Reflexive Access List

An access-list by default doesn't record the sessions. The many permit and deny rules that make up an access list are read from top to bottom. No additional condition is met if any of the criteria are met, hence it is executed.

A reflexive Access-list serves as a stateful firewall for a very small workplace by only allowing traffic that is initiated within the network while blocking other packets coming from the outside.

Reflexive Access List -

Reflexive Access-list is an access-list that only accepts answers to packets from network sessions that have already been started (from the outside network).

Working of Reflexive Access List -

Reflexive Access-list are activated when a session begins inside the network and leaves the network through the router (operating reflexive Access-list). As a result, it makes a temporary entry for traffic that originates inside the network and only permits outside traffic that is necessary for the session (traffic generated within the network). When the session is over, this transient entry is deleted.

Characteristics Of Temporary Entry -

The source and destination addresses in the entry are identical to those in the outbound packet (the packet leaving the network), with the exception that they are switched when the packet is arriving from outside the network.
Even if they are switched when coming from outside the network, the entries should contain the same source and destination port numbers as the original outbound packet.
The entry ought to use the same outgoing packet's protocol.

Characteristics of Reflexive access-list -

The designated Extended Access-list should contain the Reflexive Access-list.
Direct application to an interface is not possible.
After a session starts, a temporary entry is created, and it is automatically deleted when the session is over.
The Access-list does not have an implied deny at the end.
Similar to a standard access list, if one of the conditions is met, no further entries are considered.
With numbered Access-list, reflexive Access-list cannot be defined.
Named or numbered standard Access-list cannot define reflexive Access-list.

Configuration -

There are two routers: router1 (IP address: 10.1.1.1/24 on fa0/0 and 11.1.1.1/24 on fa0/1), router2 (IP address: 11.1.1.2/24 on fa0/0 and 12.1.1.1/24 on fa0/1) and two PCs (IP addresses: 10.1.1.2/24" and 12.1.1.2/24," respectively). To enable pinging between PCs, we will first provide routes using EIGRP to all of the routers.

Configuring Eigrp on router1:

router1(config)#router Eigrp 100
router1(config-router)#network 10.1.1.0
router1(config-router)#network 11.1.1.0
router1(config-router)#No auto-summary

Configuring Eigrp on router2:

router2(config)#router Eigrp 100
router2(config-router)#network 11.1.1.0
router2(config-router)#network 12.1.1.0
router2(config-router)#No auto-summary

At this point, we'll permit IP, TCP, and UDP traffic from within the network (10.1.1.0 network) and assess traffic arriving from outside the network (12.1.1.0 and 11.1.1.0 network). Making an access list with the name "reflexive" for inside traffic leaving.

router1(config)#ip Access-list extended reflexive 
router1(config-ext-na)#permit ip any any reflect ip_database
router1(config-ext-nacl)#permit tcp any any reflect tcp_database
router1(config-ext-nacl)#permit udp any any reflect udp_database

Here, IP, TCP, and UDP communication is permitted, and they are designated as the ip database, tcp database, and udp database, respectively.

Reflexive is not a keyword in this context; it is the name of the Access-list. Apply this Access-list now to router1's int fa0/1's outbound so that traffic leaving the router will be permitted.

router1(config)#int fa0/1
router1(config-if)#ip access-group reflexive out

Apply an access list now for internal network traffic, also known as inbound traffic. Only that communication, which is started by the internal (10.1.1.0) network, should be allowed to enter.

router1(config)#ip access-list extended reflexive_in
router1(config-ext-nacl)#permit Eigrp any any
router1(config-ext-nacl)#evaluate tcp_database
router1(config-ext-nacl)#evaluate udp_database
router1(config-ext-nacl)#evaluate ip_database 

Since we have enabled Eigrp traffic here, the routers should be able to communicate with one another; otherwise, no traffic will be able to return to the ether network.

In order to allow traffic that has been started inside the network using TCP, UDP, or IP, we have evaluated the udp databse, ip database, and tcp database. Apply this now in the inside direction of interface fa0/1 so that the traffic coming in can be assessed.

router1(config)#int fa0/1
router1(config-if)#ip access-group reflexive_in in

The Access-list in this case is called reflexive in.

Benefits -

The reflexive Access-list has the following benefits:

Simple to implement
gives more control over traffic flowing from external networks.
offers protection from specific Dos assaults and spoofing.

The disadvantage

Some applications use dynamic ports, which increases the risk of failure since the source and destination ports need to be static for the reflexive Access-list.

Next TopicSynchronous Optical Network (SONET)

← prev next →