Reflexive ACLs have an important restriction: they can be used only in conjunction with an extended named IP ACL. They cannot be defined within a numbered or standard named IP ACL, or within any non-IP protocol ACL. Reflexive ACLs can, however, be used in combination with other standard and static extended ACLs on the same interface.
With the ACLs in Example 2-5, ICMP traffic is permitted statically in both directions, and TCP traffic originating from source 10.0.0.0/24 and going to destination 172.16.1.0/24 through the router is permitted outbound. The return traffic of those TCP sessions is permitted on the inbound path through a dynamic mechanism: the reflect keyword on the outbound entry creates temporary entries that the evaluate entry in the inbound ACL consults. In essence, the reflexive process permits only the return traffic of sessions that have been initiated from inside. All other traffic is denied by the implicit deny at the end of inbound_acl.
Example 2-5. Reflexive ACL Example
interface Ethernet0
ip address 172.16.1.2 255.255.255.0
ip access-group inbound_acl in
ip access-group outbound_acl out
!
ip access-list extended inbound_acl
permit icmp any any
evaluate tcp_reflect
!
ip access-list extended outbound_acl
permit icmp any any
permit tcp 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255 reflect tcp_reflect
The reflect tcp_reflect keyword on the outbound_acl entry creates temporary entries in the reflexive list named tcp_reflect, and the evaluate tcp_reflect entry in inbound_acl is the point at which those entries are checked. Each temporary entry mirrors a permitted outbound packet (source and destination addresses and ports swapped), so only the exact return flow is matched; a packet from the same outside host on a different port does not match. Entries are removed when the session is torn down or after the global idle timeout set with ip reflexive-list timeout (300 seconds by default), and the evaluate entry should sit after the static permits so that anything it does not match falls through to the implicit deny. Applications that change port numbers mid-session (for example active FTP) are not handled by reflexive ACLs, because the return flow no longer matches the mirrored entry.
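To make the decision logic traceable, the following toy packet filter models the behaviour of Example 2-5: static permits, the mirrored temporary entries that reflect creates, the evaluate lookup, the idle timeout and the implicit deny. This is an added illustration, not IOS code or anything from the book; the packets are constructed, the 300-second timeout is the IOS default assumed for ip reflexive-list timeout, and the Packet, ReflexiveList, ExtendedACL, net and run_scenario names are the example's own.

```python
"""Toy model of the reflexive ACL in Example 2-5 (added illustration, not IOS code)."""
import ipaddress
from dataclasses import dataclass, field

ANY = ipaddress.IPv4Network("0.0.0.0/0")


def net(address, wildcard):
    """Convert an IOS address/wildcard pair (10.0.0.0 0.0.0.255) to a network.

    Non-contiguous wildcard masks cannot be expressed as a prefix and raise ValueError.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((address, str(ipaddress.IPv4Address(mask))))


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": leaving via Ethernet0 (outbound_acl); "in": arriving on it (inbound_acl)
    proto: str       # "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    rst: bool = False  # TCP RST: the session is torn down and its entry removed


@dataclass
class ReflexiveList:
    """Temporary entries keyed on the 5-tuple of the expected return traffic."""
    name: str
    timeout: int = 300                            # assumed: IOS default idle timeout
    entries: dict = field(default_factory=dict)   # key -> expiry time

    def reflect(self, pkt, now):
        # Mirror the permitted outbound packet: return traffic has src/dst swapped.
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout

    def evaluate(self, pkt, now):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now > expiry:                 # idle timeout: the entry has aged out
            del self.entries[key]
            return False
        if pkt.rst:                      # teardown: permit this packet, drop the entry
            del self.entries[key]
        else:
            self.entries[key] = now + self.timeout   # matching traffic refreshes the idle timer
        return True


class ExtendedACL:
    """Named extended ACL: ordered permit entries plus optional evaluate; implicit deny at the end."""

    def __init__(self, name):
        self.name = name
        self.rules = []

    def permit(self, proto, src, dst, reflect=None):
        self.rules.append(("permit", proto, src, dst, reflect))

    def evaluate(self, reflexive_list):
        self.rules.append(("evaluate", reflexive_list))

    def check(self, pkt, now):
        src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
        for rule in self.rules:
            if rule[0] == "evaluate":
                if rule[1].evaluate(pkt, now):
                    return "permit (reflexive %s)" % rule[1].name
                continue
            _, proto, src_net, dst_net, reflect = rule
            if proto == pkt.proto and src in src_net and dst in dst_net:
                if reflect is not None:
                    reflect.reflect(pkt, now)    # "reflect tcp_reflect" on the matching entry
                return "permit"
        return "deny"                            # implicit deny


def build_example_2_5():
    """The two ACLs and the reflexive list exactly as configured in Example 2-5."""
    tcp_reflect = ReflexiveList("tcp_reflect")
    inbound_acl = ExtendedACL("inbound_acl")
    inbound_acl.permit("icmp", ANY, ANY)
    inbound_acl.evaluate(tcp_reflect)
    outbound_acl = ExtendedACL("outbound_acl")
    outbound_acl.permit("icmp", ANY, ANY)
    outbound_acl.permit("tcp", net("10.0.0.0", "0.0.0.255"), net("172.16.1.0", "0.0.0.255"), reflect=tcp_reflect)
    return inbound_acl, outbound_acl, tcp_reflect


def run_scenario():
    """Replay constructed packets through Ethernet0 and return the verdict for each."""
    inbound_acl, outbound_acl, _ = build_example_2_5()

    def filt(pkt, now):
        return (outbound_acl if pkt.direction == "out" else inbound_acl).check(pkt, now)

    return [
        filt(Packet("in", "tcp", "172.16.1.10", "10.0.0.5", 4444, 22), 0),      # unsolicited SYN from outside
        filt(Packet("out", "tcp", "10.0.0.5", "172.16.1.10", 50000, 80), 1),    # inside host opens a session
        filt(Packet("in", "tcp", "172.16.1.10", "10.0.0.5", 80, 50000), 2),     # its SYN/ACK matches the mirror
        filt(Packet("in", "tcp", "172.16.1.10", "10.0.0.5", 81, 50000), 2),     # same host, other port: no entry
        filt(Packet("in", "icmp", "172.16.1.10", "10.0.0.5"), 3),               # ICMP is statically permitted
        filt(Packet("out", "tcp", "10.0.0.5", "192.168.9.9", 50001, 443), 4),   # no matching entry, nothing reflected
        filt(Packet("in", "tcp", "172.16.1.10", "10.0.0.5", 80, 50000), 303),   # return traffic after 300 s idle
    ]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The scenario shows the two properties that matter operationally: an outside host can reach an inside host only on the exact mirrored 5-tuple of a session the inside host opened, and that window closes on teardown or after the idle timeout, so a long-lived but quiet session can be cut off unless the timeout is raised.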