Supporting BCVRE Study Guide Chapter 6 Firewalls
Supporting BCVRE Study Guide Chapter 6 Firewalls

Supporting BCVRE Study Guide Chapter 6 Firewalls

Posted on

Objectives: As a Brocade Certified vRouter Engineer, you must be able to demonstrate the ability to install, configure and troubleshoot features of Brocade Vyatta Network OS.

Target: This course is for anyone tasked with configuring or managing the Brocade Vyatta vRouter. This course also for those who are preparing to take the BCVRE Certification Exam.

Course prerequisites: Before taking these bundled courses, students should have basic IT networking experience, including working knowledge of TCP/IP.

BCvRE Bootcamp


  • Stateful firewalls
  • The Firewall Rulebase
  • State-Based Rules
  • Applying Rulebases

Stateful firewalls

A firewall is a device that blocks unwanted traffic from entering your network.

Stateful firewalls unlike a traditional router access list.

  • Firewall tracks information about sessions between devices, and not just individual packets.

The first packet in a session passes through the firewall rules. If the rules permit the traffic, the firewall not only passes the traffic, but adds information about the session to its session table, called the conntrack table in the vRouter.

  • All other packets in the session match the entry in the session table and are permitted without having to look at the firewall rules again.

Stateful firewalls can also automatically allow the reverse- direction flow of a session without needing any additional rules.

vRouter packet processing

In the vRouter, the firewall filtering function occurs after destination NAT and the routing lookup, but before source NAT. When configuring firewall filter rules, you need to consider whether the traffic you want to filter is being translated in order to configure the correct addresses in your rules.

vRouter packet processing
vRouter packet processing

The Firewall Rulebase

firewall rulebase is simply a list of individual firewall rules. Each rule includes.

  • Match criteria: the traffic you want to filter
    • Source and destination addresses
    • Source and destination port
    • Protocol
  • Action: the action to take on a packet that matches the filter
    • Accept
    • Reject
    • Drop

In the vRouter, each rulebase has a unique name. You can create as many different rulebases as you need to support your security requirements, and can apply the same rulebase to multiple locations.

Each rulebase is an ordered list, with each rule having a unique number within the list.

When the vRouter compares a packet with the rulebase, it starts with the first rule in the list, and continues until a match is found.

  • Once a match is found, the device performs the action for that rule and does not look any further.
    • This means that the order of your list is important.
    • You should specify the most specific rules first in the list, then add your more general rules later in the list.

You also need to remember that the default action for a list is to drop traffic, so if a packet arrives at a firewalled interface and does not match a rule, the packet will not go through the router.

Sample Topology

Scenario, add Firewall in R2:

  • Block PING from R1 to R3
  • Allow TELNET from R1 to R3
  • Block SSH from R1 to R3
Sample Topology
Sample Topology

R1 Basic Configuration

R2 Basic Configuration

R3 Basic Configuration

Verify R1

Verify R2

Verify R3

R2 Firewall Configuration

Verify R2 Firewall

Verify R2 Firewall

State-Based Rules

vRouter firewall operations are stateful, and you mayneed to add rules regarding statefulness to your rulebases, depending on the flow of traffic in your network and where you place your firewalls.

State-Based Rules
State-Based Rules

Applying Rulebases

On a vRouter, you have two options for applying firewalls:

  • Individual interfaces. Each interface can have one rulebase in each direction – one for inbound traffic, and one for outbound traffic.
  • Zones. A zone is a group of interfaces. You create the zone and specify which interfaces are included in the zone, then apply the rulebase to the zone.

R2 State Rulebases Configuration

R2 Verify State Rulebases

The End of The Word

That’s information “Supporting BCVRE Study Guide Chapter 6 Firewalls” who can admin convey. Hope it is useful.

If you liked this article, don’t forget to click on the bell on the bottom right to get our updated information. And follow along too fans page facebook , chanel youtube and we instagram. Apart from that, we also have a collection of source code at GitHub. Thank you

Gravatar Image adalah tempat belajar blogger pemula dan profesional. Kamu bisa menemukan kami di sosial media berikut Facebook | Youtube | Instagram. Ingin bekerja sama dengan kami, silahkan hubungi kami.

Leave a Reply

Your email address will not be published. Required fields are marked *