Reflexive access lists allow IP packets to be filtered based on upper-layer session information. You can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. This is accomplished by reflexive filtering, a kind of session filtering.
Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive access lists with numbered or standard named IP access lists or with other protocol access lists.
You can use reflexive access lists in conjunction with other standard access lists and static extended access lists.
They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router.
Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with other protocol ACLs.
(R1)-fa0/0----------fa0/0-(R2)-ser0/0.23---------Frame-Relay---------ser0/0.23-(R3)-fa0/0---------fa0/0-(R4)
(Hope you can understand the figure.)
R1 and R2 belong to company A. R3 and R4 belong to company B. R2 is the border router that connects these companies to each other. R2 should be configured so that it allows the return traffic for the following protocols:
R2 should allow the return HTTP traffic that is originated locally by R1. R2 should allow the return Telnet traffic that is originated locally by R1. R2 should allow OSPF traffic into the network.
On R2
R2(config)#ip access-list extended outbound
R2(config-ext-nacl)#permit tcp any any eq 80 reflect umesh
R2(config-ext-nacl)#permit tcp any any eq 23 reflect umesh
R2(config-ext-nacl)#permit ospf any any
R2(config-ext-nacl)#exit
R2(config)#ip access-list extended inbound
R2(config-ext-nacl)#permit ospf any any
R2(config-ext-nacl)#evaluate umesh
R2(config-ext-nacl)#exit
R2(config)#int ser0/0.23
R2(config-subif)#ip access-group inbound in
R2(config-subif)#ip access-group outbound out
R2(config-subif)#end
R2#
To test the configuration on R4:
R4#sh ip route
----------you will see OSPF routes-----------
R4#ping 1.1.1.1
You will see:
U.U.U (Unreachable).
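To show why R4's ping fails while R1's HTTP and Telnet replies get through, here is a small added model of the reflect/evaluate behaviour configured above (example code written for this page, not Cisco IOS code): the outbound ACL creates a temporary entry with source and destination swapped, the inbound ACL only matches packets that fit such an entry, and entries expire after the default 300-second timeout. The addresses 10.1.1.1 and 10.4.4.4 are constructed; only 1.1.1.1 comes from the post.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

class ReflexiveFilter:
    """Toy model of R2's ACLs: 'outbound' reflects TCP 80/23 into 'umesh',
    'inbound' permits OSPF and evaluates 'umesh'; the rest is implicitly denied."""

    def __init__(self, reflected_ports=(80, 23), timeout=300):
        self.reflected_ports = set(reflected_ports)
        self.timeout = timeout          # IOS default reflexive timeout is 300 s
        self.umesh = {}                 # mirrored 5-tuple -> creation time

    def outbound(self, pkt, now=0):
        if pkt.proto == "tcp" and pkt.dport in self.reflected_ports:
            # the temporary entry has src/dst and ports swapped, so only
            # the reply of this exact session can match it on the way back
            self.umesh[("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now
            return True
        return pkt.proto == "ospf"      # permit ospf any any; everything else denied

    def inbound(self, pkt, now=0):
        if pkt.proto == "ospf":         # permit ospf any any
            return True
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        created = self.umesh.get(key)   # evaluate umesh
        if created is None or now - created > self.timeout:
            self.umesh.pop(key, None)   # expired entries are removed
            return False
        return True

def demo():
    """Walks the post's test: R1 opens HTTP to R4, R4 replies, R4 pings 1.1.1.1."""
    f = ReflexiveFilter()
    r1, r4 = "10.1.1.1", "10.4.4.4"    # constructed addresses for R1 and R4
    return {
        "r1_http_out":   f.outbound(Packet("tcp", r1, r4, 40001, 80), now=0),
        "r4_http_reply": f.inbound(Packet("tcp", r4, r1, 80, 40001), now=10),
        "r4_new_http":   f.inbound(Packet("tcp", r4, r1, 50000, 80), now=10),
        "r4_ping":       f.inbound(Packet("icmp", r4, "1.1.1.1"), now=10),
        "ospf_in":       f.inbound(Packet("ospf", r4, "224.0.0.5"), now=10),
        "late_reply":    f.inbound(Packet("tcp", r4, r1, 80, 40001), now=400),
    }
```

The `r4_ping` entry is the U.U.U result from the post: no reflexive entry exists for ICMP from R4, so the inbound ACL drops it.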