Reflexive access lists

yuri.volkov
Level 1

I would like to prevent a web server from initiating any IP traffic from inside its VLAN. The server must only be able to respond to TCP connections from other VLANs, to port 80 only. This looks like the opposite of the traditional use of a reflexive ACL. So, is it possible to use the command reflect in an inbound IOS ACL (ip access-group ... out) and the command evaluate in an outbound ACL (ip access-group ... in), or can these commands only be used in inbound and outbound ACLs respectively? For some reason my configuration doesn't work. Please look at the attached picture.

1 Reply

yuri.volkov
Level 1

The problem was not in the access lists at all. Last year we were experimenting with MAC ACLs and didn't remove the command mac packet-classify from interface VLAN 20 (see the attached picture). I have no idea why, but after removing this command from interface VLAN 20, the reflexive ACL applied to interface VLAN 10 began working.
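Worked configuration for the scenario in the question, combined with the fix from the reply, added here as an example. It is not the poster's configuration (the attached pictures are not on the page); the addresses, interface numbers, ACL names and the reflexive-list name are assumed: web server 10.0.10.80 in VLAN 10 behind SVI Vlan10, clients in VLAN 20.

```ios
! Assumed topology (not from the thread): web server 10.0.10.80 in VLAN 10,
! SVI Vlan10 = 10.0.10.1/24, clients in VLAN 20 (10.0.20.0/24).
!
! in/out on an SVI are relative to the router, not to the server:
!   out on Vlan10 = packets leaving the router toward the server VLAN
!   in  on Vlan10 = packets the server sends toward the router
!
! Outbound ACL: the only traffic allowed INTO the server VLAN is TCP/80 to
! the server. "reflect" records each matched flow in WEB-SESSIONS so that
! its mirror image (server -> client, source port 80) is permitted back.
ip access-list extended TO-SERVER-VLAN
 remark clients anywhere may open TCP/80 to the web server only
 permit tcp any host 10.0.10.80 eq 80 reflect WEB-SESSIONS timeout 300
 deny   ip any any log
!
! Inbound ACL: "evaluate" must come before the deny. It permits only packets
! that match a live reflexive entry, so the server can answer established
! sessions but cannot open anything of its own (no DNS, NTP, ping, outbound
! HTTP, ...), which is the requirement in the question.
ip access-list extended FROM-SERVER-VLAN
 evaluate WEB-SESSIONS
 deny   ip any any log
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
 ip access-group TO-SERVER-VLAN out
 ip access-group FROM-SERVER-VLAN in
!
! From the reply: a leftover "mac packet-classify" on another SVI stopped the
! reflexive ACL on Vlan10 from working. Make sure it is not configured.
interface Vlan20
 no mac packet-classify
!
! Check (illustrative output): after a client on VLAN 20 fetches a page, the
! reflexive list holds a temporary entry with source and destination swapped.
!   Router# show ip access-lists WEB-SESSIONS
!   Reflexive IP access list WEB-SESSIONS
!        permit tcp host 10.0.10.80 eq www host 10.0.20.25 eq 51234 (time left 280)
! If no entry ever appears, the outbound ACL is not seeing the client's
! packets; if entries appear but replies are still dropped, check the
! inbound ACL ordering and any other interface-level classification.
```

Two design points. First, this placement (reflect in the `out` ACL, evaluate in the `in` ACL of the interface facing the protected hosts) is the same pattern Cisco's reflexive-ACL documentation uses on an external interface, so nothing in it is "backwards"; the confusion in the question comes from naming directions from the server's point of view instead of the router's. Second, a reflexive entry is created by any packet that matches the reflect line, not only by a TCP SYN, and it expires after the configured timeout rather than on FIN/RST, so this is session filtering rather than full stateful inspection; it is still stronger than a plain `established` match, which would let the server send ACK-flagged segments anywhere.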