Introduction
This document explains the concept of Reflexive access lists.
Prerequisites
Ensure that you meet these requirements before you attempt this configuration:
- A router running Cisco IOS
Network Diagram
Concept
Reflexive access lists allow you to dynamically open your filtering router so that reply packets are let back through in response to an outbound TCP connection or UDP session initiated from within your network. This mechanism reduces exposure to spoofing and denial-of-service attacks, since legitimate inbound flows are mostly replies to outbound traffic.
The idea of a reflexive ACL is to take a packet flow, extract its session information (i.e. source/destination IP addresses and ports) and create a dynamic entry in an access list that is applied in the opposite direction, permitting the "mirrored" flow. A named access list is required to implement traffic reflection.
Reflexive access lists work well with simple protocols such as HTTP and Telnet. However, complex protocols such as FTP open additional data channels, which cannot be properly intercepted by reflexive access lists.
Another important aspect to keep in mind is that reflexive ACLs scale poorly, since the router must open pinholes on a temporary basis and age them out, constantly keeping track of every new "session".
Router-originated traffic is also not subject to reflection, unless local policy routing is used to divert it to a loopback interface so that it re-enters the router as ingress traffic.
Configuration
Refer to the following example of a reflexive ACL.
In this example, TCP, UDP and ICMP traffic is permitted from the inside network to the outside network, and only the corresponding return traffic is allowed back in.
Internet router:
!!!! Outbound access-list, mirror all outbound sessions
ip access-list extended OUTBOUND
 permit tcp any any reflect MIRROR
 permit udp any any reflect MIRROR
 permit icmp any any reflect MIRROR
!!!! Ingress ACL, permit only the "returning" packets
ip access-list extended INBOUND
 evaluate MIRROR
Apply the ACLs to the interface:
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
 ip access-group INBOUND in
 ip access-group OUTBOUND out
 duplex auto
 speed auto
end
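To make the reflect/evaluate behaviour described in the Concept section and implemented by the OUTBOUND/INBOUND/MIRROR configuration above concrete, here is an added Python model of what the router does with the dynamic entries. It is not IOS code and not part of the original document. The addresses, ports, and the ReflexiveList, Packet and run_demo names are constructed for the illustration, and the model only simulates the global 300-second idle timeout (per-entry timeouts, TCP FIN/RST teardown and ICMP type/code matching are not modelled).

```python
# Added illustration of reflexive ACL behaviour (not IOS code, not from the
# original document): outbound sessions are mirrored into a dynamic list,
# inbound packets are permitted only if they match a live mirrored entry,
# and idle entries are aged out.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: sessions are keyed on the full 5-tuple. ICMP has no ports, so
# 0/0 is used as a simplification; real IOS reflects ICMP type/code instead.
SessionKey = Tuple[str, str, str, int, int]  # (proto, src, dst, sport, dport)


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


class ReflexiveList:
    """Dynamic entries created by 'reflect MIRROR' and checked by 'evaluate MIRROR'."""

    def __init__(self, timeout: int = 300) -> None:
        # 300 s is the IOS default global reflexive timeout (assumption: only
        # the global timeout is modelled, no per-entry 'timeout' keyword).
        self.timeout = timeout
        self.entries: Dict[SessionKey, int] = {}  # mirrored key -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        """Outbound packet matched a 'reflect' line: install the mirrored entry."""
        mirrored = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[mirrored] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        """Inbound packet reached 'evaluate': permit only if a live mirror exists."""
        self._age_out(now)
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key in self.entries:
            self.entries[key] = now + self.timeout  # activity refreshes the timer
            return True
        return False  # unsolicited inbound packet: falls through to implicit deny

    def active_entries(self, now: int) -> int:
        """Number of pinholes currently open (the state the router must track)."""
        self._age_out(now)
        return len(self.entries)

    def _age_out(self, now: int) -> None:
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}


def run_demo() -> List[Tuple[int, str, bool]]:
    """Replay a constructed packet sequence; returns (time, direction, permitted)."""
    mirror = ReflexiveList(timeout=300)
    inside, web, ftp = "10.0.0.5", "203.0.113.10", "203.0.113.20"  # constructed addresses
    events = [
        # ordinary HTTP session: outbound SYN, then the reply comes back in
        (0,   "out", Packet("tcp", inside, web, 40000, 80)),
        (1,   "in",  Packet("tcp", web, inside, 80, 40000)),
        # same server, but towards a client port that was never opened: denied
        (2,   "in",  Packet("tcp", web, inside, 80, 40001)),
        # unsolicited inbound SSH connection attempt: denied
        (5,   "in",  Packet("tcp", "198.51.100.7", inside, 12345, 22)),
        # active-mode FTP: the control channel is mirrored fine...
        (10,  "out", Packet("tcp", inside, ftp, 50000, 21)),
        (11,  "in",  Packet("tcp", ftp, inside, 21, 50000)),
        # ...but the server-initiated data channel (port 20 -> new client port) is not
        (12,  "in",  Packet("tcp", ftp, inside, 20, 50001)),
        # HTTP reply arriving after the 300 s idle timeout: the entry has aged out
        (400, "in",  Packet("tcp", web, inside, 80, 40000)),
    ]
    results: List[Tuple[int, str, bool]] = []
    for t, direction, pkt in events:
        if direction == "out":
            mirror.reflect(pkt, t)           # OUTBOUND: permit ... reflect MIRROR
            results.append((t, "out", True))
        else:
            results.append((t, "in", mirror.evaluate(pkt, t)))  # INBOUND: evaluate MIRROR
    return results


if __name__ == "__main__":
    for t, direction, ok in run_demo():
        print(f"t={t:4d}s {direction:3s} {'permit' if ok else 'deny'}")
```

The FTP events show the limitation noted in the Concept section: the control channel to port 21 is mirrored, but the server-initiated data channel from port 20 matches no mirrored entry and is dropped. The final event shows the ageing behaviour that makes this approach costly at scale, since every session needs its own timed entry.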
Verify
ROUTER1#show access-lists
Extended IP access list INBOUND
10 evaluate MIRROR
Reflexive IP access list MIRROR
Extended IP access list OUTBOUND
10 permit tcp any any reflect MIRROR
20 permit udp any any reflect MIRROR
30 permit icmp any any reflect MIRROR