What are Reflexive ACLs?
Reflexive ACLs, also known as IP-session-filtering ACLs, are used to allow traffic for sessions originating from the internal network while denying IP traffic for sessions initiated from the outside network. They let a network administrator have a filtering router dynamically track and manage session traffic.
The router examines the outbound traffic and, when it sees a new connection, adds an entry to a temporary ACL to allow the replies back in. These entries are created automatically when a new IP session begins and are removed when the session ends.
Reflexive access lists are not applied directly to an interface, but are “nested” within an extended named IP access list that is applied to the interface.
Cisco recommends that reflexive access lists be configured on border routers, that is, routers that pass traffic between an internal and an external network. Often these are firewall routers.
Reflexive ACLs provide a stronger form of session filtering than an extended ACL that uses the established parameter.
Reflexive ACLs also work for UDP and ICMP, which have no ACK or RST bits. The established option also does not work with applications that dynamically change the source port for the session traffic, and a permit ... established statement only checks the ACK and RST bits, not the source and destination addresses.
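The following IOS configuration is an added illustration, not taken from the original article: it nests one reflexive list in an outbound and an inbound extended named ACL on a border router, with the weaker established-based rule shown for comparison. ACL names, the address 203.0.113.10 and the timeouts are assumed values.

```cisco
! Outbound extended named ACL: each permitted TCP, UDP or ICMP session
! creates a temporary entry in the reflexive list REFLECT-SESSIONS.
ip access-list extended OUTBOUND-FILTER
 permit tcp any any reflect REFLECT-SESSIONS timeout 300
 permit udp any any reflect REFLECT-SESSIONS
 permit icmp any any reflect REFLECT-SESSIONS
 permit ip any any
!
! Inbound extended named ACL: "evaluate" nests the reflexive list here.
! Return packets that match a temporary entry are permitted; anything
! that is not part of an internally initiated session hits the final deny.
ip access-list extended INBOUND-FILTER
 permit tcp any host 203.0.113.10 eq 443
 evaluate REFLECT-SESSIONS
 deny ip any any log
!
! Default lifetime (seconds) for temporary entries that have no explicit
! timeout on their reflect statement.
ip reflexive-list timeout 240
!
interface GigabitEthernet0/1
 description Link to ISP (untrusted side)
 ip access-group OUTBOUND-FILTER out
 ip access-group INBOUND-FILTER in
!
! For comparison, the older approach the article contrasts with:
! "permit tcp any any established" would admit any TCP packet with the
! ACK or RST bit set regardless of addresses, and covers no UDP or ICMP.
```

While an internal host has a session open, `show access-lists` lists the temporary entries the router created in REFLECT-SESSIONS, which is the quickest way to confirm the reflect and evaluate statements are on the right interfaces and directions.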
Advantages of Reflexive ACLs
Reflexive ACLs have the following advantages:
* Network administrators use reflexive ACLs to secure against network hackers, and they can be included in a firewall defence.
* They are simple to use and, compared to basic ACLs, provide greater control over which packets enter your network.
* They provide a level of security against spoofing and certain DoS attacks. Reflex