
How Huawei S-Series Switches Enable Unidirectional Access

Apr, 08, 2024 Hi-network.com

For S-series switches (except the S1700) and E-series switches, a TCP connection is established with a three-way handshake. The handshake segments sent by the passive party always carry the ACK or RST flag; a connection request (a segment with SYN set and no ACK) is sent only by the active party. It is therefore enough to configure an ACL on the passive party's side that permits TCP segments carrying RST or ACK and denies TCP segments carrying any other flag combination.


Taking a box-shaped device as an example, the requirement is unidirectional TCP access between a user and a server: only the server may actively establish TCP connections to the user, while the user may not actively establish TCP connections to the server.


To realize the above requirement, the ACL on Switch is configured as follows:


[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag ack
//Match TCP packets sent to the server (10.1.20.1) whose ACK flag is set.
[Switch-acl-adv-3001] rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag rst
//Match TCP packets sent to the server whose RST flag is set.
[Switch-acl-adv-3001] rule deny tcp destination 10.1.20.1 0.0.0.0
//Deny every other TCP packet sent to the server, including a bare SYN that would open a new connection.
[Switch-acl-adv-3001] quit


Description: For ACL rules that match the TCP protocol, the established keyword matches TCP packets whose ACK or RST flag is set. The two commands rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag ack and rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag rst can therefore be replaced by the single command rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag established.
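To check the rule logic before it goes onto a switch, the following is an added example (not from the article and not Huawei code) that models ACL 3001 as first-match rule evaluation and runs constructed sample segments through both the three-rule form and the shorter established form. It assumes that tcp-flag ack and tcp-flag rst match whenever that bit is set regardless of other bits, that traffic matching no ACL rule is forwarded normally by the traffic policy, and it uses a made-up user address 10.1.10.1, which the article does not name.

```python
# Added example: a model of ACL 3001 / traffic policy p1 from the article,
# used to confirm that only server-initiated TCP sessions pass towards the server.
from dataclasses import dataclass
from typing import Optional

# TCP flag bits as laid out in the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}

SERVER_IP = "10.1.20.1"  # server address from the article's configuration
USER_IP = "10.1.10.1"    # assumed user address (constructed; not in the article)


@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: int  # OR of the flag bits above

    def describe(self) -> str:
        names = [n for bit, n in FLAG_NAMES.items() if self.flags & bit] or ["none"]
        return f"{self.src} -> {self.dst} [{'+'.join(names)}]"


@dataclass(frozen=True)
class Rule:
    """One 'rule permit|deny tcp destination X 0.0.0.0 [tcp-flag F]' line."""
    action: str                      # "permit" or "deny"
    destination: str
    tcp_flag: Optional[str] = None   # "ack", "rst", "established" or None (any flags)

    def matches(self, seg: Segment) -> bool:
        if seg.dst != self.destination:
            return False
        if self.tcp_flag is None:
            return True
        # Assumption: a tcp-flag keyword matches when that bit is set, whatever else is set.
        if self.tcp_flag == "ack":
            return bool(seg.flags & ACK)
        if self.tcp_flag == "rst":
            return bool(seg.flags & RST)
        if self.tcp_flag == "established":   # ACK or RST, as the Description paragraph states
            return bool(seg.flags & (ACK | RST))
        raise ValueError(f"unsupported tcp-flag {self.tcp_flag!r}")


def evaluate(rules, seg: Segment, default: str = "permit") -> str:
    """First matching rule wins. Traffic matching no rule is not subject to the
    policy and is forwarded, hence the default of 'permit' (model assumption)."""
    for rule in rules:
        if rule.matches(seg):
            return rule.action
    return default


# ACL 3001 exactly as the article writes it (three rules, in order).
ACL_3001 = [
    Rule("permit", SERVER_IP, "ack"),
    Rule("permit", SERVER_IP, "rst"),
    Rule("deny", SERVER_IP),
]

# The shortened form the Description paragraph says is equivalent.
ACL_3001_ESTABLISHED = [
    Rule("permit", SERVER_IP, "established"),
    Rule("deny", SERVER_IP),
]

# Constructed sample traffic leaving GE0/0/2 towards the server.
SAMPLES = [
    Segment(USER_IP, SERVER_IP, SYN),          # user tries to open a session: denied
    Segment(USER_IP, SERVER_IP, SYN | ACK),    # user answers a server-initiated SYN: permitted
    Segment(USER_IP, SERVER_IP, ACK),          # traffic inside a server-initiated session
    Segment(USER_IP, SERVER_IP, PSH | ACK),
    Segment(USER_IP, SERVER_IP, FIN | ACK),    # normal close
    Segment(USER_IP, SERVER_IP, RST),          # abort
    Segment(USER_IP, SERVER_IP, FIN),          # FIN without ACK: no legitimate use, denied
    Segment(USER_IP, "10.1.20.2", SYN),        # other destination: ACL does not match
]


def decisions(rules, samples=SAMPLES):
    """Map each sample segment's description to the ACL verdict."""
    return {seg.describe(): evaluate(rules, seg) for seg in samples}


def equivalent(rules_a, rules_b, samples=SAMPLES) -> bool:
    """True when both rule sets give the same verdict for every sample."""
    return decisions(rules_a, samples) == decisions(rules_b, samples)


if __name__ == "__main__":
    for desc, verdict in decisions(ACL_3001).items():
        print(f"{verdict:6} {desc}")
    print("established form equivalent:", equivalent(ACL_3001, ACL_3001_ESTABLISHED))
```

The model reproduces the article's point: the only segment a user can send to the server without ACK or RST is the one that opens a connection, so denying it blocks user-initiated sessions while every segment of a server-initiated session still passes.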


Configure a traffic policy and apply it in the outbound direction of interface GE0/0/2, the interface through which the Switch connects to the server.


[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic behavior b1
[Switch-behavior-b1] permit
[Switch-behavior-b1] quit
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] traffic-policy p1 outbound
[Switch-GigabitEthernet0/0/2] quit



Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.