user@router> show configuration firewall
family inet {
    filter demo {
        term example {
            from {
                source-address {
                    100.100.100.0/24;
                }
                destination-address {
                    200.200.200.0/24;
                }
            }
            then {
                reject;
            }
        }
        term testing {
            from {
                source-address {
                    10.10.10.0/28;
                }
                destination-address {
                    200.200.200.0/24;
                }
            }
            then sample;
        }
        term results {
            from {
                address {
                    200.200.200.0/24;
                }
            }
            then accept;
        }
        term final {
            then policer LAPD;
        }
    }
}
Given the configuration shown in the exhibit, what will happen to traffic from source
10.10.10.25 destined to 200.200.200.1?
A. The traffic will be rejected.
B. The traffic will be dropped.
C. The traffic will be forwarded.
D. The traffic will be policed.
Yeah, ok. This one I don’t get.
Everything I’m reading says it will be policed.
…Unless there is a typo here, should it be ???
term results {
from {
“destination”-address {
200.200.200.0/24;
}}
then accept;
}
term final {
then policer LAPD;
}}}
If that were the case, then the traffic from 10.10.10.25 would be forwarded.
Otherwise it looks like they’re dealing with the incoming traffic from 200.200.200.0/24 which they’re accepting. Which leaves the “from all other traffic” being policed by LAPD.
If anyone cares to explain (please, provide documentation links), just mail it to me. And thanks in advance.
It will be accepted because it will match this term:
term results {
from {
address {
200.200.200.0/24;
}
}
then accept;
‘address’ match condition can be either source or destination:
[edit]
lab@mx240-re0# set firewall family inet filter F term 1 from ?
Possible completions:
> address Match IP source or destination address
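
Added example, not part of the original posts: a small Python model of the exhibit's filter that walks the terms in order and reports the first term whose "from" conditions all match, treating "address" as source-or-destination as the CLI help above states. The data layout and function names are assumptions made for illustration; the model covers only term matching, not what Junos does with each action.

```python
import ipaddress

# The exhibit's "filter demo", transcribed as (term, from-conditions, then).
FILTER_DEMO = [
    ("example", {"source-address": ["100.100.100.0/24"],
                 "destination-address": ["200.200.200.0/24"]}, "reject"),
    ("testing", {"source-address": ["10.10.10.0/28"],
                 "destination-address": ["200.200.200.0/24"]}, "sample"),
    ("results", {"address": ["200.200.200.0/24"]}, "accept"),
    ("final", {}, "policer LAPD"),  # no "from": matches every packet
]


def in_any(ip, prefixes):
    """True if ip falls inside at least one of the listed prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def term_matches(conditions, src, dst):
    """All conditions in one "from" must hold (logical AND)."""
    for key, prefixes in conditions.items():
        if key == "source-address":
            ok = in_any(src, prefixes)
        elif key == "destination-address":
            ok = in_any(dst, prefixes)
        elif key == "address":  # source OR destination
            ok = in_any(src, prefixes) or in_any(dst, prefixes)
        else:
            raise ValueError(f"unsupported match condition: {key}")
        if not ok:
            return False
    return True


def first_match(terms, src, dst):
    """Return (term, then) of the first matching term, or None."""
    for name, conditions, action in terms:
        if term_matches(conditions, src, dst):
            return name, action
    return None


if __name__ == "__main__":
    # The question's packet: 10.10.10.25 lies outside 10.10.10.0/28 (.0-.15).
    print(first_match(FILTER_DEMO, "10.10.10.25", "200.200.200.1"))
```
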