CloudEngine 16800, 9800, 8800, and 6800 Series Switches Troubleshooting Guide (V300)

How Do I Configure a Device to Implement Unidirectional TCP Access?

A TCP connection is established through a three-way handshake. Every handshake packet sent by the receiving (passive) side carries the ACK flag, or the RST flag if it refuses the connection; the only handshake packet that carries neither flag is the initiator's opening SYN. Therefore, to stop one side from initiating connections, you only need to configure an ACL on the receiver side that allows only TCP packets with the ACK or RST flag to pass through.

On the network shown in the figure, unidirectional TCP access between a user and a server needs to be implemented. That is, the server is allowed to proactively establish a TCP connection with the user, but the user is not allowed to proactively establish a TCP connection with the server.

Figure 51-3 Network diagram of unidirectional TCP access

To meet the preceding requirements, configure an ACL on Device as follows:

[~HUAWEI] acl number 3001
[*HUAWEI-acl-adv-3001] rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag ack  //Configure an ACL rule that matches TCP packets whose ACK flag is set in the TCP header.
[*HUAWEI-acl-adv-3001] rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag rst  //Configure an ACL rule that matches TCP packets whose RST flag is set in the TCP header.
[*HUAWEI-acl-adv-3001] rule deny tcp destination 10.1.20.1 0.0.0.0
[*HUAWEI-acl-adv-3001] quit
[*HUAWEI] commit

For an ACL rule that matches TCP packets, the established keyword matches packets whose ACK or RST flag is set. Therefore, the two commands rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag ack and rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag rst can be replaced by the single command rule permit tcp destination 10.1.20.1 0.0.0.0 tcp-flag established.

Configure a traffic policy that references ACL 3001 and apply it in the outbound direction of GE1/0/2, the interface that connects Device to the server, so that the ACL is checked on every TCP packet heading toward the server.

[~HUAWEI] traffic classifier c1
[*HUAWEI-classifier-c1] if-match acl 3001
[*HUAWEI-classifier-c1] quit
[*HUAWEI] traffic behavior b1
[*HUAWEI-behavior-b1] permit
[*HUAWEI-behavior-b1] quit
[*HUAWEI] traffic policy p1
[*HUAWEI-trafficpolicy-p1] classifier c1 behavior b1
[*HUAWEI-trafficpolicy-p1] quit
[*HUAWEI] interface GE 1/0/2
[*HUAWEI-GE1/0/2] traffic-policy p1 outbound
[*HUAWEI-GE1/0/2] quit
[*HUAWEI] commit
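The following is an added example, not part of the Huawei guide: a small Python model of how ACL 3001 classifies each segment of a TCP handshake, covering both the two-rule form and the single tcp-flag established form described above. The server address 10.1.20.1 comes from the page; the user address and the flag semantics (established means ACK or RST set) are assumptions.

```python
# Added example, not from the Huawei guide: models how ACL 3001 above
# classifies each segment of a TCP handshake in either direction.
# Assumptions: server is 10.1.20.1 (from the page); the user address and
# the flag semantics below (established = ACK or RST set) are assumed.
from dataclasses import dataclass

SERVER = "10.1.20.1"
USER = "10.1.10.1"  # constructed user address; not given on the page

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    flags: frozenset  # TCP flag names that are set, e.g. {"SYN", "ACK"}

def flag_match(flags, tcp_flag):
    """Model the tcp-flag keyword: ack/rst/syn require that bit to be set
    (other bits are ignored); established requires ACK or RST."""
    if tcp_flag == "established":
        return bool(flags & {"ACK", "RST"})
    return tcp_flag.upper() in flags

# The rules of ACL 3001 as (action, destination, tcp-flag); first match wins.
ACL_3001 = [("permit", SERVER, "ack"), ("permit", SERVER, "rst"), ("deny", SERVER, None)]
# The shorter form the page describes: one established rule replaces both permits.
ACL_3001_ESTABLISHED = [("permit", SERVER, "established"), ("deny", SERVER, None)]

def acl_action(pkt, acl=ACL_3001, default="permit"):
    """Action for one packet on the server-facing outbound policy; a packet
    that matches no rule is forwarded (the default)."""
    for action, dst, tcp_flag in acl:
        if pkt.dst == dst and (tcp_flag is None or flag_match(pkt.flags, tcp_flag)):
            return action
    return default

def handshake_outcome(initiator, responder, acl=ACL_3001):
    """Send the three handshake segments and report whether the policy on
    GE1/0/2 (which only sees segments addressed to the server) drops one."""
    segments = [
        Packet(initiator, responder, frozenset({"SYN"})),
        Packet(responder, initiator, frozenset({"SYN", "ACK"})),
        Packet(initiator, responder, frozenset({"ACK"})),
    ]
    for seg in segments:
        if seg.dst == SERVER and acl_action(seg, acl) == "deny":
            return "blocked at " + "+".join(sorted(seg.flags))
    return "completed"
```

Running handshake_outcome(USER, SERVER) shows the user's opening SYN being dropped, while handshake_outcome(SERVER, USER) completes because the user's SYN+ACK reply carries the ACK flag.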