10.4 Session Filtering
10.4.2 Reflexive access lists
Reflexive access lists provide the capability to filter network traffic at a router, based on IP upper-layer protocol "session" information. Like the established argument, you can use reflexive access lists to permit IP traffic for sessions originating from within your network but to deny IP traffic for sessions originating from outside your network. Unlike the established argument, reflexive access lists can do this with all Internet protocols, not just TCP. This is accomplished by reflexive filtering, a way of dynamically matching incoming traffic against the pattern of outgoing traffic: when an outbound packet matches an entry marked for reflection, the router creates a temporary inbound entry with the source and destination addresses and ports swapped, and removes it when the session ends or its timeout expires.

Note: Reflexive access lists can be defined with extended named IP access lists only; numbered lists do not support this feature.

Reflexive access lists are an important part of securing a network against hackers because they can prevent most kinds of spoofing and denial-of-service attacks. Reflexive access lists are simple to use, and, compared to basic access lists, they provide greater control over which packets enter your network. The following sections describe how reflexive access lists work, what their limitations are, and how you can configure reflexive access lists.
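The following is an added example configuration, not taken from this document, showing how the two halves of a reflexive access list fit together on the interface that faces the Internet. The list names (outboundfilters, inboundfilters, tcptraffic, udptraffic, icmptraffic), the interface Serial 1, and the 120-second timeout are assumed values chosen for illustration.

```cisco
! Outbound list: every permitted session also creates a temporary,
! mirrored entry in the named reflexive list (source/destination swapped).
ip access-list extended outboundfilters
 permit tcp any any reflect tcptraffic
 permit udp any any reflect udptraffic
 permit icmp any any reflect icmptraffic
!
! Inbound list: traffic is checked against the reflexive entries at the
! point of each evaluate statement, so only replies to sessions that
! started inside the network get through. Anything not matched by a
! static permit or a reflexive entry falls to the implicit deny.
ip access-list extended inboundfilters
 evaluate tcptraffic
 evaluate udptraffic
 evaluate icmptraffic
!
! Both lists must be extended named lists; numbered lists cannot reflect.
interface Serial 1
 description Access to the Internet via this interface
 ip access-group inboundfilters in
 ip access-group outboundfilters out
!
! Assumed global idle timeout for temporary entries (seconds).
! TCP entries are also removed when FIN/RST is seen.
ip reflexive-list timeout 120
```

Sessions whose return traffic arrives on different ports than the outgoing request (for example, multi-channel applications that negotiate a data port) will not be matched by the mirrored entry and need a separate static permit.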