Thanks  Dariusz Sosnowski.

BR
Narsimha

On Mon, Feb 19, 2024 at 10:20 PM Dariusz Sosnowski <dsosnowski@nvidia.com> wrote:
Hi,

I apologize for the very late response.

> From: narsimharaj pentam <pnarsimharaj@gmail.com>
> Sent: Friday, August 18, 2023 05:34
> To: users@dpdk.org
> Subject: VLAN filtering in mlx5
>
> Hi
>
> We are using a mellanox mlx5 card (firmware version: 16.35.1012) with mlx5_pci driver.  Enabled multiple ports  DPDK port 0 (internally referred as slot 1 port 0: s1p0)  and DPDK port 1(slot 0 port 0 : s0p0). Multiple vlans are created on each of these interfaces , s0p0.100,
> s0p0.101,s0p0.102  and s0p1.200,s0p1.201,s0p1.202.
Are these kernel VLAN interfaces?

> In our network we receive broadcast (ARP) and multicast(ICMPV6 for neighbour discovery) on port 0 and port 1. At the DPDK application we are observing the packets intended for interface s0p0.100 are  landing on other vlan interfaces s0p0.101,sop0.102.
> The VLAN traffic is not segregated accordingly.
>
> Do we support VLAN filtering in mlx5 ?
>
> Came across VLAN filtering "vlan_filter_set" , will this help to drop unintended VLAN traffic ? or  Do we need to create any VLAN specific rte flows in addition to the vlan filter set ? 
VLAN filtering is supported by mlx5 PMD.

It's important to note that:
- VLAN configuration in the kernel is not inherited by the mlx5 PMD.
- When DPDK application is started on mlx5 devices, application will intercept the traffic - unless flow isolation is enabled (https://doc.dpdk.org/guides/howto/flow_bifurcation.html).
- Which packets are intercepted by an application depends on:
    - Promiscuous mode.
    - All multicast mode:
        - If enabled ALL multicast packets from ALL VLANs are received.
        - If disabled, only broadcast and IPv6 multicast traffic from registered VLANs is received.
    - Registered MAC Addresses - default one and additional registered through rte_eth_dev_mac_addr_add()
    - Registered VLANs - registered through rte_eth_dev_vlan_filter()
VLAN filtering itself does not require any additional flow rules.

So, if I understand the requirement correctly, then in your case it would be required to:
- Disable promiscuous mode on both ports
- Disable all multicast mode on both ports
- On s0p0 explicitly enable VLANs 100, 101 and 102 through rte_eth_dev_vlan_filter().
- On s1p0 explicitly enable VLANs 200, 201 and 202 through rte_eth_dev_vlan_filter().

Best regards,
Dariusz Sosnowski