sudsaman
Cisco Employee

In enterprise networks, standard and extended ACLs (Access Control Lists) provide traffic filtering to protect the network from unwanted access and from spoofing attacks. The biggest limitation of traditional access control lists is their stateless nature. They do not keep track of the state of a connection; therefore, if someone inside the network sends traffic to the Internet, it is hard to safely allow the returning traffic back into your network without opening a large hole with static ACL configuration. Traditional ACLs also consume a lot of TCAM (Ternary Content Addressable Memory), since every inbound and outbound flow combination and every match criterion needed to allow traffic in and out of the network must be programmed as a static entry. To give the access list stateful behavior, Cisco has introduced the Reflexive ACL feature on Catalyst 9000 series switches starting from the IOS-XE 17.10.1 release.

[Figure: network topology (Picture1Sudhir.png)]

Access List

Look at the network topology above. There are two networks, the internal network (192.168.10.0) and the external network (192.168.20.0). Consider a scenario where a host in the internal network wants web access to a server in the external network.

Using an extended access list, we would have to configure an ACL on the inbound (external-facing) interface of the border switch to allow the "web" traffic from the server back to the host in the internal network.

Switch#conf t
ip access-list extended ACL_inbound
 ! return web traffic: source is the server's port 80, destination is the internal host
 permit tcp host 192.168.20.115 eq www host 192.168.10.170
 deny ip any any
end

Switch#conf t
interface GigabitEthernet1/0/4
 no switchport
 ip address 192.168.10.11 255.255.255.0
end

Switch#conf t
interface GigabitEthernet1/0/22
 no switchport
 ip address 192.168.20.21 255.255.255.0
 ip access-group ACL_inbound in
end

Applying the above ACL for a single host seems fine. On a large-scale network, however, it is not practical: to let hosts reach a web server, or even ping, you must permit all WWW/ICMP replies back to every one of those devices, and the same again for every other service. These permit statements are always active, so an attacker could use them to spoof return traffic and mount a denial of service (DoS) attack against the network. Every such statement must be included in the extended ACL, which quickly consumes the TCAM available on the switch.

Reflexive Access List 

What the reflexive ACL does differently is that it provides a form of bidirectional filtering: it allows the returning traffic of connections that originated from inside the network back in, while denying traffic that originates outside of your network and attempts to connect to internal resources.

Whenever an internal device opens a session to the outside world, the switch creates a temporary entry in your inbound filter; that entry allows the returning traffic for this session back through the border switch.

Reflexive ACL configuration example:

!Configure reflexive access list on outbound interface!
Switch#conf t
ip access-list extended ACL_out
 permit tcp host 192.168.10.170 host 192.168.20.115 eq www reflect R1 timeout 100
 !where R1 is the name of the reflexive access list!
 !timeout of 100 is to put a timer on the temporary entries created!
 deny ip any any
end

Switch#conf t
int g1/0/4
 ip address 192.168.10.11 255.255.255.0
 ip access-group ACL_out in
end

!Configure reflexive access list on inbound interface!
Switch#conf t
ip access-list extended ACL_in
 evaluate R1
 deny ip any any
end

Switch#conf t
int g1/0/22
 ip address 192.168.20.21 255.255.255.0
 ip access-group ACL_in in
end

The ACL containing the "reflect" keyword creates the temporary entries that permit the reverse traffic. Those entries are only consulted where an ACL containing the matching "evaluate" statement is applied in the reverse direction.
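To make the reflect/evaluate behaviour concrete, here is a small Python model of the two ACLs above (an added example, not Cisco code and not part of the original post). It uses the addresses from the configuration, models ACL_out with "reflect R1 timeout 100" on the internal interface and ACL_in with "evaluate R1" on the external interface, and contrasts the result with the permanent permit of the static ACL from the first example. Only the idle timeout is modelled; a real switch also removes a TCP entry early when it sees the session close.

```python
"""Model of how a reflexive ACL's "reflect"/"evaluate" pair behaves.

Constructed example, not Cisco code. Addresses come from the configuration
in the post; the timeout semantics are simplified to an idle timer only.
"""
from dataclasses import dataclass

INTERNAL_HOST = "192.168.10.170"
EXTERNAL_SERVER = "192.168.20.115"
WWW = 80


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Packet":
        # The 5-tuple a reply to this packet will carry
        return Packet(self.proto, self.dst, self.dport, self.src, self.sport)


class ReflexiveACL:
    """Temporary reverse entries, keyed by the reply 5-tuple -> expiry time."""

    def __init__(self, name: str, timeout: int):
        self.name = name
        self.timeout = timeout
        self.entries: dict[Packet, float] = {}

    def expire(self, now: float) -> None:
        # Entries whose idle timer ran out disappear from the inbound filter
        self.entries = {p: t for p, t in self.entries.items() if t > now}

    def reflect(self, pkt: Packet, now: float) -> None:
        # "reflect R1 timeout 100": permit the mirror image of this session
        self.entries[pkt.reverse()] = now + self.timeout

    def evaluate(self, pkt: Packet, now: float) -> bool:
        # "evaluate R1": does a live temporary entry match this packet?
        self.expire(now)
        if pkt in self.entries:
            self.entries[pkt] = now + self.timeout  # traffic on the session refreshes the timer
            return True
        return False


R1 = ReflexiveACL("R1", timeout=100)


def acl_out(pkt: Packet, now: float) -> bool:
    """ACL_out, applied inbound on g1/0/4 (traffic leaving the internal network)."""
    if (pkt.proto == "tcp" and pkt.src == INTERNAL_HOST
            and pkt.dst == EXTERNAL_SERVER and pkt.dport == WWW):
        R1.reflect(pkt, now)
        return True          # permit ... reflect R1 timeout 100
    return False             # deny ip any any


def acl_in(pkt: Packet, now: float) -> bool:
    """ACL_in, applied inbound on g1/0/22 (traffic arriving from the external network)."""
    if R1.evaluate(pkt, now):
        return True          # evaluate R1
    return False             # deny ip any any


def static_acl_in(pkt: Packet) -> bool:
    """The stateless alternative from the first example: a permanent hole for replies."""
    return (pkt.proto == "tcp" and pkt.src == EXTERNAL_SERVER
            and pkt.sport == WWW and pkt.dst == INTERNAL_HOST)


def demo() -> dict[str, bool]:
    """Walk one web session through both filters; every value should be True."""
    R1.entries.clear()
    syn = Packet("tcp", INTERNAL_HOST, 40001, EXTERNAL_SERVER, WWW)   # constructed session
    reply = syn.reverse()
    unsolicited = Packet("tcp", EXTERNAL_SERVER, WWW, INTERNAL_HOST, 40002)
    probe = Packet("tcp", EXTERNAL_SERVER, 55555, INTERNAL_HOST, 22)
    return {
        "outbound_syn_permitted": acl_out(syn, now=0),
        "reply_permitted": acl_in(reply, now=50),
        "unsolicited_same_ports_denied": not acl_in(unsolicited, now=60),
        "outside_initiated_denied": not acl_in(probe, now=60),
        "reply_after_timeout_denied": not acl_in(reply, now=50 + 101),  # idle > 100 s
        "static_acl_always_open": static_acl_in(unsolicited),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last check is the point of the post: the static ACL_inbound permits any packet that looks like a web reply, forever, while the reflexive entry exists only for the exact 5-tuple the internal host opened and only until the session goes idle.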

Reflexive ACLs provide numerous advantages to the enterprise network, including stateful filtering, which is much harder to spoof because more filter criteria must be matched before a packet is permitted, and temporary filters that are removed when a session is over. This limits an attacker's window of opportunity.

There are further benefits to using reflexive access lists: they are easy to implement and configure, and their stateful nature gives greater control over external traffic. The feature works on all Catalyst 9000 switches running IOS-XE 17.10.1 or later.

2 Comments

Hello Sudsaman,

My name is Raja, Nice to meet you here! This is a wonderful piece of information! Thank you so much!

NICE 
thanks a lot 
