Was going to deploy reflexive ACLs on some campus distribution switches last night and found out they aren't an option on 4500r+e switches or ISR 4321 routers. Anyone have any recommendations on alternative options? The reflexive ACLs would be applied on the VLAN interfaces and would restrict inbound traffic to only specific destinations (untrusted to trusted) and all outbound traffic (trusted to untrusted) would be permitted through the reflect. From what I can tell there doesn't seem to be any options besides just having an extended ACL but that would require opening up alot of unnecessary access initiated from the untrusted side.
