By applying a reflexive list to an
external interface (the interface that connects to the outside
world), you can prevent IP traffic from entering the internal
network, unless the traffic is part of a session already
established. The following are the steps in configuring a reflexive
access list:
- Define the extended named access list that will be applied to the outbound interface. Outbound traffic is traffic originating from your local hosts, which is leaving your network to outside destinations. This traffic will be monitored by the router and used to create reflexive access lists. In a sense, this traffic's "reflection" will be allowed to enter your local network as invited traffic. Use the following syntax to create this list:
  router(config)# ip access-list extended extended-list-name
- Configure the extended named access list to include an entry to reflect traffic. The reflect name parameters create the reflexive list and assign it a name. The name will be used later in this configuration. Use the following syntax:
  router(config-ext-nacl)# permit ip-protocol any any reflect name [timeout seconds]
- Apply the outbound list to the outbound interface:
  router(config-if)# ip access-group extended-list-name out
- Define the extended named access list that will filter incoming traffic. This list will include an entry to evaluate incoming traffic (traffic coming in from the outside world) against the reflexive list:
  router(config)# ip access-list extended extended-list-name
- Configure this extended named access list to include the entry to evaluate traffic against the reflexive list's assigned name:
  router(config-ext-nacl)# evaluate name
  Note that this entry is nested inside the extended list. Other permit or deny statements can be used before the evaluate statement. However, if a packet does match a preceding statement, it will not be tested for a match against any of the other entries, including the evaluate statement.
- Apply the inbound list to the external interface for incoming traffic:
  router(config-if)# ip access-group extended-list-name in
- (Optional) Specify a global timeout value for dynamic reflexive list entries:
  router(config)# ip reflexive-list timeout seconds
Reflexive access list entries expire after no packets in the
session have been detected for a specified length of time (the
timeout period). If you do not specify the timeout for a given
reflexive access list, the list will use the global timeout value
instead. The global timeout value is 300
seconds, by default, but you can change the global timeout to a
different value at any time.
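As an added example (not part of the original text), the steps above assembled into one configuration for a router whose external interface is Serial0/0; the interface name, the list names, the documentation-range addresses and the timeout values are all assumptions, and NAT is not shown:

```cisco
! Added example, not from the original text. Serial0/0 is the external
! interface; 192.0.2.0/24 is the internal network (assumed values).
!
! Steps 1-2: outbound list. Each TCP/UDP/ICMP packet leaving creates a
! temporary entry in the reflexive list "internal-sessions" whose source
! and destination addresses/ports are swapped, so only the replies to
! that session are let back in.
ip access-list extended outbound-filter
 permit tcp any any reflect internal-sessions timeout 120
 permit udp any any reflect internal-sessions timeout 60
 permit icmp any any reflect internal-sessions
!
! Steps 4-5: inbound list. Entries before "evaluate" are tested first: a
! packet matching the SMTP permit below is never tested against the
! reflexive list, while anything else falls through to evaluate and then
! to the explicit (logged) deny.
ip access-list extended inbound-filter
 permit tcp any host 192.0.2.10 eq 25
 evaluate internal-sessions
 deny ip any any log
!
! Steps 3 and 6: both lists go on the external interface, in opposite
! directions.
interface Serial0/0
 description External link
 ip address 198.51.100.1 255.255.255.252
 ip access-group outbound-filter out
 ip access-group inbound-filter in
!
! Step 7 (optional): global timeout, used by the ICMP entries above that
! carry no per-entry timeout; the TCP and UDP entries keep their own.
ip reflexive-list timeout 180
```

Verify the resulting temporary entries with show access-lists while an internal host has a session open; they disappear once the session closes or its timeout expires.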