Accepted Solutions
Hi @kurtish99 ,
Before I start, you may find reading this post useful too.
OK Now start with a picture - with:
- Apply Both Directions set in the Contract Subject
- Reverse Filter Ports set in the Contract Subject
- Stateful flag set in the filter
SYN packets from EPG User can happily reach EPG Web on port 80, and because both Apply Both Directions and Reverse Filter Ports is set in the Contract, the TCP SYN/ACK can find its way back from EPG Web to EPG User.
BUT because the Stateful option is set in the filter, the TCP SYN/ACK would NOT be allowed back if the ACK flag was not set in the "reversed filters" direction
- <Rant>Of course, if the Reverse Filter Ports was NOT set, the TCP SYN/ACK would have to have a DST port of 80, which is JUST STUPID - why Cisco even allow this combination in the GUI befuddles me</Rant>
So - back to your question, what's the purpose of the stateful flag.
To check the functioning of the STATEFUL FLAG, you'd have to spoof a packet from the Provider to the Consumer with a SOURCE PORT of 80 - like this where an evil person who has already compromised the web server has found port 23 open on a consumer device:
The whole idea of the Stateful option is to FORCE traffic from the Provider to the Consumer to have the ACK flag set, thereby preventing the Provider from sending a SYN packet to initiate a connection.
You will also find @Sergiu.Daniluk's answer to this useful too.
And finally - if you want to explore the way filters/contracts work you may find the built-in contract_parser.py python script useful too - it needs to be run from a leaf switch.
Leafxxx# contract_parser.py --epg tn-<YOUR_TENANT>/ap-<YOUR_AP>/epg-<YOUR_EPG>
or even
Leafxxx# contract_parser.py --epg tn-<YOUR_TENANT>/ap-<YOUR_AP>/epg-<YOUR_EPG> --port 22
I hope this helps.
Hi @kurtish99 ,
Before I start, you may find reading this post useful too.
OK Now start with a picture - with:
- Apply Both Directions set in the Contract Subject
- Reverse Filter Ports set in the Contract Subject
- Stateful flag set in the filter
SYN packets from EPG User can happily reach EPG Web on port 80, and because both Apply Both Directions and Reverse Filter Ports is set in the Contract, the TCP SYN/ACK can find its way back from EPG Web to EPG User.
BUT because the Stateful option is set in the filter, the TCP SYN/ACK would NOT be allowed back if the ACK flag was not set in the "reversed filters" direction
- <Rant>Of course, if the Reverse Filter Ports was NOT set, the TCP SYN/ACK would have to have a DST port of 80, which is JUST STUPID - why Cisco even allow this combination in the GUI befuddles me</Rant>
So - back to your question, what's the purpose of the stateful flag.
To check the functioning of the STATEFUL FLAG, you'd have to spoof a packet from the Provider to the Consumer with a SOURCE PORT of 80 - like this where an evil person who has already compromised the web server has found port 23 open on a consumer device:
The whole idea of the Stateful option is to FORCE traffic from the Provider to the Consumer to have the ACK flag set, thereby preventing the Provider from sending a SYN packet to initiate a connection.
You will also find @Sergiu.Daniluk's answer to this useful too.
And finally - if you want to explore the way filters/contracts work you may find the built-in contract_parser.py python script useful too - it needs to be run from a leaf switch.
Leafxxx# contract_parser.py --epg tn-<YOUR_TENANT>/ap-<YOUR_AP>/epg-<YOUR_EPG>
or even
Leafxxx# contract_parser.py --epg tn-<YOUR_TENANT>/ap-<YOUR_AP>/epg-<YOUR_EPG> --port 22
I hope this helps.
