Today I have been going through some more of the INE Vol2 labs and thought I would do a quick post on reflexive ACL’s.
Reflexive ACL’s can be used as a basic kind of ‘stateful’ table on devices to allow traffic back inbound on already established connections.
The reflective part of this feature can only be used on normal traffic flows where the inbound traffic is the same as the traffic that flowed outbound, this means it cannot be used for things like traceroute, VoIP (SIP) calls, FTP (active) and so special considerations should be used for this kind of traffic.
Reflexive ACL’s are configured as a pair and usually applied to the same interface, one in an inbound direction and one in the outbound direction.
To configure reflexive ACL’s we make use of a couple of new commands when creating extended access lists, below is a simple example of a reflexive ACL pair (inbound and outbound) –
R2#conf t R2(config)#ip access-list extended OUTBOUND R2(config-ext-nacl)#permit tcp any any reflect STATEFUL R2(config-ext-nacl)#permit udp any any reflect STATEFUL R2(config-ext-nacl)#permit icmp any any reflect STATEFUL R2(config-ext-nacl)#permit ip any any R2(config-ext-nacl)#exit R2(config)#ip access-list extended INBOUND R2(config-ext-nacl)#evaluate STATEFUL # used to insert the reflected rules R2(config-ext-nacl)#permit icmp any any ttl-exceeded # allows return traceroute traffic R2(config-ext-nacl)#permit icmp any any port-unreachable # allows return traceroute traffic R2(config-ext-nacl)#deny ip any any log # logs any denied traffic R2(config-ext-nacl)#exit R2(config)#interface FastEthernet0/0 R2(config-if)#ip access-group OUTBOUND out R2(config-if)#ip access-group INBOUND in
As we can see the configuration is pretty simple, one important thing we need to remember though is to check that no traffic is being blocked that shouldn’t be (e.g. IGP traffic, non-standard traffic) so it is always important to know what traffic should be allowed through and put in explicit permit entries if needed. I have used an explicit deny at the end of the inbound ACL with the log option so that we can see any traffic that is being denied and add explicit permits if needed.
Once the ACL has been applied you can check counters just like any ACL using the ‘show ip access-list’ command, the only difference is that it will now show you the dynamic reflected ACL entries that will be used by the ‘evaluate’ statements.
R2#sh ip access-lists Extended IP access list INBOUND 10 evaluate STATEFUL 20 permit icmp any any time-exceeded (3 matches) 30 permit icmp any any port-unreachable (2 matches) 40 deny ip any any log Reflexive IP access list STATEFUL permit icmp host 126.96.36.199 host 188.8.131.52 (10 matches) (time left 297) Extended IP access list OUTBOUND 10 permit tcp any any reflect STATEFUL (12 matches) 20 permit udp any any reflect STATEFUL 30 permit icmp any any reflect STATEFUL (10 matches) 20 permit ip any any (11 matches)