In
a previous section, "Prework," you decided whether to
configure reflexive access lists for an internal or external
interface. Now, complete the tasks in one of the following
configuration task lists.
External Interface Configuration Task List
To configure reflexive access lists for an external interface,
perform these tasks:
- Define the Reflexive Access List(s) in an outbound IP
extended named access list.
- Nest the Reflexive Access List(s) in an inbound IP
extended named access list.
- Set a Global Timeout Value (Optional).
These tasks are described in the sections following the internal
interface configuration task list.
Note: The defined (outbound) reflexive access list
evaluates traffic traveling out of your network: if the defined
reflexive access list is matched, temporary entries are created in
the nested (inbound) reflexive access list. These temporary entries
will then be applied to traffic traveling into your network.
Internal Interface Configuration Task List
To configure reflexive access lists for an internal interface,
perform these tasks:
- Define the Reflexive Access List(s) in an inbound IP
extended named access list.
- Nest the Reflexive Access List(s) in an outbound IP
extended named access list.
- Set a Global Timeout Value (Optional).
These tasks are described in the next sections.
Note: The defined (inbound) reflexive access list
evaluates traffic traveling out of your network (on an internal
interface, inbound traffic is traffic arriving from the internal
side): if the defined reflexive access list is matched, temporary
entries are created in the nested (outbound) reflexive access list.
These temporary entries will then be applied to traffic traveling
into your network.
Define the Reflexive Access List(s)
To define a reflexive access list, you use an entry in an
extended named IP access list. This entry must use the reflect
keyword.
- If you are configuring reflexive access lists for an external
interface, the extended named IP access list should be one that
is applied to outbound traffic.
- If you are configuring reflexive access lists for an internal
interface, the extended named IP access list should be one that
is applied to inbound traffic.
To define reflexive access lists, perform the tasks shown in
Figure , starting in global configuration mode.
If the extended named IP access list you just specified has never
been applied to the interface, you must also complete this next task
shown in Figure .
Apply the extended named IP access list to the interface, in
interface configuration mode.
Mixing Reflexive-Access-List Statements with Other Permit and Deny Entries
The extended IP access list that contains the reflexive access
list permit statement can also contain other normal permit and
deny statements (entries). However, as with all access lists, the
order of entries is important, as explained in the following
paragraphs.
If you configure reflexive access lists for an external
interface, when an outbound IP packet reaches the interface, the
packet will be evaluated sequentially by each entry in the outbound
access list until a match occurs.
If the packet matches an entry prior to the reflexive permit
entry, the packet will not be evaluated by the reflexive permit
entry, and no temporary entry will be created for the reflexive
access list (reflexive filtering will not be triggered).
The outbound packet will be evaluated by the reflexive permit
entry only if no other match occurs first. Then, if the packet
matches the protocol specified in the reflexive permit entry,
the packet is forwarded out of the interface and a corresponding
temporary entry is created in the inbound reflexive access list
(unless the corresponding entry already exists, indicating the
outbound packet belongs to a session in progress). The temporary
entry specifies criteria that permit inbound traffic only for the
same session.
Nest the Reflexive Access List(s)
After you define a reflexive access list in one IP extended
access list, you must "nest" the reflexive access list
within a different extended named IP access list.
- If you are configuring reflexive access lists for an external
interface, nest the reflexive access list within an extended
named IP access list applied to inbound traffic.
- If you are configuring reflexive access lists for an internal
interface, nest the reflexive access list within an extended
named IP access list applied to outbound traffic.
After you nest a reflexive access list, packets heading into your
internal network can be evaluated against any reflexive access list
temporary entries, along with the other entries in the extended
named IP access list.
To nest reflexive access lists, perform the tasks shown in
Figure , starting in global configuration mode.
Again, the order of entries is important. Normally, when a packet
is evaluated against entries in an access list, the entries are
evaluated in sequential order, and when a match occurs, no more
entries are evaluated. With a reflexive access list nested in an
extended access list, the extended-access-list entries are evaluated
sequentially up to the nested entry, then the reflexive-access-list
entries are evaluated sequentially, and then the remaining entries
in the extended access list are evaluated sequentially. As usual,
after a packet matches any of these entries, no more entries
will be evaluated.
If the extended named IP access list you just specified has never
been applied to the interface, you must also complete this next task
shown in Figure .
Apply the extended named IP access list to the interface, in
interface configuration mode.
Set a Global Timeout Value (Optional)
Reflexive access list entries expire after no packets in the
session have been detected for a certain length of time (the
"timeout" period). You can specify the timeout for a
particular reflexive access list when you define the reflexive
access list. But if you do not specify the timeout for a given
reflexive access list, the list will use the global timeout value
instead.
The global timeout value is 300 seconds by default, but you
can change the global timeout to a different value at any time.
To change the global timeout value, perform the task in Figure
in global configuration mode.
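As an added illustration (not Cisco code or IOS configuration), the following Python model walks packets through the external-interface case described in this section: entries are evaluated in order, a match ahead of the reflect entry never triggers reflexive filtering, the nested evaluate entry is checked in place before the remaining static entries, and a temporary entry expires once the session has been idle for the timeout. The addresses, ports, the list name tcptraffic and the 120-second global timeout are constructed for the example.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
GLOBAL_TIMEOUT = 120  # constructed global timeout value; the IOS default is 300 s

def _match(entry, pkt):
    proto, src, dst = entry[1:4]
    return proto in ("ip", pkt.proto) and src in ("any", pkt.src) and dst in ("any", pkt.dst)

def evaluate(acl, pkt, now, temp):
    """Walk acl in order, return 'permit'/'deny'. Entries: (action, proto, src, dst),
    ("reflect", proto, src, dst, name, timeout_or_None) or ("evaluate", name)."""
    for entry in acl:
        kind = entry[0]
        if kind == "evaluate":  # nested list: its temporary entries are checked here, in order
            flows = temp.setdefault(entry[1], {})  # temp: name -> {flow: [expiry, timeout]}
            for flow in [f for f, (exp, _) in flows.items() if exp <= now]:
                del flows[flow]  # idle for a full timeout period: the entry expires
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key in flows:
                flows[key][0] = now + flows[key][1]  # session still active: refresh expiry
                return "permit"
            continue  # no temporary match: the remaining static entries are evaluated
        if not _match(entry, pkt):
            continue
        if kind == "reflect":  # permit and record the reversed flow, once per session
            timeout = entry[5] or GLOBAL_TIMEOUT
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            temp.setdefault(entry[4], {}).setdefault(reverse, [now + timeout, timeout])
            return "permit"
        return kind  # static 'permit' or 'deny'
    return "deny"  # implicit deny at the end of every ACL

# Constructed external-interface case: a host denied ahead of the reflect entry
# never triggers reflexive filtering; the reflect entry catches all other TCP.
OUTBOUND = [("deny", "tcp", "10.0.0.9", "any"), ("reflect", "tcp", "any", "any", "tcptraffic", None)]
INBOUND = [("evaluate", "tcptraffic"), ("deny", "ip", "any", "any")]

def demo():
    temp = {}
    out = Packet("tcp", "10.0.0.5", 40000, "198.51.100.7", 443)
    back = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 40000)
    other = Packet("tcp", "198.51.100.7", 443, "10.0.0.5", 40001)
    blocked = Packet("tcp", "10.0.0.9", 40000, "198.51.100.7", 443)
    return {"unsolicited": evaluate(INBOUND, back, 0, temp),        # deny: no session yet
            "outbound": evaluate(OUTBOUND, out, 0, temp),           # permit, temp entry created
            "blocked_host": evaluate(OUTBOUND, blocked, 0, temp),   # deny: never reaches reflect
            "reply": evaluate(INBOUND, back, 10, temp),             # permit via temp entry
            "other_port": evaluate(INBOUND, other, 10, temp),       # deny: different session
            "after_timeout": evaluate(INBOUND, back, 131, temp)}    # deny: idle longer than 120 s
```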