About Cisco reflexive control list applications

A reflexive Access table is actually an additional feature or feature that extends the I p named Access table. You can create an extension I p named Access table for all protocols that want to create a reverse table entry, using a P e r m i t statement. Also use the r E F l e c t keyword in each p e r m i t statement to indicate that the Access table needs to use a reverse opening table entry. In addition to the need to use the R E F l e c t keyword in one or more P e r m t statements, you must also consider two related I O s words





sentence. One is the E v a l u a t e statement, which is to be added at the end of the list to end the reflexive Access table. The other statement is the I preflexice-list timeout command, which is used to change the value of the global t i m e-o u t of a temporary reflexive Access table entry (the default is 300s, you can modify the global timeout in global mode via IP reflexive-list timeout or Sets the timeout time for the corresponding application line, which takes precedence over the global setting value.




The basic format for
reflexive lists is:





IP access-list Extended xxx





permit protocol source destination reflect name [time-out seconds]





IP access-list Extended yyy





Evaluate name (this keyword creates an open table entry that temporarily internally leads to an external return flow, the two red places must be the same, meaning I don't want to repeat it)





is finally enabled on the interface, which is similar to the application rules for the normal list. 3lian.com





below to illustrate with the example:





First look at the configuration of the reflexive list before the test:





r2#





r2#sh IP acce





Reflexive IP access list Cisco





Extended IP access list Infilter





permit OSPF any (matches) (show definition to allow OSPF traffic through)





Evaluate Cisco





Extended IP access list Outfilter





permit OSPF any any (matches)





permit ICMP any host 2.2.2.2 reflect Cisco





permit ICMP any host 30.1.1.1 reflect Cisco





permit TCP Any host 2.2.2.2 eq telnet reflect Cisco





permit TCP Any host 30.1.1.1 eq telnet reflect Cisco





r2#





then look at the difference in the configuration of the reflexive list after the test:





reflexive IP access list Cisco





Permit TCP host 2.2.2.2 eq telnet host 1.1.1.1 eq 13232 (up matches) (Time left 293)





Permit ICMP host 2.2.2.2 host 1.1.1.1 (Time left 262) (this is the dynamically created temporary open Table entry.) The default time is 300s after deletion)





Extended IP access list Infilter





permit OSPF any any (matches)





Evaluate Cisco





Extended IP access list Outfilter





permit OSPF any any (matches)





permit ICMP any host 2.2.2.2 reflect Cisco (matches)





permit ICMP any host 30.1.1.1 reflect Cisco (one matches)





permit TCP Any host 2.2.2.2 eq telnet reflect Cisco (245 matches)





permit TCP Any host 30.1.1.1 eq telnet reflect Cisco (138 matches)





r2#