Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 3335

Understanding Firewall Filter Processing Points for Bridged and Routed Packets on
EX Series Switches
Copyright © 2010, Juniper Networks, Inc.
Juniper Networks EX Series Ethernet Switches are multilayered switches that provide
Layer 2 switching and Layer 3 routing. You apply firewall filters at multiple processing
points in the packet forwarding path on EX Series switches. At each processing point,
the action to be taken on a packet is determined based on the results of the lookup in
the switch's forwarding table. A table lookup determines which exit port on the switch
to use to forward the packet.
For both bridged unicast packets and routed unicast packets, firewall filters are evaluated
and applied hierarchically. First, a packet is checked against the port firewall filter, if
present. If the packet is permitted, it is then checked against the VLAN firewall filter, if
present. If the packet is permitted, it is then checked against the router firewall filter, if
present. The packet must be permitted by the router firewall filter before it is processed.
Figure 83 on page 3231 shows the various firewall filter processing points in the packet
forwarding path in a multilayered switching platform.
Figure 83: Firewall Filter Processing Points in the Packet Forwarding Path
For a multicast packet that results in replications, an egress firewall filter is applied to
each copy of the packet based on its corresponding egress VLAN.
Chapter 106: Firewall Filters—Overview
3231