Reflexive Access-List

By default, an access-list does not keep track of sessions. An access-list consists of permit and deny rules that are scanned from top to bottom; the first rule that matches a packet is applied and no further rules are evaluated.

For a very small office, a reflexive access-list acts as a basic stateful firewall: it allows only traffic belonging to sessions initiated from inside the network and denies other packets arriving from the outside network.

Reflexive Access-list –
A reflexive access-list is an access-list that allows, from the outside network, only the replies to sessions that were initiated from within the network.



Working –
When a session is initiated within the network and leaves through the router operating the reflexive access-list, the reflexive access-list is triggered. It creates a temporary entry for the traffic initiated within the network and allows, from the outside network, only the traffic that is part of that session. This temporary entry is removed when the session ends.

characteristics of temporary entry –

  1. The entry specifies the same source and destination addresses as the original outbound packet (the packet going outside the network), with the two swapped, since it matches packets coming back from the outside network.
  2. The entry specifies the same source and destination port numbers as the original outbound packet, again swapped for the returning traffic.
  3. The entry specifies the same protocol as the original outbound packet.

Characteristics of Reflexive access-list –

  1. A reflexive access-list must be nested inside a named extended access-list.
  2. It cannot be applied directly to an interface.
  3. A temporary entry is generated when a session begins and automatically removed when the session ends (for TCP, when the router sees the session torn down with FIN or RST; otherwise after an idle timeout, 300 seconds by default).
  4. A reflexive access-list has no implicit deny of its own: if no temporary entry matches, evaluation simply continues with the next line of the extended access-list it is nested in (which does end with an implicit deny).
  5. Just like a normal access-list, once one entry matches, no more entries are evaluated.
  6. A reflexive access-list cannot be defined with a numbered access-list.
  7. A reflexive access-list cannot be defined with a named or numbered standard access-list.

Configuration –

There are two routers, router1 (ip address 10.1.1.1/24 on fa0/0 and 11.1.1.1/24 on fa0/1) and router2 (ip address 11.1.1.2/24 on fa0/0 and 12.1.1.1/24 on fa0/1), and two hosts, PC1 (ip address 10.1.1.2/24) and PC2 (ip address 12.1.1.2/24). First, we will give routes, through EIGRP, to both routers so that the PCs are able to ping each other.

Configuring EIGRP on router1:

router1(config)#router eigrp 100
router1(config-router)#network 10.1.1.0
router1(config-router)#network 11.1.1.0
router1(config-router)#no auto-summary

Configuring EIGRP on router2:

router2(config)#router eigrp 100
router2(config-router)#network 11.1.1.0
router2(config-router)#network 12.1.1.0
router2(config-router)#no auto-summary

Now, we will allow tcp, udp and other ip traffic from inside the network (the 10.1.1.0 network) to go out, and evaluate the traffic coming in from the outside networks (12.1.1.0 and 11.1.1.0) against the sessions that traffic created. First, create an access-list named reflexive for the inside traffic going outside.

router1(config)#ip access-list extended reflexive
router1(config-ext-nacl)#permit tcp any any reflect tcp_database
router1(config-ext-nacl)#permit udp any any reflect udp_database
router1(config-ext-nacl)#permit ip any any reflect ip_database

Here, we have allowed tcp, udp and all remaining ip traffic, and the reflect keyword names the reflexive access-lists (tcp_database, udp_database and ip_database) in which the temporary entries for each kind of session are stored. The tcp and udp lines come before the catch-all ip line on purpose: the access-list is evaluated top to bottom and the first match wins, so if permit ip any any were listed first, every packet would match it, the tcp and udp lines would never be reached, and tcp_database and udp_database would stay empty.


Note –
Here, reflexive is the name of the access-list and not a keyword. Now, apply this access-list outbound on interface fa0/1 of router1 so that the traffic going out through the router is allowed and its sessions are recorded.

router1(config)#int fa0/1
router1(config-if)#ip access-group reflexive out

Now, apply an access-list for inbound traffic, i.e. traffic coming into the network. We should allow traffic in only if it belongs to a session initiated by the inside (10.1.1.0) network.

router1(config)#ip access-list extended reflexive_in
router1(config-ext-nacl)#permit eigrp any any
router1(config-ext-nacl)#evaluate tcp_database
router1(config-ext-nacl)#evaluate udp_database
router1(config-ext-nacl)#evaluate ip_database

Here, we have allowed EIGRP traffic explicitly so that the routers keep their adjacency and reachability; without this line the implicit deny at the end of the access-list would drop the EIGRP packets arriving on fa0/1, the routes would be lost and no traffic would be able to come back into the network.
We have evaluated tcp_database, udp_database and ip_database so that inbound traffic (tcp, udp or other ip) is allowed only when it matches a session initiated inside the network. Now apply this access-list to interface fa0/1 in the inbound direction, because it is the traffic coming in that has to be evaluated.

router1(config)#int fa0/1
router1(config-if)#ip access-group reflexive_in in

Here, reflexive_in is the name of the access-list.
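The behaviour of the two access-lists above, as an added Python model written for this article (it is not part of the original page and not IOS code). It models router1's fa0/1 with the article's addresses and constructed packets; the simplifications are labelled in the comments: every rule is any/any, a TCP session is torn down on the first FIN or RST, and the idle timeout is the IOS default of 300 seconds. It also contrasts the order of the outbound lines shown above with the order in which the catch-all ip line is listed first.

```python
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 300  # seconds; IOS default (`ip reflexive-list timeout`)


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp", "icmp", "eigrp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: frozenset = frozenset()


class ReflexiveList:
    """Temporary entries written by `reflect` and consulted by `evaluate`."""

    def __init__(self, name: str, timeout: int = IDLE_TIMEOUT):
        self.name, self.timeout = name, timeout
        self.entries: dict = {}   # (proto, src, sport, dst, dport) -> expiry

    def reflect(self, pkt: Packet, now: float) -> None:
        # Same protocol, addresses and ports as the outbound packet, with
        # source and destination swapped so the entry matches the replies.
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout

    def matches(self, pkt: Packet, now: float) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False
        if now >= expiry:            # idle timeout expired: entry is gone
            del self.entries[key]
            return False
        if pkt.proto == "tcp" and pkt.tcp_flags & {"FIN", "RST"}:
            del self.entries[key]    # session end (simplified: first FIN/RST)
        else:
            self.entries[key] = now + self.timeout   # refresh the idle timer
        return True


@dataclass
class Rule:
    action: str                    # "permit", "deny" or "evaluate"
    proto: str = "ip"              # "ip" matches every protocol; all rules any/any
    reflect: Optional[str] = None  # reflexive list to populate on a match
    evaluate: Optional[str] = None # reflexive list to consult


class ExtendedACL:
    def __init__(self, rules: list, lists: dict):
        self.rules, self.lists = rules, lists

    def check(self, pkt: Packet, now: float) -> str:
        for r in self.rules:
            if r.action == "evaluate":
                if self.lists[r.evaluate].matches(pkt, now):
                    return "permit"
                continue             # no implicit deny in a reflexive list
            if r.proto != "ip" and r.proto != pkt.proto:
                continue
            if r.action == "permit" and r.reflect:
                self.lists[r.reflect].reflect(pkt, now)
            return r.action          # first match wins; later lines unseen
        return "deny"                # implicit deny of the extended ACL


CATCH_ALL_FIRST = [  # permit ip listed first: it shadows the tcp and udp lines
    Rule("permit", "ip", reflect="ip_database"),
    Rule("permit", "tcp", reflect="tcp_database"),
    Rule("permit", "udp", reflect="udp_database"),
]
SPECIFIC_FIRST = [   # the order used above: tcp and udp before the ip line
    Rule("permit", "tcp", reflect="tcp_database"),
    Rule("permit", "udp", reflect="udp_database"),
    Rule("permit", "ip", reflect="ip_database"),
]


def run_scenario(outbound_rules: list) -> dict:
    """Replay constructed traffic through router1 fa0/1 (out, then in)."""
    lists = {n: ReflexiveList(n) for n in ("tcp_database", "udp_database", "ip_database")}
    out_acl = ExtendedACL(outbound_rules, lists)
    in_acl = ExtendedACL([Rule("permit", "eigrp"),
                          Rule("evaluate", evaluate="tcp_database"),
                          Rule("evaluate", evaluate="udp_database"),
                          Rule("evaluate", evaluate="ip_database")], lists)
    # Constructed packets using the article's addresses (PC1 -> PC2, port 80).
    syn = Packet("tcp", "10.1.1.2", "12.1.1.2", 40000, 80, frozenset({"SYN"}))
    reply = Packet("tcp", "12.1.1.2", "10.1.1.2", 80, 40000, frozenset({"SYN", "ACK"}))
    stray = Packet("tcp", "12.1.1.2", "10.1.1.2", 80, 40001, frozenset({"SYN"}))
    fin = Packet("tcp", "12.1.1.2", "10.1.1.2", 80, 40000, frozenset({"FIN", "ACK"}))
    hello = Packet("eigrp", "11.1.1.2", "224.0.0.10")
    r = {}
    r["outbound_syn"] = out_acl.check(syn, 0)
    r["populated"] = [n for n, l in lists.items() if l.entries]
    r["reply"] = in_acl.check(reply, 1)            # part of the session
    r["unsolicited"] = in_acl.check(stray, 1)      # other port: no entry
    r["eigrp"] = in_acl.check(hello, 1)            # routing kept alive
    in_acl.check(fin, 2)                           # FIN tears the entry down
    r["reply_after_fin"] = in_acl.check(reply, 3)
    out_acl.check(syn, 10)                         # PC1 opens a new session
    r["reply_after_timeout"] = in_acl.check(reply, 10 + IDLE_TIMEOUT + 1)
    return r
```

With SPECIFIC_FIRST the SYN populates tcp_database, the reply is permitted, a packet to a different inside port is denied, EIGRP still gets through, and the reply is denied again both after the FIN and once the idle timeout has passed. With CATCH_ALL_FIRST the same traffic is permitted, but only ip_database ever gets an entry, so the tcp_database and udp_database lines and their evaluate statements are dead configuration. On a real router the temporary entries and their remaining lifetime can be inspected with show ip access-lists, and the idle timeout can be changed globally with ip reflexive-list timeout or per line with the timeout keyword after reflect.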

Advantages – Advantages of reflexive access-lists are:

  • Easy to implement.
  • Provide greater control over the traffic coming from the outside network.
  • Provide protection from certain DoS attacks and from spoofed packets that do not belong to any inside-initiated session.

Disadvantage –

  • Some applications negotiate additional connections on dynamic ports (active-mode FTP is the classic case). A reflexive access-list only creates entries with the exact ports of the original outbound packet, so these secondary connections arrive from outside with no matching entry and are denied, and the application fails.

