10.7 Configuring IP Session Filtering (Reflexive Access Lists)
10.7.4 Reflexive access lists configuration examples
There are two examples in this section:
  • External Interface Configuration Example
  • Internal Interface Configuration Example

External Interface Configuration Example

This example has reflexive access lists configured for an external interface, for a topology similar to the one in Figure .

This configuration example permits both inbound and outbound TCP traffic at interface Serial 1, but only if the first packet (in a given session) originated from inside your network. The interface Serial 1 connects to the Internet.

Define the interface where the session-filtering configuration is to be applied:

interface serial 1
 description Access to the Internet via this interface

Apply access lists to the interface, for inbound traffic and for outbound traffic:

ip access-group inboundfilters in
ip access-group outboundfilters out

Define the outbound access list. This is the access list that evaluates all outbound traffic on interface Serial 1.

ip access-list extended outboundfilters

Define the reflexive access list tcptraffic. This entry permits all outbound TCP traffic and creates a new access list named tcptraffic. Also, when an outbound TCP packet is the first in a new session, a corresponding temporary entry will be automatically created in the reflexive access list tcptraffic.

permit tcp any any reflect tcptraffic

Define the inbound access list. This is the access list that evaluates all inbound traffic on interface Serial 1.

ip access-list extended inboundfilters

Define the inbound access list entries. This example shows BGP and Enhanced IGRP running on the interface, and no ICMP traffic is permitted. The last entry points to the reflexive access list: a packet that does not match the first three entries is evaluated against all the temporary entries in the reflexive access list tcptraffic. If it matches none of them, evaluation continues with any entries that follow the evaluate statement; here there are none, so the packet is dropped by the implicit deny at the end of the access list.

permit bgp any any
permit eigrp any any
deny icmp any any
evaluate tcptraffic

Define the global idle timeout value for all reflexive access lists. When the reflexive access list tcptraffic was defined, no timeout was specified (a timeout keyword on the reflect entry would override the global value), so tcptraffic uses the global timeout. Therefore, if for 120 seconds no packet belonging to an established TCP session is seen, the corresponding temporary entry is removed and any further return traffic for that session is denied. If this command is omitted, the global default is 300 seconds. Note that a temporary entry mirrors exactly the addresses and ports of the packet that opened the session, so reflexive access lists cannot track applications whose return traffic arrives on a different port than the originating packet (FTP is the usual example); such return packets are denied.

ip reflexive-list timeout 120

This is what the example configuration looks like in the show running-config output:

interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
!
ip access-list extended inboundfilters
 permit bgp any any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
!

With this configuration, before any TCP sessions have been initiated the show access-list EXEC command displays the following:

Extended IP access list inboundfilters
 permit bgp any any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
Extended IP access list outboundfilters
 permit tcp any any reflect tcptraffic

Notice that the reflexive access list does not appear in this output because before any TCP sessions have been initiated, no traffic has triggered the reflexive access list, and the list is empty (has no entries). When empty, reflexive access lists do not show up in show access-list output.

After a Telnet connection is initiated from within your network to a destination outside of your network, the show access-list EXEC command displays the following:

Extended IP access list inboundfilters
 permit bgp any any (2 matches)
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
Extended IP access list outboundfilters
 permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
 permit tcp host 172.19.99.67 eq telnet host 192.168.60.185 eq 11005 (5 matches) (time left 115 seconds)

Notice that the reflexive access list tcptraffic now appears and displays the temporary entry generated when the Telnet session was initiated with an outbound packet. The entry is the mirror image of that packet: the outbound packet went from 192.168.60.185 port 11005 to 172.19.99.67 port 23, so the temporary entry permits inbound packets from 172.19.99.67 port 23 to 192.168.60.185 port 11005 and nothing else; an inbound packet from the same host to any other port on 192.168.60.185 still falls through to the implicit deny. The time left counts down from the 120-second timeout and is reset by every packet of the session in either direction.
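The mirrored entry above, its idle timer, and the implicit deny behind the evaluate statement are the whole mechanism. As an added example (not part of the original page and not Cisco IOS code), the following Python model walks the Telnet session from the text through the Serial 1 filters and goes a little beyond the text by also showing what IOS does on session close: a TCP entry is removed after two FINs or on a RST, without waiting for the timeout. The addresses and ports are the Telnet example's own; the Packet, ReflexiveList and Router names, the rule tuples and the simulated clock (now, in seconds) are assumptions of this example.

```python
# Added example, not Cisco's code: a model of how IOS reflexive access lists create,
# refresh and remove temporary entries. The Packet/ReflexiveList/Router names, the
# rule tuples and the simulated clock are this example's own assumptions.
from collections import namedtuple

TCP = "tcp"
# Constructed packet record; fin/rst model the TCP flags IOS looks at for teardown.
Packet = namedtuple("Packet", "proto src sport dst dport fin rst", defaults=(False, False))


class ReflexiveList:
    """Temporary entries keyed (proto, src, sport, dst, dport) -> [expires_at, fins_seen]."""

    def __init__(self, name, timeout):
        self.name, self.timeout, self.entries = name, timeout, {}

    def reflect(self, pkt, now):
        """'permit ... reflect NAME' matched: permit the mirror image as return traffic."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries.setdefault(key, [now + self.timeout, 0])
        self._touch(key, pkt, now)

    def evaluate(self, pkt, now):
        """'evaluate NAME': True if pkt matches a live entry; idle entries are purged first."""
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.entries:
            return False
        self._touch(key, pkt, now)
        return True

    def _touch(self, key, pkt, now):
        # Any packet of the session restarts the idle timer. TCP entries are also
        # removed after two FINs or immediately on RST, as IOS does.
        self.entries[key][0] = now + self.timeout
        if pkt.proto == TCP and pkt.fin:
            self.entries[key][1] += 1
        if pkt.proto == TCP and (pkt.rst or self.entries[key][1] >= 2):
            del self.entries[key]

    def show(self, now):
        """Rough equivalent of the 'show access-list' lines for this reflexive list."""
        return [f"Reflexive IP access list {self.name}"] + [
            f" permit {p} host {s} eq {sp} host {d} eq {dp} (time left {int(exp - now)} seconds)"
            for (p, s, sp, d, dp), (exp, _) in self.entries.items()]


class Router:
    """Named extended ACLs: ('permit'|'deny', proto, reflect_name) or ('evaluate', name)."""

    def __init__(self, timeout=300):  # 300 s is the IOS default for ip reflexive-list timeout
        self.timeout, self.acls, self.lists = timeout, {}, {}

    def reflexive(self, name):
        return self.lists.setdefault(name, ReflexiveList(name, self.timeout))

    def apply(self, acl, pkt, now):
        for rule in self.acls[acl]:
            if rule[0] == "evaluate":
                if self.reflexive(rule[1]).evaluate(pkt, now):
                    return True
                continue  # no temporary entry matched: keep walking the list
            action, proto, reflect = rule
            if proto in ("ip", pkt.proto):
                if action == "permit" and reflect:
                    self.reflexive(reflect).reflect(pkt, now)
                return action == "permit"
        return False  # implicit deny at the end of every IOS access list


def serial1_router(timeout=120):
    """The external-interface example: reflect on the way out, evaluate on the way in."""
    r = Router(timeout)
    r.acls["outboundfilters"] = [("permit", TCP, "tcptraffic")]
    r.acls["inboundfilters"] = [("permit", "bgp", None), ("permit", "eigrp", None),
                                ("deny", "icmp", None), ("evaluate", "tcptraffic")]
    return r


INSIDE, OUTSIDE = "192.168.60.185", "172.19.99.67"   # hosts from the Telnet example
SYN = Packet(TCP, INSIDE, 11005, OUTSIDE, 23)        # session-opening packet, outbound
REPLY = Packet(TCP, OUTSIDE, 23, INSIDE, 11005)      # its return traffic, inbound


def telnet_scenario():
    """Walk the Telnet session from the text through the Serial 1 filters."""
    r = serial1_router()
    out = {"unsolicited": r.apply("inboundfilters", REPLY, now=0)}  # no session yet
    out["outbound_syn"] = r.apply("outboundfilters", SYN, now=0)
    out["return_synack"] = r.apply("inboundfilters", REPLY, now=1)
    out["show"] = r.lists["tcptraffic"].show(now=5)
    out["other_port"] = r.apply("inboundfilters", Packet(TCP, OUTSIDE, 23, INSIDE, 11006), now=5)
    out["icmp"] = r.apply("inboundfilters", Packet("icmp", OUTSIDE, 0, INSIDE, 0), now=5)
    out["after_idle"] = r.apply("inboundfilters", REPLY, now=122)  # idle longer than 120 s
    return out


def teardown_scenario():
    """Orderly close: a FIN from each side removes the entry before the timeout."""
    r = serial1_router()
    r.apply("outboundfilters", SYN, now=0)
    return [r.apply("outboundfilters", SYN._replace(fin=True), now=10),
            r.apply("inboundfilters", REPLY._replace(fin=True), now=11),
            r.apply("inboundfilters", REPLY, now=12)]
```

Running telnet_scenario() reproduces the sequence in the text: the unsolicited inbound packet is denied, the outbound SYN is permitted and creates the mirrored entry, the SYN/ACK is permitted, a packet from the same host to port 11006 is still denied, ICMP is denied by the explicit entry, and after 122 seconds of silence the entry has been purged so the same reply is denied again. teardown_scenario() returns [True, True, False]: both FINs pass, the entry is gone, and a later inbound packet for that session is dropped.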

Internal Interface Configuration Example

This is an example configuration for reflexive access lists configured for an internal interface. This example has a topology similar to the one in Figure .

This example is similar to the previous one; the only difference is that the entries of the outbound and inbound access lists are swapped. On an internal interface, traffic from your network enters the router as inbound traffic, so the reflect entry now sits in the inbound access list and the evaluate entry in the outbound access list. Refer to the previous example for descriptions of the individual commands.

interface Ethernet 0
 description Access from the I-net to our Internal Network via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
 permit bgp any any
 permit eigrp any any
 deny icmp any any
 evaluate tcptraffic
!
ip access-list extended inboundfilters
 permit tcp any any reflect tcptraffic
!

Lab Activity
  In this lab, you will learn the usage of Reflexive Access Control Lists.