Open In App

Reflexive Access-List

Last Updated : 29 Oct, 2021
Improve
Improve
Like Article
Like
Save
Share
Report

By default, an access-list doesn’t keep track of the sessions. An access list consists of various permit and denies rules which are scanned from top to bottom. If any of the conditions match then it is executed and no other condition is matched. 

For a very small office, a reflexive Access-list acts as a stateful firewall as it allows only the traffic that is initiated within the network and denies other packets coming from outside the network. 

Reflexive Access-list – 
Reflexive Access-list is an access-list that allows only the replies of the packets of the sessions initiated within the network (from the outside network). 

Working – 
When a session is initiated within the network and goes outside the network through the router (operating reflexive Access-list), reflexive Access-list are triggered. Therefore, it creates a temporary entry for the traffic which is initiated within the network and allows only those traffic from the outside network which is a part of the session (traffic generated within the network). This temporary entry is removed when the session ends. 

characteristics of temporary entry – 
 

  1. The entry specifies the same source and destination address as the original outbound packet (the packet going outside the network), except they are swapped when coming from outside the network. 
  2. The entries should have the same source and destination port number as the original outbound packet, except they are swapped when coming from outside the network. 
  3. The entry should have the same protocol as the original outbound packet. 
     

Characteristics of Reflexive access-list – 
 

  1. Reflexive Access-list should be nested inside the named Extended Access-list. 
  2. It cannot be applied directly to an interface. 
  3. A temporary entry is generated when a session begins and automatically destroyed when the session ends. 
  4. It does not have implicit deny at the end of the Access-list. 
  5. Just like a normal access list, if one of the conditions matches then no more entries are evaluated. 
  6. Reflexive Access-list cannot be defined with numbered Access-list 
  7. Reflexive Access-list cannot be defined with named or numbered standard Access-list. 
     

Configuration – 

 

There are 2 routers namely router1 (IP address – 10.1.1.1/24 on fa0/0 and 11. 1.1.1/24 on fa0/1), router2 (IP address-11.1.1.2/24 on fa0/0 and 12.1.1.1/24 on fa0/1) and PC1 (IP address-10.1.1.2/24) and PC2 (IP address-12.1.1.2/24). First, we will give routes, through EIGRP, to all the routers so that PCs will be able to ping each other. 

Configuring Eigrp on router1: 
 

router1(config)#router Eigrp 100
router1(config-router)#network 10.1.1.0
router1(config-router)#network 11.1.1.0
router1(config-router)#No auto-summary

Configuring Eigrp on router2: 
 

router2(config)#router Eigrp 100
router2(config-router)#network 11.1.1.0
router2(config-router)#network 12.1.1.0
router2(config-router)#No auto-summary

Now, we will allow IP, TCP, and UDP traffic from inside the network (10.1.1.0 network) and evaluate the traffic coming from outside the network (12.1.1.0 and 11.1.1.0 network). Creating Access-list named as reflexive for the inside traffic going outside. 
 

router1(config)#ip Access-list extended reflexive 
router1(config-ext-na)#permit ip any any reflect ip_database
router1(config-ext-nacl)#permit tcp any any reflect tcp_database
router1(config-ext-nacl)#permit udp any any reflect udp_database

Here, we have allowed IP, TCP, and UDP traffic and we have named it as ip_database, tcp_database, and udp_database. 

Note – 
Here, Reflexive is the name of the Access-list and not a keyword. Now, apply this Access-list to the outbound of int fa0/1 of router1 so that the traffic going out the router should be allowed. 
 

router1(config)#int fa0/1
router1(config-if)#ip access-group reflexive out

Now, apply an access list for inbound traffic i.e traffic coming inside the network. We should allow only that traffic to come inside if it is initiated by the inside (10.1.1.0) network. 
 

router1(config)#ip access-list extended reflexive_in
router1(config-ext-nacl)#permit Eigrp any any
router1(config-ext-nacl)#evaluate tcp_database
router1(config-ext-nacl)#evaluate udp_database
router1(config-ext-nacl)#evaluate ip_database

Here, we have allowed Eigrp traffic so that reachability should be there between the routers otherwise no traffic will be able to come back inside the ether network. 
We have evaluated the udp_databse, ip_database, and tcp_database so that traffic (TCP, UDP, or IP) is allowed which has been initiated inside the network. Now, apply this to interface fa0/1 in the inside direction because the traffic coming inside should be evaluated. 
 

router1(config)#int fa0/1
router1(config-if)#ip access-group reflexive_in in

Here, reflexive_in is the name of the Access-list. 

Advantages – Advantages of reflexive Access-list are: 
 

  • Easy to implement. 
  • Provides greater control over the traffic coming from the outside network. 
  • Provides security from certain Dos attacks and spoofing. 
     

Disadvantage – 
 

  • Some applications use dynamic ports due to which failure can occur as for the reflexive Access-list the source and destination ports should be static. 
     

 


Like Article
Suggest improvement
Previous
Extended Access-List
Next
What is IPv6?
Share your thoughts in the comments

Similar Reads

Standard Access-List
Extended Access-List
Time based Access-List
Controlled Access Protocols in Computer Network
Access and Trunk Ports
Multiple Access Protocols in Computer Network
Java | CDMA (Code Division Multiple Access)
Access-Lists (ACL)
Role-based Access Control
Difference between site to site VPN and remote access VPN
author
saurabhsharma56
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox