Configuring Reflexive Access Lists

20 Mar

To define a reflexive access list, you must create an entry in an extended named IP access list. This entry must use the reflect keyword and is nested inside another access list. To define reflexive access lists, follow these steps:

1. Use this command to define an extended named access list:

ip access-list extended name

If the reflexive access list is configured for an external interface, the extended named IP access list should be one that is applied to outbound traffic, and if the reflexive access list is configured for an internal interface, the extended named IP access list should be one that is applied to inbound traffic. This command moves you into access list configuration mode.

2. In access list configuration mode, use this configuration command to define the reflexive access list:

permit protocol any any reflect name [timeout timeout-seconds]

Repeat this entry once for each upper-layer protocol (tcp and udp in the listings that follow) that should be permitted; each packet matching the entry creates a temporary, mirrored entry in the reflexive access list.

3. Use the ip access-list extended name command to define another extended named access list. The name of this access list must be different from the name used in Step 1. If the access list created in Step 1 was for inbound packets, then the access list created in this step is for outbound packets. This command moves you into access list configuration mode.

4. Use permit statements to permit any traffic that should not be subjected to the reflexive access list, and then use the evaluate name command to create an entry that references the reflect statement created in Step 2. The name parameter given here must match the name parameter that followed the reflect keyword in Step 2.

5. Apply the extended named IP access list to the interface, using this command:

ip access-group name {in | out}

With the access lists configured earlier, this command was straightforward: one list in one direction. With reflexive access lists, the interface needs both an inbound and an outbound access list (one carrying the reflect entries, the other the evaluate entry), so the in and out options are each used once. This is explained further in the following paragraphs.

6. Optionally, use this command to change the default idle timeout for each temporary access list entry (the default idle timeout period is 300 seconds):

ip reflexive-list timeout seconds

A brief discussion is needed to clarify the preceding configuration steps. Reflexive access lists are normally configured on the external interface, which prevents IP traffic from entering the router and the internal network unless that traffic is part of a session already established from within the internal network. If the reflexive access list is not configured on the external interface, and the router has more than two interfaces, it will most likely be configured on an internal interface, which prevents IP traffic from entering that internal network unless the traffic is part of a session already established from within it.

If reflexive access lists are being configured and applied to an external interface, the extended named IP access list should be applied to outbound traffic. If reflexive access lists are being configured and applied to an internal interface, the extended named IP access list should be applied to inbound traffic. After the reflexive access list has been defined (Step 1), the access list must be “nested” within the second access list that is created in Step 4. If reflexive access lists are being configured and applied to an external interface, nest the reflexive access list within an extended named IP access list applied to inbound traffic. If reflexive access lists are being configured and applied to an internal interface, nest the reflexive access list within an extended named IP access list applied to outbound traffic.

Figure 7.9 displays a network in which reflexive access lists may be used. In this example, reflexive access lists are configured on the Ethernet0/0 interface of Router 2 for outbound traffic that is originated from the internal networks. The reflexive access list configuration of Router 2 is shown in Listing 7.25.

Figure 7.9: Reflexive access list network.
Listing 7.25: Reflexive access list configuration of Router 2.

hostname Router-2
!
ip reflexive-list timeout 100
!
interface Ethernet1/1
 ip address 192.168.20.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet1/0
 ip address 192.168.30.1 255.255.255.0
 no ip directed-broadcast
!
interface Ethernet0/0
 ip address 192.168.10.1 255.255.255.0
 ip access-group in-filter in
 ip access-group out-filter out
 no ip directed-broadcast
!
ip classless
ip route 192.168.40.0 255.255.255.0 192.168.10.2
ip route 192.168.50.0 255.255.255.0 192.168.10.2
!
!
ip access-list extended out-filter
 permit icmp any any
 evaluate protect
ip access-list extended in-filter
 permit icmp any any
 permit tcp any any reflect protect
 permit udp any any reflect protect
!

The configuration in Listing 7.26 defines two access lists, and each is applied to the Ethernet0/0 interface. The reflexive access list has been named “protect,” and before any packets move through the router, you can view the access lists with the show ip access-lists command. Using this command on Router 2 before any packet movement displays the output in Listing 7.27.

Listing 7.26: Display of the access lists defined on Router 2.

Router-2#show access-lists
Extended ip access list out-filter
    permit icmp any any (40008 matches)
    permit tcp any any reflect protect
    permit udp any any reflect protect
Extended ip access list in-filter
    permit icmp any any
    evaluate protect
Router-2#

Notice that no information regarding the reflexive access list is displayed in the output in Listing 7.27; no traffic has triggered it yet. Ping traffic is moving through the router, but ICMP is permitted explicitly by both lists and is not subjected to the reflexive access list filters. To trigger the reflexive access list, initiate a Telnet session from Router 2 to Router 1. After the Telnet session has started, issue the show access-lists command again to view the reflexive access list. Issuing the command on Router 2 displays the output in Listing 7.28.

Listing 7.27: Displaying the reflexive access list on Router 2.

Router-2#sh access-lists
Extended ip access list out-filter
    permit icmp any any (70006 matches)
    permit tcp any any reflect protect
    permit udp any any reflect protect
!
Extended ip access list in-filter
    permit icmp any any
    evaluate protect
!
Reflexive ip access list protect
    permit tcp host 192.168.20.1 eq 11003 host 192.168.50.1 eq telnet (49 matches) (time left 95)
    permit tcp host 192.168.30.1 eq 11002 host 192.168.40.1 eq telnet (49 matches) (time left 62)
    permit tcp host 192.168.30.2 eq 11001 host 192.168.40.1 eq telnet (69 matches) (time left 18)
Router-2#
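To make the reflect/evaluate mechanics behind the listing above concrete, here is a small Python model added to this page (it is not IOS code and not from the original text): a reflect hit stores the mirror image of the triggering packet, evaluate permits only packets that match a live entry and refreshes that entry's idle timer, and the idle timeout removes stale entries. The packets and timestamps are constructed to reproduce the first reflexive entry shown above, using the router's 100-second timeout.

```python
# Added example (not IOS code, not from the original text): a minimal model of
# 'reflect', 'evaluate' and the idle timeout of a Cisco reflexive access list.
PORT_NAMES = {23: "telnet"}  # only the service name the listing above uses


class ReflexiveAcl:
    def __init__(self, name, timeout=300):  # 300 s is the IOS default idle timeout
        self.name, self.timeout = name, timeout
        self.entries = {}  # mirrored (proto, src, sport, dst, dport) -> last hit time

    def reflect(self, proto, src, sport, dst, dport, now):
        # The temporary entry is the mirror image of the triggering packet.
        self.entries[(proto, dst, dport, src, sport)] = now

    def expire(self, now):
        for key in [k for k, t in self.entries.items() if now - t >= self.timeout]:
            del self.entries[key]

    def evaluate(self, proto, src, sport, dst, dport, now):
        # Permit only if a live mirrored entry matches; a hit refreshes the idle timer.
        self.expire(now)
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            return False
        self.entries[key] = now
        return True

    def show(self, now):
        # Render live entries the way 'show access-lists' prints them.
        self.expire(now)
        lines = []
        for (p, s, sp, d, dp), t in self.entries.items():
            lines.append(f"permit {p} host {s} eq {PORT_NAMES.get(sp, sp)} host {d} "
                         f"eq {PORT_NAMES.get(dp, dp)} (time left {self.timeout - int(now - t)})")
        return lines


def demo():
    # Constructed packets modelled on the listing above; timeout 100 as in the router config.
    acl = ReflexiveAcl("protect", timeout=100)
    # A packet matching 'permit tcp any any reflect protect' creates the mirrored entry.
    acl.reflect("tcp", "192.168.50.1", 23, "192.168.20.1", 11003, now=0)
    entry = acl.show(now=5)[0]
    # Traffic in the other direction passes 'evaluate protect' ...
    ok = acl.evaluate("tcp", "192.168.20.1", 11003, "192.168.50.1", 23, now=5)
    # ... a different connection to the same host does not ...
    stray = acl.evaluate("tcp", "192.168.20.1", 11004, "192.168.50.1", 23, now=5)
    # ... and after 100 idle seconds the entry has been removed.
    late = acl.evaluate("tcp", "192.168.20.1", 11003, "192.168.50.1", 23, now=106)
    return entry, ok, stray, late
```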

The configuration examined in this section so far has placed reflexive access lists on an internal interface. Configuring reflexive access lists on an external interface is just the opposite of the configuration in Listing 7.26. Figure 7.10 displays a network in which Router 2 should be configured with a reflexive access list placed on an external interface. Listing 7.28 displays Router 2’s configuration.

Figure 7.10: External reflexive access list.
Listing 7.28: External reflexive access list on Router 2.

hostname Router-2
!
ip reflexive-list timeout 100
!
interface Ethernet1
 ip address 192.168.20.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 192.168.10.1 255.255.255.0
 ip access-group in-filter in
 ip access-group out-filter out
 no ip directed-broadcast
!
ip classless
ip route 0.0.0.0 0.0.0.0 serial0
!
ip access-list extended in-filter
 permit icmp any any
 evaluate protect
ip access-list extended out-filter
 permit icmp any any
 permit tcp any any reflect protect
 permit udp any any reflect protect
!
