The figure shows a reflexive access
list for RTA. To create this list, first define and apply the
outbound list that will be reflected. The reflection will generate
reflexive access list entries:
RTA(config)#ip access-list extended OUTBOUND
RTA(config-ext-nacl)#permit ip any any reflect INVITED-TRAFFIC
RTA(config-ext-nacl)#exit
RTA(config)#interface serial0
RTA(config-if)#ip access-group OUTBOUND out
The commands shown in the above example create an extended named
access list called OUTBOUND. This list includes an entry that
creates the reflexive list, INVITED-TRAFFIC. Entries for
INVITED-TRAFFIC will be generated dynamically based on a reflection
of the outbound traffic flow.
Next, configure an inbound list that will match incoming traffic
(traffic coming in from the Internet) to this reflexive list, as
shown:
RTA(config)#ip access-list extended INBOUND
RTA(config-ext-nacl)#evaluate INVITED-TRAFFIC
RTA(config-ext-nacl)#exit
RTA(config)#interface serial0
RTA(config-if)#ip access-group INBOUND in
The commands in this example create an extended named access list
called INBOUND. This list will be used to match traffic coming in
from the Internet. Although you could include other entries, the
only one shown here is the evaluate statement, which nests the
reflexive access list INVITED-TRAFFIC inside the list INBOUND. This
evaluate statement instructs the router to permit only traffic that
matches the INVITED-TRAFFIC reflexive access list; any incoming
packet that matches no entry in INVITED-TRAFFIC falls through to the
implicit deny at the end of INBOUND. If desired, you can set a
global timeout to something other than the default, as shown:
RTA(config)#ip reflexive-list timeout 200
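The following Python model is an added illustration, not IOS code and not part of the original text. It simulates what the three configuration steps above make RTA do: the outbound reflect entry mints a temporary mirrored entry (source and destination swapped) for each flow leaving serial0, the inbound evaluate statement admits only packets that match such an entry, and an entry disappears when the reflexive timeout (200 seconds here, as configured above) elapses with no matching traffic or when a TCP session is torn down. The host addresses, ports and timestamps are constructed; the refresh-on-match and teardown handling are simplifications of router behaviour, not a claim about IOS internals.

```python
"""Toy model of Cisco reflexive access-list behaviour (added example, not IOS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp" (icmp uses port 0)
    src: str
    sport: int
    dst: str
    dport: int
    fin_or_rst: bool = False   # TCP teardown flag (constructed field)


class ReflexiveList:
    """Dynamically generated entries, keyed by the 5-tuple of the expected reply."""

    def __init__(self, name: str, timeout: int = 300):
        self.name = name
        self.timeout = timeout        # inactivity timeout in seconds (IOS default 300)
        self.entries: dict[tuple, int] = {}   # reply 5-tuple -> expiry time

    def reflect(self, pkt: Packet, now: int) -> None:
        # Mirror the outbound flow: the reply must come from dst:dport back to src:sport.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = now + self.timeout

    def evaluate(self, pkt: Packet, now: int) -> bool:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)   # expired or never invited: no match
            return False
        if pkt.proto == "tcp" and pkt.fin_or_rst:
            del self.entries[key]         # session teardown removes the entry (simplified)
        else:
            self.entries[key] = now + self.timeout   # matching traffic restarts the timer
        return True


class Router:
    """RTA with OUTBOUND applied out and INBOUND applied in on serial0."""

    def __init__(self, timeout: int = 300):
        self.invited = ReflexiveList("INVITED-TRAFFIC", timeout)

    def outbound(self, pkt: Packet, now: int) -> bool:
        # OUTBOUND: permit ip any any reflect INVITED-TRAFFIC
        self.invited.reflect(pkt, now)
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        # INBOUND: evaluate INVITED-TRAFFIC, then the implicit deny
        return self.invited.evaluate(pkt, now)


def demo() -> dict:
    """Walk through invited, uninvited, expired and torn-down flows."""
    rta = Router(timeout=200)   # ip reflexive-list timeout 200
    inside, web = "10.1.1.5", "203.0.113.10"   # constructed addresses

    # Inside host opens an HTTP session; RTA reflects it.
    rta.outbound(Packet("tcp", inside, 40000, web, 80), now=0)
    reply = Packet("tcp", web, 80, inside, 40000)
    unsolicited = Packet("tcp", web, 4444, inside, 22)      # nobody invited this
    wrong_port = Packet("tcp", web, 80, inside, 40001)      # right server, wrong session

    results = {
        "reply_allowed": rta.inbound(reply, now=10),
        "unsolicited_denied": not rta.inbound(unsolicited, now=10),
        "wrong_port_denied": not rta.inbound(wrong_port, now=10),
        # Timer was refreshed at t=10, so the entry expires at t=210.
        "reply_after_timeout_denied": not rta.inbound(reply, now=211),
    }

    # A second session: the server's FIN is admitted, then the entry is gone.
    rta.outbound(Packet("tcp", inside, 40002, web, 443), now=300)
    fin = Packet("tcp", web, 443, inside, 40002, fin_or_rst=True)
    results["fin_allowed"] = rta.inbound(fin, now=301)
    results["entry_removed_after_fin"] = not rta.inbound(
        Packet("tcp", web, 443, inside, 40002), now=302)

    # UDP has no teardown: a DNS reply is admitted purely on the mirrored tuple.
    rta.outbound(Packet("udp", inside, 53000, "198.51.100.53", 53), now=400)
    results["dns_reply_allowed"] = rta.inbound(
        Packet("udp", "198.51.100.53", 53, inside, 53000), now=401)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The model makes the limit stated in the text concrete: every decision is taken on protocol, addresses and ports alone, so a reply that arrives on the invited 5-tuple is admitted whatever its payload carries; that is why the next section moves to application-aware inspection.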
When configured with a reflexive access list, RTA presents a
sophisticated firewall, but still a limited one. None of the access
lists discussed so far in this chapter can go beyond Layer 4 to
filter traffic based on application. However, the next generation of
access lists, context-based access control, can do just that, as you
will see in the next section.