What is the established flag on Aruba 2920 & 2930

  • 1.  What is the established flag on Aruba 2920 & 2930

    Posted Oct 21, 2021 02:31 PM
    I have been writing classes for the 2920 and 2930 switches. I'd like to be able to allow devices to respond to a TCP connection but not initiate one. What is the established flag? There isn't actually an established flag, so what does it do?

    match tcp 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255 established


    I can do something to match the SYN flag and drop it, then allow all other IP, but that uses more resources and the 2920 is pretty resource constrained. If I could do what I want in one rule, I'd prefer it.


    ------------------------------
    Chris Ross
    ------------------------------


  • 2.  RE: What is the established flag on Aruba 2920 & 2930

    EMPLOYEE
    Posted Oct 22, 2021 07:54 AM
    Hello

    You can find information about the established option in the Aruba Access Security Guide.

    https://www.hpe.com/psnow/doc/a00102227en_us
    page 344

    [established]
    This option applies only where TCP is the configured protocol type. It blocks the synchronizing packet associated with establishing a TCP connection in one direction on a VLAN while allowing all other IPv4 traffic for the same type of connection in the opposite direction. For example, a Telnet connect requires TCP traffic to move both ways between a host and the target device. Simply applying a deny to inbound Telnet traffic on a VLAN would prevent Telnet sessions in either direction because responses to outbound requests would be blocked. However, by using the established option, inbound Telnet traffic arriving in response to outbound Telnet requests would be permitted, but inbound Telnet traffic trying to establish a connection would be denied.

    There isn't a flag called "established" in the TCP header. As far as I know, this rule will be matching TCP packets which have the ACK or the RST flag set.

    ------------------------------
    Emil Gogushev
    ------------------------------
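A small evaluator for the ACE semantics described in the reply above, written as an added example (not Aruba's code or the switch's implementation): it treats `established` as matching only packets with ACK or RST set, parses the address/wildcard-mask syntax from the question, and walks the packets of a TCP handshake through a two-entry inbound ACL that permits replies into 10.0.0.0/8 but blocks new connections into it. Entries are written in permit/deny ACE form, and the hosts 192.0.2.10 and 10.1.1.5 are constructed.

```python
import ipaddress

# TCP header flag bits (RFC 793)
SYN, RST, ACK = 0x02, 0x04, 0x10
MASK32 = 0xFFFFFFFF


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


class Ace:
    """One entry in 'permit|deny tcp SA SA-wildcard DA DA-wildcard [established]' form."""

    def __init__(self, line: str):
        tok = line.split()
        if len(tok) < 6 or tok[0] not in ("permit", "deny") or tok[1] != "tcp":
            raise ValueError("expected: permit|deny tcp SA wildcard DA wildcard [established]")
        self.action = tok[0]
        self.src, self.src_wild = _ip(tok[2]), _ip(tok[3])
        self.dst, self.dst_wild = _ip(tok[4]), _ip(tok[5])
        self.established = "established" in tok[6:]

    @staticmethod
    def _in(addr: int, base: int, wild: int) -> bool:
        # Wildcard-mask semantics: 1 bits are "don't care", so only the 0 bits are compared.
        care = ~wild & MASK32
        return (addr & care) == (base & care)

    def matches(self, src: str, dst: str, flags: int) -> bool:
        if not (self._in(_ip(src), self.src, self.src_wild) and self._in(_ip(dst), self.dst, self.dst_wild)):
            return False
        # 'established' is not a TCP flag: per the reply it matches packets carrying ACK or RST,
        # so a bare SYN (a connection being opened) never matches an established entry.
        return not self.established or bool(flags & (ACK | RST))


def evaluate(acl, src: str, dst: str, flags: int, implicit: str = "deny") -> str:
    """First-match evaluation with the implicit deny a switch ACL applies at the end."""
    return next((ace.action for ace in acl if ace.matches(src, dst, flags)), implicit)


# Inbound ACL on the VLAN facing the outside: 10.0.0.0/8 hosts may receive
# answers to sessions they opened, but outside hosts may not open sessions to them.
INBOUND_ACL = [
    Ace("permit tcp 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255 established"),
    Ace("deny tcp 0.0.0.0 255.255.255.255 10.0.0.0 0.255.255.255"),
]


def handshake_demo() -> dict:
    """Constructed packets from outside host 192.0.2.10 toward inside host 10.1.1.5."""
    return {name: evaluate(INBOUND_ACL, "192.0.2.10", "10.1.1.5", flags)
            for name, flags in [("outside_opens_session", SYN), ("reply_to_inside_open", SYN | ACK),
                                ("data_ack", ACK), ("reset", RST)]}
```

Because the decision rests on flag bits in each packet rather than on tracked connection state, this is a stateless filter; it gives the one-rule behaviour the question asks for, not the guarantees of a stateful firewall.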