Reflexive ACL

September 3, 2008 at 12:02 pm | Posted in Security

Sample Configuration

ip access-list extended OUTBOUND
 permit tcp any any eq telnet reflect MIRROR
 permit tcp any any eq www reflect MIRROR
 permit icmp any any echo reflect MIRROR
 permit tcp any any eq bgp reflect MIRROR

ip access-list extended INBOUND
 ! OSPF traffic can not be reflected
 permit ospf any any
 evaluate MIRROR
 deny   ip any any log

interface Serial1/1
 ip access-group INBOUND in
 ip access-group OUTBOUND out

interface Serial1/0.1 point-to-point
 ip access-group INBOUND in
 ip access-group OUTBOUND out

By default, locally generated traffic, such as a ping to the outside issued from the router itself or the router's own BGP sessions, is not subject to the OUTBOUND access list and is therefore never reflected. To include local traffic in the reflexive ACL so that its return traffic is permitted, we need to policy-route local traffic to a loopback interface; once re-injected from Loopback0 it is forwarded like transit traffic and so passes through the OUTBOUND list. The following configuration accomplishes that goal.

ip access-list extended LOCAL_TRAFFIC
 permit tcp any any
 permit icmp any any

route-map LOCAL_POLICY permit 10
 match ip address LOCAL_TRAFFIC
 set interface Loopback0

! the local policy references the route-map, not the access-list
ip local policy route-map LOCAL_POLICY

Setting a Global Timeout Value

Reflexive access list entries expire after no packets in the session have been detected for a certain length of time (the “timeout” period). You can specify the timeout for a particular reflexive access list when you define the reflexive access list. But if you do not specify the timeout for a given reflexive access list, the list will use the global timeout value instead.

The global timeout value is 300 seconds by default. But, you can change the global timeout to a different value at any time.

To change the global timeout value, use the following command in global configuration mode:

R4(config)#ip reflexive-list timeout ?
  <1-2147483>  timeout in seconds

R4(config)#ip reflexive-list timeout 300

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/96/236 ms
Trying ... Open

R4#sh ip access-list MIRROR
Reflexive IP access list MIRROR
     permit tcp host eq telnet host eq 41848 (29 matches) (time left 286)
     permit icmp host host  (19 matches) (time left 280)
     permit tcp host eq bgp host eq 17919 (575 matches) (time left 277)
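As an added illustration (not from this post and not IOS code), the Python model below mirrors what the OUTBOUND/INBOUND pair and the timeout section above describe: a `reflect` hit installs a swapped 5-tuple entry governed by the 300-second global idle timeout, `evaluate` permits only inbound packets that match a live entry and refreshes its timer, and router-originated traffic bypasses the outbound list unless the local-policy trick steers it through Loopback0. The addresses, ports and the `locally_generated`/`local_policy` flags are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field

GLOBAL_TIMEOUT = 300  # 'ip reflexive-list timeout' default, in seconds


@dataclass
class ReflexiveList:
    # State behind a 'reflect NAME' / 'evaluate NAME' pair (e.g. MIRROR).
    name: str
    timeout: int = GLOBAL_TIMEOUT
    entries: dict = field(default_factory=dict)  # mirror 5-tuple -> last seen

    def reflect(self, proto, src, sport, dst, dport, now):
        # Outbound hit on a 'reflect' line: install the mirror entry with
        # source/destination (and ports) swapped, as 'sh ip access-list' shows.
        self.entries[(proto, dst, dport, src, sport)] = now

    def evaluate(self, proto, src, sport, dst, dport, now):
        # Inbound hit on 'evaluate': permit only a live mirror entry; every
        # matching packet refreshes the idle timer.
        self._expire(now)
        key = (proto, src, sport, dst, dport)
        if key not in self.entries:
            return False
        self.entries[key] = now
        return True

    def _expire(self, now):
        self.entries = {k: t for k, t in self.entries.items()
                        if now - t < self.timeout}

    def time_left(self, now):
        # Same figure as the '(time left N)' column in 'sh ip access-list'.
        self._expire(now)
        return {k: self.timeout - (now - t) for k, t in self.entries.items()}


# OUTBOUND reflect lines: telnet, www, icmp echo (no ports), bgp
REFLECTED = {("tcp", 23), ("tcp", 80), ("icmp", None), ("tcp", 179)}


def outbound_acl(mirror, pkt, now, locally_generated=False, local_policy=False):
    # Router-originated packets skip the interface ACL entirely unless
    # 'ip local policy' steers them via Loopback0 (local_policy=True).
    if locally_generated and not local_policy:
        return True  # forwarded, but never reflected
    proto, src, sport, dst, dport = pkt
    if (proto, dport) not in REFLECTED:
        return False  # implicit deny ip any any
    mirror.reflect(proto, src, sport, dst, dport, now)
    return True


def inbound_acl(mirror, pkt, now):
    # INBOUND: permit ospf any any, evaluate MIRROR, deny ip any any log
    proto, src, sport, dst, dport = pkt
    return proto == "ospf" or mirror.evaluate(proto, src, sport, dst, dport, now)
```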

Doc CD Navigation

  • Cisco IOS Security Configuration Guide, Release 12.4
  • Traffic Filtering, Firewalls, and Virus Detection
  • Configuring IP Session Filtering (Reflexive Access Lists)
  • Reflexive Access List Configuration Examples
