10.4 Session Filtering
10.4.6 Reflexive access list configuration example
The figure shows a reflexive access list for RTA. To create this list, first define and apply the outbound list that will be reflected. The reflection will generate reflexive access list entries:

RTA(config)#ip access-list extended OUTBOUND
RTA(config-ext-nacl)#permit ip any any reflect INVITED-TRAFFIC
RTA(config-ext-nacl)#exit
RTA(config)#interface serial0
RTA(config-if)#ip access-group OUTBOUND out

The commands shown in the above example create an extended named access list called OUTBOUND. This list includes an entry that creates the reflexive list, INVITED-TRAFFIC. Entries for INVITED-TRAFFIC will be generated dynamically based on a reflection of the outbound traffic flow.

Next, configure an inbound list that will match incoming traffic (traffic coming in from the Internet) to this reflexive list, as shown:

RTA(config)#ip access-list extended INBOUND
RTA(config-ext-nacl)#evaluate INVITED-TRAFFIC
RTA(config-ext-nacl)#exit
RTA(config)#interface serial0
RTA(config-if)#ip access-group INBOUND in

The commands in this example create an extended named access list called INBOUND. This list will be used to match traffic coming in from the Internet. Although you could include other entries, the only one shown here is the evaluate statement, which nests the reflexive access list INVITED-TRAFFIC inside INBOUND. This evaluate statement instructs the router to permit only traffic that matches a current INVITED-TRAFFIC entry; anything else falls through to the implicit deny at the end of INBOUND. If desired, you can set a global timeout to something other than the default, as shown:

RTA(config)#ip reflexive-list timeout 200
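To make the reflection concrete, the following Python model (an added example, not part of the course text or Cisco IOS) shows what the router does behind the OUTBOUND/INBOUND configuration above: an outbound packet that hits the reflect entry produces a mirrored entry with source and destination addresses and ports swapped, the evaluate statement permits only inbound packets that match a live mirrored entry, and entries disappear on timeout or when the TCP session ends. The Packet and ReflexiveList classes, the host addresses and the traffic are all constructed for illustration; the model simplifies IOS by covering only TCP and UDP and by removing an entry on the first FIN or RST it sees.

```python
# Added example: a small model of reflexive access-list behaviour.
# Assumptions (not IOS behaviour in every detail): only TCP/UDP are modelled,
# a session is torn down on the first FIN or RST seen inbound, and the timer
# is refreshed on every packet that matches an entry.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"}, {"FIN"}, {"RST"}


class ReflexiveList:
    """Dynamic entries keyed on the 5-tuple of the expected *return* traffic."""

    def __init__(self, name, timeout=300):   # 300 s is the IOS default global timeout
        self.name = name
        self.timeout = timeout
        self.entries = {}                     # (proto, src, dst, sport, dport) -> expiry time

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)

    def reflect(self, pkt, now):
        """Outbound packet matched 'permit ... reflect NAME': add the mirrored entry."""
        mirrored = Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
        self.entries[self._key(mirrored)] = now + self.timeout

    def evaluate(self, pkt, now):
        """Inbound packet reached 'evaluate NAME': permit only if a live mirrored entry matches."""
        key = self._key(pkt)
        expiry = self.entries.get(key)
        if expiry is None or expiry <= now:
            self.entries.pop(key, None)       # expired entries are discarded
            return False
        if pkt.proto == "tcp" and pkt.flags & {"FIN", "RST"}:
            del self.entries[key]             # session ending: drop the entry
        else:
            self.entries[key] = now + self.timeout   # refresh the timer
        return True


def apply_outbound(acl, pkt, now):
    """Models OUTBOUND = 'permit ip any any reflect INVITED-TRAFFIC'."""
    acl.reflect(pkt, now)
    return True


def apply_inbound(acl, pkt, now):
    """Models INBOUND = 'evaluate INVITED-TRAFFIC' followed by the implicit deny."""
    return acl.evaluate(pkt, now)


def run_scenario(timeout=200):
    """Constructed traffic: an inside host opens HTTP to an Internet web server."""
    invited = ReflexiveList("INVITED-TRAFFIC", timeout)
    out = Packet("tcp", "10.1.1.5", "203.0.113.10", 40000, 80, frozenset({"SYN"}))
    apply_outbound(invited, out, 0)
    reply = Packet("tcp", "203.0.113.10", "10.1.1.5", 80, 40000, frozenset({"SYN", "ACK"}))
    unsolicited = Packet("tcp", "198.51.100.7", "10.1.1.5", 12345, 22, frozenset({"SYN"}))
    wrong_port = Packet("tcp", "203.0.113.10", "10.1.1.5", 80, 40001)   # same server, other session
    return {
        "reply_permitted": apply_inbound(invited, reply, 1),
        "unsolicited_denied": not apply_inbound(invited, unsolicited, 1),
        "wrong_port_denied": not apply_inbound(invited, wrong_port, 1),
        # The reply at t=1 refreshed the timer to 1 + timeout; well past that it is gone.
        "reply_after_timeout_denied": not apply_inbound(invited, reply, 1 + timeout + 1),
    }


def run_teardown():
    """An inbound FIN is permitted once and then removes the entry."""
    invited = ReflexiveList("INVITED-TRAFFIC", 200)
    apply_outbound(invited, Packet("tcp", "10.1.1.5", "203.0.113.10", 40000, 80, frozenset({"SYN"})), 0)
    fin = Packet("tcp", "203.0.113.10", "10.1.1.5", 80, 40000, frozenset({"FIN", "ACK"}))
    return apply_inbound(invited, fin, 1), apply_inbound(invited, fin, 2)


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
    print("teardown (first FIN permitted, second denied):", run_teardown())
```

The mirrored entry is the whole point of the `reflect` keyword: for the constructed HTTP session the router ends up holding an entry equivalent to `permit tcp host 203.0.113.10 eq 80 host 10.1.1.5 eq 40000`, so a reply from the same server on a different client port, or any unsolicited connection, still meets the implicit deny. The timeout value passed to `run_scenario` plays the role of the `ip reflexive-list timeout` command above.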

When configured with a reflexive access list, RTA presents a sophisticated firewall, but still a limited one. None of the access lists discussed so far in this chapter can go beyond Layer 4 to filter traffic based on application. However, the next generation of access lists, context-based access control, can do just that, as you will see in the next section.