On S-series switches (except the S1700) and E-series switches, TCP connection establishment is a three-way handshake, and the handshake segments sent by the passive party always carry the ACK or RST flag; the passive party never sends a SYN-only segment. Therefore it is only necessary to configure an ACL on the passive party's side that permits TCP packets carrying the RST or ACK flag and denies TCP packets carrying other flags.
Taking a box-shaped device as an example, the requirement is unidirectional TCP access between a user and a server: only the server may actively establish TCP connections to the user, while the user may not actively establish TCP connections to the server.
To meet this requirement, configure the ACL on the Switch as follows:
[Switch] acl number 3001
[Switch-acl-adv-3001] rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag ack
// Match TCP packets to the server whose ACK flag is set.
[Switch-acl-adv-3001] rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag rst
// Match TCP packets to the server whose RST flag is set.
[Switch-acl-adv-3001] rule deny tcp destination 10.1.20.1 0.0.0.0
// Deny all other TCP packets to the server, such as a SYN-only segment that opens a connection.
[Switch-acl-adv-3001] quit
Note: For ACL rules that match TCP, the established keyword matches TCP packets whose header has the ACK or RST flag set. Therefore, the two commands rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag ack and rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag rst can be replaced by the single command rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag established.
Configure a traffic policy and apply it in the outbound direction of interface GE0/0/2, through which the Switch connects to the server.
[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic behavior b1
[Switch-behavior-b1] permit
[Switch-behavior-b1] quit
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] traffic-policy p1 outbound
[Switch-GigabitEthernet0/0/2] quit
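The following Python model, added here as an illustration and not vendor code, evaluates ACL 3001 the way the switch does in the outbound direction of GE0/0/2 (first matching rule wins; a packet matching no rule is not classified and is forwarded normally) and checks that the two-rule established form gives the same decisions. The user address 10.1.10.1 and the sample segments are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SERVER = "10.1.20.1"   # server address from the ACL above
USER = "10.1.10.1"     # constructed user address (assumption, not on the page)

@dataclass(frozen=True)
class Segment:
    src: str
    dst: str
    flags: FrozenSet[str]   # TCP flags that are set, e.g. {"SYN", "ACK"}

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    dst: str                        # destination host (wildcard 0.0.0.0 = exact match)
    tcp_flag: Optional[str] = None  # "ack", "rst", "established" or None (any flags)

    def matches(self, seg: Segment) -> bool:
        if seg.dst != self.dst:
            return False
        if self.tcp_flag is None:            # rule deny tcp destination ... (no flag test)
            return True
        if self.tcp_flag == "established":   # ACK or RST set
            return bool(seg.flags & {"ACK", "RST"})
        return self.tcp_flag.upper() in seg.flags

# ACL 3001 exactly as configured above, and the shorter established equivalent
ACL_3001 = [Rule("permit", SERVER, "ack"), Rule("permit", SERVER, "rst"), Rule("deny", SERVER)]
ACL_3001_ESTABLISHED = [Rule("permit", SERVER, "established"), Rule("deny", SERVER)]

def evaluate(acl: List[Rule], seg: Segment) -> str:
    """First matching rule decides; no match means classifier c1 does not apply."""
    for rule in acl:
        if rule.matches(seg):
            return rule.action
    return "forward"

def tcp(src: str, dst: str, *flags: str) -> Segment:
    return Segment(src, dst, frozenset(flags))

# Constructed segments seen outbound on GE0/0/2 (towards the server)
SAMPLES = {
    "user opens connection (SYN)":         tcp(USER, SERVER, "SYN"),
    "user answers server's SYN (SYN+ACK)": tcp(USER, SERVER, "SYN", "ACK"),
    "user data segment (PSH+ACK)":         tcp(USER, SERVER, "PSH", "ACK"),
    "user aborts (RST)":                   tcp(USER, SERVER, "RST"),
    "user FIN without ACK":                tcp(USER, SERVER, "FIN"),
}

def decisions(acl: List[Rule] = ACL_3001) -> dict:
    return {name: evaluate(acl, seg) for name, seg in SAMPLES.items()}
```

Because the match is on flags alone rather than connection state, any TCP segment towards the server with ACK set is permitted whether or not a connection actually exists; only the SYN-only segment that opens a user-initiated connection is dropped.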