Reflexive Access Lists


Reflexive access lists are automatically populated, temporary, session-based filters. If a router permits a session to be initiated from within a network to an external host, a reflexive list permits return session traffic. Reflexive lists are used with extended named IPv4 access lists. Session filters using reflexive lists can be compared to the established keyword used with TCP filters. Using the established keyword, a TCP session is initiated from within a network. If the return traffic has the ACK or RST flag set, the packet is part of a previously established session, and the packet is permitted. This entry with the established keyword is a permanent entry in the access list.

Reflexive access lists use different parameters to determine if the packet is part of a previously established session. For TCP and UDP packets, reflexive access lists use source and destination IP addresses and source and destination TCP or UDP port numbers.

When a session is initiated from within a network, a reflexive access list is populated with the session information gleaned from the initial packet. The source and destination IP addresses and the source and destination port numbers are swapped and added, along with the upper-layer protocol type (such as TCP or UDP), as a permit statement to the temporary reflexive list. This entry remains active until there is no longer any traffic for the session and the timeout value expires, until two FIN-flagged packets are received, or until the RST flag is set on a TCP packet.

Example B-16 shows a reflexive access list configuration.

Example B-16. This reflexive access list is named infilter.
interface Serial0/0.1 point-to-point
 ip address 172.25.150.65 255.255.255.192
 ip access-group infilter in
 ip access-group outfilter out
!
ip access-list extended infilter
 permit eigrp any any
 permit udp any any eq rip
 evaluate sessiontraffic
ip access-list extended outfilter
 permit tcp any any reflect sessiontraffic
 permit icmp any any echo time-range morning reflect sessiontraffic
!
time-range morning
 periodic weekdays 9:00 to 12:30

In this example, the filters are applied to an interface that connects to an external network. The outfilter list permits all TCP packets initiated from the internal network, and ICMP echo requests initiated from the internal network only on weekday mornings between 9:00 and 12:30. The outfilter list is applied outbound on serial0/0.1. The reflect keyword is used on the permit statements; this creates the reflexive access list called sessiontraffic. The reflexive access list is populated when packets match the permit entries that use the reflect keyword.

Packets coming inbound to interface serial0/0.1 are filtered by the infilter access list. These would be the packets sourced from an external network. In this case, infilter permits EIGRP and RIP packets. After the incoming packet is matched against the EIGRP and RIP entries, the reflexive access list sessiontraffic is evaluated sequentially. The reflexive access list does not have an implicit deny-all at the end, but the extended access list in which the reflexive list is nested does.

Example B-17 shows the access lists before TCP and ICMP traffic has exited serial0/0.1. Example B-18 shows the access lists after TCP and ICMP traffic has exited serial0/0.1.

Example B-17. show ip access-list displays all the permanent and temporary IP access lists configured on a router.
Router#show access-lists
Extended IP access list infilters
    10 permit eigrp any any
    20 permit udp any any eq rip (1074 matches)
    30 evaluate sessiontraffic
Extended IP access list outfilter
    10 permit tcp any any reflect sessiontraffic (45 matches)
    20 permit icmp any any echo time-range morning (active) reflect sessiontraffic
Reflexive IP access list sessiontraffic

Ping and Telnet have been initiated from the internal network to the external network. Example B-18 shows the access lists after this traffic has been initiated.

Example B-18. show ip access-list displays dynamically created entries in a reflexive access list.
Router#show ip access-list
Extended IP access list infilters
    10 permit eigrp any any
    20 permit udp any any eq rip (1101 matches)
    30 permit udp any any eq 521
    40 evaluate sessiontraffic
Extended IP access list outfilter
    10 permit tcp any any reflect sessiontraffic (188 matches)
    20 permit icmp any any echo time-range morning (active) reflect sessiontraffic (9 matches)
Reflexive IP access list sessiontraffic
     permit tcp host 192.168.16.225 eq telnet host 192.168.50.130 eq 11002 (55 matches) (time left 293)
     permit icmp host 192.168.16.225 host 192.168.50.130 (19 matches) (time left 270)

The output in Example B-17 displays the access lists infilter and outfilter and their configured parameters. Notice that the ICMP entry in outfilter is marked active. This means the time and day of the week on the router fall within the configured time range. The output also displays the not-yet-populated reflexive access list, sessiontraffic.

After ICMP pings and a Telnet session have been initiated and packets have exited serial0/0.1, the access lists are displayed again in Example B-18. This time there are entries in the reflexive access list. These entries are matched against all packets arriving into serial0/0.1 from the external network until the timer expires or the session has been closed. Telnet sessions and ICMP echoes are not successful when initiated from the external network.

Reflexive access lists do not work for protocols that change port numbers during a session, such as FTP.
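The session-tracking rules from the opening paragraphs (swapped addresses and ports, idle timeout, teardown on RST or two FINs) and the FTP caveat just stated, as an added Python model that is not from the book: the timeout value and the packet sequence are constructed for the demo, while the hosts and ports follow Example B-18.

```python
# Added example, not the book's code: a Python model of the reflexive ACL rules
# described above. Addresses and ports follow Example B-18; the 300 s idle timeout
# and the packet sequence are constructed for the demo.
from collections import namedtuple

# sport/dport are 0 for ICMP; flags holds TCP flags seen, e.g. {"FIN"}
Packet = namedtuple("Packet", "proto src dst sport dport flags",
                    defaults=(0, 0, frozenset()))

class ReflexiveAcl:
    def __init__(self, timeout=300):
        self.timeout = timeout
        self.entries = {}   # mirrored 5-tuple -> {"expires": t, "fins": n}

    def reflect(self, pkt, now):
        # Outbound packet hit a 'permit ... reflect' line: add the swapped entry
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self._touch(key, self.entries.setdefault(key, {"fins": 0}), pkt, now)

    def evaluate(self, pkt, now):
        # Inbound packet (the 'evaluate' line): permit only a live mirrored session
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.entries.get(key)
        if entry is None or entry["expires"] < now:
            self.entries.pop(key, None)   # unknown session, or idle timer expired
            return False
        self._touch(key, entry, pkt, now)
        return True

    def _touch(self, key, entry, pkt, now):
        # Matching traffic refreshes the idle timer; an RST or two FINs remove it
        entry["expires"] = now + self.timeout
        entry["fins"] += "FIN" in pkt.flags
        if "RST" in pkt.flags or entry["fins"] >= 2:
            del self.entries[key]

def demo():
    acl, inside, outside = ReflexiveAcl(300), "192.168.50.130", "192.168.16.225"
    acl.reflect(Packet("tcp", inside, outside, 11002, 23), 0)   # Telnet out
    acl.reflect(Packet("tcp", inside, outside, 11003, 21), 0)   # FTP control out
    acl.reflect(Packet("icmp", inside, outside), 0)             # ping out
    r = {"telnet_reply": acl.evaluate(Packet("tcp", outside, inside, 23, 11002), 10),
         "echo_reply": acl.evaluate(Packet("icmp", outside, inside), 10),
         "unsolicited_telnet": acl.evaluate(Packet("tcp", outside, inside, 40000, 23), 10),
         "ftp_data_channel": acl.evaluate(Packet("tcp", outside, inside, 20, 40001), 10)}
    acl.evaluate(Packet("tcp", outside, inside, 23, 11002, frozenset({"RST"})), 20)  # server resets
    r["telnet_after_rst"] = acl.evaluate(Packet("tcp", outside, inside, 23, 11002), 30)
    r["echo_after_timeout"] = acl.evaluate(Packet("icmp", outside, inside), 400)
    return r
```

The ftp_data_channel result is the caveat in practice: the control session on port 21 was reflected, but the server's data connection from port 20 to a new port matches no mirrored entry and is denied by the implicit deny of the enclosing extended list.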




Routing TCP/IP, Volume 1 (2nd Edition), CCIE Professional Development series
ISBN: 1587052024
Year: 2005