Reflexive access-lists are a way of filtering traffic where return traffic
is only allowed if it belongs to a session initiated on the “inside”. In a regular
access-list we can use the keyword established for filtering, but that only
checks whether the TCP ACK flag is set, which is the case for every packet
in a session except the first one. This isn’t really stateful filtering.
We will use a very simple topology with three routers, diagram is below.
The objective is to allow all TCP from R3 to R1. R1 should be able to use ping
and traceroute and to establish routing peerings with R2.
If you want to try this lab yourself you can download topology, initial configs
and final configs from here.
Let's start by doing a telnet from R3 to R1 and in reverse, just to see that we have
reachability and that nothing is being filtered.
Everything works as expected. Now let's start creating access-lists. We will
be filtering on R2 Fa0/0. Traffic from R3 to R1 will be outbound and traffic
from R1 to R3 will be inbound.
The keyword here is reflect; we need to evaluate MYREFLECT in the inbound ACL to make
it reflexive. If we want to add more statements, for example UDP, we can do that, but
remember to use the reflect keyword on them as well.
Now we create the inbound ACL.
We need to explicitly allow ICMP since ICMP is not tracked statefully. We also need
to allow the routing protocol, because that traffic terminates on the router itself.
Apply ACL to R2 Fa0/0.
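The configuration for the whole procedure above, as an added example rather than the post's own configs (the downloadable configs are not reproduced here). MYREFLECT is the reflexive list name used in the post; the ACL names OUTBOUND and INBOUND, the `any any` matches, the timeout value and the UDP port range for traceroute probes from R1 are assumptions:

```ios
! Added example configuration for R2, not the lab's own config files.
! Assumptions: ACL names OUTBOUND/INBOUND, any-any matches, the
! traceroute port range and the timeout value. MYREFLECT is from the post.
!
! Outbound on Fa0/0 = traffic from R3 towards R1. Each permitted TCP (or
! UDP) flow creates a temporary, mirrored entry in the reflexive list
! MYREFLECT. ICMP is permitted explicitly because it is never reflected.
ip access-list extended OUTBOUND
 permit tcp any any reflect MYREFLECT
 permit udp any any reflect MYREFLECT
 permit icmp any any
!
! Inbound on Fa0/0 = traffic from R1 towards R3. Only traffic matching a
! dynamic MYREFLECT entry gets through, plus the explicit exceptions:
! ICMP (not tracked), EIGRP (terminates on R2), and, as an assumption,
! the UDP probe ports that IOS traceroute from R1 would use.
ip access-list extended INBOUND
 permit icmp any any
 permit eigrp any any
 permit udp any any range 33434 33534
 evaluate MYREFLECT
!
! Apply both lists on the filtering interface.
interface FastEthernet0/0
 ip access-group OUTBOUND out
 ip access-group INBOUND in
!
! Optional: idle timeout for reflected entries (default is 300 seconds).
ip reflexive-list timeout 120
```

With this in place, `show ip access-lists` on R2 shows the match counters on OUTBOUND and INBOUND, and while a telnet from R3 to R1 is open it also lists a temporary entry under "Reflexive IP access list MYREFLECT" with the ports of that session reversed; the entry disappears when the session closes or the timeout expires. A telnet from R1 to R3 has no matching entry and is dropped by the implicit deny at the end of INBOUND.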
If our configuration is correct telnet from R3 to R1 should work but not
the other way around.
Still working. We can also see matches in the ACL.
Now lets try from R1 to R3.
That was denied. Are we still able to ping R1 from R3?
There are also matches in the ACL.
Traceroute from R1.
Can R1 form an EIGRP peering?
So reflexive access-lists can be a very useful feature. If you have
a lab task that says that only traffic initiated from inside should
be allowed back in it’s a good bet to use reflexive access-lists.
If you download the .net file remember to set the IOS image dir and your working dir.