In this configuration example we will test Cisco IOS reflexive access lists.
A reflexive ACL takes a packet flow, extracts the session information (protocol, source and destination addresses and ports) and creates a temporary ACL entry that permits the same session in the reverse direction.
The access lists must be named extended access lists; reflexive entries are not supported in numbered access lists.
Here is the topology for this test:
! out-acl is applied outbound towards R3. OSPF is permitted explicitly
! because routing traffic is not a reflected session; TCP, UDP and ICMP
! flows leaving the interface create a mirrored entry in the list "reflection".
ip access-list extended out-acl
 permit ospf any any
 permit tcp any any reflect reflection
 permit udp any any reflect reflection
 permit icmp any any reflect reflection
! in-acl is applied inbound from R3. Only OSPF and replies that match a
! reflexive entry get in; everything else hits the implicit deny.
ip access-list extended in-acl
 permit ospf any any
 evaluate reflection
interface FastEthernet0/1
 ip address 10.10.23.2 255.255.255.0
 ip access-group in-acl in
 ip access-group out-acl out
Let's test the configuration:
Telnet from R1 to R3:
R1#telnet 10.10.10.3 /source-interface loopback 0
Trying 10.10.10.3 ... Open
User Access Verification
Password:
R3>en
Password:
Let's check the access list entries on R2:
R2#show access-lists
Extended IP access list in-acl
5 permit ospf any any (118 matches)
10 evaluate reflection
Extended IP access list out-acl
5 permit ospf any any
10 permit tcp any any reflect reflection (96 matches)
20 permit udp any any reflect reflection
30 permit icmp any any reflect reflection
Reflexive IP access list reflection
permit tcp host 10.10.10.3 eq telnet host 10.10.10.1 eq 46743 (42 matches) (time left 259)
This ACL entry was created dynamically in the reverse direction: R1's telnet session (source 10.10.10.1, ephemeral port 46743, destination 10.10.10.3 port 23) left R2 through the reflect line of out-acl, so the list "reflection" now permits the mirror image, 10.10.10.3 port 23 to 10.10.10.1 port 46743, back in through in-acl. The "time left" value is the idle timeout, 300 seconds by default; it can be changed globally with ip reflexive-list timeout or per line with the timeout keyword on the reflect statement. The entry is refreshed by each matching packet and removed when the timer expires or, for TCP, shortly after the session is closed with FIN or RST. Anything else arriving inbound on FastEthernet0/1, for example R3 opening its own telnet session to R1, matches neither permit ospf nor a reflexive entry and is dropped by the implicit deny. Note that a reflexive ACL only mirrors the 5-tuple it saw; protocols that negotiate a second connection on different ports (active FTP, for instance) will not get a reflected entry for that connection.
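To make the mechanism concrete, here is a small model of the reflexive ACL behaviour seen on R2. It is an added illustration written for this page, not Cisco IOS code: it mirrors the 5-tuple of an outbound packet that hits a reflect line, evaluates inbound packets against those entries, refreshes the idle timer on every match, tears the entry down on TCP FIN/RST, and lets an unsolicited inbound connection fall through to the implicit deny. The packet tuples, timestamps and the 300 second timeout are constructed for the example; IOS keeps an entry a few seconds after the FIN exchange, while this model drops it at once.

```python
"""Model of reflexive ACL semantics (added example, not Cisco IOS code)."""
from dataclasses import dataclass, field

DEFAULT_TIMEOUT = 300  # seconds; assumed to match the IOS default idle timeout


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", "icmp", "ospf"
    src: str
    sport: int          # 0 for protocols without ports (simplification)
    dst: str
    dport: int
    flags: frozenset = field(default_factory=frozenset)


class ReflexiveList:
    """The dynamic list named by 'reflect <name>' and 'evaluate <name>'."""

    def __init__(self, timeout=DEFAULT_TIMEOUT):
        self.timeout = timeout
        self.entries = {}  # reversed 5-tuple -> expiry timestamp

    @staticmethod
    def _reverse_key(pkt):
        # The dynamic entry is written with source and destination swapped.
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    @staticmethod
    def _forward_key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    def reflect(self, pkt, now):
        """Outbound packet matched a 'reflect' line: install the mirrored entry."""
        self.entries[self._reverse_key(pkt)] = now + self.timeout

    def evaluate(self, pkt, now):
        """Inbound packet reached the 'evaluate' line: permit only if mirrored."""
        key = self._forward_key(pkt)
        expiry = self.entries.get(key)
        if expiry is None or expiry <= now:
            self.entries.pop(key, None)      # no entry, or idle timeout reached
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            del self.entries[key]            # session closing: tear the entry down
        else:
            self.entries[key] = now + self.timeout   # refresh the idle timer
        return True

    def time_left(self, pkt, now):
        """Seconds left on the entry that would match pkt inbound, None if absent."""
        expiry = self.entries.get(self._forward_key(pkt))
        return None if expiry is None else max(0, expiry - now)


def out_acl(rlist, pkt, now):
    """out-acl: permit ospf any any; permit tcp/udp/icmp any any reflect; implicit deny."""
    if pkt.proto == "ospf":
        return True
    if pkt.proto in ("tcp", "udp", "icmp"):
        rlist.reflect(pkt, now)
        return True
    return False


def in_acl(rlist, pkt, now):
    """in-acl: permit ospf any any; evaluate reflection; implicit deny."""
    if pkt.proto == "ospf":
        return True
    return rlist.evaluate(pkt, now)


def telnet_scenario():
    """Replay the R1 -> R3 telnet from the page plus the cases the text implies."""
    rlist = ReflexiveList()
    syn = Packet("tcp", "10.10.10.1", 46743, "10.10.10.3", 23, frozenset({"SYN"}))
    reply = Packet("tcp", "10.10.10.3", 23, "10.10.10.1", 46743, frozenset({"ACK"}))
    fin = Packet("tcp", "10.10.10.3", 23, "10.10.10.1", 46743, frozenset({"FIN", "ACK"}))
    # R3 trying to open its own telnet session towards R1: never reflected.
    unsolicited = Packet("tcp", "10.10.10.3", 40000, "10.10.10.1", 23, frozenset({"SYN"}))
    r = {}
    r["syn_out"] = out_acl(rlist, syn, now=0)
    r["reply_in"] = in_acl(rlist, reply, now=41)
    r["time_left"] = rlist.time_left(reply, now=82)   # 41 s idle -> 259 s left
    r["unsolicited_in"] = in_acl(rlist, unsolicited, now=50)
    r["fin_in"] = in_acl(rlist, fin, now=100)
    r["after_fin"] = in_acl(rlist, reply, now=101)
    # A UDP reply arriving after the idle timeout is dropped as well.
    dns = Packet("udp", "10.10.10.1", 50000, "10.10.10.3", 53)
    dns_reply = Packet("udp", "10.10.10.3", 53, "10.10.10.1", 50000)
    out_acl(rlist, dns, now=200)
    r["udp_reply_late"] = in_acl(rlist, dns_reply, now=501)
    return r


if __name__ == "__main__":
    for name, value in telnet_scenario().items():
        print(f"{name:16} {value}")
```

The "time_left" value of 259 reproduces the counter in the show access-lists output above: the entry was refreshed by the last matching packet and has been idle for 41 of its 300 seconds. The unsolicited SYN from R3 is the case the inbound ACL exists to stop, and the late UDP reply shows why a short timeout on the reflect line can break slow request/response protocols.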