Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
404
Views
0
Helpful
3
Replies

Reflexive Access-lists

Go to solution
Alex Pfeil
Level 7
Level 7

‎10-25-2010 10:20 AM - edited ‎03-06-2019 01:43 PM

I have a vlan setup for proxies.  I only want to allow the traffic that is going out of that vlan to be able to return in.

I was thinking about using a reflexive access-list and was hoping that someone already had a similar situation that I could take a look at.

Is a reflexive access-list the best way to go in this situation?

Thanks,

Alex

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Alex Pfeil

‎10-25-2010 11:15 AM 

alexlpfeil wrote:
I am using a Cisco 7606 router for the access-list.
I saw this on firstdigest.com  This is exactly what I thinking about applying to the vlan interface.  I was just trying to make sure that this would be the standard practice and there wasn't a better way to do it.
ip access-list extended OUTBOUND
permit tcp any any reflect TO_REFLECT
permit udp any any reflect TO_REFLECT
ip access-list extended INBOUND
evaluate TO_REFLECT

Ah well, a 7600 should be fine. Short of using a firewall then yes reflexive access-lists would be the way to go.

Jon

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎10-25-2010 11:00 AM 

alexlpfeil wrote:
I have a vlan setup for proxies.  I only want to allow the traffic that is going out of that vlan to be able to return in.
I was thinking about using a reflexive access-list and was hoping that someone already had a similar situation that I could take a look at.
Is a reflexive access-list the best way to go in this situation?
Thanks,
Alex

Alex

They would be but it depends on the switch ie. reflexive acls are not supported on all switches. Which switch are you using ?

Jon

0 Helpful

Go to solution
Alex Pfeil
Level 7
Level 7
In response to Jon Marshall

‎10-25-2010 11:12 AM

I am using a Cisco 7606 router for the access-list.

I saw this on firstdigest.com  This is exactly what I thinking about applying to the vlan interface.  I was just trying to make sure that this would be the standard practice and there wasn't a better way to do it.

ip access-list extended OUTBOUND
permit tcp any any reflect TO_REFLECT
permit udp any any reflect TO_REFLECT

ip access-list extended INBOUND
evaluate TO_REFLECT

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Alex Pfeil

‎10-25-2010 11:15 AM 

alexlpfeil wrote:
I am using a Cisco 7606 router for the access-list.
I saw this on firstdigest.com  This is exactly what I thinking about applying to the vlan interface.  I was just trying to make sure that this would be the standard practice and there wasn't a better way to do it.
ip access-list extended OUTBOUND
permit tcp any any reflect TO_REFLECT
permit udp any any reflect TO_REFLECT
ip access-list extended INBOUND
evaluate TO_REFLECT

Ah well, a 7600 should be fine. Short of using a firewall then yes reflexive access-lists would be the way to go.

Jon

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card