Intel 480T Switch User Manual


 
Intel® NetStructure 480T Routing Switch User Guide
Step 3 - Permit-Established Access List
When a TCP session begins, the two hosts perform a three-way handshake: a SYN packet, a SYN/ACK packet and an ACK packet, in that order. Figure 17.3 illustrates the handshake that occurs when Host A initiates a TCP session to Host B. Only after this sequence completes can data be passed.
Figure 17.3: Host A initiates a TCP session to Host B
An access list that uses the permit-established keyword filters the SYN packet in one direction: it drops the SYN, the first packet of the handshake, when that packet is sent in the filtered direction. Because the handshake cannot complete, no session can be opened that way, while the SYN/ACK and ACK packets of a session opened from the other direction still pass.
Use the permit-established keyword to allow only Host A to establish a TCP session to Host B and to prevent any TCP session from being initiated by Host B, as illustrated in Figure 17.3. Pay close attention to the destination and source address in the rule and to the effect you want: the rule filters SYN packets sent toward the destination address and port it names, so reversing the addresses reverses which host may open sessions. The syntax for this access list is:

create access-list <mylist> tcp destination <ipaddress> ip-port <portnumber> source <ipaddress> ip-port any permit-established ports <portnumber> precedence 8
The exact command line entry for this example is:

create access-list telnet-allow tcp destination 10.10.10.100/32 ip-port 23 source any ip-port any permit-established ports any precedence 8

This rule has a higher precedence than the rule tcp2. The destination ip-port is 23, the well-known Telnet port, and the rule matches packets from every source address; a rule written for a different destination port would leave Telnet sessions unfiltered.
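The following is an added example and is not code from the Intel manual: a small Python model of how the telnet-allow rule above decides each packet of the handshake in Figure 17.3. It assumes the rule semantics stated in its comments (a lower precedence number is evaluated first and the first matching rule decides; a permit-established rule passes a matching packet only when its ACK or RST flag is set, so a bare SYN that matches is dropped). The client port 40001 and the packets themselves are constructed for the example, and the rule parser understands only the keywords shown in the manual's syntax block.

```python
"""Model of an access list with the permit-established keyword.

Added example, not the switch's own code. Assumptions not stated on the page:
  * a lower precedence number is evaluated first; the first matching rule decides;
  * a packet is "established" if its TCP ACK or RST flag is set, so the initial
    SYN of the three-way handshake is the only handshake packet such a rule drops.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# TCP flag bits (RFC 793 header layout).
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Rule:
    name: str
    dst: str        # "any" or a CIDR such as 10.10.10.100/32
    dport: str      # "any" or a port number as a string
    src: str
    sport: str
    action: str     # "permit", "deny" or "permit-established"
    precedence: int

    def matches(self, p: Packet) -> bool:
        """Layer-3/4 match only; TCP flags are checked in evaluate()."""
        return (_addr_ok(self.dst, p.dst) and _port_ok(self.dport, p.dport)
                and _addr_ok(self.src, p.src) and _port_ok(self.sport, p.sport))


def _addr_ok(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def _port_ok(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def parse_rule(cmd: str) -> Rule:
    """Parse the manual's `create access-list <name> tcp ...` command form.

    The `ports` clause (switch ingress ports) is parsed but not modelled.
    """
    t = cmd.split()
    if t[:2] != ["create", "access-list"] or t[3] != "tcp":
        raise ValueError("expected: create access-list <name> tcp ...")
    fields = {}
    i = 4
    while i < len(t):
        kw = t[i]
        if kw in ("destination", "source"):
            if t[i + 2] != "ip-port":
                raise ValueError(f"{kw} must be followed by ip-port")
            fields[kw], fields[kw + "-port"] = t[i + 1], t[i + 3]
            i += 4
        elif kw in ("permit", "deny", "permit-established"):
            fields["action"] = kw
            i += 1
        elif kw in ("ports", "precedence"):
            fields[kw] = t[i + 1]
            i += 2
        else:
            raise ValueError(f"unknown keyword {kw!r}")
    return Rule(t[2], fields["destination"], fields["destination-port"],
                fields["source"], fields["source-port"],
                fields["action"], int(fields["precedence"]))


def evaluate(rules, p: Packet):
    """Return (decision, rule_name) for the first matching rule by precedence.

    A permit-established rule permits a matching packet only if ACK or RST is
    set; a matching bare SYN is denied, which is how the rule filters the first
    packet of the handshake in one direction. With no match the decision is
    left to lower-precedence rules or the switch default.
    """
    for r in sorted(rules, key=lambda r: r.precedence):
        if not r.matches(p):
            continue
        if r.action == "permit-established":
            return ("permit" if p.flags & (ACK | RST) else "deny"), r.name
        return r.action, r.name
    return "no-match", None


TELNET_ALLOW = parse_rule(
    "create access-list telnet-allow tcp destination 10.10.10.100/32 ip-port 23 "
    "source any ip-port any permit-established ports any precedence 8")

# Constructed packets: a Telnet handshake from 10.10.20.100 to 10.10.10.100:23
# (addresses as in Figure 17.3; the client port 40001 is made up).
HANDSHAKE = [
    ("SYN",     Packet("10.10.20.100", 40001, "10.10.10.100", 23, SYN)),
    ("SYN/ACK", Packet("10.10.10.100", 23, "10.10.20.100", 40001, SYN | ACK)),
    ("ACK",     Packet("10.10.20.100", 40001, "10.10.10.100", 23, ACK)),
]


def handshake_decisions(rules=(TELNET_ALLOW,)):
    """Decision of the rule set for each handshake packet, keyed by its label."""
    return {label: evaluate(list(rules), p)[0] for label, p in HANDSHAKE}


if __name__ == "__main__":
    for label, decision in handshake_decisions().items():
        print(f"{label:8s} -> {decision}")
```

With the rule as printed, the only handshake packet it drops is the SYN addressed to 10.10.10.100:23; a packet toward that socket that already carries ACK (or RST) is permitted, and packets in the opposite direction are not matched by this rule at all and are decided by the lower-precedence rules in the set, such as tcp2. Which host can therefore open a Telnet session depends entirely on which address appears as the destination, which is why the source and destination fields deserve a second look before the rule is applied.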
Figure 17.3 (diagram): Host A sends SYN to Host B, Host B replies with SYN/ACK, and Host A completes the handshake with ACK. Host addresses shown in the figure: 10.10.20.100 and 10.10.10.100.