A reflexive access list is not a separate kind of ACL; it is a feature that extends the IP named extended access list. In an extended named ACL you write a permit statement for each protocol that is allowed to create a reverse (return-traffic) entry, and add the reflect keyword to each of those permit statements to indicate that a temporary reverse entry must be opened in the reflexive access list. Besides the reflect keyword on one or more permit statements, two related IOS statements are involved. One is the evaluate statement, which is added at the end of the list that filters the return direction and ties the reflexive access list into it. The other is the ip reflexive-list timeout command, entered in global configuration mode, which changes the global timeout of the temporary reflexive entries (the default is 300 seconds). A timeout value can also be given on an individual reflect line; that per-line value takes precedence over the global setting.
The basic format of a reflexive list is:
ip access-list extended xxx
 permit protocol source destination reflect name [timeout seconds]
ip access-list extended yyy
 evaluate name
(The evaluate keyword is what makes a temporary entry, opened by traffic from the inside, admit the matching return flow from the outside. The name after reflect and the name after evaluate, the two places highlighted in the original, must be identical.)
Finally the two lists are applied to an interface with ip access-group, in the same way as an ordinary access list: the list containing the reflect lines in the direction in which sessions are initiated, and the list containing the evaluate line in the return direction.
The example below illustrates this. First, the state of the lists before the test:
r2#
r2#sh ip acce
Reflexive IP access list Cisco   (no temporary entries yet)
Extended IP access list Infilter
    permit ospf any any (matches)   (the static line that lets OSPF traffic through)
    evaluate Cisco
Extended IP access list Outfilter
    permit ospf any any (matches)
    permit icmp any host 2.2.2.2 reflect Cisco
    permit icmp any host 30.1.1.1 reflect Cisco
    permit tcp any host 2.2.2.2 eq telnet reflect Cisco
    permit tcp any host 30.1.1.1 eq telnet reflect Cisco
r2#
Then look at the lists again after the test and note the differences:
Reflexive IP access list Cisco
    permit tcp host 2.2.2.2 eq telnet host 1.1.1.1 eq 13232 (matches) (time left 293)
    permit icmp host 2.2.2.2 host 1.1.1.1 (time left 262)   (these are the dynamically created temporary entries; each is deleted once the timeout, 300 s by default, has elapsed without matching traffic)
Extended IP access list Infilter
    permit ospf any any (matches)
    evaluate Cisco
Extended IP access list Outfilter
    permit ospf any any (matches)
    permit icmp any host 2.2.2.2 reflect Cisco (matches)
    permit icmp any host 30.1.1.1 reflect Cisco (1 match)
    permit tcp any host 2.2.2.2 eq telnet reflect Cisco (245 matches)
    permit tcp any host 30.1.1.1 eq telnet reflect Cisco (138 matches)
r2#
Each temporary entry is the mirror image of the outbound flow that created it: source and destination addresses, and for TCP the ports, are swapped, so only the return traffic of that exact flow is admitted through evaluate.
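To make the mechanism concrete, here is a small Python model of what the router does with the two lists above. It is an added illustration, not Cisco code and not output from the lab: the list names, addresses and ports are those of the show output (only the 2.2.2.2 lines of Outfilter are kept), 1.1.1.1 is assumed to be the inside host that ran telnet and ping, and the packets and timestamps are constructed.

```python
"""Model of how a Cisco IOS reflexive ACL derives, matches and ages its temporary
reverse entries.  Added illustration, not Cisco code; list names, addresses and
ports come from the show output above (1.1.1.1 is assumed to be the inside host
that opened the telnet session and sent the ping); packets and times are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

GLOBAL_TIMEOUT = 300         # default of 'ip reflexive-list timeout', in seconds
PORT_NAMES = {23: "telnet"}  # for the show-style output only


@dataclass(frozen=True)
class Packet:
    proto: str                   # "tcp", "udp", "icmp", "ospf", ...
    src: str
    dst: str
    sport: Optional[int] = None  # None for protocols without ports
    dport: Optional[int] = None


@dataclass
class Ace:
    """A 'permit' line of an extended named ACL; falling off the end is the implicit deny."""
    proto: str
    src: str = "any"               # "any" or a host address
    dst: str = "any"
    dport: Optional[int] = None    # 'eq <port>' on the destination
    reflect: Optional[str] = None  # reflexive list name when 'reflect' is given
    timeout: Optional[int] = None  # per-line 'timeout', overrides the global one

    def hits(self, p: Packet) -> bool:
        return (self.proto == p.proto and self.src in ("any", p.src)
                and self.dst in ("any", p.dst) and self.dport in (None, p.dport))


# An 'evaluate <name>' line is represented in the inbound list by the bare name (a str).
Key = Tuple[str, str, Optional[int], str, Optional[int]]  # proto, src, sport, dst, dport


def _endpoint(host: str, port: Optional[int]) -> str:
    return f"host {host}" + ("" if port is None else f" eq {PORT_NAMES.get(port, port)}")


class ReflexiveRouter:
    def __init__(self, outfilter: List[Ace], infilter: List[Union[Ace, str]],
                 timeout: int = GLOBAL_TIMEOUT):
        self.outfilter, self.infilter, self.timeout = outfilter, infilter, timeout
        # reflexive list name -> {mirrored 5-tuple: (expiry time, idle timeout)}
        self.reflexive: Dict[str, Dict[Key, Tuple[float, int]]] = {}

    def outbound(self, p: Packet, now: float) -> bool:
        """Packet leaving via the interface where Outfilter is applied 'out';
        a hit on a 'reflect' line creates or refreshes the mirrored entry."""
        for ace in self.outfilter:
            if ace.hits(p):
                if ace.reflect:
                    ttl = ace.timeout or self.timeout
                    key = (p.proto, p.dst, p.dport, p.src, p.sport)  # addresses and ports swapped
                    self.reflexive.setdefault(ace.reflect, {})[key] = (now + ttl, ttl)
                return True
        return False  # implicit deny

    def inbound(self, p: Packet, now: float) -> bool:
        """Packet arriving via the interface where Infilter is applied 'in'."""
        for line in self.infilter:
            if isinstance(line, str):  # evaluate: nested lookup in the named reflexive list
                entries = self.reflexive.get(line, {})
                key = (p.proto, p.src, p.sport, p.dst, p.dport)
                if key in entries:
                    expiry, ttl = entries[key]
                    if now < expiry:
                        entries[key] = (now + ttl, ttl)  # idle timer restarts on every hit
                        return True
                    del entries[key]  # aged out
            elif line.hits(p):
                return True
        return False

    def show_reflexive(self, name: str, now: float) -> List[str]:
        """The 'Reflexive IP access list <name>' block of 'show ip access-lists'."""
        return [f"permit {proto} {_endpoint(src, sport)} {_endpoint(dst, dport)}"
                f" (time left {int(expiry - now)})"
                for (proto, src, sport, dst, dport), (expiry, _) in
                self.reflexive.get(name, {}).items() if now < expiry]


def build_router() -> ReflexiveRouter:
    """Outfilter (2.2.2.2 lines) and Infilter as in the show output above."""
    outfilter = [Ace("ospf"),
                 Ace("icmp", dst="2.2.2.2", reflect="Cisco"),
                 Ace("tcp", dst="2.2.2.2", dport=23, reflect="Cisco")]
    return ReflexiveRouter(outfilter, [Ace("ospf"), "Cisco"])


def demo() -> dict:
    """Constructed timeline: a telnet session and a ping from 1.1.1.1 to 2.2.2.2."""
    r = build_router()
    syn = Packet("tcp", "1.1.1.1", "2.2.2.2", 13232, 23)
    synack = Packet("tcp", "2.2.2.2", "1.1.1.1", 23, 13232)
    r.outbound(syn, now=0)                                   # opens the tcp entry
    r.outbound(Packet("icmp", "1.1.1.1", "2.2.2.2"), now=0)  # opens the icmp entry
    return {
        "echo_reply": r.inbound(Packet("icmp", "2.2.2.2", "1.1.1.1"), now=1),
        "synack": r.inbound(synack, now=2),
        "wrong_client_port": r.inbound(Packet("tcp", "2.2.2.2", "1.1.1.1", 23, 13233), now=7),
        "unsolicited_telnet": r.inbound(Packet("tcp", "3.3.3.3", "1.1.1.1", 4444, 23), now=7),
        "show_at_9": r.show_reflexive("Cisco", now=9),
        "synack_after_idle": r.inbound(synack, now=310),     # 300 s of silence: entry gone
    }
```

Running demo() reproduces the shape of the second show output: the telnet entry with the client port 13232 and the port-less ICMP entry, each with a time-left value that restarts on every matching packet, and the SYN/ACK is refused once the entry has idled out. Two things the model leaves out are worth keeping in mind. For TCP, IOS also tears the entry down shortly after it sees the session close (FIN exchange or RST), which is why a long-lived telnet entry does not linger; UDP and ICMP entries have no such signal and live purely on the timer. And the temporary entry is all the state there is: while it exists, any packet that presents the mirrored 5-tuple is admitted, whether or not it belongs to the original session, so the reflexive list blocks unsolicited connections but is not a stateful TCP inspector.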