Reflexive access lists provide the capability to filter network traffic at a router, based on IP upper-layer protocol "session" information. Like the established argument, you can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. Unlike the established argument, reflexive access lists can do this with all Internet protocols, not just TCP. This is accomplished by reflexive filtering, a way of dynamically matching incoming traffic with the pattern of outgoing traffic.
Note: Reflexive access lists can be defined with extended named IP access lists only; numbered lists do not support this feature.
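To make the reflexive filtering mechanism concrete, the following Python model is an added example; it is not Cisco IOS code and not part of the original document. It models what the text describes: an outbound packet that is permitted creates a temporary inbound entry whose addresses and ports are the mirror image of the outbound packet, inbound traffic is permitted only while a matching temporary entry exists, and the mechanism works for UDP and other protocols as well as TCP. The 300-second idle timeout, the `inside_prefix` shortcut for "originating from within your network", and all addresses are constructed assumptions of the model; TCP session teardown on FIN or RST is not modelled.

```python
"""Toy model of reflexive access-list behaviour (added example, not Cisco IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str    # "tcp", "udp", "icmp", ...
    src: str
    sport: int    # 0 for protocols without ports
    dst: str
    dport: int
    time: float   # seconds; drives the idle-timeout logic


class ReflexiveFilter:
    def __init__(self, inside_prefix: str, timeout: float = 300.0):
        self.inside_prefix = inside_prefix   # assumption: "inside" = this address prefix
        self.timeout = timeout               # assumption: idle timeout in seconds
        # temporary entries: mirrored 5-tuple expected on the inbound side -> last activity time
        self.entries: dict[tuple, float] = {}

    def _expire(self, now: float) -> None:
        """Drop temporary entries that have been idle longer than the timeout."""
        self.entries = {k: t for k, t in self.entries.items() if now - t <= self.timeout}

    def outbound(self, pkt: Packet) -> bool:
        """Outbound list: permit sessions originating inside and reflect them."""
        self._expire(pkt.time)
        if not pkt.src.startswith(self.inside_prefix):
            return False   # not from inside: no session is created
        # The temporary entry is the mirror image of the outgoing packet:
        # source and destination (and their ports) are swapped.
        mirror = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[mirror] = pkt.time
        return True

    def inbound(self, pkt: Packet) -> bool:
        """Inbound list: permit only traffic that matches a live temporary entry."""
        self._expire(pkt.time)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.entries:
            self.entries[key] = pkt.time   # activity in either direction keeps the entry alive
            return True
        return False   # no matching session: implicit deny


def demo() -> dict:
    """Run a constructed traffic sequence through the model and return each verdict."""
    f = ReflexiveFilter("10.0.0.", timeout=300.0)
    r = {}
    # TCP session originating inside; the reply is permitted by the mirrored entry
    r["tcp_out"] = f.outbound(Packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 80, 0.0))
    r["tcp_reply"] = f.inbound(Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40000, 1.0))
    # Same outside host, but a port nobody inside talked to: no entry, denied
    r["tcp_unsolicited"] = f.inbound(Packet("tcp", "203.0.113.7", 80, "10.0.0.5", 40001, 1.0))
    # UDP works the same way (something the established argument cannot do)
    r["udp_out"] = f.outbound(Packet("udp", "10.0.0.5", 53001, "198.51.100.53", 53, 2.0))
    r["udp_reply"] = f.inbound(Packet("udp", "198.51.100.53", 53, "10.0.0.5", 53001, 2.5))
    # Outbound packet carrying an outside source address creates no session
    r["outside_src_out"] = f.outbound(Packet("tcp", "192.0.2.9", 1234, "203.0.113.7", 80, 3.0))
    # A reply arriving after the idle timeout finds its entry expired
    r["udp_late"] = f.inbound(Packet("udp", "198.51.100.53", 53, "10.0.0.5", 53001, 303.5))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {'permit' if verdict else 'deny'}")
```

The `tcp_unsolicited` and `udp_late` cases show the two ways the model denies: no session was ever reflected, or the reflected entry has aged out. A real router keys the temporary entry on the same mirrored address and port information; the prefix-based "inside" test here stands in for whatever the outbound access list actually permits.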
Reflexive access lists are an important part of securing a network against hackers because they can prevent most kinds of spoofing and denial-of-service attacks. Reflexive access lists are simple to use, and, compared to basic access lists, they provide greater control over which packets enter your network. The following sections describe how reflexive access lists work, what their limitations are, and how you can configure reflexive access lists.