There are two examples in this section:
- External Interface Configuration Example
- Internal Interface Configuration Example
External Interface Configuration Example
This example has reflexive access lists configured for an
external interface, for a topology similar to the one in Figure .
This configuration permits both inbound and outbound TCP traffic at
interface Serial 1, but inbound TCP traffic is permitted only if the
first packet of that session originated from inside your network.
Interface Serial 1 connects to the Internet.
Define the interface where the session-filtering configuration is to be applied:
interface serial 1
description Access to the Internet via this interface
Apply access lists to the interface, one for inbound traffic and one for outbound traffic:
ip access-group inboundfilters in
ip access-group outboundfilters out
Define the outbound access list. This is the access list that evaluates all outbound traffic on interface Serial 1.
ip access-list extended outboundfilters
Define the reflexive access list tcptraffic. This entry
permits all outbound TCP traffic and creates a new access
list named tcptraffic. Also, when an outbound TCP packet is
the first in a new session, a corresponding temporary entry will be
automatically created in the reflexive access list tcptraffic.
permit tcp any any reflect tcptraffic
Define the inbound access list. This is the access list that
evaluates all inbound traffic on interface Serial 1.
ip access-list extended inboundfilters
Define the inbound access list entries. This example shows BGP
and Enhanced IGRP running on the interface. Also, no ICMP traffic is
permitted. (Note that the extended access list syntax has no bgp
protocol keyword; BGP runs over TCP port 179, so on a real router the
first entry would be written as permit tcp any any eq bgp.) The last
entry points to the reflexive access list. If a packet does not match
the first three entries, it is evaluated against all the entries in the
reflexive access list tcptraffic; a packet that matches none of those
is dropped by the implicit deny at the end of the list.
permit bgp any any
permit eigrp any any
deny icmp any any
evaluate tcptraffic
Define the global idle timeout value for all reflexive access
lists. In this example, when the reflexive access list tcptraffic
was defined, no timeout was specified, so tcptraffic uses the
global timeout. Each packet that matches a temporary entry restarts
that entry's timer; if no packet belonging to an established session
is seen for 120 seconds, the corresponding reflexive access list entry
is removed.
ip reflexive-list timeout 120
Together, these commands make up the example configuration as it
appears in the output of the show running-config EXEC command.
With this configuration, before any TCP sessions have been initiated,
the show access-list EXEC command displays the following:
Extended IP access list inboundfilters
permit bgp any any
permit eigrp any any
deny icmp any any
evaluate tcptraffic
Extended IP access list outboundfilters
permit tcp any any reflect tcptraffic
Notice that the reflexive access list does not appear in this
output: before any TCP session has been initiated, no traffic has
triggered the reflexive access list, so the list is empty (has no
entries). Empty reflexive access lists do not show up in
show access-list output.
After a Telnet connection is initiated from within your network to a
destination outside of your network, the show access-list EXEC command
displays the following:
Extended IP access list inboundfilters
permit bgp any any (2 matches)
permit eigrp any any
deny icmp any any
evaluate tcptraffic
Extended IP access list outboundfilters
permit tcp any any reflect tcptraffic
Reflexive IP access list tcptraffic
permit tcp host 172.19.99.67 eq telnet host 192.168.60.185 eq 11005 (5 matches) (time left 115 seconds)
Notice that the reflexive access list tcptraffic now appears, and
displays the temporary entry generated when the Telnet session was
initiated with an outbound packet. The entry is the mirror image of
that packet: its source is the outside host's Telnet port and its
destination is the inside host's ephemeral port 11005, so only the
return traffic of this one session is permitted inbound. The time
left counts down from the 120-second idle timeout and is reset by
each matching packet.
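The mechanism behind the two listings above (an outbound TCP packet creates a temporary entry, the entry mirrors that packet's addresses and ports, each matching packet restarts the idle timer, and an idle entry is removed) as an added, runnable model. This is constructed example code, not Cisco code and not part of the original page. It assumes the page's two lists on Serial 1, models permit bgp any any as TCP port 179, ignores the FIN/RST teardown that real IOS also performs, and replays constructed packets using the page's addresses.

```python
# Added example, not Cisco code: a small model of how a reflexive access list
# is populated, consulted and aged, built from the page's Serial 1 lists.
# Assumptions (mine, not the page's): only the idle timeout removes an entry
# (real IOS also removes a TCP entry once it sees the session's FIN/RST
# exchange); "permit bgp any any" is modelled as TCP port 179; addresses are
# matched as exact host strings or "any"; packet times are in seconds.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

TELNET, BGP = 23, 179
Packet = namedtuple("Packet", "proto src sport dst dport t")  # t = arrival time

@dataclass
class Entry:
    action: str                    # "permit", "deny" or "evaluate"
    proto: str = "ip"
    src: str = "any"
    sport: Optional[int] = None
    dst: str = "any"
    dport: Optional[int] = None
    reflect: Optional[str] = None  # reflexive list this entry populates
    name: Optional[str] = None     # reflexive list an "evaluate" consults
    expires: float = 0.0           # temporary (reflexive) entries only
    matches: int = 0

    def hits(self, p) -> bool:
        return (self.proto in ("ip", p.proto) and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))

class Router:
    def __init__(self, timeout=120.0):
        self.timeout = timeout              # "ip reflexive-list timeout 120"
        self.acls, self.reflexive = {}, {}  # static lists; temporary entries

    def apply(self, acl, p) -> str:
        """Evaluate packet p against the named ACL; returns 'permit' or 'deny'."""
        self._expire(p.t)
        for e in self.acls[acl]:
            if e.action == "evaluate":
                for r in self.reflexive.get(e.name, []):
                    if r.hits(p):
                        r.matches += 1
                        r.expires = p.t + self.timeout  # idle timer restarts
                        return "permit"
                continue                 # no session matched: try the next entry
            if e.hits(p):
                e.matches += 1
                if e.action == "permit" and e.reflect:
                    self._reflect(e.reflect, p)
                return e.action
        return "deny"                    # implicit deny at the end of every ACL

    def _reflect(self, name, p):
        # Temporary entry = mirror image of the triggering packet (addresses and
        # ports swapped), so only this session's return traffic can match it.
        lst = self.reflexive.setdefault(name, [])
        for r in lst:
            if (r.src, r.sport, r.dst, r.dport) == (p.dst, p.dport, p.src, p.sport):
                r.expires = p.t + self.timeout   # same session again: restart timer
                return
        lst.append(Entry("permit", p.proto, p.dst, p.dport, p.src, p.sport,
                         expires=p.t + self.timeout))

    def _expire(self, now):
        for lst in self.reflexive.values():
            lst[:] = [r for r in lst if r.expires > now]

    def show_access_list(self, now) -> list:
        self._expire(now)
        out = []
        for name, lst in self.reflexive.items():
            if lst:                      # empty reflexive lists are not shown
                out.append(f"Reflexive IP access list {name}")
            for r in lst:
                out.append(f" permit {r.proto} host {r.src} eq {r.sport} host {r.dst} eq "
                           f"{r.dport} ({r.matches} matches) (time left {int(r.expires - now)} seconds)")
        return out

def external_interface_router() -> Router:
    """The page's Serial 1 lists: outboundfilters applied out, inboundfilters in."""
    r = Router(timeout=120)
    r.acls["outboundfilters"] = [Entry("permit", "tcp", reflect="tcptraffic")]
    r.acls["inboundfilters"] = [Entry("permit", "tcp", dport=BGP),  # "permit bgp any any"
                                Entry("permit", "eigrp"), Entry("deny", "icmp"),
                                Entry("evaluate", name="tcptraffic")]
    return r

def demo() -> dict:
    # Replay the page's Telnet session plus packets the lists must not admit.
    r, res = external_interface_router(), {}
    inside, outside = "192.168.60.185", "172.19.99.67"
    res["empty_listing"] = r.show_access_list(now=0)
    res["unsolicited_syn"] = r.apply("inboundfilters", Packet("tcp", outside, 40000, inside, TELNET, 0))
    r.apply("outboundfilters", Packet("tcp", inside, 11005, outside, TELNET, 1))  # session opens
    res["telnet_reply"] = r.apply("inboundfilters", Packet("tcp", outside, TELNET, inside, 11005, 6))
    res["wrong_port"] = r.apply("inboundfilters", Packet("tcp", outside, 2222, inside, 11005, 6))
    res["listing"] = r.show_access_list(now=11)  # five seconds after the reply: 115 s left
    res["after_idle"] = r.apply("inboundfilters", Packet("tcp", outside, TELNET, inside, 11005, 200))
    return res
```

demo() shows the listing empty before any session, an unsolicited inbound SYN and a packet from the wrong source port both falling through to the implicit deny, the return packet of the inside host's Telnet session permitted by the mirrored entry, and the same session denied again once the entry has idled out. The internal interface example is the same model with the roles of the two lists swapped: the list applied inbound carries the reflect entry and the list applied outbound carries the evaluate entry.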
Internal Interface Configuration Example
This is an example configuration for reflexive access lists
configured for an internal interface. This example has a topology
similar to the one in Figure .
This example is similar to the previous one; the only difference is
that the entries of the outbound and inbound access lists are swapped,
because on an internal interface the traffic leaving your network
arrives inbound on the interface and the return traffic leaves it
outbound. Refer to the previous example for details and descriptions.
interface Ethernet 0
description Access from the I-net to our Internal Network via this interface
ip access-group inboundfilters in
ip access-group outboundfilters out
!
ip reflexive-list timeout 120
!
ip access-list extended outboundfilters
permit bgp any any
permit eigrp any any
deny icmp any any
evaluate tcptraffic
!
ip access-list extended inboundfilters
permit tcp any any reflect tcptraffic
!
Lab Activity: In this lab, you will learn the usage of Reflexive Access Control Lists.