Firewall Filter Processing - Dell PowerConnect J-EX4200-24T Software Manual

Firewall Filter Processing

Determined by the dynamic allocation of TCAM for port, VLAN, and router firewall filters on J-EX8200 switches
NOTE: On J-EX8200 switches, the shared TCAM space is allocated on demand by assigning free space blocks to firewall filters. Firewall filters are categorized into two pools: port and VLAN filters are pooled together (the memory threshold for this pool is 22K), while router firewall filters are pooled separately (the threshold for this pool is 32K). Blocks are assigned according to the filter pool type, and free space blocks can be shared only among firewall filters belonging to the same pool type. An error message is generated when you try to configure a firewall filter beyond the TCAM threshold.
Each term consists of the following components:

Match conditions—Specifies the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces.

Action—Specifies what to do if a packet matches the match conditions. Possible actions are to accept or discard the packet or to send the packet to a specific virtual routing interface. In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.
The order of the terms within a firewall filter configuration is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. When a firewall filter contains multiple terms, the switch takes a top-down approach and compares a packet against the first term in the firewall filter. If the packet matches the first term, the switch executes the action defined by that term to either permit or deny the packet, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term in the firewall filter by using the same match process. If no match occurs between the packet and the second term, the switch continues to compare the packet to each successive term defined in the firewall filter until a match is found. If a packet does not match any terms in a firewall filter, the default action is to discard the packet.
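The evaluation rules above (top-down order, first match wins, a term without an action accepts, no match means discard, and matched packets can be counted) can be modelled in a few lines. The following Python simulator is an added example and is not code from the manual or from the switch; the filter, the subnet 10.1.1.0/24, the counter name ssh-blocked and the sample packets are constructed to show why term order matters: the same three terms give different verdicts when a broad accept term is moved ahead of a narrower discard term.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    protocol: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # TCP/UDP destination port, if any

@dataclass
class Term:
    name: str
    match: dict                   # match conditions; all must hold
    action: Optional[str] = None  # "accept", "discard" or None
    count: Optional[str] = None   # counter to increment on a match

def term_matches(term: Term, pkt: Packet) -> bool:
    m = term.match
    if "source-address" in m and ip_address(pkt.src) not in ip_network(m["source-address"]):
        return False
    if "protocol" in m and pkt.protocol != m["protocol"]:
        return False
    if "destination-port" in m and pkt.dport != m["destination-port"]:
        return False
    return True

def evaluate(terms: list, pkt: Packet, counters: Counter) -> str:
    # Top-down: the first matching term decides and no later term is evaluated.
    for term in terms:
        if term_matches(term, pkt):
            if term.count:
                counters[term.count] += 1
            return term.action or "accept"    # term without an action accepts
    return "discard"                          # no term matched: implicit discard

# Constructed sample filter: SSH from the management subnet is accepted, all other
# SSH is discarded and counted, remaining TCP is accepted by a term with no action.
ALLOW_MGMT_SSH = Term("allow-mgmt-ssh", {"source-address": "10.1.1.0/24", "protocol": "tcp", "destination-port": 22}, "accept")
DENY_SSH = Term("deny-ssh", {"protocol": "tcp", "destination-port": 22}, "discard", count="ssh-blocked")
ALLOW_TCP = Term("allow-tcp", {"protocol": "tcp"})

def run(terms: list):
    # Returns the verdict for each constructed packet and the ssh-blocked counter.
    counters = Counter()
    pkts = [Packet("10.1.1.5", "tcp", 22),    # management host, SSH
            Packet("192.0.2.7", "tcp", 22),   # outside host, SSH
            Packet("192.0.2.7", "tcp", 443),  # outside host, HTTPS
            Packet("192.0.2.7", "icmp")]      # not TCP: falls through to implicit discard
    return [evaluate(terms, p, counters) for p in pkts], counters["ssh-blocked"]
```

With the terms in the intended order, outside SSH is discarded and counted; with allow-tcp listed first it shadows deny-ssh, so outside SSH is accepted and the counter never increments.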
Related Documentation

Understanding Planning of Firewall Filters on page 2724
Understanding Firewall Filter Processing Points for Bridged and Routed Packets on J-EX Series Switches on page 2726
Understanding How Firewall Filters Are Evaluated on page 2746
Understanding Firewall Filter Match Conditions on page 2748
Understanding the Use of Policers in Firewall Filters on page 2752
Chapter 100: Firewall Filters—Overview
2723