Reflexive Access Lists

Reflexive access lists are dynamic filters that permit traffic in one direction only after matching traffic has been seen in the opposite direction. A simple example might be, “only allow Telnet inbound if I initiate Telnet outbound.” When I first explain this to junior engineers, I often get a response similar to, “Doesn’t it work that way anyway?” What confuses many people is the similarity of this feature to Port Address Translation (PAT). PAT only allows traffic inbound in response to outbound traffic originating on the network, but that is a side effect of how PAT works: a translation entry must exist before an inbound packet can be mapped to an inside host, so unsolicited inbound traffic simply has nowhere to go. Reflexive access lists provide the same “return traffic only” behavior as a deliberate filtering decision, independent of any address translation, which makes them much more flexible and lets them be applied for different reasons.

Without PAT (or some other stateful mechanism), an ordinary access list is stateless: each packet is permitted or denied on its own merits, regardless of any other traffic the router has seen. Consider the network in Figure 25-3. There are two hosts, A and B, connected through a router. The router has no access lists installed. Requests from host A to host B are answered, as are requests from host B to host A.


Figure 25-3. Simple network without ACLs

Say we want host A to be able to telnet to host B, but we don’t want host B to be able to telnet to host A. If we apply a normal inbound access list to interface E1 on the router, we allow A to contact B and prevent B from contacting A. Unfortunately, because the list has no notion of which side opened the connection, we also prevent B from replying to A. This limitation is illustrated in Figure 25-4.
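The following Cisco IOS configuration is an added example, not taken from the book, showing first the stateless access list that causes the problem just described and then the reflexive access list that solves it. It assumes host A is 10.0.1.10 behind Ethernet0, host B is 10.0.2.10 behind Ethernet1, and uses invented list names (BLOCK-B, A-TO-B, B-TO-A, TELNET-REFLECT) and an arbitrary 300-second idle timeout; only the `reflect` and `evaluate` keywords and the named extended access-list syntax are actual IOS features.

```cisco
! --- Attempt 1: stateless filter (the Figure 25-4 problem) ---
! Applied inbound on E1, so it sees every packet B sends toward the router.
! It blocks B's Telnet attempts to A, but it also blocks B's replies to
! sessions A opened, because an ordinary ACL cannot tell the two apart.
ip access-list extended BLOCK-B
 remark Stateless: B's replies to A are dropped along with B's own requests
 deny   ip host 10.0.2.10 host 10.0.1.10
 permit ip any any
!
interface Ethernet1
 ip access-group BLOCK-B in
!
! --- Attempt 2: reflexive access list ---
! Outbound on E1 (A -> B): a Telnet SYN from A to B is permitted and, via
! "reflect", creates a temporary mirror entry in TELNET-REFLECT that permits
! only the exact reverse 5-tuple (B:23 -> A:ephemeral port). The entry is
! removed when the session closes or after 300 s of inactivity.
ip access-list extended A-TO-B
 permit tcp host 10.0.1.10 host 10.0.2.10 eq telnet reflect TELNET-REFLECT timeout 300
 permit ip any any
!
! Inbound on E1 (B -> A): "evaluate" consults the mirror entries first, so
! B's replies to A's Telnet session pass; anything else from B to A is still
! denied, including a Telnet session B tries to open itself.
ip access-list extended B-TO-A
 evaluate TELNET-REFLECT
 deny   ip host 10.0.2.10 host 10.0.1.10
 permit ip any any
!
interface Ethernet1
 no ip access-group BLOCK-B in
 ip access-group A-TO-B out
 ip access-group B-TO-A in
```

To verify, start a Telnet session from A to B and run `show access-lists` on the router: while the session is open, TELNET-REFLECT contains a temporary entry with B as source port 23 and A's ephemeral port as destination, and it disappears once the session ends or the timeout expires. Two caveats worth knowing before relying on this: reflexive entries mirror only the original addresses and ports, so protocols that negotiate a second connection on a different port (active-mode FTP, for instance) will have that second connection denied; and a non-Telnet request from A to B in this example is permitted outbound but not reflected, so B's reply to it is dropped by the `deny` in B-TO-A unless you add a `reflect` entry for that protocol too.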

Figure 25-4. Simple access ...
