When processing inbound Ethernet frames, which firewall filter is evaluated first by an EX Series switch?

When processing inbound Ethernet frames, which firewall filter is evaluated first by an EX Series switch?

When processing inbound Ethernet frames, which firewall filter is evaluated first by an EX Series switch?

A.
port filter

B.
VLAN filter

C.
trunk filter

D.
route filter

Explanation:
Understanding Planning of Firewall Filters

Before you create a firewall filter and apply it to an interface, determine what you want the firewall filter to accomplish and how to use its match conditions and actions to achieve your goals. It is important that you understand how packets are matched to match conditions, the default and configured actions of the firewall filter, and proper placement of the firewall filter.

You can configure and apply no more than one firewall filter per port, VLAN, or router interface, per direction. The number of firewall filter terms allowed per filter cannot exceed 2048. In addition, you should try to be conservative in the number of terms (rules) that you include in each firewall filter because a large number of terms requires longer processing time during a commit and also can make firewall filter testing and troubleshooting more difficult. Similarly, applying firewall filters across many switch and router interfaces can make testing and troubleshooting the rules of those filters difficult.

Before you configure and apply firewall filters, answer the following questions for each of those firewall filters:

1. What is the purpose of the firewall filter?
For example, you can use a firewall filter to limit traffic to source and destination MAC addresses, specific protocols, or certain data rates or to prevent denial of service (DoS) attacks.

2. What are the appropriate match conditions?

a. Determine the packet header fields that the packet must contain for a match. Possible fields include:
* Layer 2 header fieldsSource and destination MAC addresses, dot1q tag, Ethernet type, VLAN
* Layer 3 header fieldsSource and destination IP addresses, protocols, and IP options (IP precedence, IP fragmentation flags, TTL type)
* TCP header fieldsSource and destination ports and flags
* ICMP header fieldsPacket type and code

b. Determine the port, VLAN, or router interface on which the packet was received

3. What are the appropriate actions to take if a match occurs?
Possible actions to take if a match occurs are accept, discard, and forward to a routing instance.

4. What additional action modifiers might be required?
Determine if additional actions are required if a packet matches a match condition; for example, you can specify an action modifier to count, analyze, or police packets.

5. On what interface should the firewall filter be applied?

Start with the following basic guidelines:
* If all the packets entering a port need to be exposed to filtering, then use port firewall filters.
* If all the packets that are bridged need filtering, then use VLAN firewall filters.
* If all the packets that are routed need filtering, then use router firewall filters.

Before you choose the interface at which to apply a firewall filter, understand how that placement can impact traffic flow to other interfaces. In general, apply a firewall filter that filters on source and destination IP addresses, IP protocols, or protocol informationsuch as ICMP message types, and TCP and UDP port numbersnearest to the source devices. However, typically apply a firewall filter that filters only on a source IP address nearest to the destination devices. When applied too close to the source device, a firewall filter that filters only on a source IP address could potentially prevent that source device from accessing other services that are available on the network.

* Note: Egress firewall filters do not affect the flow of locally generated control packets from the Routing Engine.

6. In which direction should the firewall filter be applied?
You can apply firewall filters to ports on the switch to filter packets that are entering a port. You can apply firewall filters to VLANs, and Layer 3 (routed) interfaces to filter packets that are entering or exiting a VLAN or routed interface. Typically, you configure different sets of actions for traffic entering an interface than you configure for traffic exiting an interface.



Leave a Reply 0

Your email address will not be published. Required fields are marked *