DES-7200 Configuration Guide    Chapter 1 Access Control List Configuration    1-27
1.12.1.2 Topology View
As shown in the above figure, two networks are connected through a layer 3 switch.
Network A connects to the G3/1 port of the switch and network B connects to the G3/2
port of the switch.
1.12.1.3 Analysis
By filtering the TCP connection request packets originated by network B on the G3/2
port of the switch, you can block TCP connection requests from hosts in network B
to network A. According to the analysis of a TCP connection, the initial TCP request
packet has the SYN flag in the TCP header set to 1 and the ACK flag set to 0.
Therefore, to enable network A to access network B in one direction only, configure
the match-all option of the extended ACL to match TCP packets with SYN set to 1 and
ACK set to 0 on the inbound direction of the G3/2 port.
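As an added illustration that is not part of the guide, the following Python model replays a TCP three-way handshake through the ACL described here, bound inbound on G3/2 as in the configuration steps that follow. The network addresses are constructed, and treating `match-all SYN` as matching only SYN=1/ACK=0 segments is an assumption that should be verified on the switch.

```python
import ipaddress
from dataclasses import dataclass

# TCP flag bits in the flags byte of the TCP header (RFC 9293)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Constructed addressing: network A (10.1.1.0/24) sits behind G3/1,
# network B behind G3/2; only B's prefix is needed to model the G3/2 filter.
NET_B = ipaddress.ip_network("10.2.2.0/24")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    flags: int = 0  # TCP flags byte; ignored for non-TCP

def is_connection_request(p: Packet) -> bool:
    """Initial handshake segment as the Analysis describes it: SYN=1, ACK=0."""
    return p.proto == "tcp" and bool(p.flags & SYN) and not (p.flags & ACK)

def acl_101(p: Packet, syn_bit_only: bool = False) -> str:
    """ACL 101 with first-match semantics: 'deny tcp any any match-all SYN'
    then 'permit ip any any'. Assumption: the deny matches SYN=1/ACK=0 only.
    syn_bit_only=True models a deny that hits every segment with SYN set."""
    if syn_bit_only:
        denied = p.proto == "tcp" and bool(p.flags & SYN)
    else:
        denied = is_connection_request(p)
    return "deny" if denied else "permit"

def switch_verdict(p: Packet, syn_bit_only: bool = False) -> str:
    """ACL 101 is bound inbound on G3/2, so only packets sourced from
    network B are evaluated; traffic entering on G3/1 is forwarded as-is."""
    if ipaddress.ip_address(p.src) in NET_B:
        return acl_101(p, syn_bit_only)
    return "permit"

def handshake_completes(client: str, server: str, syn_bit_only: bool = False) -> bool:
    """Replay the three-way handshake through the switch; True if all
    three segments are forwarded."""
    segments = (
        Packet(client, server, "tcp", SYN),        # client -> server: SYN
        Packet(server, client, "tcp", SYN | ACK),  # server -> client: SYN+ACK
        Packet(client, server, "tcp", ACK),        # client -> server: ACK
    )
    return all(switch_verdict(s, syn_bit_only) == "permit" for s in segments)
```

The `syn_bit_only` variant shows why the assumption matters: a deny that matched every segment carrying the SYN bit would also drop network B's SYN+ACK replies and break the permitted A-to-B direction.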
1.12.1.4 Configuration Steps
1) Define an Access Control List (ACL)
# Enter the configuration mode of the switch
DES-7200# configure terminal
# Create the extended ACL101 in the configuration mode
DES-7200(config)# ip access-list extended 101
# Deny the packets whose SYN is 1 and permit other packets whose SYN is 0 (including ACK)
DES-7200(config-ext-nacl)# deny tcp any any match-all SYN
# Permit other IP packets
DES-7200(config-ext-nacl)# permit ip any any
2) Apply the ACL at the interface
# Exit ACL mode
DES-7200(config-ext-nacl)# exit
DES-7200(config)# interface vlan 1
DES-7200(config-if)# ip address 1.1.1.1 255.255.255.0