Understanding Firewall Filter Processing Points for Bridged and Routed Packets

You apply firewall filters at multiple processing points in the forwarding path. At each processing point, the action taken on a packet is determined by the configuration of the filter attached there and by the result of the lookup in the forwarding table or routing table.

For both bridged (Layer 2) unicast packets and routed (Layer 3) unicast packets, firewall filters are applied in the order shown below, assuming that a filter is present at each processing point and that the packet is accepted by each one. A packet discarded at any point is not evaluated by the filters at the later points.

Bridged packets:

  1. Ingress port filter

  2. Ingress VLAN filter

  3. Egress VLAN filter

  4. Egress port filter

Routed packets:

  1. Ingress port firewall filter

  2. Ingress VLAN firewall filter (Layer 2 CoS)

  3. Ingress router firewall filter (Layer 3 CoS)

  4. Egress router firewall filter

  5. Egress VLAN firewall filter

  6. Egress port filter

Note:

MAC learning occurs before filters are applied, so switches learn the MAC addresses of packets that are dropped by ingress filters.
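The following is an added model of the processing order described on this page; it is illustrative Python, not Junos configuration or switch code. It walks a packet through the bridged or routed sequence of processing points, stops at the first discard so that later points never see the packet, consults the router filters only for routed packets, and performs source MAC learning before the first filter runs, as the note states. The filter policies, MAC addresses, IP prefixes and port names are constructed for the example.

```python
"""Added model of the firewall filter processing points (not Junos code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Processing points in the order the page lists them for each packet type.
BRIDGED_ORDER = ["ingress-port", "ingress-vlan", "egress-vlan", "egress-port"]
ROUTED_ORDER = [
    "ingress-port", "ingress-vlan", "ingress-router",
    "egress-router", "egress-vlan", "egress-port",
]

# A filter is a callable that returns "accept" or "discard" for a packet.
Filter = Callable[[dict], str]


@dataclass
class Switch:
    # processing point -> attached filter (a point with no entry has no filter)
    filters: Dict[str, Filter] = field(default_factory=dict)
    # (vlan, source MAC) -> ingress port, learned from traffic
    mac_table: Dict[Tuple[int, str], str] = field(default_factory=dict)

    def forward(self, pkt: dict) -> Tuple[str, List[str]]:
        """Return the final verdict and a trace of every filter that ran."""
        # MAC learning precedes filtering, so the source MAC is learned even
        # when this same packet is discarded by an ingress filter.
        self.mac_table[(pkt["vlan"], pkt["src_mac"])] = pkt["in_port"]

        order = ROUTED_ORDER if pkt["routed"] else BRIDGED_ORDER
        trace: List[str] = []
        for point in order:
            flt = self.filters.get(point)
            if flt is None:
                continue  # no filter attached here: the packet passes through
            verdict = flt(pkt)
            trace.append(f"{point}:{verdict}")
            if verdict == "discard":
                return "discard", trace  # later points never see the packet
        return "accept", trace


def make_packet(src_mac, vlan, in_port, routed, src_ip="198.51.100.10"):
    """Constructed packet record (not a real frame)."""
    return {"src_mac": src_mac, "vlan": vlan, "in_port": in_port,
            "routed": routed, "src_ip": src_ip}


# Constructed sample policy (hypothetical, not from the page).
BLOCKED_MAC = "00:00:5e:00:53:99"                   # documentation MAC range
BLOCKED_NET = ipaddress.ip_network("192.0.2.0/24")  # documentation prefix


def ingress_port_filter(pkt):
    return "discard" if pkt["src_mac"] == BLOCKED_MAC else "accept"


def ingress_router_filter(pkt):
    return "discard" if ipaddress.ip_address(pkt["src_ip"]) in BLOCKED_NET else "accept"


def accept_all(pkt):
    return "accept"


def build_switch() -> Switch:
    """Attach filters at four of the six points; the rest stay empty."""
    sw = Switch()
    sw.filters["ingress-port"] = ingress_port_filter
    sw.filters["ingress-vlan"] = accept_all
    sw.filters["ingress-router"] = ingress_router_filter
    sw.filters["egress-port"] = accept_all
    return sw


def run_scenarios():
    sw = build_switch()
    results = {}
    # Bridged frame from the blocked MAC: discarded at the first point,
    # yet its source MAC is still learned (see the note above).
    results["bridged-blocked"] = sw.forward(
        make_packet(BLOCKED_MAC, 10, "ge-0/0/1", False))
    # Routed packet from a blocked source prefix: passes the Layer 2 points,
    # discarded by the ingress router filter; egress points never run.
    results["routed-blocked-ip"] = sw.forward(
        make_packet("00:00:5e:00:53:01", 10, "ge-0/0/2", True, "192.0.2.7"))
    # Bridged frame with the same blocked source IP: the router filter is a
    # Layer 3 processing point, so it is never consulted and the frame passes.
    results["bridged-ip-not-checked"] = sw.forward(
        make_packet("00:00:5e:00:53:03", 30, "ge-0/0/4", False, "192.0.2.9"))
    # Routed packet every filter accepts: all attached points appear in order.
    results["routed-ok"] = sw.forward(
        make_packet("00:00:5e:00:53:02", 20, "ge-0/0/3", True))
    return sw, results


if __name__ == "__main__":
    switch, outcome = run_scenarios()
    for name, (verdict, trace) in outcome.items():
        print(f"{name:24s} {verdict:8s} {' -> '.join(trace)}")
    print("learned MACs:", switch.mac_table)
```

The trace for each scenario lists only the points whose filters actually evaluated the packet, which is the practical consequence of the ordering: a drop at the ingress port filter means an egress VLAN or egress port filter never counts or logs that packet, so ingress counters are where discards of that kind must be looked for. The MAC table after the first scenario shows why the note matters for monitoring: an address can appear as learned even though every frame from it was discarded.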