The so-called "self-reverse" access list is known in English as a Reflexive Access List. A reflexive access list automatically creates a temporary access control entry in the opposite direction from the one the original entry matched: the entry is a mirror of the matching traffic, with the source and destination IP addresses swapped and the source and destination port numbers swapped. Each mirrored entry has a time limit; once it times out, the dynamically created entry disappears. This allows return traffic for sessions started from the inside without leaving a permanent hole open, which greatly improves security.
I. Simple example

    ip access-list extended abc
     deny icmp any 192.168.1.0 0.0.0.255
     permit ip any any
    exit
    int s0/0
     ip access-group abc in

The list above blocks the Internet from pinging the 192.168.1.0/24 network. However, if a host such as 192.168.1.1 now tries to ping the Internet, the ping fails too: ICMP is bidirectional, and the echo replies coming back are ICMP packets from the Internet to 192.168.1.0/24, which the inbound list drops. With a static list you cannot block one direction of the exchange without also breaking the other.
II. Reflexive ACL

    ip access-list extended refin
     permit ospf any any
     evaluate abc
    exit
    ip access-list extended rofut
     permit ip any any reflect abc
    exit
    int s0/0
     ip access-group refin in
     ip access-group rofut out
    exit
    ip reflexive-list timeout 60
1. In the in direction of the interface, only the OSPF protocol is permitted statically; all other access is denied, that is, the Internet is not allowed to initiate connections into the intranet. The evaluate abc statement nests the reflexive ACL named abc into the list, so dynamically created entries are checked at that point.

2. In the out direction of the interface, all access is permitted. Without the reflexive list this traffic could go out but its replies could not come back in, so reflect abc is added after permit ip any any. Whenever traffic initiated from the intranet matches the permit ip any any reflect abc statement, a mirrored permit entry is automatically created in the reflexive list abc, which refin evaluates.

3. Reflexive ACL entries are always permit entries. The ip reflexive-list timeout 60 command sets how long (in seconds) a reflected entry stays in effect after it was last used.
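To make the mechanism concrete, here is an added Python model of the refin / rofut / abc configuration above. It is not code from the original post and not a Cisco implementation; it is a simulation written for this page. It assumes a simplified packet model (protocol, addresses, ports), treats the 60-second timeout as an inactivity timer that is refreshed whenever a mirrored entry matches a packet, and uses constructed sample addresses (192.168.1.1, 198.51.100.10, 203.0.113.5) to show an outbound session whose replies are admitted, an unsolicited inbound probe that is dropped, and the entry expiring after the timeout.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    """Minimal packet model (constructed for this example, not an IOS structure)."""
    proto: str                 # "tcp", "udp", "icmp", "ospf"
    src: str
    dst: str
    sport: Optional[int] = None  # ICMP/OSPF carry no ports
    dport: Optional[int] = None


@dataclass
class ReflexiveEntry:
    """One dynamically created permit entry: the mirror image of an outbound packet."""
    proto: str
    src: str
    dst: str
    sport: Optional[int]
    dport: Optional[int]
    expires_at: float

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto and self.src == pkt.src and self.dst == pkt.dst
                and self.sport == pkt.sport and self.dport == pkt.dport)


class ReflexiveList:
    """Model of 'ip access-list ... reflect <name>' / 'evaluate <name>'."""

    def __init__(self, name: str, timeout: float = 60.0):
        self.name = name
        self.timeout = timeout          # ip reflexive-list timeout <seconds>
        self.entries: List[ReflexiveEntry] = []

    def reflect(self, pkt: Packet, now: float) -> None:
        """Create the mirrored entry: swap src<->dst addresses and src<->dst ports."""
        self.entries.append(ReflexiveEntry(pkt.proto, pkt.dst, pkt.src,
                                           pkt.dport, pkt.sport, now + self.timeout))

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """Drop expired entries, then permit the packet if a mirrored entry matches.
        Modeled as an inactivity timeout: a match refreshes the entry's lifetime."""
        self.entries = [e for e in self.entries if e.expires_at > now]
        for entry in self.entries:
            if entry.matches(pkt):
                entry.expires_at = now + self.timeout
                return True
        return False


def refin_permits(pkt: Packet, abc: ReflexiveList, now: float) -> bool:
    """refin (applied in): permit ospf any any; evaluate abc; implicit deny."""
    if pkt.proto == "ospf":
        return True
    return abc.evaluate(pkt, now)


def rofut_permits(pkt: Packet, abc: ReflexiveList, now: float) -> bool:
    """rofut (applied out): permit ip any any reflect abc."""
    abc.reflect(pkt, now)
    return True


def scenario() -> Dict[str, bool]:
    """Walk through the behaviour described in the text and return each verdict."""
    abc = ReflexiveList("abc", timeout=60)
    r: Dict[str, bool] = {}
    # An unsolicited inbound SSH attempt at t=0: no mirrored entry exists, so it is denied.
    r["unsolicited_in"] = refin_permits(Packet("tcp", "203.0.113.5", "192.168.1.1", 4444, 22), abc, 0)
    # The intranet host opens an HTTP connection at t=1; rofut permits it and reflects it.
    r["out"] = rofut_permits(Packet("tcp", "192.168.1.1", "198.51.100.10", 50000, 80), abc, 1)
    # The server's reply at t=5 is the exact mirror, so refin now permits it.
    reply = Packet("tcp", "198.51.100.10", "192.168.1.1", 80, 50000)
    r["reply_in"] = refin_permits(reply, abc, 5)
    # Same server, different client port: not a mirror of anything, denied.
    r["other_port_in"] = refin_permits(Packet("tcp", "198.51.100.10", "192.168.1.1", 80, 50001), abc, 6)
    # The ping problem from section I: an outbound echo creates an ICMP mirror entry.
    r["ping_out"] = rofut_permits(Packet("icmp", "192.168.1.1", "198.51.100.10"), abc, 7)
    r["ping_reply_in"] = refin_permits(Packet("icmp", "198.51.100.10", "192.168.1.1"), abc, 8)
    # At t=70 the TCP entry (last refreshed at t=5, expiring at t=65) is gone.
    r["reply_after_timeout"] = refin_permits(reply, abc, 70)
    # OSPF is permitted statically, independent of the reflexive list.
    r["ospf_in"] = refin_permits(Packet("ospf", "10.0.0.2", "224.0.0.5"), abc, 70)
    return r


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:20s} {'permit' if verdict else 'deny'}")
```

The model deliberately omits details a real router handles (TCP FIN/RST tearing entries down early, ICMP type matching, the `evaluate` entry having to be last in the list), but it shows the core point of the text: nothing from the outside is admitted unless it is the exact reverse of traffic the inside already sent, and that permission disappears on its own after the configured timeout.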