S1720, S2700, S3700, S5700, S6700, S7700, and S9700 Series Switches Common Operation Guide

This document describes the CLI-based configurations of universal protocols and common features for Huawei switches on basic networks.
Configuring a Packet Filtering Rule for TCP Packets Based on the Source IP Address Segment and TCP Flags

To implement unidirectional access control on a network segment, configure rules in an ACL. For example, to implement unidirectional access control on network segment 192.168.2.0/24, configure the following rules in ACL 3002. With these rules, hosts on 192.168.2.0/24 can only respond to TCP handshakes initiated from elsewhere (packets they send with the ACK or RST flag set, such as SYN-ACK, data segments, and resets, are permitted) but cannot initiate TCP connections themselves (a bare SYN has neither flag set and is denied). Set the descriptions of the ACL rules to Allow the ACK TCP packets through, Allow the RST TCP packets through, and Do not Allow the other TCP packet through.

Note that this is a stateless filter: the rules inspect only the flag bits of each packet, not connection state, so a packet crafted with the ACK bit set (for example, from an ACK scan) is permitted even though no handshake preceded it. The ACL also matches TCP packets only; traffic of other protocols from the segment is not covered by these rules. The ACL takes effect only after it is applied in the direction in which traffic leaves the segment (inbound on the switch port facing 192.168.2.0/24).

To meet the preceding requirement, configure two permit rules that allow packets from 192.168.2.0/24 with the ACK or RST flag set to pass, and then configure a deny rule that rejects all other TCP packets from this network segment. Rules are matched in ascending rule ID order by default, so the deny rule must have the highest ID.
<HUAWEI> system-view
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack
[HUAWEI-acl-adv-3002] display this   // If you do not specify an ID for a created rule, you can view the rule ID allocated by the system, and configure a description for the rule by specifying the rule ID.
#                                                                               
acl number 3002                                                                 
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack           // The rule ID allocated by the system is 5.      
#                                                                               
return 
[HUAWEI-acl-adv-3002] rule 5 description Allow the ACK TCP packets through
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst
[HUAWEI-acl-adv-3002] display this
#                                                                               
acl number 3002                                                                 
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack                 
 rule 5 description Allow the ACK TCP packets through                 
 rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst       // The rule ID allocated by the system is 10.        
#                                                                               
return   
[HUAWEI-acl-adv-3002] rule 10 description Allow the RST TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] display this
#                                                                               
acl number 3002                                                                 
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag ack                 
 rule 5 description Allow the ACK TCP packets through                 
 rule 10 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag rst                
 rule 10 description Allow the RST TCP packets through                
 rule 15 deny tcp source 192.168.2.0 0.0.0.255       //  The rule ID allocated by the system is 15. 
#                                                                               
return   
[HUAWEI-acl-adv-3002] rule 15 description Do not Allow the other TCP packet through
Alternatively, specify the established parameter: it matches TCP packets with either the ACK or the RST flag set, so a single permit rule replaces the two separate ACK and RST rules. Then configure the same deny rule to reject other TCP packets from this subnet. The result is identical to the three-rule ACL above, including the stateless behaviour already noted.
<HUAWEI> system-view
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established
[HUAWEI-acl-adv-3002] rule 5 description Allow the Established TCP packets through
[HUAWEI-acl-adv-3002] rule deny tcp source 192.168.2.0 0.0.0.255
[HUAWEI-acl-adv-3002] rule 10 description Do not Allow the other TCP packet through
[HUAWEI-acl-adv-3002] display this
#                                                                                                                                   
acl number 3002                                                                                                                     
 rule 5 permit tcp source 192.168.2.0 0.0.0.255 tcp-flag established                                                                
 rule 5 description Allow the Established TCP packets through                                                                       
 rule 10 deny tcp source 192.168.2.0 0.0.0.255                                                                                      
 rule 10 description Do not Allow the other TCP packet through                                                                      
#                                                                                                                                   
return
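The following Python model is an added example, not code from the Huawei document or from the switch itself. It reproduces the matching semantics the two walkthroughs rely on (the 0.0.0.255 wildcard mask, tcp-flag ack, rst and established, and first-match evaluation in ascending rule ID order) and runs both versions of ACL 3002 against a few constructed packets. It shows that the established form makes the same decisions as the ACK/RST/deny form, that a host outside the segment matches no rule at all, and that a crafted ACK-only packet is permitted because the filter is stateless. The packets, rule representation and helper names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP control bits as laid out in the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Rule:
    """One advanced-ACL rule, restricted to the fields the walkthroughs use."""
    rule_id: int
    action: str                     # "permit" or "deny"
    source: str                     # network address, e.g. "192.168.2.0"
    wildcard: str                   # wildcard mask: a 1 bit means "don't care"
    tcp_flag: Optional[str] = None  # "ack", "rst", "established" or None (any TCP)
    description: str = ""


# ACL 3002 as built in the first walkthrough; IDs 5/10/15 are what the switch
# allocates with its default step of 5.
ACL_3002_THREE_RULES = [
    Rule(5, "permit", "192.168.2.0", "0.0.0.255", "ack", "Allow the ACK TCP packets through"),
    Rule(10, "permit", "192.168.2.0", "0.0.0.255", "rst", "Allow the RST TCP packets through"),
    Rule(15, "deny", "192.168.2.0", "0.0.0.255", None, "Do not Allow the other TCP packet through"),
]

# The two-rule equivalent from the second walkthrough using tcp-flag established.
ACL_3002_ESTABLISHED = [
    Rule(5, "permit", "192.168.2.0", "0.0.0.255", "established", "Allow the Established TCP packets through"),
    Rule(10, "deny", "192.168.2.0", "0.0.0.255", None, "Do not Allow the other TCP packet through"),
]


def source_matches(rule: Rule, src_ip: str) -> bool:
    """Wildcard-mask comparison: bits set to 1 in the wildcard are ignored."""
    ip = int(ipaddress.IPv4Address(src_ip))
    base = int(ipaddress.IPv4Address(rule.source))
    wc = int(ipaddress.IPv4Address(rule.wildcard))
    return (ip | wc) == (base | wc)


def flag_matches(rule: Rule, flags: int) -> bool:
    """tcp-flag semantics: ack/rst test one bit; established means ACK or RST set."""
    if rule.tcp_flag is None:
        return True
    if rule.tcp_flag == "ack":
        return bool(flags & ACK)
    if rule.tcp_flag == "rst":
        return bool(flags & RST)
    if rule.tcp_flag == "established":
        return bool(flags & (ACK | RST))
    raise ValueError(f"unsupported tcp-flag {rule.tcp_flag!r}")


def evaluate(acl: List[Rule], src_ip: str, flags: int) -> Tuple[str, Optional[int]]:
    """First match wins, walking rules in ascending rule-ID order (the default
    config-order matching). Returns (action, rule_id), or ("no-match", None) when
    no rule applies; what happens then depends on where the ACL is applied."""
    for rule in sorted(acl, key=lambda r: r.rule_id):
        if source_matches(rule, src_ip) and flag_matches(rule, flags):
            return rule.action, rule.rule_id
    return "no-match", None


# Constructed sample packets: (source IP, TCP flags, what the packet represents).
SAMPLE_PACKETS = [
    ("192.168.2.10", SYN, "handshake initiated from inside the segment"),
    ("192.168.2.10", SYN | ACK, "reply to a handshake initiated from outside"),
    ("192.168.2.10", ACK | PSH, "data segment of an existing connection"),
    ("192.168.2.10", RST, "connection reset sent from inside"),
    ("192.168.2.10", ACK, "crafted ACK with no prior handshake (ACK scan)"),
    ("192.168.3.10", SYN, "host outside the filtered segment"),
]


def verdicts(acl: List[Rule]) -> List[Tuple[str, str, Optional[int]]]:
    """Run every sample packet through the ACL: (description, action, rule_id)."""
    return [(desc, *evaluate(acl, ip, flags)) for ip, flags, desc in SAMPLE_PACKETS]


def same_decisions(acl_a: List[Rule], acl_b: List[Rule]) -> bool:
    """True when both ACLs permit/deny every sample packet identically."""
    return [v[1] for v in verdicts(acl_a)] == [v[1] for v in verdicts(acl_b)]


if __name__ == "__main__":
    for desc, action, rule_id in verdicts(ACL_3002_THREE_RULES):
        print(f"{action:8} rule {str(rule_id):4} {desc}")
    print("established form equivalent:", same_decisions(ACL_3002_THREE_RULES, ACL_3002_ESTABLISHED))
```

Running the script prints the bare SYN from 192.168.2.10 hitting the deny rule, the SYN-ACK, data and RST packets hitting a permit rule, the crafted ACK also permitted (the stateless caveat), and the 192.168.3.10 packet matching nothing; the last line confirms the established form decides every packet the same way as the three-rule form.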

Updated: 2018-09-03

Document ID: EDOC1000057410