Extreme Networks Summit 300-48 User Manual

Page 118


Summit 300-48 Switch Software User Guide

Access Policies

Figure 9: Access list allows TCP traffic

Step 3 - Permit-Established Access List.

When a TCP session begins, there is a three-way handshake consisting of SYN, SYN/ACK, and ACK
packets. Figure 10 illustrates the handshake that occurs when host A initiates a TCP session to host B.
After this sequence, actual data can be passed.

Figure 10: Host A initiates a TCP session to host B

An access list that uses the permit-established keyword filters the SYN packet in one direction.

Use the permit-established keyword to allow only host A to establish a TCP session to host B, and to
prevent host B from initiating any TCP sessions, as illustrated in Figure 10. The commands for this
access control list are as follows:

create access-mask tcp_connection_mask ipprotocol dest-ip/32 dest-L4port permit-established ports precedence 1000

create access-list telnet-deny tcp_connection_mask ipprotocol tcp dest-ip 10.10.10.100/32 dest-L4port 23 ports 1:10 permit-established

NOTE

This step may not be intuitive. Pay attention to the destination and source address, the ingress port that
the rule is applied to, and the desired effect.

NOTE

This rule has a higher precedence than the rules “tcp2_1” and “tcp1_2”.
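To make the one-directional effect of permit-established concrete, here is an added simulation of the telnet-deny rule above. It is not Extreme Networks code and does not configure a switch; it only applies the rule's match fields (ingress ports 1:10, TCP, destination 10.10.10.100/32, destination port 23) to a set of constructed packets that follow the handshake of Figure 10. Assumptions, not taken from the page: the client sits on switch port 3 with address 10.10.20.100, the Telnet server is 10.10.10.100, and permit-established is interpreted as "permit a matching TCP packet that carries ACK or RST, deny a bare SYN".

```python
"""Simulation of the permit-established access list on this page.

Added example, not Extreme Networks code. Constructed assumptions: client on
switch port 3 at 10.10.20.100, Telnet server at 10.10.10.100, and
permit-established meaning 'permit matching TCP packets with ACK or RST set,
deny a bare SYN'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# TCP header flag bits
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    label: str            # name of the constructed sample packet
    ingress_port: int     # switch port the packet arrived on
    src_ip: str
    dst_ip: str
    ipprotocol: str       # "tcp", "udp" or "icmp"
    dst_l4port: Optional[int] = None
    tcp_flags: int = 0


@dataclass(frozen=True)
class PermitEstablishedRule:
    """Fields the telnet-deny access list matches on (tcp_connection_mask)."""
    name: str
    first_port: int       # 'ports 1:10' -> 1
    last_port: int        # 'ports 1:10' -> 10
    dst_net: ipaddress.IPv4Network
    dst_l4port: int

    def matches(self, pkt: Packet) -> bool:
        return (self.first_port <= pkt.ingress_port <= self.last_port
                and pkt.ipprotocol == "tcp"
                and ipaddress.ip_address(pkt.dst_ip) in self.dst_net
                and pkt.dst_l4port == self.dst_l4port)

    def decide(self, pkt: Packet) -> str:
        """Return 'permit', 'deny' or 'no-match'.

        Assumed permit-established semantics: a matching packet is permitted
        only when ACK or RST is set, i.e. it belongs to a session that already
        exists. A bare SYN, the first packet of a new session, is dropped.
        Packets that do not match fall through to the lower-precedence rules.
        """
        if not self.matches(pkt):
            return "no-match"
        return "permit" if pkt.tcp_flags & (ACK | RST) else "deny"


# The access list from the page: ingress ports 1:10, TCP to 10.10.10.100:23
TELNET_DENY = PermitEstablishedRule(
    name="telnet-deny",
    first_port=1,
    last_port=10,
    dst_net=ipaddress.IPv4Network("10.10.10.100/32"),
    dst_l4port=23,
)

CLIENT, SERVER = "10.10.20.100", "10.10.10.100"   # constructed hosts

# Constructed sample packets: the handshake of Figure 10 as seen from the
# rule, plus a few packets that probe the edges of the access mask.
SAMPLE_PACKETS = [
    Packet("client SYN to telnet", 3, CLIENT, SERVER, "tcp", 23, SYN),
    Packet("server SYN/ACK back", 7, SERVER, CLIENT, "tcp", 40000, SYN | ACK),
    Packet("client ACK to telnet", 3, CLIENT, SERVER, "tcp", 23, ACK),
    Packet("client data to telnet", 3, CLIENT, SERVER, "tcp", 23, ACK | PSH),
    Packet("client RST to telnet", 3, CLIENT, SERVER, "tcp", 23, RST),
    Packet("client SYN to http", 3, CLIENT, SERVER, "tcp", 80, SYN),
    Packet("SYN from port 12", 12, CLIENT, SERVER, "tcp", 23, SYN),
    Packet("udp to server", 3, CLIENT, SERVER, "udp", 23),
]


def evaluate(rule: PermitEstablishedRule, packets) -> List[Tuple[str, str]]:
    """Apply the rule to each packet and return (label, verdict) pairs."""
    return [(p.label, rule.decide(p)) for p in packets]


if __name__ == "__main__":
    for label, verdict in evaluate(TELNET_DENY, SAMPLE_PACKETS):
        print(f"{label:24s} -> {verdict}")
```

Only the client's bare SYN toward 10.10.10.100:23 is denied; packets with ACK or RST that match the same mask are permitted, and everything in the reverse direction (the server's SYN/ACK) never matches this rule at all because its destination is the client. That is the point of the NOTE above: the rule is keyed on destination address and ingress port, so which side can open a session depends on where the rule is applied, not on which host is "the server".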

Figure 9 (image): access list between 10.10.10.100 and 10.10.20.100, showing TCP, UDP and ICMP traffic.

Figure 10 (image): Host A sends SYN to Host B; Host B replies SYN/ACK; Host A sends ACK.
