
What is a reflexive access list, and why is it useful?

Question added by Mohammed Kazzaz, Systems & Networks Engineer, Ibn-Khaldun Co.
Publication date: 2013/11/23
by Mostafa Abdo, Senior Infrastructure and Security Architect, Devoteam

Reflexive access lists allow IP packets to be filtered based on upper-layer session information. You can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. This is accomplished by reflexive filtering, a kind of session filtering.

Reflexive access lists can be defined with extended named IP access lists only. You cannot define reflexive access lists with numbered or standard named IP access lists or with other protocol access lists.

You can use reflexive access lists in conjunction with other standard access lists and static extended access lists.

by Umesh Ashu, Corporate Trainer, Koenig-Solutions

They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router.

Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with other protocol ACLs.

(R1)-fa0/0----------fa0/0-(R2)-ser0/0.23---------Frame-Relay---------ser0/0.23-(R3)-fa0/0---------fa0/0-(R4)
(Hope you can understand the figure)

R1 and R2 belong to company A. R3 and R4 belong to company B. R2 is the border router that connects these companies to each other. R2 should be configured so that it allows the return traffic for the following protocols:

R2 should allow the return HTTP traffic for sessions originated locally by R1.
R2 should allow the return Telnet traffic for sessions originated locally by R1.
R2 should allow OSPF traffic into the network.

On R2

R2(config)# ip access-list extended outbound
R2(config-ext-nacl)# permit tcp any any eq 80 reflect umesh
R2(config-ext-nacl)# permit tcp any any eq 23 reflect umesh
R2(config-ext-nacl)# permit ospf any any
R2(config-ext-nacl)# exit

R2(config)# ip access-list extended inbound
R2(config-ext-nacl)# permit ospf any any
R2(config-ext-nacl)# evaluate umesh
R2(config-ext-nacl)# exit

R2(config)# int ser0/0.23
R2(config-subif)# ip access-group inbound in
R2(config-subif)# ip access-group outbound out
R2(config-subif)# end
R2#

To test the configuration, on R4:

R4# sh ip route
(you will see OSPF routes)

R4# ping 1.1.1.1
(you will see U.U.U, i.e. unreachable)
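As an added example (not code from either answer above, and not a Cisco tool), the following Python model reproduces the session-filtering behaviour both answers describe, using the two ACLs from Umesh Ashu's R2 scenario: an outbound `permit ... reflect` creates a temporary entry with source and destination mirrored, `evaluate` consults that entry for the inbound direction, and the entry disappears after the idle timeout or when the TCP session closes. The addresses 10.1.1.1 (R1) and 10.4.4.4 (R4), the 300 second idle timeout (the IOS default for `ip reflexive-list timeout`) and all packets are assumptions or constructed input. Two simplifications versus real IOS are noted in the code: ICMP is mirrored on addresses only, and a TCP entry is dropped on the first FIN or RST rather than a few seconds after the FIN exchange.

```python
"""Model of Cisco IOS reflexive ACL (session filtering) semantics.

Added example, not code from the original post. Addresses, ACL names and
the 300 s idle timeout are assumptions; every packet is constructed input.
Simplifications versus IOS: ICMP is matched on addresses only (IOS also
mirrors type/code), and a TCP entry is removed on the first FIN or RST.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                        # "tcp", "udp", "icmp", "ospf"
    src: str
    dst: str
    sport: int = 0                    # 0 for protocols without ports
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags, e.g. {"FIN"} or {"RST"}


@dataclass
class Entry:
    """One ACE. `reflect` names the reflexive list this ACE populates;
    `evaluate` consults that reflexive list instead of matching fields."""
    action: str = "permit"
    proto: str = "ip"
    dport: Optional[int] = None
    reflect: Optional[str] = None
    evaluate: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        return self.dport is None or self.dport == p.dport


class ReflexiveFilter:
    """Named extended ACLs plus the temporary reflexive entries they create."""

    def __init__(self, timeout: int = 300):
        self.acls: dict[str, list[Entry]] = {}
        # reflexive list name -> {mirrored 5-tuple: expiry time}
        self.reflexive: dict[str, dict[tuple, int]] = {}
        self.timeout = timeout

    def apply(self, acl: str, p: Packet, now: int) -> bool:
        """True if ACL `acl` permits packet `p` at time `now`. ACEs are
        tried in order; a packet matching none hits the implicit deny."""
        for ace in self.acls.get(acl, []):
            if ace.evaluate is not None:
                if self._evaluate(ace.evaluate, p, now):
                    return True
                continue                          # no session: next ACE
            if ace.matches(p):
                if ace.action == "permit" and ace.reflect is not None:
                    # Mirror the 5-tuple so only the reply direction is opened.
                    key = (p.proto, p.dst, p.src, p.dport, p.sport)
                    self.reflexive.setdefault(ace.reflect, {})[key] = now + self.timeout
                return ace.action == "permit"
        return False

    def _evaluate(self, name: str, p: Packet, now: int) -> bool:
        table = self.reflexive.get(name, {})
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        expiry = table.get(key)
        if expiry is None or expiry < now:
            table.pop(key, None)                  # idle timeout: entry is gone
            return False
        if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
            table.pop(key, None)                  # session closed: drop entry
        else:
            table[key] = now + self.timeout       # traffic refreshes the timer
        return True


def build_r2(timeout: int = 300) -> ReflexiveFilter:
    """R2's two ACLs from the answer above, as this model represents them."""
    fw = ReflexiveFilter(timeout)
    fw.acls["outbound"] = [                       # applied "out" on ser0/0.23
        Entry("permit", "tcp", dport=80, reflect="umesh"),
        Entry("permit", "tcp", dport=23, reflect="umesh"),
        Entry("permit", "ospf"),
    ]
    fw.acls["inbound"] = [                        # applied "in" on ser0/0.23
        Entry("permit", "ospf"),
        Entry(evaluate="umesh"),
    ]
    return fw


def scenario() -> dict:
    fw = build_r2()
    r1, r4 = "10.1.1.1", "10.4.4.4"               # assumed addresses of R1, R4
    res = {}
    # HTTP from R1 to R4 leaves towards company B and is reflected.
    res["http_out"] = fw.apply("outbound", Packet("tcp", r1, r4, 40000, 80), now=0)
    # The reply is permitted only by the temporary entry.
    res["http_reply_in"] = fw.apply("inbound", Packet("tcp", r4, r1, 80, 40000), now=1)
    # OSPF is permitted statically in both directions.
    res["ospf_in"] = fw.apply("inbound", Packet("ospf", r4, "224.0.0.5"), now=1)
    # Unsolicited traffic from R4 has no session: denied (R4's ping shows U.U.U).
    res["ping_in"] = fw.apply("inbound", Packet("icmp", r4, r1), now=2)
    res["telnet_in"] = fw.apply("inbound", Packet("tcp", r4, r1, 50000, 23), now=2)
    # A FIN from R4 is still permitted, then the entry is removed.
    res["http_fin_in"] = fw.apply("inbound", Packet("tcp", r4, r1, 80, 40000, frozenset({"FIN"})), now=3)
    res["after_fin"] = fw.apply("inbound", Packet("tcp", r4, r1, 80, 40000), now=4)
    # A Telnet session that idles past the timeout loses its entry.
    res["telnet_out"] = fw.apply("outbound", Packet("tcp", r1, r4, 41000, 23), now=5)
    res["telnet_reply_late"] = fw.apply("inbound", Packet("tcp", r4, r1, 23, 41000), now=1000)
    return res


if __name__ == "__main__":
    for name, permitted in scenario().items():
        print(f"{name:18} {'permit' if permitted else 'deny'}")
```

Two points the model makes visible: ACE order matters, since `evaluate` only opens what the earlier `reflect` entries recorded and sits after the static OSPF permit; and the reflexive entry is keyed on the full mirrored 5-tuple, which is why reflexive ACLs cannot follow applications that negotiate a second connection on a different port (active-mode FTP is the documented case).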