
Friday, April 1, 2011

Reflexive ACLs

Reflexive ACLs were introduced in Cisco IOS Software Release 11.3. Reflexive ACLs allow IP packets to be filtered based on upper-layer session information. They are generally used to allow outbound traffic and to limit inbound traffic in response to sessions that originate inside the router.


Reflexive ACLs can be defined only with extended named IP ACLs. They cannot be defined with numbered or standard named IP ACLs, or with other protocol ACLs. Reflexive ACLs can be used in conjunction with other standard and static extended ACLs.


**Note that locally originated traffic (packets sourced by the router itself) does not match the reflexive ACLs.**


Example configuration
R1 ------- R2
Configure a reflexive access-list so that all TCP/UDP/ICMP traffic passing through the router is allowed out and the matching return traffic is allowed back in. ICMP and Telnet originated from the router itself must also be allowed through to the other router.


ip access-list extended ACL_IN
 permit udp any any eq rip
 permit tcp any any eq bgp
 permit icmp any any echo-reply
 permit tcp any eq telnet any established
 evaluate REFLECT

**Note: we need to allow ICMP and Telnet traffic back to R1 explicitly because locally originated traffic does not match the reflexive ACL, so no temporary entry is created for it.**


ip access-list extended ACL_OUT
 permit tcp any any reflect REFLECT
 permit udp any any reflect REFLECT
 permit icmp any any reflect REFLECT
!
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip access-group ACL_IN in
 ip access-group ACL_OUT out
 duplex auto
 speed auto
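To show what the two ACLs above do to individual packets, here is an added Python model (written for this page, not IOS code or the post's own): the inside host address 10.0.0.5 and R2's address 192.168.1.2 are constructed, and reflexive entry time-outs are not modelled.

```python
# Model of the page's ACL_IN/ACL_OUT pair. R1 (the router) is 192.168.1.1 as configured;
# the inside host 10.0.0.5 and R2 = 192.168.1.2 are constructed for the example.
ROUTER_IP = "192.168.1.1"

def pkt(proto, src, sport, dst, dport, **extra):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, **extra}

def reflect(pkt, table):
    """ACL_OUT 'reflect REFLECT': a transit packet adds a mirrored temporary entry.
    Traffic the router itself originates is not reflected (the caveat the page notes)."""
    if pkt["src"] == ROUTER_IP:
        return False
    table.add((pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"]))
    return True

def static_in(pkt):
    """The static lines of ACL_IN from the page (rip=520, bgp=179, telnet=23)."""
    p, sport, dport = pkt["proto"], pkt["sport"], pkt["dport"]
    return ((p == "udp" and dport == 520)                                   # permit udp any any eq rip
            or (p == "tcp" and dport == 179)                                # permit tcp any any eq bgp
            or (p == "icmp" and pkt.get("type") == "echo-reply")            # permit icmp any any echo-reply
            or (p == "tcp" and sport == 23 and pkt.get("established", False)))  # ... eq telnet any established

def evaluate(pkt, table):
    """ACL_IN 'evaluate REFLECT': does the inbound packet match a reflected entry?"""
    return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]) in table

def inbound_permitted(pkt, table):
    return static_in(pkt) or evaluate(pkt, table)

def demo():
    table = set()
    # 1. Inside host telnets to R2 through R1: reflected, so the reply gets in.
    reflect(pkt("tcp", "10.0.0.5", 40000, "192.168.1.2", 23), table)
    reply_inside = pkt("tcp", "192.168.1.2", 23, "10.0.0.5", 40000)
    # 2. R1 itself telnets to R2: not reflected; only the static 'established' line admits the reply.
    reflect(pkt("tcp", ROUTER_IP, 50000, "192.168.1.2", 23), table)
    reply_router = pkt("tcp", "192.168.1.2", 23, ROUTER_IP, 50000, established=True)
    # 3. A session R2 opens toward the inside host has no reflected entry and is dropped.
    unsolicited = pkt("tcp", "192.168.1.2", 51000, "10.0.0.5", 22)
    return (inbound_permitted(reply_inside, table), evaluate(reply_router, table),
            inbound_permitted(reply_router, table), inbound_permitted(unsolicited, table))

if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

The second value is False because the router-originated session never created a reflected entry; the third is True only because of the static `permit tcp any eq telnet any established` line.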


