126 Summit 200 Series Switch Installation and User Guide
Access Policies
Figure 18: Access list allows TCP traffic
Step 3 - Permit-Established Access List.
When a TCP session begins, there is a three-way handshake that includes a sequence of a SYN,
SYN/ACK, and ACK packets. Figure 19 shows an illustration of the handshake that occurs when host A
initiates a TCP session to host B. After this sequence, actual data can be passed.
Figure 19: Host A initiates a TCP session to host B
An access list that uses the permit-established keyword filters the SYN packet in one direction.
Use the permit-established keyword to allow only host A to be able to establish a TCP session to host B
and to prevent any TCP sessions from being initiated by host B, as illustrated in Figure 19. The
commands for this access control list is as follows:
create access-mask tcp_connection_mask ipprotocol dest-ip/32 dest-L4port
permit-established ports precedence 1000
create access-list telnet-deny tcp_connection_mask ipprotocol tcp dest-ip
10.10.10.100/32 dest-L4port 23 ports 10 permit-established
NOTE
This step may not be intuitive. Pay attention to the destination and source address, the ingress port that
the rule is applied to, and the desired affect.
NOTE
This rule has a higher precedence than the rule “tcp2_1” and “tcp1_2”.
Figure 20 shows the final outcome of this access list.
EW_03
To Next Page
Loading...
Need help?
General
