Join the discussion
Question 1/23
You are asked to create a new firewall filter to evaluate Layer 3 traffic that is being sent between VLANs. In this scenario, which two statements are correct? (Choose two.)
Correct Answer: C,D
Explanation
A firewall filter is a configuration that defines the rules that determine whether to forward or discard packets at specific processing points in the packet flow. A firewall filter can also modify the attributes of the packets, such as priority, marking, or logging. A firewall filter can be applied to various interfaces, protocols, or routing instances on a Juniper device1.
A firewall filter has a family attribute, which specifies the type of traffic that the filter can evaluate. The family attribute can be one of the following: inet, inet6, mpls, vpls, iso, or ethernet-switching2. The family inet firewall filter is used to evaluate IPv4 traffic, which is the most common type of Layer 3 traffic on a network.
To create a family inet firewall filter, you need to specify the appropriate match criteria and actions for each term in the filter. The match criteria can include various fields in the IPv4 header, such as source address, destination address, protocol, port number, or DSCP value. The actions can include accept, discard, reject, count, log, policer, or next term3.
To apply a firewall filter to Layer 3 traffic that is being sent between VLANs, you need to apply the filter to the appropriate IRB interface. An IRB interface is an integrated routing and bridging interface that provides Layer 3 functionality for a VLAN on a Juniper device. An IRB interface has an IP address that acts as the default gateway for the hosts in the VLAN. An IRB interface can also participate in routing protocols and forward packets to other VLANs or networks4.
Therefore, option C is correct, because you should create a family inet firewall filter with the appropriate match criteria and actions. Option D is correct, because you should apply the firewall filter to the appropriate IRB interface.
Option A is incorrect, because you should not create a family ethernet-switching firewall filter with the appropriate match criteria and actions. A family ethernet-switching firewall filter is used to evaluate Layer 2 traffic on a Juniper device. A family ethernet-switching firewall filter can only match on MAC addresses or VLAN IDs, not on IP addresses or protocols5.
Option B is incorrect, because you should not apply the firewall filter to the appropriate VLAN. A VLAN is a logical grouping of hosts that share the same broadcast domain on a Layer 2 network. A VLAN does not have an IP address or routing capability. A firewall filter cannot be applied directly to a VLAN; it must be applied to an interface that belongs to or connects to the VLAN6.
References:
1: Firewall Filters Overview 2: Configuring Firewall Filters 3: Configuring Firewall Filter Match Conditions and Actions 4: Understanding Integrated Routing and Bridging Interfaces 5: Configuring Ethernet-Switching Firewall Filters 6: Understanding VLANs
A firewall filter is a configuration that defines the rules that determine whether to forward or discard packets at specific processing points in the packet flow. A firewall filter can also modify the attributes of the packets, such as priority, marking, or logging. A firewall filter can be applied to various interfaces, protocols, or routing instances on a Juniper device1.
A firewall filter has a family attribute, which specifies the type of traffic that the filter can evaluate. The family attribute can be one of the following: inet, inet6, mpls, vpls, iso, or ethernet-switching2. The family inet firewall filter is used to evaluate IPv4 traffic, which is the most common type of Layer 3 traffic on a network.
To create a family inet firewall filter, you need to specify the appropriate match criteria and actions for each term in the filter. The match criteria can include various fields in the IPv4 header, such as source address, destination address, protocol, port number, or DSCP value. The actions can include accept, discard, reject, count, log, policer, or next term3.
To apply a firewall filter to Layer 3 traffic that is being sent between VLANs, you need to apply the filter to the appropriate IRB interface. An IRB interface is an integrated routing and bridging interface that provides Layer 3 functionality for a VLAN on a Juniper device. An IRB interface has an IP address that acts as the default gateway for the hosts in the VLAN. An IRB interface can also participate in routing protocols and forward packets to other VLANs or networks4.
Therefore, option C is correct, because you should create a family inet firewall filter with the appropriate match criteria and actions. Option D is correct, because you should apply the firewall filter to the appropriate IRB interface.
Option A is incorrect, because you should not create a family ethernet-switching firewall filter with the appropriate match criteria and actions. A family ethernet-switching firewall filter is used to evaluate Layer 2 traffic on a Juniper device. A family ethernet-switching firewall filter can only match on MAC addresses or VLAN IDs, not on IP addresses or protocols5.
Option B is incorrect, because you should not apply the firewall filter to the appropriate VLAN. A VLAN is a logical grouping of hosts that share the same broadcast domain on a Layer 2 network. A VLAN does not have an IP address or routing capability. A firewall filter cannot be applied directly to a VLAN; it must be applied to an interface that belongs to or connects to the VLAN6.
References:
1: Firewall Filters Overview 2: Configuring Firewall Filters 3: Configuring Firewall Filter Match Conditions and Actions 4: Understanding Integrated Routing and Bridging Interfaces 5: Configuring Ethernet-Switching Firewall Filters 6: Understanding VLANs
Add Comments
- Other Question (23q)
- Q1. You are asked to create a new firewall filter to evaluate Layer 3 traffic that is being se...
- Q2. Exhibit (Exhibit) Referring to the exhibit, which statement is correct?...
- Q3. Exhibit. (Exhibit) What is the management IP address of the device shown in the exhibit?...
- Q4. Which two types of tunnels are able to be created on all Junos devices? (Choose two.)...
- Q5. You are a network operator who wants to add a second ISP connection and remove the default...
- Q6. You deployed a new EX Series switch with DHCP snooping enabled and you do not see any entr...
- Q7. Exhibit (Exhibit) Your ISP is announcing a default route to both R1 and R2. You want your ...
- Q8. Which statement is correct about the storm control feature?...
- Q9. You are configuring an IS-IS IGP network and do not see the IS-IS adjacencies established....
- Q10. Exhibit (Exhibit) Referring to the exhibit, which two configuration changes must you apply...
- Q11. Exhibit (Exhibit) You are troubleshooting an issue where traffic to 192.168.10.0/24 is bei...
- Q12. Exhibit. (Exhibit) Which router will become the OSPF BDR if all routers are powered on at ...
- Q13. Exhibit. (Exhibit) You are using OSPF to advertise the subnets that are used by the Denver...
- Q14. Exhibit (Exhibit) You are receiving the BGP route shown in the exhibit from four different...
- Q15. Exhibit (Exhibit) What does the * indicate in the output shown in the exhibit?...
- Q16. Exhibit (Exhibit) You are a network operator troubleshooting BGP connectivity. Which two s...
- Q17. What is the default MAC age-out timer on an EX Series switch?...
- Q18. You want to ensure traffic is routed through a GRE tunnel. In this scenario, which two sta...
- Q19. What are two characteristics of RSTP alternate ports? (Choose two.)...
- Q20. You are asked to connect an IP phone and a user computer using the same interface on an EX...
- Q21. You are troubleshooting a BGP routing issue between your network and a customer router and...
- Q22. Exhibit. (Exhibit) You want to enable redundancy for the EBGP peering between the two rout...
- Q23. An update to your organization's network security requirements document requires managemen...
