Controlling the traffic: firewalls and filtering
Segmentation creates zones — firewalls enforce the rules between them. This topic covers how MAC filtering protects switch access, how to choose the right type of firewall for each scenario, and how access control lists (ACLs) are constructed, ordered, and verified.
What this topic covers
- 3.5.A — How MAC filtering increases security and prevents MAC flooding
- 3.5.B — Firewall types — stateless, stateful, NGFW, perimeter, internal, and host-based
- 3.5.C — Access control lists: constructing, ordering, and verifying firewall rules
Filtering at every layer
Network filtering happens at multiple layers simultaneously. MAC filtering restricts physical switch access at layer 2. Firewalls filter traffic at layer 3 and above using IP addresses, ports, and protocols. Together, these controls create multiple barriers that an attacker must bypass to reach a target — reducing overall risk even if one layer fails.
MAC filtering (3.5.A)
How MAC filtering works
MAC filtering restricts network access by allowing only approved MAC addresses to use a switch port. A switch port can be configured to permit only a specific set of MAC addresses — all other addresses are denied. This prevents unauthorized devices from physically connecting to the network through a switch.
Limiting the number and range of MAC addresses per switch port prevents unauthorized devices from gaining a foothold, even if they are physically present in the building.
MAC flooding and the CAM table
Switches use a Content Addressable Memory (CAM) table to map MAC addresses to switch ports. MAC filtering also helps prevent MAC flooding attacks:
MAC flooding attack sequence
- Attacker sends frames with thousands of spoofed source MAC addresses
- Switch CAM table fills completely (overflow)
- Switch enters a fail-open state — cannot look up destination MACs
- Switch broadcasts all traffic to all ports (behaves like a hub)
- Attacker intercepts traffic intended for other devices
MAC filtering limits the number of MACs per port, preventing the CAM table from being flooded by a single port.
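To make the CAM-table sequence above concrete, here is a small switch model (added here as an illustration; it is not from the original page and does not model any particular vendor's switch). It keeps a bounded CAM table, learns source MACs per port, and floods frames whose destination is unknown. Running it once with no per-port limit and once with a limit of two MACs per port shows why the limit matters: without it, a burst of spoofed sources from one port pushes the legitimate host out of the table and its traffic is sent out every port; with it, the port stops learning after two addresses and the rest are counted as violations. The capacity, port numbers and MAC addresses are constructed values.

```python
from collections import OrderedDict

# Constructed toy parameters: a tiny CAM table so overflow is easy to see.
CAM_CAPACITY = 8
PORTS = [1, 2, 3, 4]
VICTIM_MAC = "aa:aa:aa:aa:aa:01"   # constructed legitimate host
VICTIM_PORT = 1
FLOOD_PORT = 3                      # port where the spoofed sources arrive


class Switch:
    """Learning switch with a bounded CAM table and an optional per-port MAC limit."""

    def __init__(self, capacity=CAM_CAPACITY, max_macs_per_port=None):
        self.capacity = capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = OrderedDict()   # mac -> port, oldest entry first
        self.violations = 0        # learn attempts refused by the per-port limit

    def learn(self, src_mac, in_port):
        """Record src_mac on in_port; this is the step a flood abuses."""
        if src_mac in self.cam:
            self.cam.move_to_end(src_mac)
            return True
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.violations += 1      # port security: refuse the new MAC
                return False
        if len(self.cam) >= self.capacity:
            # Table full: evict the oldest entry. Real switches either do this
            # or stop learning until entries age out; either way a legitimate
            # host ends up missing from the table.
            self.cam.popitem(last=False)
        self.cam[src_mac] = in_port
        return True

    def egress_ports(self, dst_mac, in_port):
        """Ports a frame addressed to dst_mac is sent out of."""
        port = self.cam.get(dst_mac)
        if port is None:
            # Unknown destination: flood to every other port, like a hub
            return {p for p in PORTS if p != in_port}
        return {port}


def run_flood(max_macs_per_port=None, spoofed_sources=50):
    """Learn the victim, then learn many spoofed sources on FLOOD_PORT.

    Returns (ports that receive a frame addressed to the victim, violations).
    A result containing more than {VICTIM_PORT} means the switch is flooding.
    """
    sw = Switch(max_macs_per_port=max_macs_per_port)
    sw.learn(VICTIM_MAC, VICTIM_PORT)
    for i in range(spoofed_sources):
        spoofed = f"de:ad:be:ef:{i // 256:02x}:{i % 256:02x}"   # constructed
        sw.learn(spoofed, FLOOD_PORT)
    # A third host on port 2 now sends a frame to the victim
    return sw.egress_ports(VICTIM_MAC, in_port=2), sw.violations


if __name__ == "__main__":
    print("no limit:        ", run_flood())
    print("2 MACs per port: ", run_flood(max_macs_per_port=2))
```

The second run is the defender's view: the table never overflows, the victim's entry survives, and the violation counter is exactly the kind of signal a port-security alert or syslog message would carry.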
Firewall types (3.5.B)
Firewalls create zones of different access levels and prevent unauthorized access or movement between zones. The appropriate firewall depends on the traffic inspection level needed, what the firewall protects, and the risk level of the zone.
By inspection level
Stateless firewall
Filters traffic using fixed rules based on IP address, port, or protocol. Does not track connections or log traffic. Best for: simple or low-risk segments that need basic filtering without connection awareness.
Stateful firewall
Tracks active connections and can log suspicious traffic patterns. Allows return traffic for established connections. Best for: zones that need connection awareness, logging, and compliance monitoring.
Next-generation (NGFW)
Includes advanced features like intrusion prevention (IPS) and application-layer filtering — can identify and block specific applications. Best for: high-risk zones requiring deep packet inspection.
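The practical difference between the stateless and stateful types is easiest to see with a single inbound packet. The model below is an added example, not code from the original page: a stateless filter that must permit inbound packets with source port 443 so that HTTPS replies can get back in, beside a stateful filter that only admits an inbound packet when it matches a connection previously opened from inside. The addresses and ports are constructed; the rule format and the connection-table shape are this example's own.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str   # "out" = internal -> internet, "in" = internet -> internal


class StatelessFirewall:
    """Fixed rules only; no memory of earlier packets."""

    def __init__(self, rules):
        # Each rule: (direction, dst_port or None, src_port or None, action)
        self.rules = rules

    def decide(self, pkt):
        for direction, dst_port, src_port, action in self.rules:
            if (direction == pkt.direction
                    and dst_port in (None, pkt.dst_port)
                    and src_port in (None, pkt.src_port)):
                return action
        return "deny"   # implicit deny when nothing matches


class StatefulFirewall:
    """Tracks connections opened from inside; inbound traffic is admitted only as a reply."""

    def __init__(self, allowed_outbound_ports):
        self.allowed_outbound_ports = allowed_outbound_ports
        self.table = set()   # established (src_ip, src_port, dst_ip, dst_port)
        self.log = []        # denied unsolicited inbound packets

    def decide(self, pkt):
        if pkt.direction == "out":
            if pkt.dst_port in self.allowed_outbound_ports:
                self.table.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return "permit"
            return "deny"
        # Inbound: the reversed 4-tuple must already be in the table
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:
            return "permit"
        self.log.append(
            f"unsolicited inbound {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}")
        return "deny"


def compare():
    """Run the same three constructed packets through both firewall types."""
    stateless = StatelessFirewall([
        ("out", 443, None, "permit"),   # clients may reach HTTPS servers
        ("in", None, 443, "permit"),    # replies: the only way a stateless filter can allow them
    ])
    stateful = StatefulFirewall(allowed_outbound_ports={443})

    request = Packet("10.0.0.5", 51000, "203.0.113.10", 443, "out")      # client opens HTTPS
    reply = Packet("203.0.113.10", 443, "10.0.0.5", 51000, "in")         # genuine reply
    unsolicited = Packet("198.51.100.7", 443, "10.0.0.5", 3389, "in")    # nobody asked for this
    return {
        "stateless": [stateless.decide(p) for p in (request, reply, unsolicited)],
        "stateful": [stateful.decide(p) for p in (request, reply, unsolicited)],
    }


if __name__ == "__main__":
    print(compare())
```

The stateless filter cannot tell the genuine reply from the unsolicited packet, because both carry source port 443; the stateful filter denies the second one and records it, which is the logging and connection awareness the text attributes to that type.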
By placement
Perimeter firewall
Protects the boundary between the internal network and the internet. First line of defense against external threats. Handles high traffic volumes with broad policies applied to all inbound and outbound traffic.
Internal firewall
Deployed within the network to isolate sensitive devices or departments and prevent lateral movement. Can create a screened subnet (DMZ) that hosts public-facing services at lower trust than the internal network.
Host-based firewall
Software installed on individual devices. Provides tailored, device-specific security regardless of which network the device joins. Best for: laptops and endpoints that move between networks (office, home, public Wi-Fi).
Configuring firewall rules (Access Control Lists) (3.5.C)
Firewalls use access control lists (ACLs) to decide which traffic is permitted or denied. ACL rules are evaluated in order from top to bottom — the first rule that matches is applied, and the rules below it are not consulted. Rule order is therefore critical.
ACL rule components
Each ACL rule specifies:
- Direction: Inbound or outbound on an interface
- Criteria: IP addresses, logical port number, service, or application
- Action: Permit or Deny
Ports to allow / block
Allow (secure):
- Port 443 – HTTPS
- Port 22 – SSH/SFTP
- Port 53 – DNS
Block (vulnerable):
- Port 80 – HTTP
- Port 23 – Telnet
- Port 21 – FTP
Rule ordering — why it matters
More specific rules must be placed above broad, general rules. A broad deny-all placed at the top blocks every packet before specific allow rules can be reached.
✓ Correct order — SSH allowed, all else blocked
101 ALLOW inbound TCP port 22 from ALL
102 DENY inbound TCP ALL from ALL
✗ Wrong order — SSH also blocked
101 DENY inbound TCP ALL from ALL
102 ALLOW inbound TCP port 22 from ALL
Rule 101 matches all TCP traffic, including port 22, before rule 102 is ever considered — the allow rule is never reached.
After configuration: verify
Use ping to verify that allowed traffic succeeds and that blocked traffic is denied. Test both permitted and prohibited paths to confirm the entire ACL is working as intended.
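The ordering rule and the verification step can both be checked before anything is deployed. The example below is added here and is not from the original page: it parses rules written in the page's own notation, evaluates a packet against them first-match-wins, and runs a small test plan of permitted and prohibited paths, the same idea as the ping and connectivity tests the text recommends but performed as a dry run against the rule text. It assumes the usual implicit deny at the end of an ACL, and the rule grammar, the `verify` function and the test-plan addresses are this example's own constructs.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str        # "ALLOW" or "DENY"
    direction: str     # "inbound" or "outbound"
    protocol: str      # "TCP", "UDP", "ICMP" or "ALL"
    port: Optional[int]   # None means ALL ports
    source: str        # "ALL" or a single address


# Grammar for lines such as "101 ALLOW inbound TCP port 22 from ALL" (example's own)
RULE_RE = re.compile(
    r"^(\d+)\s+(ALLOW|DENY)\s+(inbound|outbound)\s+(\w+)\s+"
    r"(?:port\s+(\d+)|ALL)\s+from\s+(\S+)$", re.IGNORECASE)


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    seq, action, direction, proto, port, source = m.groups()
    return Rule(int(seq), action.upper(), direction.lower(), proto.upper(),
                int(port) if port else None, source)


def parse_acl(text):
    rules = [parse_rule(l) for l in text.strip().splitlines() if l.strip()]
    return sorted(rules, key=lambda r: r.seq)   # evaluated by sequence number


def evaluate(acl, direction, protocol, port, source):
    """First matching rule wins. Returns (action, matching seq); no match is an implicit DENY."""
    for r in acl:
        if r.direction != direction:
            continue
        if r.protocol not in ("ALL", protocol.upper()):
            continue
        if r.port is not None and r.port != port:
            continue
        if r.source != "ALL" and r.source != source:
            continue
        return r.action, r.seq
    return "DENY", None


# The two orderings from the text
CORRECT = """
101 ALLOW inbound TCP port 22 from ALL
102 DENY inbound TCP ALL from ALL
"""
WRONG = """
101 DENY inbound TCP ALL from ALL
102 ALLOW inbound TCP port 22 from ALL
"""

# Constructed test plan: one permitted path and two prohibited ones
TEST_PLAN = [
    (("inbound", "TCP", 22, "198.51.100.7"), "ALLOW"),
    (("inbound", "TCP", 23, "198.51.100.7"), "DENY"),
    (("inbound", "TCP", 80, "198.51.100.7"), "DENY"),
]


def verify(acl_text, plan=TEST_PLAN):
    """Return a list of mismatches; an empty list means the ACL behaves as intended."""
    acl = parse_acl(acl_text)
    failures = []
    for (direction, proto, port, src), expected in plan:
        action, seq = evaluate(acl, direction, proto, port, src)
        if action != expected:
            failures.append(
                f"{proto}/{port} from {src}: expected {expected}, got {action} (rule {seq})")
    return failures


if __name__ == "__main__":
    print("correct order:", verify(CORRECT) or "OK")
    print("wrong order:  ", verify(WRONG))
```

Running it reports nothing for the correct ordering and one mismatch for the wrong one, naming rule 101 as the rule that swallowed the SSH packet; the live ping and connection tests then confirm the same expectations on the real device, where interface direction and the implicit deny behave as the vendor implements them.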