Reflect-acl Configuration Guide

Reflective ACL is a state-based dynamic access control technology primarily used for network security protection. Its core principle involves monitoring outbound sessions initiated from the internal network to automatically generate temporary reverse rules. These rules permit response traffic to return while blocking unauthorized access initiated from external sources.

Reflect-acl Configuration

Create reflect-acl table

Operation	Command	Description
Enter the system configuration view	configure terminal
Create and enter the system configuration view	access-list {REFLECT_L3|REFLECT_L3V6} string {ingress|egress} [des_crip string ]

L3/L3v6 Matching Filter

Keywords	Description
ip-protocol	IP protocol type, can be configured using either the numeric value or protocol name
src-ip	Source IP address (with subnet mask), e.g., “10.1.1.1/24”
dst-ip	Destination IP address (with subnet mask), e.g., “10.1.1.1/24”
src-port	Protocol source port number
dst-port	Protocol destination port number
dst-dns-group	DNS field, see Chapter 14 for details
geosite	Geosite field, see Chapter 15 for details
geoip	Geoip field, see Chapter 15 for details

Example of Reflect-acl Configuration

Network Requirements

Interface 1 of the router connects to internal network users, while Interface 2 connects to the Internet. Configure a reflexive ACL on the outbound direction of Interface 2. Internal network hosts must first access servers on the Internet before Internet servers are permitted to access internal network hosts.

Procedure

sonic(config)# access-list REFLECT_L3 test egress
sonic(config-REFLECT_L3-acl-test)# rule 1 src-ip 80.0.0.100 packet-action permit
sonic(config-REFLECT_L3-acl-test)# exit
sonic(config)# interface ethernet 2
sonic(config-if-2)# acl test