About Cisco reflexive control list applications

Source: Internet
Author: User

A reflexive access list is not a separate list type but an extension of a named extended IP access list. You create a named extended IP access list and, for every protocol for which a reverse (return-traffic) entry should be created, write a permit statement carrying the reflect keyword; reflect tells IOS that this statement must create a temporary entry for the reverse flow. Besides the reflect keyword on one or more permit statements, two related IOS statements are needed.

One is the evaluate statement, which is added at the end of the list applied in the other direction and is the point at which the reflexive access list is consulted. The other is the ip reflexive-list timeout command, which changes the global timeout of the temporary reflexive entries (the default is 300 s). The global value is set in global configuration mode with ip reflexive-list timeout; a timeout given on an individual reflect line sets the timeout for that line and takes precedence over the global value.
The basic format of a reflexive list is:

ip access-list extended xxx
    permit protocol source destination reflect name [timeout seconds]

ip access-list extended yyy
    evaluate name

The evaluate statement is where the temporary entries are checked, so return traffic from the outside is admitted to the inside only while a matching entry exists. The name on the reflect line and the name on the evaluate line (the two places marked in red in the original) must be identical.

Finally, the lists are applied to an interface, following the same rules as for an ordinary access list.

The example below illustrates this.
First, look at the reflexive list configuration before the test:

r2#
r2#sh ip access-lists
Reflexive IP access list cisco
Extended IP access list infilter
    permit ospf any any (matches)    (this line lets OSPF traffic through)
    evaluate cisco
Extended IP access list outfilter
    permit ospf any any (matches)
    permit icmp any host 2.2.2.2 reflect cisco
    permit icmp any host 30.1.1.1 reflect cisco
    permit tcp any host 2.2.2.2 eq telnet reflect cisco
    permit tcp any host 30.1.1.1 eq telnet reflect cisco
r2#

Now look at how the reflexive list configuration differs after the test:

Reflexive IP access list cisco
    permit tcp host 2.2.2.2 eq telnet host 1.1.1.1 eq 13232 (matches) (time left 293)
    permit icmp host 2.2.2.2 host 1.1.1.1 (time left 262)
    (these are the dynamically created temporary entries; each is deleted when its timer, 300 s by default, runs out)
Extended IP access list infilter
    permit ospf any any (matches)
    evaluate cisco
Extended IP access list outfilter
    permit ospf any any (matches)
    permit icmp any host 2.2.2.2 reflect cisco (matches)
    permit icmp any host 30.1.1.1 reflect cisco (1 match)
    permit tcp any host 2.2.2.2 eq telnet reflect cisco (245 matches)
    permit tcp any host 30.1.1.1 eq telnet reflect cisco (138 matches)
r2#
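To make the behaviour shown in the two listings concrete, here is an added Python simulation (not from the page and not Cisco code) of the outfilter/infilter pair above: an outbound packet matching a reflect line creates a mirrored temporary entry with a 300 s timer, evaluate on the inbound side admits only traffic matching a live entry, and the entry vanishes when the timer runs out. The Packet and ReflexiveList classes, the OUTFILTER table and the packet values are the simulation's own assumptions; IOS exposes no such API.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "icmp" or "ospf"
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0

class ReflexiveList:
    """Temporary entries created by 'permit ... reflect NAME' and checked by 'evaluate NAME'."""

    def __init__(self, timeout=300):   # ip reflexive-list timeout; 300 s is the IOS default
        self.timeout = timeout
        self.entries = {}               # (proto, src, sport, dst, dport) -> expiry time

    def reflect(self, pkt, now):
        # Mirror of the outbound flow with addresses and ports swapped, e.g. the page's
        # 'permit tcp host 2.2.2.2 eq telnet host 1.1.1.1 eq 13232'.
        self.entries[(pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)] = now + self.timeout

    def evaluate(self, pkt, now):
        # Entries whose timer reached zero are removed first, as on the router.
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.entries

    def time_left(self, pkt, now):
        exp = self.entries.get((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return None if exp is None else exp - now

# The page's outfilter: (protocol, destination host, destination port or None), each 'reflect cisco'
OUTFILTER = [("icmp", "2.2.2.2", None), ("icmp", "30.1.1.1", None),
             ("tcp", "2.2.2.2", 23), ("tcp", "30.1.1.1", 23)]

def outbound(pkt, rlist, now):
    """outfilter: permit ospf any any, then the reflect lines, then the implicit deny."""
    if pkt.proto == "ospf":
        return True
    for proto, host, port in OUTFILTER:
        if pkt.proto == proto and pkt.dst == host and port in (None, pkt.dport):
            rlist.reflect(pkt, now)   # matching outbound traffic creates the reverse entry
            return True
    return False

def inbound(pkt, rlist, now):
    """infilter: permit ospf any any, then evaluate cisco, then the implicit deny."""
    return pkt.proto == "ospf" or rlist.evaluate(pkt, now)
```

Run with a telnet session from 1.1.1.1 to 2.2.2.2: the reply from 2.2.2.2 port 23 is admitted while the entry lives, an unsolicited connection from 2.2.2.2 is dropped, and after 300 s even the reply is dropped.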