A secure communication network may be implemented by authenticating, authorizing and enforcing access control on end hosts. In implementing a secure communication network, end hosts may each be associated with a security group tag (SGT). Access control may be enforced using role-based access control lists (RBACLs) that are based on the source host's and the destination host's SGTs. The access control is usually applied at the egress (exit point) of the network through egress filtering. Access control applied at the egress may not be efficient because data packets that may eventually be dropped by access control at the egress will first flow through the entire network. This unnecessary data packet flow through the network could take up valuable bandwidth that could be utilized for other data traffic.
One approach to solving the problem of unnecessary traffic flow through the network caused by filtering at the egress is to enforce RBACLs and filter at the ingress (entry point) of the network. However, storing SGTs and RBACLs for all possible destination hosts on all first-hop ingress switches is difficult to administer and maintain. It would therefore be advantageous to have an efficient solution for ingress filtering that is easy to administer and maintain in a communications network.
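
The trade-off described in the two paragraphs above, as an added example that is not part of the original text: a small model that compares egress and ingress RBACL enforcement by the link traversals spent on packets that end up dropped and by the destination SGT bindings each enforcing switch must hold. The topology, host names, SGT values, policy entries and flow counts are constructed, and the model assumes a default-deny RBACL and a linear path between switches.

```python
# Added illustration: constructed topology, hosts, SGT values, policy and flows.
# Edge switches sit on a linear path sw1 - sw2 - sw3 - sw4 (assumption).
ORDER = ["sw1", "sw2", "sw3", "sw4"]

# host -> (first-hop switch, SGT); all values constructed for the example
HOSTS = {
    "h1": ("sw1", 10),
    "h2": ("sw1", 20),
    "h3": ("sw3", 30),
    "h4": ("sw4", 40),
}

# RBACL keyed on (source SGT, destination SGT); anything not listed is denied
RBACL = {(10, 30): "permit", (10, 40): "permit", (20, 40): "permit"}

# (source host, destination host, packet count), constructed
FLOWS = [("h2", "h3", 100), ("h1", "h3", 50), ("h3", "h1", 10),
         ("h2", "h4", 5), ("h4", "h2", 40)]

def simulate(flows, mode):
    """Count delivered/dropped packets and link traversals spent on dropped ones."""
    delivered = dropped = wasted = 0
    for src, dst, pkts in flows:
        (s_sw, s_sgt), (d_sw, d_sgt) = HOSTS[src], HOSTS[dst]
        if RBACL.get((s_sgt, d_sgt), "deny") == "permit":
            delivered += pkts
            continue
        dropped += pkts
        if mode == "egress":
            # Denied packet crosses every link before the last switch drops it.
            wasted += pkts * abs(ORDER.index(s_sw) - ORDER.index(d_sw))
        # mode == "ingress": dropped at the first hop, so no link is used.
    return {"delivered": delivered, "dropped": dropped,
            "wasted_link_traversals": wasted}

def dst_bindings(mode):
    """Destination host-to-SGT bindings each enforcing edge switch must hold."""
    edge = sorted({sw for sw, _ in HOSTS.values()})
    if mode == "egress":
        # Only locally attached hosts can be destinations at this switch.
        return {sw: sum(1 for s, _ in HOSTS.values() if s == sw) for sw in edge}
    # Ingress enforcement: any host in the network may be the destination.
    return {sw: len(HOSTS) for sw in edge}

if __name__ == "__main__":
    for mode in ("egress", "ingress"):
        print(mode, simulate(FLOWS, mode), dst_bindings(mode))
```

Both modes drop the same packets; the difference is where the cost lands: wasted link traversals under egress enforcement, and a per-switch binding table that grows with the total number of hosts under ingress enforcement.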