Reflexive ACLs are not applied directly to an interface but are "nested" in an extended named IP ACL that is applied to the interface.
Reflexive ACLs provide a truer form of session filtering than an extended ACL that uses the established parameter. Reflexive ACLs are much harder to spoof because more filter criteria must match before a packet is permitted through; for example, source and destination addresses and port numbers, not just acknowledgment (ACK) and reset (RST) bits, are checked. Figure 6-7 illustrates how the reflexive access list operates.
Figure 6-7 Reflexive Access Lists (figure not reproduced; labels: interface S0, "Inbound Traffic Initiated Outside", "Inbound Traffic Initiated Inside")
Access Control List Operation 217
Reflexive ACLs are an important part of securing your network against network hackers and can be included in a firewall defense. Reflexive ACLs provide a level of security against spoofing and certain denial of service (DoS) attacks. Reflexive ACLs are simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
Although the entire configuration for reflexive ACLs is outside the scope of this course, the following example shows the steps that are required to configure a reflexive ACL.
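To make the difference between the established keyword and a reflexive entry concrete, here is an added Python model (not code from the book or from Cisco IOS) of the two checks run over constructed traffic. The `established` check looks only at the ACK/RST bits, while the reflexive model mirrors the outbound session's addresses and ports into a temporary entry, as the text describes, and expires it after a timeout; the addresses, ports and timeout are assumed sample values.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False
    rst: bool = False


def established_permits(pkt: Packet) -> bool:
    """Model of 'permit tcp any any established': only the ACK or RST bit is inspected."""
    return pkt.ack or pkt.rst


class ReflexiveACL:
    """Model of a reflexive entry: an outbound 'reflect' creates a temporary mirrored entry;
    an inbound 'evaluate' permits only packets whose addresses and ports match that mirror."""

    def __init__(self, timeout: int = 300):
        self.timeout = timeout
        self.entries: dict[tuple, int] = {}  # mirrored 4-tuple -> expiry time (seconds)

    def reflect(self, pkt: Packet, now: int) -> None:
        # The mirrored entry swaps source and destination address/port of the outbound packet.
        self.entries[(pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)  # drop an expired entry, like the IOS timeout
            return False
        return True


def demo() -> dict:
    """Constructed scenario: an inside host opens an HTTP session, then two inbound packets arrive."""
    acl = ReflexiveACL(timeout=120)
    inside, outside = "10.1.1.5", "203.0.113.9"  # assumed sample addresses
    acl.reflect(Packet(inside, 40000, outside, 80), now=0)  # outbound SYN, reflected
    reply = Packet(outside, 80, inside, 40000, ack=True)  # genuine return traffic
    spoofed = Packet("198.51.100.7", 80, inside, 40000, ack=True)  # ACK set, no session
    return {
        "reply_established": established_permits(reply),
        "reply_reflexive": acl.evaluate(reply, now=5),
        "spoofed_established": established_permits(spoofed),  # passes: only ACK is checked
        "spoofed_reflexive": acl.evaluate(spoofed, now=5),  # blocked: no mirrored entry
        "reply_after_timeout": acl.evaluate(reply, now=200),  # blocked: entry expired
    }
```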