[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Understanding Ingress and Egress in General (Part 1)

Published on
57,679 Points
7 Endorsements
Last Modified:
There are numerous misunderstandings of the Ingress and Egress concepts when related to different OSI layers, so here is a brief overview:

There is no big philosophy when one keeps in mind that Ingress/Egress-terms were originally explaining OSI L2 features. So they are always switch port related. First we had "dumb" L2 switches with only physical ports. Then a frame - mind NOT a packet - from a PC1 to the switch port 1 is ingress and the same frame from 24 to PC2 is egress. To summarize as a definition on L2 ports: ingress is incoming from an adjacent node, egress outgoing to an adjacent node.

This concept was later needed to explain OSI L2 enhancements like VLAN and QoS where different tags were applied to the frame header and a decision had to be made from the switch, where exactly to add or strip them down.  So for example for a “client” switch port (called under Cisco "switchport mode access") belonging to a certain VLAN this header information had to be erased before egressing, whereas for a VLAN trunk port (i.e., switchport mode trunk) this header information had to be preserved by the egressing process.

Later on the terms were applied on L3-enhanced switches which brought some troubles since there we have L3 packets (this means with additional IP header) that are being routed and not switched. There physical ports and VLAN-ports mingled the straight understanding but the logic behind stayed the same – a bridged frame that has to cross-over VLANs is ingressing the source VLAN port and egressing the destination VLAN port. See further details on “Understanding Ingress and Egress on L3 Switches (Part 2)".

And at the very latest many people started using the words for edge routers / gateways, using egress term for all outgoing connection (from the perspective of the "insider", usually a LAN with private IP address scope, but not obligatory) and ingress for the incoming packets (i.e., from MAN or WAN). In other words on the level of the corporate gateway or firewall the egress term is applied to the information from Intranet to Internet and ingress term signifies the information from Internet to the Intranet (the latter also known as corporate LAN). In such usage, the L2 and L3 aspect of ports on the firewall (usually called under Cisco PIX-devices "outside" and "inside") is generally being neglected.

Summary: we discussed the Ingress and Egress concepts in their historical development as well as in their implication within different network levels. Under the listed circumstances it is thus advisable to interprete these terms in their context.

Expert Comment

Great information, thanks!

Expert Comment


Featured Post

OWASP Proactive Controls

Learn the most important control and control categories that every architect and developer should include in their projects.

Join & Write a Comment

Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month