Lab 10.7.4 Reflexive Access Control Lists

Objective:

 Demonstrate the use of Reflexive Access Control Lists.

Equipment Requirements:

  • Two routers
  • One switch with two VLANs set or two switches or two hubs
  • Two workstations

Preliminary:

Construct the network described below, using IGRP as your routing protocol. Use the network address 172.32.3.0/24 on the serial link between the two routers; each router's Ethernet interface connects one of the two workstation LANs. The router IP configurations are as follows:

                 Router-A            Router-B
Ethernet         E0 = 172.32.4.1     E0 = 172.32.2.1
Serial           S0 = 172.32.3.1     S1 = 172.32.3.2
Subnet mask      255.255.255.0       255.255.255.0

When construction of the network is complete, verify that the routers can communicate and are exchanging their routing tables. Also verify that the workstations can communicate with each other correctly. For verification use the show ip route, show interfaces and show running-config commands, ping, telnet, and any other relevant command(s).

Scenario:

For this lab we will be using Router-B as the border router on which we configure the reflexive access list. We want to prevent users outside subnetwork 172.32.2.0 from initiating any connection into subnetwork 172.32.2.0. However, the users inside the subnetwork still need to be able to open connections out and receive the replies back.

From the "Router-B" console:

Step 1

Enter privileged EXEC mode (enable).

Step 2

Enter global configuration mode by entering the configure terminal command at the router prompt.

Step 3

Determine whether each access list belongs on an internal interface or an external interface, and in which direction it should be applied, then set up the access lists accordingly. We will need to configure both an inbound access list and an outbound access list. In this example the outbound access list does more than filter: its reflect entry creates temporary entries in a reflexive list (internaltraffic), and the inbound access list consults those entries with an evaluate statement, so a session opened from the inside opens the return path for its own replies.

Note: We will be using named access lists for this example. Reflexive access lists can only be defined within named extended IP access lists.

  • Enter ip access-list extended filterincoming

What happens to the router prompt?

  • Enter permit igrp any any

Why would we want to permit igrp on our incoming access list?

  • Enter evaluate internaltraffic

Describe how this access control list will work.

  • Enter exit
  • Enter ip access-list extended filteroutgoing

How does the prompt change?

  • Enter permit tcp any any reflect internaltraffic

What does this statement in the access list do?

Note: Only TCP is reflected here. Because every access list ends in an implicit deny, any other protocol leaving S1 from the inside workstations (ICMP pings, for example) is dropped by this list; reflecting those protocols would require their own reflect entries (for example permit icmp any any reflect internaltraffic). Traffic generated by Router-B itself, such as its own IGRP updates, is not subject to the outbound list.

  • Enter exit

Step 4

Apply the access lists to the correct interface, and in the correct direction.

  • Enter interface serial 1
  • Enter ip access-group filterincoming in
  • Enter ip access-group filteroutgoing out
  • Enter exit

Which access list will be applied to information coming into interface S1?

Which access list will be applied to information going out of interface S1?

Step 5

Set the global timeout value.

  • Enter ip reflexive-list timeout 120

How long does it take for a temporary entry in the reflexive access list to expire?

Note: If this command is omitted the global default of 300 seconds applies. The timer is an idle timer for each temporary entry; a packet that matches the entry refreshes it, and a TCP entry is also removed when the router sees the session close.

  • Enter CTRL-Z
  • Enter copy running-config startup-config

Why did we copy the running configuration to the startup config?

Step 6

Verify that the reflexive access list is working correctly. From the console on Router-B:

  • Enter show access-lists

What does the router respond with?

  • From a workstation on subnetwork 172.32.4.0, try to ping the workstation on subnetwork 172.32.2.0.

Were you successful?

  • Try to telnet to 172.32.2.1 (Router-B's E0 address).

Were you successful?

  • From a workstation on subnet 172.32.2.0, now try to ping the workstation on subnet 172.32.4.0.

Were you successful?

  • Now try to telnet to 172.32.3.1 (Router-A's S0 address).

Were you successful?

Why were you successful this time?

Step 7

Check the access list on the router. From the Router-B privileged EXEC prompt:

  • Enter show access-lists

What has changed in the access list?
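The following is an added example, written for this edition of the lab and not part of the original worksheet or of Cisco IOS: a small Python model of how Router-B's S1 treats the packets in Steps 3 to 7. It imitates the reflect and evaluate behaviour (mirrored 5-tuple entries, idle timeout, removal on TCP close) so that the Step 6 outcomes and the Step 7 show access-lists change can be reasoned about without the equipment. The router addresses and list names are the lab's; the workstation addresses 172.32.4.10 and 172.32.2.10, the TCP port numbers and the timestamps are assumptions, and the FIN handling is simplified compared with IOS, as noted in the comments.

```python
"""Constructed model of Router-B's reflexive ACL on S1 (not IOS code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                             # "tcp", "icmp" or "igrp"
    src: str
    dst: str
    sport: int = 0                         # 0 when the protocol has no ports
    dport: int = 0
    flags: FrozenSet[str] = frozenset()    # TCP flags, e.g. {"SYN"} or {"FIN"}


Key = Tuple[str, str, str, int, int]       # proto, src, dst, sport, dport


class ReflexiveList:
    """Temporary entries written by 'reflect' and read by 'evaluate'."""

    def __init__(self, name: str, timeout: int) -> None:
        self.name, self.timeout = name, timeout   # ip reflexive-list timeout
        self.entries: Dict[Key, float] = {}       # mirrored 5-tuple -> expiry

    def reflect(self, pkt: Packet, now: float) -> None:
        # The entry is the mirror image of the outbound packet: same protocol,
        # addresses and ports swapped.  No other traffic can match it.
        key = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        self.entries = {k: t for k, t in self.entries.items() if t > now}  # age out
        key = (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if key not in self.entries:
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            # Session closing.  Simplification: IOS removes the entry on RST,
            # or 5 seconds after seeing FINs in both directions.
            del self.entries[key]
        else:
            self.entries[key] = now + self.timeout  # matching traffic refreshes the idle timer
        return True

    def show(self, now: float) -> List[str]:
        """Lines in the style of 'show access-lists' for the temporary entries."""
        return [f"permit {p} host {s} eq {sp} host {d} eq {dp} (time left {int(t - now)})"
                for (p, s, d, sp, dp), t in self.entries.items() if t > now]


@dataclass
class Ace:
    action: str                    # "permit", "deny" or "evaluate"
    proto: str = "ip"              # "ip" matches every protocol
    reflect: Optional[str] = None  # reflexive list this entry populates
    evaluate: Optional[str] = None # reflexive list this entry consults


class RouterB:
    """Serial 1 of Router-B with filterincoming (in) and filteroutgoing (out)."""

    def __init__(self, timeout: int = 120) -> None:
        self.timeout = timeout
        self.reflexive: Dict[str, ReflexiveList] = {}
        self.filterincoming = [Ace("permit", "igrp"), Ace("evaluate", evaluate="internaltraffic")]
        self.filteroutgoing = [Ace("permit", "tcp", reflect="internaltraffic")]

    def rlist(self, name: str) -> ReflexiveList:
        return self.reflexive.setdefault(name, ReflexiveList(name, self.timeout))

    def _run(self, acl: List[Ace], pkt: Packet, now: float) -> bool:
        for ace in acl:
            if ace.action == "evaluate":
                if self.rlist(ace.evaluate).evaluate(pkt, now):
                    return True
                continue                       # no temporary entry: try the next line
            if ace.proto not in ("ip", pkt.proto):
                continue
            if ace.reflect:
                self.rlist(ace.reflect).reflect(pkt, now)
            return ace.action == "permit"
        return False                           # implicit deny at the end of every list

    def s1_in(self, pkt: Packet, now: float) -> bool:
        return self._run(self.filterincoming, pkt, now)

    def s1_out(self, pkt: Packet, now: float) -> bool:
        return self._run(self.filteroutgoing, pkt, now)


def step6_results() -> Dict[str, bool]:
    """Replay the Step 6 tests; True means the packet is permitted on S1."""
    rb = RouterB(timeout=120)
    outside, inside = "172.32.4.10", "172.32.2.10"   # assumed workstation addresses
    syn, synack, ack = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    r: Dict[str, bool] = {}
    r["igrp_from_router_a"] = rb.s1_in(Packet("igrp", "172.32.3.1", "255.255.255.255"), 0)
    r["ping_from_outside"] = rb.s1_in(Packet("icmp", outside, inside), 1)
    r["telnet_from_outside"] = rb.s1_in(Packet("tcp", outside, "172.32.2.1", 40000, 23, syn), 2)
    r["ping_from_inside"] = rb.s1_out(Packet("icmp", inside, outside), 3)   # only tcp is reflected
    r["telnet_from_inside"] = rb.s1_out(Packet("tcp", inside, "172.32.3.1", 41000, 23, syn), 4)
    r["telnet_reply"] = rb.s1_in(Packet("tcp", "172.32.3.1", inside, 23, 41000, synack), 5)
    r["reply_from_other_host"] = rb.s1_in(Packet("tcp", outside, inside, 23, 41000, ack), 6)
    r["reply_after_timeout"] = rb.s1_in(Packet("tcp", "172.32.3.1", inside, 23, 41000, ack), 126)
    return r


if __name__ == "__main__":
    for test, permitted in step6_results().items():
        print(f"{test:24} {'permitted' if permitted else 'denied'}")
```

Running the model shows the pattern the lab is after: IGRP from Router-A and the inside telnet to 172.32.3.1 are permitted, the reply to that telnet is let back in by the temporary entry, and everything else is denied, including the inside ping (dropped by filteroutgoing's implicit deny), a reply from a host other than the one the session was opened to, and the genuine reply once the 120-second idle timer has expired. The show method reproduces the extra line that appears under the reflexive list in Step 7 while a session is open.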