10-25-2010 10:20 AM - edited 03-06-2019 01:43 PM
I have a vlan setup for proxies. I only want to allow the traffic that is going out of that vlan to be able to return in.
I was thinking about using a reflexive access-list and was hoping that someone already had a similar situation that I could take a look at.
Is a reflexive access-list the best way to go in this situation?
Thanks,
Alex
10-25-2010 11:15 AM
alexlpfeil wrote:
I am using a Cisco 7606 router for the access-list.
I saw this on firstdigest.com. This is exactly what I was thinking about applying to the vlan interface. I was just trying to make sure that this would be the standard practice and there wasn't a better way to do it.
ip access-list extended OUTBOUND
 permit tcp any any reflect TO_REFLECT
 permit udp any any reflect TO_REFLECT
ip access-list extended INBOUND
 evaluate TO_REFLECT
Ah well, a 7600 should be fine. Short of using a firewall then yes reflexive access-lists would be the way to go.
Jon
10-25-2010 11:00 AM
alexlpfeil wrote:
I have a vlan setup for proxies. I only want to allow the traffic that is going out of that vlan to be able to return in.
I was thinking about using a reflexive access-list and was hoping that someone already had a similar situation that I could take a look at.
Is a reflexive access-list the best way to go in this situation?
Thanks,
Alex
Alex
They would be but it depends on the switch ie. reflexive acls are not supported on all switches. Which switch are you using ?
Jon
10-25-2010 11:12 AM
I am using a Cisco 7606 router for the access-list.
I saw this on firstdigest.com. This is exactly what I was thinking about applying to the vlan interface. I was just trying to make sure that this would be the standard practice and there wasn't a better way to do it.
ip access-list extended OUTBOUND
 permit tcp any any reflect TO_REFLECT
 permit udp any any reflect TO_REFLECT
ip access-list extended INBOUND
 evaluate TO_REFLECT
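For reference, here is the same reflexive access-list pattern carried through to a complete configuration, including the step the thread leaves out: binding both lists to the VLAN interface in the right directions. This is an added example, not Alex's or Jon's configuration; the interface number (Vlan10), the proxy subnet (192.0.2.0/24), the interface address and the 120-second idle timeout are assumptions chosen for illustration.

```ios
! Added example configuration, not from the thread. Vlan10, 192.0.2.0/24,
! the interface address and the timeout value are assumptions.
!
! Reflexive entries age out after the idle timeout (IOS default 300 s).
! Shortening it limits how long an idle session's return path stays open.
ip reflexive-list timeout 120
!
! Traffic originated by the proxies. Each "reflect" match creates a
! temporary entry in TO_REFLECT with source/destination and ports swapped.
! Limiting the source to the proxy subnet is tighter than "any any" and
! stops a stray host on the VLAN from opening return paths for itself.
ip access-list extended OUTBOUND
 permit tcp 192.0.2.0 0.0.0.255 any reflect TO_REFLECT
 permit udp 192.0.2.0 0.0.0.255 any reflect TO_REFLECT
!
! Traffic heading toward the proxies. "evaluate" splices the live reflexive
! entries in at this point; anything that does not match one of them falls
! through to the explicit deny and is logged, which is what you want to see
! when checking that nothing unsolicited reaches the proxy VLAN.
ip access-list extended INBOUND
 evaluate TO_REFLECT
 deny ip any any log
!
! Direction on an SVI is from the router's point of view: "in" is traffic
! arriving from the VLAN hosts (proxy-originated), "out" is traffic leaving
! the router toward the VLAN (the return traffic being reflected).
interface Vlan10
 description Proxy VLAN
 ip address 192.0.2.1 255.255.255.0
 ip access-group OUTBOUND in
 ip access-group INBOUND out
```

Two things to verify after applying it: `show ip access-lists TO_REFLECT` should populate with swapped-tuple entries as soon as a proxy opens a connection, and the `deny ip any any log` counter on INBOUND should stay at zero for legitimate return traffic. Reflexive lists only track the single flow they saw, so protocols that negotiate a second channel (active FTP is the usual case) need a separate permit or a stateful firewall instead, which is the trade-off Jon alludes to.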