, otherwise the traffic is discarded. Secure mode is the strictest about forwarding data: the VID must be in the VTU and the ingress port's VLAN must match that VID. Ordinary ports generally use this mode.
This can also be seen in the comments of the sample program:
//Enable 802.1Q for each port as GT_SECURE mode except CPU port.

Check mode – The VID must be present in the VTU, otherwise the frame is discarded (the frame is not discarded if the ingress port is not a member of the VLAN). The frame is allowed to exit only ports that satisfy both of the following:
1. Members of the frame's VLAN
2. Included in the source port's port-based VLAN
Analysis: tagged ingress traffic is checked against the VLAN table, and all untagged traffic is discarded. If the ingress traffic is tagged and no egress port for the corresponding VLAN ID can be found in the VLAN table, the traffic is discarded. In check mode, as long as the VID is in the VTU, the frame's VID may differ from the VLANs the ingress port belongs to, so the isolation property of VLANs is lost. This mode is generally not used.

Fallback mode – Frames are not discarded if their VID is not present in the VTU.
If the frame's VID is present in the VTU, the frame is allowed to exit only ports that satisfy both of the following:
1. Members of the frame's VLAN
2. Included in the source port's port-based VLAN
If the frame's VID is not present in the VTU, the frame is allowed to exit only the following ports:
1. Included in the source port's port-based VLAN
Analysis: used on the CPU port, while the two modes above are generally used on ordinary ports. Tagged ingress traffic is checked against the VLAN table, and all untagged traffic is forwarded. If the ingress traffic is tagged and no egress port for the corresponding VLAN ID can be found in the VLAN table, the traffic is discarded. If the VLAN ID is not found in the VLAN table, the traffic is forwarded. This is used to allow only known VLANs on specific ports. It can also be seen in the comments of the sample program:
//Enable 802.1Q for CPU port as GT_FALLBACK mode

802.1Q disabled – Frames are not discarded if their VID is not present in the VTU. The frame is allowed to exit only the following ports:
Included in the source port's VLAN
Analysis: ingress traffic checking against the VLAN table is completely disabled. When set on an ingress port, no traffic is discarded. This mode is generally used for port-based VLANs.
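To make the four rules concrete, here is an added Python model of the per-port decision (my own illustration for this post, not code from the chip vendor's SDK). The VTU and port-based VLAN tables are constructed sample data, port 5 stands in for the CPU port, and the helper names are mine.

```python
from enum import Enum


class Mode(Enum):
    SECURE = "secure"
    CHECK = "check"
    FALLBACK = "fallback"
    DISABLED = "802.1Q disabled"


# Constructed sample VTU: VID -> member ports (port 5 plays the CPU port).
VTU = {10: {1, 2, 5}, 20: {3, 5}}

# Constructed sample port-based VLAN table: ingress port -> ports it may reach.
PORT_VLAN = {p: {q for q in range(1, 6) if q != p} for p in range(1, 6)}


def egress_ports(mode, ingress_port, vid, vtu=VTU, port_vlan=PORT_VLAN):
    """Return the set of ports a frame may exit, or None if it is discarded.

    Implements the four 802.1QMode rules quoted from the manual above.
    """
    reachable = port_vlan.get(ingress_port, set())
    members = vtu.get(vid)  # None when the VID is not in the VTU

    if mode is Mode.DISABLED:
        # No VTU lookup at all: only the port-based VLAN applies.
        return reachable
    if members is None:
        # Secure and Check discard unknown VIDs; Fallback forwards them
        # using the port-based VLAN only.
        return None if mode in (Mode.SECURE, Mode.CHECK) else reachable
    if mode is Mode.SECURE and ingress_port not in members:
        # Only Secure additionally requires the ingress port to be a member.
        return None
    return members & reachable


def isolation_leak(ingress_port, vid, vtu=VTU, port_vlan=PORT_VLAN):
    """Ports that Check mode lets a non-member ingress port reach but Secure does not.

    A non-empty result is exactly the loss of VLAN isolation discussed above.
    """
    check = egress_ports(Mode.CHECK, ingress_port, vid, vtu, port_vlan) or set()
    secure = egress_ports(Mode.SECURE, ingress_port, vid, vtu, port_vlan) or set()
    return check - secure
```

Port 4 is not a member of VID 10, so in Secure mode its VID-10 frames are dropped, while in Check mode they reach every VID-10 member.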

I have only recently started working with switches; corrections from more experienced readers are welcome.
