Examples

Blocking TCP sessions in one direction

This example uses two QoS class-maps.

Administrators often want to block the establishment of TCP sessions in one direction, but allow TCP sessions to be established in the opposite direction. To do this, it is necessary to block the very first packet of an outgoing TCP session from being forwarded, but to allow any packets that reply to the initiation of an incoming TCP session to be forwarded.

The very first packet of a TCP session has the SYN flag set, and no other flags. The reply to that packet has the SYN and ACK flags set, and no other flags. So, to block TCP sessions from being established in one direction, but not the other direction, we must block packets that have only the SYN flag set, but allow packets that have both the SYN and ACK flags set.

To configure this on port 1.0.10:

1. Create an ACL with an action of deny. This ACL will only be used to set the action taken on packets with only the SYN flag set, not to select the traffic, so it needs to match all TCP traffic. To do this, enter global configuration mode and use the command:

awplus(config)#access-list 3000 deny tcp any any

2. Create a class-map that matches on packets that have both the SYN and ACK flags set. To do this, use the commands:

awplus(config)#class-map ack-syn-flags

awplus(config-cmap)#match tcp-flags ack syn

You want to permit this traffic, so you do not need to make an ACL to specify an action.

3. Create a second class-map that matches on packets that have only the SYN flag set. Use the ACL to give this class-map an action of drop. To do this, use the commands:

awplus(config-cmap)#class-map syn-flags

awplus(config-cmap)#match tcp-flags syn

awplus(config-cmap)#match access-group 3000

4. Create a policy-map and add both class-maps to it. Add the class-map that matches both flags first, followed by the class-map that drops packets with only the SYN flag. The order matters because a packet is handled by the first class-map it matches: a SYN+ACK packet also has the SYN flag set, so placing ack-syn-flags first ensures that replies to incoming sessions are permitted before syn-flags can drop them. To do this, use the commands:

awplus(config-cmap)#policy-map flags

awplus(config-pmap)#class ack-syn-flags

awplus(config-pmap-c)#class syn-flags

5. Apply the policy-map to port 1.0.10. To do this, use the commands:

awplus(config-pmap-c)#interface port1.0.10

awplus(config-if)#service-policy input flags
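The following Python script is an added example, not part of the How To Note and not Allied Telesis code. It models the classification the five steps above produce, so that the effect of the class-map order in step 4 can be seen on sample packets without a switch. The names ClassMap, apply_policy, session_established and classify are assumptions introduced for this illustration, as is the flag semantics the model relies on: it assumes, as the ordering instruction in step 4 implies, that "match tcp-flags" matches when every listed flag is set (other flags are not examined) and that the first matching class in a policy-map decides the action. The sample packets are constructed inline.

```python
# Added example (not from the AlliedWare Plus How To Note): a model of the
# first-match behaviour that step 4's ordering relies on. The class names,
# flag-matching semantics and helper functions are assumptions for illustration.

from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header flags byte (RFC 793 / RFC 9293).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


@dataclass(frozen=True)
class ClassMap:
    """One QoS class-map: 'match tcp-flags <flags>' plus an optional deny ACL."""
    name: str
    required: int            # every bit here must be set for the class to match
    action: str = "permit"   # 'deny' only when a deny ACL is attached via match access-group

    def matches(self, flags: int) -> bool:
        # Assumption: flags not listed are ignored, so a SYN+ACK packet also
        # satisfies 'match tcp-flags syn'. That is why class order matters.
        return flags & self.required == self.required


def apply_policy(policy: list, flags: int) -> str:
    """Return the action of the first class-map that matches, 'permit' if none does."""
    for cmap in policy:
        if cmap.matches(flags):
            return cmap.action
    return "permit"   # traffic matching no class is forwarded unchanged


def flag_names(flags: int) -> str:
    """Render a flags byte as e.g. 'SYN+ACK' for readable output."""
    return "+".join(n for bit, n in _NAMES.items() if flags & bit) or "none"


# The two class-maps from the example, in the order step 4 prescribes.
ACK_SYN_FLAGS = ClassMap("ack-syn-flags", ACK | SYN)        # no ACL attached -> permit
SYN_FLAGS = ClassMap("syn-flags", SYN, action="deny")      # access-list 3000 deny tcp any any
POLICY_FLAGS = [ACK_SYN_FLAGS, SYN_FLAGS]
REVERSED_POLICY = [SYN_FLAGS, ACK_SYN_FLAGS]                # the wrong order, for comparison


def session_established(policy: list, initiated_on_port: bool) -> bool:
    """Model a three-way handshake crossing port1.0.10 under 'service-policy input'.

    Only packets entering the switch on port1.0.10 are classified; packets
    leaving through it are not. The host behind port1.0.10 therefore has its
    own SYN inspected, while a remote host's SYN reaches it uninspected.
    """
    if initiated_on_port:
        return apply_policy(policy, SYN) == "permit"         # local SYN is inspected
    # Remote SYN egresses uninspected; the local SYN+ACK reply is inspected;
    # the remote host's final ACK egresses uninspected again.
    return apply_policy(policy, SYN | ACK) == "permit"


def classify(policy: list, packets: list) -> dict:
    """Map a readable flag string to the action the policy takes on that packet."""
    return {flag_names(f): apply_policy(policy, f) for f in packets}


if __name__ == "__main__":
    # Constructed sample of packets entering port1.0.10.
    sample = [SYN, SYN | ACK, ACK, PSH | ACK, FIN | ACK, RST]
    for label, policy in (("correct order", POLICY_FLAGS), ("reversed order", REVERSED_POLICY)):
        print(label)
        for flags, action in classify(policy, sample).items():
            print(f"  {flags:<8} -> {action}")
        print(f"  session started by the host on port1.0.10: {session_established(policy, True)}")
        print(f"  session started by a remote host:          {session_established(policy, False)}")
```

Running it shows the asymmetry the page describes: with the prescribed order the host behind port1.0.10 cannot open a session (its SYN is dropped) but can answer one (its SYN+ACK is permitted), whereas with the classes reversed the SYN+ACK reply is also dropped and incoming sessions fail too. The model also makes a limitation visible: the match is on flags alone, not on connection state, so a packet entering port1.0.10 with ACK or SYN+ACK set and no preceding handshake is still forwarded. The policy prevents sessions from being established from that side; it does not stop individual non-SYN packets from crossing.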

Page 17 AlliedWare Plus™ OS How To Note


X900-12XT/S, x908 specifications

The Allied Telesis x908 and the SwitchBlade x900 series of network switches are cutting-edge solutions designed to address the demands of modern networking environments. These switches are known for their high performance, reliability, and robust feature sets, making them ideal for enterprise and service provider networks.

The Allied Telesis x908 series consists of modular and chassis-based systems that can accommodate a variety of network configurations. One of the main features of the x908 series is its ability to offer high scalability with support for a large number of ports. This makes it suitable for data centers and large enterprise networks where space and bandwidth optimization are critical.

In addition to scalability, the x908 series supports advanced Layer 2 and Layer 3 switching capabilities. This allows for efficient traffic management and routing, ensuring that data is delivered swiftly and reliably. The x908 also incorporates intelligent features such as Quality of Service (QoS), which prioritizes critical network traffic, ensuring that time-sensitive data—like voice and video—maintains its quality during transmission.

The SwitchBlade x900 series takes this functionality further with its innovative modular architecture. This allows organizations to configure their networks to meet specific needs by choosing from a variety of interface cards and service modules. The SwitchBlade x900 also supports advanced security features such as Access Control Lists (ACLs) and VLAN segmentation, which provide enhanced protection against unauthorized access and network threats.

Another hallmark of the x908 and SwitchBlade series is their support for high-speed Ethernet technologies, including 10G and 40G Ethernet. This enables organizations to keep pace with the increasing bandwidth demands of applications and services, particularly in cloud computing and data-intensive workloads.

Both the x908 and the SwitchBlade x900 series are designed with energy efficiency in mind, featuring power-saving technologies that reduce overall operational costs. With Allied Telesis' management tools providing detailed analytics and monitoring, network administrators can optimize performance and energy consumption at the same time.

In summary, the Allied Telesis x908 and SwitchBlade x900 series offer a comprehensive suite of features, high performance, scalability, and advanced networking technologies. They represent a strategic investment for organizations looking to build resilient, efficient, and future-proof network infrastructures.