Reflexive ACLs

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.

Reflexive ACLs provide a level of security against spoofing and certain denial of service (DoS) attacks.

Reflexive ACLs are harder to spoof because more criteria must match in the packet, for example source and destination addresses and port numbers, not just the acknowledgment (ACK) and reset (RST) bits.

The following configuration makes the router keep track of the traffic initiated from inside.

ip access-list extended OUTBOUND
 permit icmp any any
 permit tcp any any reflect myfw

In the next configuration we create the inbound policy. The router now checks incoming traffic to see whether it was initiated from inside by evaluating the reflexive ACL built by the OUTBOUND ACL, called myfw, from within the INBOUND ACL.

ip access-list extended INBOUND
 permit icmp any any
 evaluate myfw

Finally, both ACLs are applied to the outgoing interface: INBOUND for traffic entering it and OUTBOUND for traffic leaving it.

Router(config)#interface Ethernet0/1
Router(config-if)#ip address
Router(config-if)#ip access-group INBOUND in
Router(config-if)#ip access-group OUTBOUND out
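To make the behaviour of the OUTBOUND/INBOUND pair concrete, here is a small Python model of the router's decision logic. It is an added illustration written for this post, not Cisco IOS code or anything from the original blog: the Packet and ReflexiveFirewall names, the sample addresses and the 300-second entry timeout (assumed here to stand in for the reflexive-list timeout, which the post does not configure) are all constructed for the example. It shows why a reflected entry, which pins addresses and ports, is a stronger check than an "established" entry that only looks at the ACK/RST bits.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary: only the fields the ACLs look at."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK flag (all an "established" ACL checks)


def established_only(pkt: Packet) -> bool:
    """Model of a classic 'permit tcp any any established' entry."""
    return pkt.proto == "tcp" and pkt.ack


class ReflexiveFirewall:
    """Model of the OUTBOUND (reflect myfw) / INBOUND (evaluate myfw) pair.

    Reflected entries live in self.myfw, keyed on the mirrored 5-tuple.
    The timeout value is an assumption for this example.
    """

    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.myfw: dict[tuple, int] = {}   # mirrored 5-tuple -> expiry time

    def outbound(self, pkt: Packet, now: int) -> bool:
        # permit icmp any any
        if pkt.proto == "icmp":
            return True
        # permit tcp any any reflect myfw: permit, and create a temporary
        # entry with source/destination addresses and ports swapped so
        # only the matching reply is accepted inbound.
        if pkt.proto == "tcp":
            key = ("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.myfw[key] = now + self.timeout
            return True
        return False   # implicit deny

    def inbound(self, pkt: Packet, now: int) -> bool:
        # permit icmp any any
        if pkt.proto == "icmp":
            return True
        # evaluate myfw: accept only if a live reflected entry matches
        # protocol, both addresses and both ports.
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.myfw.get(key)
        if expiry is not None and now < expiry:
            self.myfw[key] = now + self.timeout   # traffic refreshes the entry
            return True
        if expiry is not None:
            del self.myfw[key]                    # expired entry is dropped
        return False   # implicit deny


def demo() -> dict[str, bool]:
    """Walk a session through the model; sample addresses are constructed."""
    fw = ReflexiveFirewall()
    out = Packet("tcp", "10.0.0.5", "203.0.113.10", 40000, 80)
    reply = Packet("tcp", "203.0.113.10", "10.0.0.5", 80, 40000, ack=True)
    spoof = Packet("tcp", "198.51.100.7", "10.0.0.5", 80, 40000, ack=True)
    return {
        "inside_initiates": fw.outbound(out, now=0),
        "genuine_reply": fw.inbound(reply, now=1),
        "spoofed_ack_reflexive": fw.inbound(spoof, now=2),
        "spoofed_ack_established": established_only(spoof),
        "reply_after_timeout": fw.inbound(reply, now=400),
        "unsolicited_udp": fw.inbound(Packet("udp", "203.0.113.10", "10.0.0.5", 53, 5353), now=3),
        "inbound_icmp": fw.inbound(Packet("icmp", "203.0.113.10", "10.0.0.5"), now=3),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'permit' if allowed else 'deny'}")
```

The spoofed packet carries the ACK bit and the right inside port, so an "established" entry would let it through, while the reflexive model rejects it because the source address does not match the reflected entry. The same genuine reply is also rejected once the entry has aged out, which is the behaviour to expect for long-idle sessions when the reflexive-list timeout is short.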

A Networker Blog
