Reflexive ACLs

Reflexive ACLs allow IP packets to be filtered based on upper-layer session information.

Reflexive ACLs provide a level of security against spoofing and certain denial of service (DoS) attacks.

Reflexive ACLs are harder to spoof because more criteria must match in the packet, for example source and destination addresses and port numbers, not just the acknowledgment (ACK) and reset (RST) bits.

The following configuration makes the router keep track of the traffic initiated from inside.

ip access-list extended OUTBOUND
permit icmp 1.1.1.0 0.0.0.255 12.16.0.0 0.0.0.255
permit tcp 1.1.1.0 0.0.0.255 12.16.0.0 0.0.0.255 reflect myfw

In the next configuration we create an inbound policy. The router will now check incoming traffic to see whether it was initiated from inside, by evaluating the reflexive part of the OUTBOUND ACL, called myfw, from within the INBOUND ACL.

ip access-list extended INBOUND
permit icmp 12.16.0.0 0.0.0.255 1.1.1.0 0.0.0.255
evaluate myfw

Finally, apply both the inbound and the outbound ACL to the outgoing interface.

Router(config)#interface Ethernet0/1
Router(config-if)#ip address 172.16.1.2 255.255.255.0
Router(config-if)#ip access-group INBOUND in
Router(config-if)#ip access-group OUTBOUND out
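To make the difference concrete, here is a small Python model of the two ACLs above. It is an added example, not IOS code and not from the original post; it assumes a simplified packet (protocol, addresses, ports, TCP flags) and compares the `evaluate myfw` check with the older `established`-style check that looks only at the ACK/RST bits.

```python
import ipaddress
from dataclasses import dataclass

INSIDE = ipaddress.ip_network("1.1.1.0/24")     # inside network used in the page's ACLs
OUTSIDE = ipaddress.ip_network("12.16.0.0/24")  # outside network used in the page's ACLs

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0        # ports stay 0 for icmp
    dport: int = 0
    flags: frozenset = frozenset()   # tcp flags such as {"ACK"}

def _in(addr, net):
    return ipaddress.ip_address(addr) in net

class ReflexiveFirewall:
    """Toy model of the OUTBOUND / INBOUND pair; self.myfw holds the reflected entries."""
    def __init__(self):
        self.myfw = set()

    def outbound(self, pkt):
        """OUTBOUND: permit icmp and tcp inside -> outside; each tcp session is reflected."""
        if not (_in(pkt.src, INSIDE) and _in(pkt.dst, OUTSIDE)):
            return False                     # implicit deny at the end of the ACL
        if pkt.proto == "tcp":
            # 'reflect myfw': temporary entry mirroring the session, addresses and ports swapped
            self.myfw.add(("tcp", pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return pkt.proto in ("tcp", "icmp")

    def inbound(self, pkt):
        """INBOUND: permit icmp outside -> inside, then 'evaluate myfw'."""
        if pkt.proto == "icmp" and _in(pkt.src, OUTSIDE) and _in(pkt.dst, INSIDE):
            return True
        # 'evaluate myfw': the packet must match a reflected entry exactly; TCP flags do not matter
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.myfw

def established_inbound(pkt):
    """Older 'established'-style check: any tcp packet carrying ACK or RST passes."""
    return pkt.proto == "tcp" and bool(pkt.flags & {"ACK", "RST"})

def demo():
    fw = ReflexiveFirewall()
    fw.outbound(Packet("tcp", "1.1.1.10", "12.16.0.5", 40000, 80, frozenset({"SYN"})))
    reply = Packet("tcp", "12.16.0.5", "1.1.1.10", 80, 40000, frozenset({"SYN", "ACK"}))
    # constructed unsolicited ACK from the same outside host towards a port nobody opened
    unsolicited = Packet("tcp", "12.16.0.5", "1.1.1.10", 80, 445, frozenset({"ACK"}))
    # (reply via reflexive, unsolicited via reflexive, unsolicited via established-style)
    return fw.inbound(reply), fw.inbound(unsolicited), established_inbound(unsolicited)
```

Running `demo()` returns `(True, False, True)`: the real reply is admitted by the reflected entry, the unsolicited ACK is dropped by it, yet the flag-only check would have let it through.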

A Networker Blog
