Page 17 | AlliedWare Plus™ OS How To Note
Examples
Blocking TCP sessions in one direction
This example uses two QoS class-maps.
Administrators often want to block the establishment of TCP sessions in one direction, but
allow TCP sessions to be established in the opposite direction. To do this, it is necessary to
block the very first packet of an outgoing TCP session from being forwarded, but to allow
any packets that reply to the initiation of an incoming TCP session to be forwarded.
The very first packet of a TCP session has the SYN flag set, and no other flags. The reply to
that packet has the SYN and ACK flags set, and no other flags. So, to block TCP sessions
from being established in one direction, but not the other direction, we must block packets
that have only the SYN flag set, but allow packets that have both the SYN and ACK flags set.
To configure this on port 1.0.10:
1. Create an ACL with an action of deny. This ACL will only be used to set the action taken
on packets with only the SYN flag set, not to select the traffic, so it needs to match all IP
traffic. To do this, enter global configuration mode and use the command:
awplus(config)#access-list 3000 deny tcp any any
2. Create a class-map that matches on packets that have both the SYN and ACK flags set. To
do this, use the commands:
awplus(config)#class-map ack-syn-flags
awplus(config-cmap)#match tcp-flags ack syn
You want to permit this traffic, so you do not need to make an ACL to specify an action.
3. Create a second class-map that matches on packets that have only the SYN flag set. Use
the ACL to give this class-map an action of drop. To do this, use the commands:
awplus(config-cmap)#class-map syn-flags
awplus(config-cmap)#match tcp-flags syn
awplus(config-cmap)#match access-group 3000
4. Create a policy-map and add both class-maps to it. Add the class-map that matches both
flags first, followed by the class-map that drops packets with only the SYN flag. To do this,
use the commands:
awplus(config-cmap)#policy-map flags
awplus(config-pmap)#class ack-syn-flags
awplus(config-pmap-c)#class syn-flags
5. Apply the policy-map to port 1.0.10. To do this, use the commands:
awplus(config-pmap-c)#interface port1.0.10
awplus(config-if)#service-policy input flags
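As an added example, not part of the Allied Telesis note, here is a small Python model of the policy-map built in steps 1-5, used to check which handshake packets entering port1.0.10 are dropped and why the class order in step 4 matters. It assumes that `match tcp-flags` matches any packet in which all the listed flags are set and that the first matching class-map decides a packet's action; the ClassMap and classify names are mine.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class ClassMap:
    name: str
    tcp_flags: FrozenSet[str]          # flags that must all be set (assumed semantics)
    acl_action: Optional[str] = None   # action from the "match access-group" ACL, if any

    def matches(self, flags: FrozenSet[str]) -> bool:
        return self.tcp_flags <= flags

    def action(self) -> str:
        # With no ACL attached there is no deny action, so matched traffic is forwarded.
        return self.acl_action or "permit"


def classify(policy: List[ClassMap], flags: FrozenSet[str]) -> Tuple[str, str]:
    """Return (class-map name, action) for a TCP packet with the given flags."""
    for cmap in policy:                 # first matching class-map wins (assumed)
        if cmap.matches(flags):
            return cmap.name, cmap.action()
    return "class-default", "permit"    # unmatched traffic is forwarded


# Policy-map "flags" from steps 1-4: the SYN+ACK class first, then the SYN class
# whose drop action comes from ACL 3000 (deny tcp any any).
ACK_SYN = ClassMap("ack-syn-flags", frozenset({"SYN", "ACK"}))
SYN_ONLY = ClassMap("syn-flags", frozenset({"SYN"}), acl_action="drop")
FLAGS_POLICY = [ACK_SYN, SYN_ONLY]

# Constructed sample packets arriving on port1.0.10 (not captured traffic).
SAMPLE_PACKETS = {
    "SYN (new session entering the port)":   frozenset({"SYN"}),
    "SYN+ACK (reply entering the port)":     frozenset({"SYN", "ACK"}),
    "ACK (handshake complete)":              frozenset({"ACK"}),
    "PSH+ACK (data segment)":                frozenset({"PSH", "ACK"}),
}

if __name__ == "__main__":
    for label, flags in SAMPLE_PACKETS.items():
        print(f"{label:40} -> {classify(FLAGS_POLICY, flags)}")
    # With the classes reversed, the SYN+ACK reply would hit syn-flags and be
    # dropped as well, which is why step 4 adds ack-syn-flags first.
    print("reversed order, SYN+ACK ->",
          classify(list(reversed(FLAGS_POLICY)), frozenset({"SYN", "ACK"})))
```

Only the bare SYN is dropped under the ordered policy; the reversed-order line shows the reply being caught by the drop class instead.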