44.10 Configuration Examples
44.10.1 Configuring TCP One-Way
Connection
The one-way ACL function can be enabled through the configuration of TCP flag filtering
44.10.1.1 Configuration Requirements
To ensure the security of network A, the host of network A can initiate a TCP communication
request to the host of network B. But on the contrary, the host of network B cannot initiate
any TCP communication request to the host of netowrk A.
44.10.1.2 Topology
As shown in the figure above, two networks are connected through a L3 switch. Network A is
connected to the G3/1 interface and network B is connected to the G3/2 interface.
44.10.1.3 Analysis
To forbid the host of network B from initiating any TCP communication request to network A,
you can perform configuration to filter TCP connection request packets initiated from
network B and forwarded at the G3/2 interface. According to the TCP connection process,
the SYN flag of the initial TCP flag field in the initial TCP request packet can be set and the
ACK flag bit is set to 0. You can select the Match-all option in the extended access control
list to filter the packets with the initial SYN flag bit set to 1 and ACK flag bit set to 0 in the
G3/2 input direction, thus implementing one-way access from network A to network B.
44.10.1.4 Configuration Steps
1) Defining an access control list
# Enter the switch configuration mode.
DGS-3610# configure terminal
# Create an extended ACL ACL101 in the configuration mode.
DGS-3610(config)# ip access-list extended 101
# Deny the packets with the SYN of TCP Flag set to 1 and other flag bits (including the
ACK flag bit) set to 0.
DGS-3610(config-ext-nacl)# deny tcp any any match-all SYN
To Next Page
Loading...
