At its simplest, ingress filtering involves establishing an access control list of permitted source Internet Protocol (IP) addresses. Conversely, the access control list may also be used to block prohibited source addresses.
Ingress filtering takes advantage of the Layer 2 IP address filtering capability of a router at the network's edge and blocks traffic that has a high probability of being malicious. It makes this determination based on whether the contents of an IP packet header meet defined criteria. The packet filter examines several attributes, most notably in this case the source IP address. If the source address is invalid -- that is, if it doesn't match its originating network -- the filter determines the address is forged (or "spoofed") and drops the packet.
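The source-address check described above can be sketched as follows. This is an added example, not code from the original page; the interface names, prefixes (documentation ranges) and sample packets are constructed assumptions.

```python
import ipaddress
import struct

# Constructed example: prefixes assigned to each customer-facing interface.
# Interface names and prefixes are assumptions (documentation ranges).
EXPECTED_SOURCES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("203.0.113.64/26")],
}

def source_address(packet: bytes) -> ipaddress.IPv4Address:
    """Extract the source address from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4 or ihl < 5:
        raise ValueError("not a valid IPv4 header")
    return ipaddress.IPv4Address(packet[12:16])

def ingress_verdict(interface: str, packet: bytes) -> str:
    """Permit only if the source belongs to the arrival interface's network."""
    try:
        src = source_address(packet)
    except ValueError:
        return "drop"  # malformed header: no source address to validate
    allowed = EXPECTED_SOURCES.get(interface, [])  # unknown interface: deny
    return "permit" if any(src in net for net in allowed) else "drop"

def make_header(src: str, dst: str) -> bytes:
    """Build a minimal 20-byte IPv4 header (checksum left at 0) for samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

# Constructed sample traffic: (arrival interface, source, destination)
SAMPLES = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),     # source matches its network
    ("cust-a", "198.51.100.7", "203.0.113.5"),   # source from another prefix
    ("cust-b", "203.0.113.70", "192.0.2.1"),     # inside the /26
    ("cust-b", "198.51.100.200", "192.0.2.1"),   # outside the /25
]

def run_samples():
    return [ingress_verdict(i, make_header(s, d)) for i, s, d in SAMPLES]

if __name__ == "__main__":
    for (iface, src, _), verdict in zip(SAMPLES, run_samples()):
        print(f"{iface:7} src={src:15} -> {verdict}")
```

An interface with no entry in the table is treated as default deny, so a missing prefix list fails closed rather than open.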
Ingress filtering is also a feature on switches; in that context, it is used to filter traffic on virtual LANs (VLANs) to prevent malicious activity within a private network, such as VLAN hopping. In VLANs, ingress filtering discards frames that arrive on a port that is not a member of the VLAN the frame is trying to access.