• Adds simple state tracking to ACLs
– Outbound ACL triggers “mirror” entry in state table
– Inbound ACL checks state table first before denying
• Entries expire after 5 minutes of inactivity
– Idle timeout is changed globally with ip reflexive-list timeout <seconds>
• No application level inspection
– Only works with “standard” TCP/UDP applications whose return traffic exactly mirrors the outbound flow (no secondary, dynamically negotiated channels)
Reflexive ACL Configuration
• Reflect outbound traffic
– ip access-list extended OUTBOUND
– permit tcp any any reflect STATEFUL
• Check state table in opposite direction
– ip access-list extended INBOUND
– evaluate STATEFUL
– deny ip any any (implicit)
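The two slides above describe a mechanism (mirror entry on outbound, lookup on inbound, idle expiry) without showing it in motion. The following is an added Python model of that state table, written for this page; it is not Cisco code and does not parse IOS syntax. It assumes the mirror entry is the swapped 5-tuple (protocol, addresses, ports) of the outbound packet, that any matching inbound packet refreshes the idle timer, and that the default timeout is the 300 seconds (5 minutes) stated above. The class and packet names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Default idle timeout modelled after "ip reflexive-list timeout" (5 minutes).
DEFAULT_TIMEOUT = 300.0

# Key of a state-table entry: (proto, src, sport, dst, dport) as seen *inbound*.
StateKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    """Constructed 5-tuple; enough for the reflexive lookup, nothing more."""
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveAcl:
    """Toy model of 'permit ... reflect STATEFUL' / 'evaluate STATEFUL'."""

    def __init__(self, timeout: float = DEFAULT_TIMEOUT) -> None:
        self.timeout = timeout
        # mirrored 5-tuple -> time the entry was last seen (activity refreshes it)
        self.state: Dict[StateKey, float] = {}

    def reflect(self, pkt: Packet, now: float) -> StateKey:
        """Outbound ACE with 'reflect': install the mirror entry for the reply."""
        mirror: StateKey = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.state[mirror] = now
        return mirror

    def evaluate(self, pkt: Packet, now: float) -> bool:
        """Inbound 'evaluate STATEFUL' followed by the implicit deny.

        Returns True if the packet matches a live mirror entry, False otherwise.
        No application-level inspection happens here: a packet to a port that
        was never reflected (e.g. a negotiated data channel) is simply denied.
        """
        self._expire(now)
        key: StateKey = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.state:
            self.state[key] = now      # traffic on the session resets idle timer
            return True
        return False                   # implicit 'deny ip any any'

    def _expire(self, now: float) -> None:
        """Drop entries idle for at least the configured timeout."""
        stale = [k for k, seen in self.state.items() if now - seen >= self.timeout]
        for k in stale:
            del self.state[k]


def demo() -> list:
    """Walk one session through the table; returns the permit/deny decisions."""
    acl = ReflexiveAcl()
    outbound = Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443)   # constructed
    reply = Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000)
    unsolicited = Packet("tcp", "198.51.100.7", 12345, "10.0.0.5", 22)

    acl.reflect(outbound, now=0.0)
    return [
        acl.evaluate(reply, now=10.0),        # mirror entry exists -> permit
        acl.evaluate(unsolicited, now=10.0),  # never reflected -> deny
        acl.evaluate(reply, now=305.0),       # refreshed at t=10, 295 s idle -> permit
        acl.evaluate(reply, now=605.0),       # 300 s idle since t=305 -> expired, deny
    ]


if __name__ == "__main__":
    for decision in demo():
        print("permit" if decision else "deny")
```

The fourth decision is the part worth noticing: the reply at t=305 was only allowed because the one at t=10 refreshed the timer, and once the session goes quiet for the full timeout the mirror entry disappears and the implicit deny takes over.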