5 Replies Latest reply: Nov 10, 2018 2:42 PM by NewCareer86

    REFLEXIVE ACCESS-LIST

    emmanuel

      R2(config)# ip access-list extended outbound
      R2(config-ext-nacl)# permit tcp any any reflect MIRROR
      R2(config-ext-nacl)# permit icmp any any reflect MIRROR
      R2(config-ext-nacl)# deny ip any any log

      R2(config)# ip access-list extended inbound
      R2(config-ext-nacl)# permit ospf any any
      R2(config-ext-nacl)# evaluate MIRROR

      R2(config)# interface fastethernet 1/1
      R2(config-if)# ip access-group inbound in
      R2(config-if)# ip access-group outbound out

       

      N/B: Please view the attachment for the network diagram


      I was studying reflexive ACLs and I came across a video that leaves me with a couple of questions.

      1. Why is a reflexive ACL not subject to the rule that says no more than one access-list should be placed on an interface? In the diagram accompanying the configurations above, two ACLs were placed on interface fa1/1 of R2.

       

      2. From the configuration above, I understand that any return traffic for sessions that originated from the inside network (from the left of R2) will be allowed back into the inside network. But I don't understand why the permit ospf any any was not applied on the outbound interface. Since ospf is not a tcp or icmp protocol, my thinking is that an ospf packet originating from the inside network will hit the deny ip any any log statement in the outbound access-list and be denied. So why don't we have a permit ospf any any in the access-list for the outbound traffic?
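To make the two questions concrete, here is a small Python model of how IOS evaluates the two ACLs in the post. It is an added illustration, not the poster's configuration and not IOS code. It assumes the documented semantics of reflexive ACLs: `reflect` installs a temporary mirrored entry (addresses and ports swapped) when a permitted packet leaves, `evaluate` consults those entries on the way back in, an interface takes one ACL per direction (so `inbound in` and `outbound out` are two different slots, not two ACLs in one slot), and an outbound ACL is not applied to packets the router itself generates. The `Router`, `Packet` and `Rule` names, the addresses and the ports are constructed for the example; timeouts and ICMP type handling are left out.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "icmp", "ospf", ...
    src: str
    dst: str
    sport: int = 0      # 0 = protocol carries no port (icmp, ospf)
    dport: int = 0

    def mirror(self) -> Packet:
        """Temporary entry that 'reflect' installs: same protocol, endpoints swapped."""
        return Packet(self.proto, self.dst, self.src, self.dport, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit", "deny" or "evaluate"
    proto: str = "ip"               # "ip" matches any protocol; for "evaluate" this holds the reflexive list name
    reflect: Optional[str] = None   # reflexive list to populate (permit rules only)


class Router:
    """Simplified model: named extended ACLs, one applied per direction on one
    interface, plus the reflexive lists they populate (no entry timeouts)."""

    def __init__(self) -> None:
        self.acls: dict[str, list[Rule]] = {}
        self.reflexive: dict[str, set[Packet]] = {}
        self.applied: dict[str, str] = {}   # direction ("in"/"out") -> ACL name

    def define_acl(self, name: str, rules: list[Rule]) -> None:
        self.acls[name] = rules

    def access_group(self, name: str, direction: str) -> None:
        # One ACL per direction: a second "ip access-group ... in" would replace
        # the first, but "in" and "out" are separate slots on the same interface.
        self.applied[direction] = name

    def check(self, acl_name: str, pkt: Packet) -> bool:
        for rule in self.acls[acl_name]:
            if rule.action == "evaluate":
                if pkt in self.reflexive.get(rule.proto, set()):
                    return True
                continue                    # no temporary entry matched; keep going
            if rule.proto not in ("ip", pkt.proto):
                continue
            if rule.action == "permit":
                if rule.reflect:
                    self.reflexive.setdefault(rule.reflect, set()).add(pkt.mirror())
                return True
            return False                    # explicit deny
        return False                        # implicit deny at the end of every ACL

    def send(self, pkt: Packet, router_originated: bool = False) -> bool:
        """Packet leaving the interface. IOS does not run the outbound ACL against
        traffic the router itself generates (its own OSPF hellos, for example)."""
        if router_originated:
            return True
        return self.check(self.applied["out"], pkt)

    def receive(self, pkt: Packet) -> bool:
        """Packet arriving on the interface from the outside."""
        return self.check(self.applied["in"], pkt)


def build_r2() -> Router:
    """R2 configured as in the thread."""
    r2 = Router()
    r2.define_acl("outbound", [
        Rule("permit", "tcp", reflect="MIRROR"),
        Rule("permit", "icmp", reflect="MIRROR"),
        Rule("deny", "ip"),
    ])
    r2.define_acl("inbound", [
        Rule("permit", "ospf"),
        Rule("evaluate", "MIRROR"),
    ])
    r2.access_group("inbound", "in")
    r2.access_group("outbound", "out")
    return r2


def demo() -> dict[str, bool]:
    r2 = build_r2()
    inside, outside, neighbor = "10.1.1.10", "203.0.113.5", "198.51.100.1"  # constructed addresses
    results: dict[str, bool] = {}
    # inside host opens a TCP session; 'reflect' installs the mirrored entry
    results["tcp_out"] = r2.send(Packet("tcp", inside, outside, 40000, 80))
    results["tcp_reply"] = r2.receive(Packet("tcp", outside, inside, 80, 40000))
    # same peer, but a session nobody inside started: no mirrored entry, implicit deny
    results["tcp_unsolicited"] = r2.receive(Packet("tcp", outside, inside, 80, 40001))
    # OSPF from the neighbor is allowed by the static permit, not by MIRROR
    results["ospf_in"] = r2.receive(Packet("ospf", neighbor, "198.51.100.2"))
    # R2's own hellos bypass the outbound ACL entirely...
    results["ospf_out_router"] = r2.send(Packet("ospf", "198.51.100.2", neighbor), router_originated=True)
    # ...whereas OSPF transiting from an inside host would hit "deny ip any any log"
    results["ospf_out_transit"] = r2.send(Packet("ospf", inside, neighbor))
    return results


if __name__ == "__main__":
    for name, permitted in demo().items():
        print(f"{name}: {'permit' if permitted else 'deny'}")
```

Running it shows the two behaviours the questions turn on: only traffic whose mirrored entry exists gets back in through `evaluate MIRROR`, and the router's own OSPF never meets the outbound `deny ip any any log` because outbound ACLs filter transit traffic, not locally generated packets.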