Reflexive Access List

Some of my readers commented on my old article about reflexive access-list with issues in the configuration. I tried it in the lab again to be sure I didn’t make any mistake in the configuration example and here I’m sharing the lab and the config used.

About Reflexive Access Lists

Extended ACLs are a special kind of extended access-lists that have limited stateful behaviour technique implemented for TCP sessions. It is better to say that reflexive access-list is simulating stateful behaviour because it, by use of ‘established’ command, is allowing TCP packets that have the ‘ACK’ bit set but not the initial ‘SYN-only’ packet. In this way, we are effectively permitting only the packets that are part of an established session.

In my prior article, I showed how this works by enabling PING from PC1 in VLAN 10 to PC2 in VLAN 20 but not the other way.

I created the lab topology in GNS3:

I used standard Cisco router image to simulate R1 and PC1 and PC2 I only changed the icon on PC1 and PC2. Full configs are at the bottom. I configured the router-on-the-stick making the simplest topology with trunk between the switch and the R1 and two VLANs on the SWITCH. Switch config is also at the bottom.

Access-list is configured like this:

ip access-list extended TEST
 permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit icmp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
 deny   ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!

And applied inbound on the subinterface of VLAN20:

interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
 ip access-group TEST in
!

This reflexive access-list is allowing traffic back from VLAN20 (20.20.20.0/24) to VLAN10 (10.10.10.0/24) only if the traffic was firstly initiated from VLAN10. In this way, only PING initiated at PC1 (10.10.10.10) towards PC2 (20.20.20.10) will succeed but PING from 20.20.20.10 to 10.10.10.10 will give you IP address unreachable:

PING OK:

PC1#ping 20.20.20.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/24/32 ms
PC1#

PING Unreachable:

PC2#ping 10.10.10.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.10, timeout is 2 seconds:
UUUUU
Success rate is 0 percent (0/5)
PC2#

So, it seems that the lab is showing I did it on my first try few years ago. I hope this lab with complete configuration will help my readers that reached back to me, to find where they went wrong. Of course, if you need more help, just leave a comment and I will try to help 🙂

You can also download GNS3 lab project here to get started with working thing from the start. I made this in GNS3 version 2.0

All Configurations

R1:

R1#sh runn
!
hostname R1
!
interface FastEthernet0/0
 no ip address
 no sh
 duplex full
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 20.20.20.1 255.255.255.0
 ip access-group TEST in
!
ip access-list extended TEST
 permit tcp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 established
 permit icmp 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255 echo-reply
 deny   ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
R1#

PC1:

PC1#sh runn
!
hostname PC1
!
interface FastEthernet0/0
 ip address 10.10.10.10 255.255.255.0
 duplex full
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
PC1#

PC2:

PC2#sh runn
!
hostname PC2
!
interface FastEthernet0/0
 ip address 20.20.20.10 255.255.255.0
 duplex full
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 20.20.20.1
!
PC2#

Switch:

GNS3 SW config

FILE Download:
Download GNS3 lab from this article here.

 

Leave a Reply

%d bloggers like this: